pix 515e routing between tunnels

jknott2004 · ‎11-01-2004

hi,

my client has the need to tunnel into my network via a B2B and be routed through a VPN appliance to one of a series of remote sites which have VPN tunnels connected to them.

im thinking of using a pix 515e and have the client tunnel into one of the 2000 possible tunnels available and be routed directly to one of the other 800+ vpn tunnels maintained through the appliance.

i know the pix 515e will maintain all of the tunnels but will it route traffic between them? ive heard that there may be issues due to security priority on the ports. any suggestions?

ddawson · ‎11-01-2004

The PIX can route traffic between tunnels that terminate on different interfaces, but not between any two tunnels that terminate on the same interface.

HTH

jknott2004 · ‎11-02-2004

so if i had the need to offer routing from my own network (A) and my client's network (B) to a series of remote sites (C-Z), id be safe with this appliance as long as network (A) were connected to one interface, network (B) connected to a second interface, and all other tunnels terminated at yet a third interface.

btw, thanks again for all your input.

ddawson · ‎11-02-2004

Yes, that should work, but the configuration will be complex, since the crypto ACL's will have to be set up to match all the possible source and destination address combinations. Note also that the PIX will decrypt and re-encrypt all traffic between tunnels, which will increase the processing load. Make sure you factor that in when you choose your hardware. In general, the IOS routers are the preferred platform for large scale site-to-site VPN configurations, so I'd suggest you consider that option as well.

Good luck!