Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
673
Views
0
Helpful
6
Replies

PIX 7.0 and hairpinning VPN connections

bgilbertson1966
Level 1
Level 1

‎04-26-2005 05:25 PM - edited ‎02-21-2020 01:44 PM

We have a need to bring VPN clients into a PIX and route some of them back out over a site-site VPN. Until now, we've had to route them internally to a second PIX with the site-site connection because packets cannot leave by the same interface they came in on (hairpinning). I understood that this functionality would be provided by 7.0, which would really simplify things, but can't find the feature documented anywhere. Has anyone been able to find this?

Thanks

Labels:
0 Helpful
6 Replies 6

pcomeaux
Cisco Employee
Cisco Employee

‎04-26-2005 06:00 PM

Hey -

I found the following in the 7.0 release notes:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_70/70_rn/pix_70rn.htm

Enhanced Spoke-to-Spoke VPN Support

Version 7.0(1) improves support for spoke-to-spoke (and client-to-client) VPN communications, by providing the ability for encrypted traffic to enter and leave the same interface. Furthermore, split-tunnel remote access connections can now be terminated on the outside interface for the security appliance, allowing Internet-destined traffic from remote access user VPN tunnels to leave on the same interface as it arrived (after firewall rules have been applied).

The same-security-traffic command permits traffic to enter and exit the same interface when used with the intra-interface keyword enabling spoke-to-spoke VPN support. For more information, see the " Permitting Intra-Interface Traffic" section in the in the Cisco Security Appliance Command Line Configuration Guide.

For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

"Permitting Intra-Interface Traffic"

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_70/config/vpnsysop.htm#wp1042114

Let us know if you have any follow up questions.

thanks

peter

0 Helpful

bgilbertson1966
Level 1
Level 1
In response to pcomeaux

‎04-26-2005 06:45 PM

Thanks Peter, this was just the info I've been searching for!

0 Helpful

john_tipton
Level 1
Level 1

‎05-20-2005 10:17 AM

I've been trying to do the same thing with a VPN Concentrator 3060. Anyone know if this is possible?

Thanks,

John R. Tipton

0 Helpful

pcomeaux
Cisco Employee
Cisco Employee
In response to john_tipton

‎05-25-2005 06:26 AM

Hi John -

Yes - you can have spoke to spoke communication using a router or vpn concentrator as a head-end device. The Pix 7.0 code now permits the Pix to allow spoke to spoke communication.

You'll need to make sure the spokes have the right routing configured on the device along with the right definition of interesting traffic.

What are you using as your spokes?

thanks

peter

0 Helpful

john_tipton
Level 1
Level 1
In response to pcomeaux

‎05-25-2005 07:20 AM

We have a VPN Concentrator 3060 and are trying to configure client-to-client traffic for one of our clients.

The client has a 3002 VPN Hardware client on their network connected to our VPN Concentrator 3060. They want their software VPN clients connecting to our VPN Concentrator to see within their network through the VPN Concentrator and VPN Hardware client.

When I look at the traffic on the private interface it appears that the VPN Concentrator is routing the traffic out the private interface, instead to the VPN Hardware client.

Thanks for any help.

John R. Tipton

0 Helpful

john_tipton
Level 1
Level 1

‎06-15-2005 07:33 AM

Yes this can be done with the VPN Concentrator. Look here http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00803ee11d.html

John R. Tipton

0 Helpful
Customers Also Viewed These Support Documents