|
Posted by Peter on October 13, 2005, 8:12 pm
If you were Registered and logged in, you could reply and use other advanced thread options
Hello everybody...
I have a big problem with static routes...
i have 2 cisco pix 515 with ios 6.3 and 2 interfaces
A) cisco pix "A" have 3 VPN tunnels to 3 diferent remotes office
Network A (remote office 1)
Network B (remote office 2)
Network C (remote office 3)
B) Cisco pix "B" has no vpn tunnels, but i need to those guys which are
connected to this
pix... have access to vpn`s tunnel (Network A-Network B-Network C) on
PIX "A".
C) internal interfaces of Pix "A" and "B" are in the same network and
have connectivity
eachother (i can ping internals interfaces of both pix)
What i made:
1) inside Static route on pix "B" forwarding those vpn`s network to pix
"A".
2) I made no nating (nat 0) to vpnīs networks on pix "B"
Could you please help me with this huge and terrible problem?
Im stuck right now
Thanks in advance
Greeting
Peter
|
|
Posted by Walter Roberson on October 14, 2005, 9:06 am
If you were Registered and logged in, you could reply and use other advanced thread options
:I have a big problem with static routes...
:i have 2 cisco pix 515 with ios 6.3 and 2 interfaces
Restating your problem in more compact form:
You have two PIXes with their inside interfaces on the same subnet, and
you have some VPN tunnels on one, and you want the other PIX to forward
the traffic destined for those tunnels to the PIX that the tunnels live on.
The traffic you want to forward: where is it coming from?
Is the traffic coming from a lower security level interface on
the second PIX (such as the outside interface)?
Or is the traffic coming from the inside network that the PIXes
are both on, and the traffic is arriving at the second PIX instead
of the one that has the tunnels because the inside machines happen
to have their default gateway set to the second PIX [and no special
route for those tunnels set to the first PIX] ?
If it is the first situation, you would use a series of "route inside"
on each of the PIXes, with the forwarding PIX set to route the
tunnel destinations to the PIX that has the tunnels, and with the
PIX that has the tunnels set to route the traffic to the
outside locations through the second PIX.
If it is the second situation, where "inside" devices have a
gateway set to the second PIX and you want to redirect the traffic
to the first PIX that is on the same network, then you have a
problem because the PIX is designed not to allow that. There is a
hack which can be done involving creating "logical" interfaces
(802.1Q VLANs) on each of the 515s, provided that the switches
between the two PIXes allow the extra-length packets, or provided
that you set the MTU on the inside interfaces of the PIXes down by
a few bytes so that the tagged packets do not exceed the length
capacity of your switches.
--
I was very young in those days, but I was also rather dim.
-- Christopher Priest
|
| Similar Threads | Posted | | Cisco pix 515+ static routes between 2 cisco pix | October 13, 2005, 8:09 pm |
| WTB: CISCO WE ARE BUYING USED CISCO EQUIPMENT. | February 14, 2008, 8:14 am |
| Cisco PIX 501 | September 14, 2005, 11:51 am |
| Cisco | November 22, 2005, 9:27 pm |
| Cisco PIX 506 | April 14, 2006, 12:30 pm |
| Cisco ASA help | October 3, 2006, 1:36 pm |
| Cisco VPN client | July 15, 2004, 10:49 am |
| Stupid Cisco 506 | July 30, 2004, 6:12 am |
| Checkpoint and Cisco 501 | August 29, 2004, 10:47 am |
| Allow access from RAS CISCO PIX | December 31, 2004, 10:24 am |
|
XML site map