12-28-2004 01:05 AM - edited 02-21-2020 01:31 PM
Hi All
I am setting up a PIX site-to-site VPN for my customer.
My environment:
Internet
!
ADSL Router
!
PIX firewall
!
Site to site router------------------------- router
(branch office)
!
!
!
internal
By default I have already set up a site-to-site VPN router; the PIX site-to-site is a second link if the router goes down. All the default gateways of the internal hosts are pointing to the site-to-site router, and that router also acts as a forwarder for other external requests from the internal hosts.
The site-to-site router will throw any request to the PIX and only route requests going to the branch office network.
I have attached my configuration for the PIX-to-PIX VPN for your reference.
My problem:
After configuring the PIX for site-to-site VPN, I changed the gateway of one of the internal hosts to point to my PIX (instead of the router). I am able to send ICMP requests to the internal hosts sitting over at the branch office. When I open up the browser I can see the servers of the branch office, but when I try to click on them for access, I receive a "network path not found" error.
I have enabled debug for ISAKMP and crypto, but no error was returned.
Is there a way to configure the PIX to take on the role of the site-to-site VPN immediately when the site-to-site VPN router goes down, without having to change the default gateway of the internal clients?
I really appreciate all your time and help.
12-28-2004 04:35 AM
As per my understanding (correct me if I'm wrong):
Site A has >> Router 1 & PIX 1
Site B has >> Router 2 & PIX 2
- We have an existing site-to-site tunnel using Router 1 & 2.
- We have created a backup using PIX 1 & 2.
>> Since we require all the traffic to use the router, presently we have routes pointing to the router.
>>> We tried to have one of the PCs point to the PIX.
Our issue is that we need to configure the PIX so that the router can go down without changing the internal client route.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
If the above is correct:
It is difficult for any config as such for the client to learn the route with the present setup, but we can try:
1>> On the PC set two default routes, one pointing to the router & the other with a lower metric pointing to the PIX.
2>> We can have a router behind the PIX & the Router which would decide how to send the traffic, or rather to whom to send the traffic.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
We can also have, say (as per the above consideration):
Router 1 can have two set peers pointing to Router 2 & PIX 2, & vice versa.
PIX 1 can have two set peers pointing to Router 2 & PIX 2, & vice versa.
This will also serve the purpose, i.e. if one of the devices fails, the head end would negotiate using the next set peer.
Let me know if you have any query.
Thanks
Adi
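An illustration of the "two set peer" idea Adi describes, added here as an example; it is not part of the thread and not the poster's attached configuration. It shows a PIX 6.x-style crypto map on PIX 1 with two peers listed in one map entry, so that if the first peer does not respond the PIX negotiates with the next one. All addresses, object names, the protected networks and the pre-shared key are placeholders, and a mirrored entry on Router 2 / PIX 2 is assumed.

```cisco
! PIX 1 (site A) -- added example only; every address and name below is a placeholder
! Traffic to protect: site A LAN 10.1.0.0/16 to site B LAN 10.2.0.0/16
access-list vpn_to_siteB permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
! Exempt the VPN traffic from NAT so the private addresses survive the tunnel
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list nonat
! Let IPsec-protected traffic bypass the outside interface ACL
sysopt connection permit-ipsec
! Phase 2 proposal
crypto ipsec transform-set siteB-set esp-aes-256 esp-sha-hmac
! One crypto map entry with TWO peers: 203.0.113.2 stands for Router 2, 203.0.113.3 for PIX 2.
! The PIX tries the peers in the order listed and moves to the next when negotiation with the first fails.
crypto map backupmap 10 ipsec-isakmp
crypto map backupmap 10 match address vpn_to_siteB
crypto map backupmap 10 set peer 203.0.113.2
crypto map backupmap 10 set peer 203.0.113.3
crypto map backupmap 10 set transform-set siteB-set
crypto map backupmap interface outside
! Phase 1 (ISAKMP): one pre-shared key entry per possible peer
isakmp enable outside
isakmp key <PRESHARED_KEY> address 203.0.113.2 netmask 255.255.255.255
isakmp key <PRESHARED_KEY> address 203.0.113.3 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Two things to keep in mind when reading this: the second peer is only tried after negotiation with the first one times out, so the switchover takes as long as the ISAKMP retransmit and dead-peer timers allow; and listing two peers covers a failed VPN device at the far end, it does not by itself change which local gateway the internal clients send to, which is the separate problem the original post raises.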
12-28-2004 07:23 PM
Hi Mr Mukadam
Thank you for your reply and tips.
I will try it out.
By the way, do you know about the error I encountered when I try to access the server on the remote site and I receive a "network path not found" error?
I have attached my VPN configuration files; please let me have your advice.
Thanks
12-28-2004 08:05 PM
Router 1 can have two set peers pointing to Router 2 & PIX 2, & vice versa.
PIX 1 can have two set peers pointing to Router 2 & PIX 2, & vice versa.
By the way, can you help to explain what the two set peers mean?
Thank you