Firewall Wizards mailing list archives
RE: PIX to PIX IPSec Tunnel Through a PIX
From: "Al Cooper" <alc () 2wh com>
Date: Thu, 4 Mar 2004 16:54:41 -0700
Sorry for the lack of detail.

    10.1.3.1/24 [pix 501] x.x.64.177/28
                     |
                     |
           ISP Network (Public IP's)
                     |
                     |
                x.x.64.136/28
                [pix 515E] [VPN]
                192.168.100.1/24
                     |
                     |
                  Ethernet
                     |
                     |
    102.168.100.54/24 [pix 501] 10.1.2.1/24

I hope this drawing makes sense. The x.x IP's are public addresses. I need the 10.1.2.0 and the 10.1.3.0 networks to see each other over the public network with the 515 acting as a border firewall for one end. The 501 behind the 515 needs to stay privately addressed so that it can access services (servers and printers that are located on the 192.168.100.x network). It is preferred that the VPN terminates 501 to 501, however if this design is not feasible the next best choice would be to terminate the VPN 501 to 515 and access list the traffic through the last 501.

Access-list on the 515:

    access-list 101 permit esp any host x.x.64.136
    access-list 101 permit ah any host x.x.64.136
    access-list 101 permit udp any host x.x.64.136 eq isakmp

Static mapping:

    static (inside,outside) x.x.64.136 192.168.100.54 netmask 255.255.255.255 0 0

and I added this command to the 515:

    isakmp nat-traversal

Both 501 have your basic ipsec/isakmp setup. By the way, I have spent hours on the CCO site and on Google but cannot find anything relating to this design.

Thanks for any help you can offer,
Al

-----Original Message-----
From: Brian Ford [mailto:brford () cisco com]
Sent: Thursday, March 04, 2004 9:17 AM
To: firewall-wizards () honor icsalabs com
Cc: Al Cooper
Subject: Re: [fw-wiz] PIX to PIX IPSec Tunnel Through a PIX

Al,

Have you looked at the Cisco web site (CCO)? We have all sorts of examples of how to configure IPSec VPN connectivity to and from the PIX on CCO. Might I point out that based on how I read your message I don't think you can do what you want to do. In my opinion your message contains the absolute minimum of actual useful information to qualify as a post.
You should (look at CCO and then maybe) re-post your original message and give us a clue as to how this is all addressed. Try something like:

    ?IP [506] ?IP -- ?IP [501] ?IP -- ?IP [515] ?IP

BTW: Did I get this connectivity right? I wasn't sure. Are you trying to run an IPSec VPN tunnel through an IPSec VPN tunnel or just through a Firewall? Please point out if the IP addresses are being supplied by the PIX, by an ISP or if they are Internet addresses.

Liberty for All,
Brian

At 08:44 AM 3/4/2004 -0500, firewall-wizards-request () honor icsalabs com wrote:
From: "Al Cooper" <alc () 2wh com>
To: <firewall-wizards () honor icsalabs com>
Date: Tue, 2 Mar 2004 10:41:01 -0700
Subject: [fw-wiz] PIX to PIX IPSec Tunnel Through a PIX

I am attempting to establish an IPSec tunnel where 3 PIXes are involved. I have a PIX 506E on one end of the tunnel. On the other end is a PIX 515E running PAT, that needs to pass through the IPSec tunnel to an internal 501 where the tunnel will be terminated (through the Border firewall and terminated on the Departmental firewall). I am finding very little information on the proper way to set up this network configuration. I have read that I may need to use NAT instead of PAT, and use the Nat-T function on the 515E. But other than that I am lost.

Can you Firewall experts lead me in the right direction?

Thanks in advance for your help,
Al Cooper
Brian Ford
Consulting Engineer, Security & Integrity Specialist
Office of Strategic Technology Planning
Cisco Systems Inc.
http://www.cisco.com/go/safe/

The opinions expressed in this message are those of the author and not necessarily those of Cisco Systems, Inc. This email address is transmitted from San Jose, California, U.S.A.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
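Editorial example added to the archive, not from any poster in the thread: a small audit of the 515 fragment quoted above that pairs each one-to-one static with the access-list entries permitting IPsec to it. It assumes PIX 6.x syntax as shown in the post; the requirement for UDP/4500 comes from NAT-Traversal (RFC 3947/3948), which a peer sitting behind a static NAT will fall back to when both ends support it.

```python
import re

# PIX 515E fragment exactly as quoted in the post above.
PIX_515_CONFIG = """
access-list 101 permit esp any host x.x.64.136
access-list 101 permit ah any host x.x.64.136
access-list 101 permit udp any host x.x.64.136 eq isakmp
static (inside,outside) x.x.64.136 192.168.100.54 netmask 255.255.255.255 0 0
isakmp nat-traversal
"""

# Inbound permits an IPsec peer behind a one-to-one static needs: ESP and AH
# carry no ports, IKE is UDP/500 (PIX keyword "isakmp"), and a peer that
# detects NAT floats IKE and ESP into UDP/4500 (NAT-T, RFC 3947/3948).
REQUIRED = {("esp", None), ("ah", None), ("udp", "isakmp"), ("udp", "4500")}

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(
    r"^access-list (\S+) permit (\S+) (?:any|host \S+|\S+ \S+) host (\S+)(?: eq (\S+))?$"
)


def parse_statics(config):
    """Map outside (global) address -> inside address for host statics only."""
    statics = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m and m.group(5) == "255.255.255.255":
            statics[m.group(3)] = m.group(4)
    return statics


def parse_permits(config, acl_name):
    """Map destination host -> set of (protocol, port-or-None) permitted by acl_name."""
    permits = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            permits.setdefault(m.group(3), set()).add((m.group(2), m.group(4)))
    return permits


def audit_ipsec_passthrough(config, acl_name):
    """For each static-mapped host, list the IPsec permits the ACL still lacks."""
    permits = parse_permits(config, acl_name)
    report = {}
    for global_ip, local_ip in parse_statics(config).items():
        missing = REQUIRED - permits.get(global_ip, set())
        report[global_ip] = {
            "inside": local_ip,
            "missing": sorted(f"{proto}/{port or '-'}" for proto, port in missing),
        }
    return report


if __name__ == "__main__":
    for outside, info in audit_ipsec_passthrough(PIX_515_CONFIG, "101").items():
        print(outside, "->", info["inside"], "missing:", info["missing"] or "none")
```

Run against the quoted fragment it reports only udp/4500 as absent for x.x.64.136; adding a matching `eq 4500` permit clears the report.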
Current thread:
- PIX to PIX IPSec Tunnel Through a PIX Al Cooper (Mar 02)
- <Possible follow-ups>
- PIX to PIX IPSec Tunnel Through a PIX Al Cooper (Mar 04)
- RE: PIX to PIX IPSec Tunnel Through a PIX Melson, Paul (Mar 04)
- Re: PIX to PIX IPSec Tunnel Through a PIX Brian Ford (Mar 07)
- RE: PIX to PIX IPSec Tunnel Through a PIX Al Cooper (Mar 07)