Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
526
Views
0
Helpful
2
Replies

How to configure the PIX

marstar
Level 1
Level 1

‎04-19-2004 11:00 AM

Currently, I have configured two PIX 506 firewalls with site-to-site and remote access VPN. The configuration commands on one of PIX firewall to be:

access-list 120 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

ip local pool pool1 192.168.1.200-192.168.1.254

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map peeroffice 10 ipsec-isakmp

crypto map peeroffice 10 match address 120

crypto map peeroffice 10 set peer 172.16.1.2

crypto map peeroffice 10 set transform-set myset

crypto map peeroffice 20 ipsec-isakmp dynamic dynmap

crypto map peeroffice interface outside

isakmp enable outside

isakmp key **** address 172.16.1.2 netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup officevpn address-pool pool1

vpngroup officevpn dns-server 123.123.123.123

vpngroup officevpn idle-time 1800

vngroup officevpn password *****

The problem that I have is if I want to use the remote access VPN to connect one of the PIX firewall called PIX-A. Then can I use this remote VPN connection to connect to the other PIX firewall called PIX-B by having both firewalls being configured with site-to-site VPN. Actually, I found the current configurations are not supported, thus I would like someone give me an advice on how to make this possible.

Thanks for your advice!

Labels:
0 Helpful
2 Replies 2

mostiguy
Level 6
Level 6

‎04-19-2004 11:50 AM

I don't think you will be able to do this - the pix does not allow traffic to leave on an interface it came in on:

you are home

you vpn connect to pix A.

if you were to ping a machine on network B, it would go thru your remote connect tunnel to PIX A on its outside int, and back out its outside int via the point to point tunnel to pix B

currently, pix os does not support this. this is allegedly a feature that will be included in the next major version of the OS

0 Helpful

satishuws
Level 1
Level 1

‎05-12-2004 07:05 PM

True PIX is only one way street and does not allow you to do this however this can be achieved if you have a Perimeter router on both the sites.

I knwo its a bummer but thats how PIX is designed, i tried to do this but just couldnt.

0 Helpful
Customers Also Viewed These Support Documents