04-19-2004 11:00 AM
Currently, I have configured two PIX 506 firewalls with site-to-site and remote access VPN. The configuration commands on one of the PIX firewalls are:
access-list 120 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip local pool pool1 192.168.1.200-192.168.1.254
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map peeroffice 10 ipsec-isakmp
crypto map peeroffice 10 match address 120
crypto map peeroffice 10 set peer 172.16.1.2
crypto map peeroffice 10 set transform-set myset
crypto map peeroffice 20 ipsec-isakmp dynamic dynmap
crypto map peeroffice interface outside
isakmp enable outside
isakmp key **** address 172.16.1.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup officevpn address-pool pool1
vpngroup officevpn dns-server 123.123.123.123
vpngroup officevpn idle-time 1800
vpngroup officevpn password *****
The problem that I have is this: if I use the remote access VPN to connect to one of the PIX firewalls, called PIX-A, can I then use this remote VPN connection to reach the other PIX firewall, called PIX-B, given that both firewalls are configured with a site-to-site VPN? Actually, I found that the current configurations do not support this, so I would like someone to give me advice on how to make this possible.
Thanks for your advice!
04-19-2004 11:50 AM
I don't think you will be able to do this - the PIX does not allow traffic to leave on the interface it came in on:
You are at home.
You VPN-connect to PIX A.
If you were to ping a machine on network B, it would go through your remote connect tunnel to PIX A on its outside interface, and back out its outside interface via the point-to-point tunnel to PIX B.
Currently, PIX OS does not support this. This is allegedly a feature that will be included in the next major version of the OS.
05-12-2004 07:05 PM
True, the PIX is only a one-way street and does not allow you to do this; however, this can be achieved if you have a perimeter router on both of the sites.
I know it's a bummer, but that's how the PIX is designed. I tried to do this but just couldn't.
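Added example, not part of the thread and not Cisco code: a small Python checker that reads the relevant lines of the configuration posted above and works out, for a given VPN client address, whether the site-to-site crypto ACL would even match its traffic and on which interface that traffic would have to turn around. It also flags the single-DES and MD5 selections in the posted transform set and ISAKMP policy, which are weak by any current standard. The client and remote host addresses passed in are constructed test values; the config text is the poster's, trimmed to the lines the check needs.

```python
"""Check a PIX 6.x-style VPN config for remote-access -> site-to-site reachability.

Added example for the thread above; the PIX_CONFIG lines are copied from the
post, everything else is assumed/constructed for illustration.
"""
import ipaddress
import re

# Lines taken from the posted configuration (only those the checks need).
PIX_CONFIG = """\
access-list 120 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip local pool pool1 192.168.1.200-192.168.1.254
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map peeroffice 10 ipsec-isakmp
crypto map peeroffice 10 match address 120
crypto map peeroffice 10 set peer 172.16.1.2
crypto map peeroffice 20 ipsec-isakmp dynamic dynmap
crypto map peeroffice interface outside
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
vpngroup officevpn address-pool pool1
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) ([^-\s]+)-(\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
IFACE_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
WEAK_TOKENS = {"des", "esp-des", "md5", "esp-md5-hmac"}


def parse_config(text):
    """Return (acls, pools, matches, iface) parsed from PIX-style lines."""
    acls, pools, matches, iface = {}, {}, {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"),
                 ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := POOL_RE.match(line):
            name, first, last = m.groups()
            pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif m := MATCH_RE.match(line):
            mapname, seq, acl = m.groups()
            matches[(mapname, int(seq))] = acl
        elif m := IFACE_RE.match(line):
            iface[m.group(1)] = m.group(2)
    return acls, pools, matches, iface


def client_path_report(text, pool_name, client_ip, remote_host):
    """Describe how a remote-access client address would reach a host at the other site."""
    acls, pools, matches, iface = parse_config(text)
    client = ipaddress.ip_address(client_ip)
    remote = ipaddress.ip_address(remote_host)
    first, last = pools[pool_name]
    # Static crypto-map entries whose ACL covers client -> remote host.
    matched_by = [
        (mapname, seq, acl)
        for (mapname, seq), acl in sorted(matches.items())
        for src, dst in acls.get(acl, [])
        if client in src and remote in dst
    ]
    # The dynamic (remote-access) entry and the static L2L entry sit in the same
    # crypto map, bound to one interface. Client traffic is decrypted on that
    # interface and would have to leave it again through the L2L tunnel, which
    # is exactly the "in and out the same interface" case the replies describe.
    hairpin = sorted({iface[m] for m, _, _ in matched_by if m in iface})
    return {
        "client_in_pool": first <= client <= last,
        "matched_by": matched_by,
        "hairpin_interfaces": hairpin,
    }


def weak_crypto_lines(text):
    """Transform-set and ISAKMP policy lines that select single DES or MD5."""
    return [
        line.strip() for line in text.splitlines()
        if (line.strip().startswith("crypto ipsec transform-set")
            or line.strip().startswith("isakmp policy"))
        and WEAK_TOKENS & set(line.split())
    ]


if __name__ == "__main__":
    # Constructed sample: a client from pool1 trying to reach a host behind PIX-B.
    print(client_path_report(PIX_CONFIG, "pool1", "192.168.1.201", "192.168.2.10"))
    for line in weak_crypto_lines(PIX_CONFIG):
        print("weak crypto:", line)
```

For the posted config the report shows that the client address is inside the pool, that ACL 120 under map entry `peeroffice 10` does match client-to-remote traffic (the pool sits inside 192.168.1.0/24, so PIX-B's mirrored ACL would match it too), and that the only turnaround point is the `outside` interface. That last item is the blocker the two replies describe: on PIX 6.x the box will not forward a packet back out the interface it arrived on, so the ACL being correct is not enough. Later PIX/ASA releases (7.0 onward) added `same-security-traffic permit intra-interface` for exactly this case.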