
PIX 501 Question

Can a Pix 501 route one VPN connection to another one?

We have a Pix 501 at our branch office that has a VPN tunnel to our main office. I connect remotely to the branch office's Pix via the Cisco VPN dialer. I am not able to access computers at our main office. The reason for this, I think, is that since the Pix is not a router, it has no idea what to do with IP requests that are outside of its LAN. Is there a way to get around this?
 
The way I understand it, after doing some reading and talking to a Cisco rep about a similar situation, is that you can't send traffic back out on the interface it came in on.

It's one of the big differentiating factors between the PIX and a router: a router can make decisions on where to send traffic, while a firewall is more about forcing rules on the way through.

What we have planned for my network is a design where you have Internet->Router->PIX->Router->Internal Systems. The reason for the second router is to "turn-around" the traffic.

In other words, if I have multiple tunnels to my 515 at the office, and I try to go from one to the other, that would need some routing so it would know how to get back out. With an extra router, the traffic comes in on the PIX, gets unencrypted, is turned around on the router and sent back to the PIX with its destination address, re-encrypted, and sent down the correct tunnel.

I'm not sure if the software client will allow you to make multiple connections, but I'm using a 501 at home, and it connects me directly to the 515 at the office and to the 501 at the colo, which is also connected to the 515. So instead of doing all the routing at the office, I just made a triangle-shaped network out of it.

If you don't have a way to connect direct to the main office though, you might have to do the router behind the PIX trick.

Hope this helps.
 
You should be able to do it. It's called a hub-and-spoke VPN, where the spokes can communicate with each other.

http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html

-edit- In other words, the branch PIX is a hub because it in essence has two tunnels (one client-based, another PIX-based). You need to check the links above for enabling "spoke to spoke" communication.

-edit2- This should help clean up your design some, mysticllama, and not rely on funky routing.
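As an added example that is not from this thread or from Cisco's documentation: the hub-side pieces that matter for the spoke-to-spoke case, written in PIX 7.x/ASA syntax because sending decrypted traffic back out the outside interface depends on `same-security-traffic permit intra-interface`, which the 6.x train a 501 runs does not have. Interface names, ACL names, networks, peer addresses and keys are all assumed.

```cisco
! Hub PIX 7.x / ASA: spoke-to-spoke through the hub (constructed example)
! Hub LAN 10.0.0.0/24; spoke A LAN 10.1.0.0/24, peer 203.0.113.1;
! spoke B LAN 10.2.0.0/24, peer 198.51.100.1. All values are made up.

! Allow decrypted traffic to leave on the interface it arrived on.
! This is the 7.x-only knob; PIX 6.x has no equivalent.
same-security-traffic permit intra-interface

! Hub LAN to spoke traffic must not be NATted. Spoke-to-spoke traffic
! never touches "inside", so it only needs exemption if outside NAT rules exist.
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list NONAT

! The crypto ACL for each spoke must cover BOTH the hub LAN and the other
! spoke's LAN, otherwise hairpinned packets match no tunnel and are dropped.
! Each spoke mirrors this: spoke A's ACL permits 10.1.0.0/24 to 10.0.0.0/24
! and to 10.2.0.0/24. (For the "send 0.0.0.0 to central" design discussed
! in the thread, the spoke ACL would instead permit its LAN to any.)
access-list TO_SPOKE_A extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list TO_SPOKE_A extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list TO_SPOKE_B extended permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list TO_SPOKE_B extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address TO_SPOKE_A
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 20 match address TO_SPOKE_B
crypto map OUTSIDE_MAP 20 set peer 198.51.100.1
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! 7.2 and later write these as "crypto isakmp ..."; 7.0 accepts "isakmp ...".
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <SPOKE_A_KEY_PLACEHOLDER>
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <SPOKE_B_KEY_PLACEHOLDER>
! Let IPsec-decapsulated traffic bypass the outside interface ACL.
sysopt connection permit-ipsec
```

To confirm the hairpin is working, `show crypto ipsec sa` on the hub should show encaps counters rising on both spoke SAs for a single spoke-to-spoke ping.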
 
AH-HA, Sweet!!

I had a feeling that that was a really funky way to do it, but he seemed to know what he was talking about. (Although the other day I talked to a Cisco rep who knew about as much as my kid sister it seemed, no use at all, luck of the draw I guess)

I'm going to have to cruise through the links a bit, because on the PIX hub-and-spoke one, it seems to be all the same config that I already have, but I can't get mine to pass in from one endpoint and through the middle to another endpoint. There is something small in there I'm missing; I'll just have to comb my way through it.

Thanks for the links. 🙂

* After looking at a couple of the other links, it looks like I'm working in fully meshed mode right now, because all of the endpoints are connected to each other (there are only 4). This isn't going to work when I start hooking up the retail stores, though.

* And a question: Does this solve the problem of coming in to the central office and then still going out to the Internet through the same PIX? I would like to control the stores' access to the net all in one central location, but I had decided to just not give them net access at all at the moment, since they *shouldn't* really need it anyway. I'd have to send all traffic (0.0.0.0) to the central office in the access-list, but then determine which was going to go out to the Internet and which was going to internal addresses to pull that off, correct?
 