Posted by Peter on October 13, 2005, 8:12 pm
Hello everybody...
I have a big problem with static routes...
I have 2 Cisco PIX 515 with IOS 6.3 and 2 interfaces.
A) Cisco PIX "A" has 3 VPN tunnels to 3 different remote offices:
Network A (remote office 1)
Network B (remote office 2)
Network C (remote office 3)
B) Cisco PIX "B" has no VPN tunnels, but I need those guys who are
connected to this PIX... to have access to the VPN tunnels (Network A - Network B - Network C) on
PIX "A".
C) The internal interfaces of PIX "A" and "B" are in the same network and
have connectivity to
each other (I can ping the internal interfaces of both PIXes).
What I have done:
1) An inside static route on PIX "B" forwarding those VPN networks to PIX
"A".
2) I made no NAT (nat 0) to the VPN networks on PIX "B".
Could you please help me with this huge and terrible problem?
I'm stuck right now.
Thanks in advance.
Greetings,
Peter
Posted by Walter Roberson on October 14, 2005, 9:06 am
:I have a big problem with static routes...
:i have 2 cisco pix 515 with ios 6.3 and 2 interfaces
Restating your problem in more compact form:
You have two PIXes with their inside interfaces on the same subnet, and
you have some VPN tunnels on one, and you want the other PIX to forward
the traffic destined for those tunnels to the PIX that the tunnels live on.
The traffic you want to forward: where is it coming from?
Is the traffic coming from a lower security level interface on
the second PIX (such as the outside interface)?
Or is the traffic coming from the inside network that the PIXes
are both on, and the traffic is arriving at the second PIX instead
of the one that has the tunnels because the inside machines happen
to have their default gateway set to the second PIX [and no special
route for those tunnels set to the first PIX] ?
If it is the first situation, you would use a series of "route inside"
on each of the PIXes, with the forwarding PIX set to route the
tunnel destinations to the PIX that has the tunnels, and with the
PIX that has the tunnels set to route the traffic to the
outside locations through the second PIX.
If it is the second situation, where "inside" devices have a
gateway set to the second PIX and you want to redirect the traffic
to the first PIX that is on the same network, then you have a
problem because the PIX is designed not to allow that. There is a
hack which can be done involving creating "logical" interfaces
(802.1Q VLANs) on each of the 515s, provided that the switches
between the two PIXes allow the extra-length packets, or provided
that you set the MTU on the inside interfaces of the PIXes down by
a few bytes so that the tagged packets do not exceed the length
capacity of your switches.
--
I was very young in those days, but I was also rather dim.
-- Christopher Priest
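The "route inside" arrangement for the first situation (traffic arriving on PIX B's outside interface), written out as PIX 6.3 configuration. This is an added example, not a configuration posted by anyone in this thread; every address, mask and access-list name in it is a constructed placeholder for the layout described in the assumption comments.

```cisco
! Added example (not from any post in this thread): PIX 6.3 static routes for
! the "first situation" above. All addresses below are constructed placeholders.
!
! Assumed layout:
!   PIX A (has the three VPN tunnels): inside 192.168.1.1 255.255.255.0
!   PIX B (no tunnels):                inside 192.168.1.2 255.255.255.0
!   Remote office networks behind PIX A's tunnels:
!     Network A 10.1.0.0/24, Network B 10.2.0.0/24, Network C 10.3.0.0/24
!   Network reached only through PIX B's outside interface: 172.16.0.0/16
!
! --- PIX B: send the tunnel destinations to PIX A's inside address ---
route inside 10.1.0.0 255.255.255.0 192.168.1.1 1
route inside 10.2.0.0 255.255.255.0 192.168.1.1 1
route inside 10.3.0.0 255.255.255.0 192.168.1.1 1
!
! --- PIX A: return traffic for the network behind PIX B goes back via PIX B ---
route inside 172.16.0.0 255.255.0.0 192.168.1.2 1
!
! --- PIX A: the forwarded sources must be exempt from NAT and must be
! covered by the crypto ACL, or the packets never enter the tunnel ---
access-list nonat permit ip 172.16.0.0 255.255.0.0 10.1.0.0 255.255.255.0
access-list nonat permit ip 172.16.0.0 255.255.0.0 10.2.0.0 255.255.255.0
access-list nonat permit ip 172.16.0.0 255.255.0.0 10.3.0.0 255.255.255.0
nat (inside) 0 access-list nonat
! (the crypto map's match address ACL on PIX A, and the mirror ACL on each
!  remote peer, need the same 172.16.0.0/16 <-> 10.x.0.0/24 pairs added)
```

"show route" on each PIX confirms the entries took. Two caveats a practitioner should expect: on PIX 6.3, traffic entering PIX B on its lower-security outside interface still needs a static translation and an access-group on that interface before it is allowed inward at all, and the routes above do nothing for the second situation, where a host on the shared inside segment sends to PIX B and expects it to turn the packet back out the same interface toward PIX A.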
Posted by renil.lambert@gmail.com on October 14, 2005, 10:04 pm
hi
pls do copy and paste ur config ..and send it to us..
do take care in removing the confidential info..
thanks
renil
Posted by Walter Roberson on October 15, 2005, 3:15 pm
>hi
> pls do copy and paste ur config ..and send it to us..
> do take care in removing the confidential info..
>thanks
>renil
As you were replying to me and you did not quote any context, I must
presume that you are asking me to post my PIX configuration. I really
don't think that would do any good in solving the original poster's
question. My configuration is thousands and thousands of lines that are
completely irrelevant to the matter at hand.
Cisco TAC keeps asking for my configuration and I keep telling them,
"You don't really want to read it, it won't help you, it will only
distract you" And sure enough, if I send in my config because the TAC
person I'm dealing with only knows how to go through the "Ask for the
configuration and run it through the output interpreter" script,
inevitably the TAC points to some irrelevant line and I have to spend
the next several hours teaching the TAC person how the PIX *really*
works. So.... somehow I really really doubt that my posting my
configuration would help the original poster!
Perhaps next time you could quote enough context so that we know
what is being asked? If you are using Google Groups, don't
click reply, click on Advanced Options and use the reply feature
exposed there: it quotes the posting being replied to, and
you can then trim that down to the relevant points you wish to
discuss.
--
Many food scientists have reported chocolate to be the single most
craved food. -- Northwestern University, 2001