RE: PIX to PIX IPSec Tunnel Through a PIX

["Al Cooper" <alc () 2wh com>]

Sorry for the lack of detail.


                10.1.3.1/24
             / [pix 501]
          / x.x.64.177/28  \
         /         |        \
        /          |         \
       /      ISP Network   Public IP's
       \           |         /
        \          |        /
         \         x.x.64.136/28
          \     [pix 515E]
         [VPN] 192.168.100.1/24
            \      |
             \     |
              \ Ethernet
               \   |
                    \  |
                102.168.100.54/24
               [pix 501]
              10.1.2.1/24




I hope this drawing makes sense.  The x.x IP's are public addresses.

I need the 10.1.2.0 and the 10.1.3.0 networks to see each other over the
public network with the 515 acting as a border firewall for one end.  The
501 behind the 515 needs to stay privately addressed so that it can access
services (servers and printers that are located on the 192.168.100.x
network).  It is preferred that the VPN terminates 501 to 501, however if
this design is not feasible the next best choice would be to terminate the
VPN 501 to 515 and access list the traffic through the last 501.

Access-list on the 515:
access-list 101 permit esp any host x.x.64.136
access-list 101 permit ah any host x.x.64.136
access-list 101 permit udp any host x.x.64.136 eq isakmp

Static mapping
static (inside,outside) x.x.64.136 192.168.100.54 netmask 255.255.255.255 0
0

and I added this command to the 515
isakmp nat-traversal

Both 501 have your basic ipsec/isakmp setup.

By the way, I have spent hours on the CCO site and on Google but cannot find
anything relating to this design.

Thanks for any help you can offer,

Al





-----Original Message-----
From: Brian Ford [mailto:brford () cisco com]
Sent: Thursday, March 04, 2004 9:17 AM
To: firewall-wizards () honor icsalabs com
Cc: Al Cooper
Subject: Re: [fw-wiz] PIX to PIX IPSec Tunnel Through a PIX


Al,

Have you looked at the Cisco web site (CCO)?  We have all sorts of examples
of how to configure IPSec VPN connectivity to and from the PIX on CCO.

Might I point out that based on how I read your message I don't think you
can do what you want to do.  In my opinion your message contains the
absolute minimum of actual useful information to qualify as a post.  You
should (look at CCO and then maybe) re-post your original message and give
us a clue as to how this is all addressed.

Try something like:

?IP [506] ?IP -- ?IP [501] ?IP -- ?IP [515] ?IP

BTW: Did I get this connectivity right?  I wasn't sure.  Are you trying to
run an IPSec VPN tunnel through an IPSec VPN tunnel or just through a
Firewall?

Please point out if the IP addresses are being supplied by the PIX, by and
ISP or if they are Internet addresses.

Liberty for All,

Brian


At 08:44 AM 3/4/2004 -0500, firewall-wizards-request () honor icsalabs com
wrote:
> From: "Al Cooper" <alc () 2wh com>
> To: <firewall-wizards () honor icsalabs com>
> Date: Tue, 2 Mar 2004 10:41:01 -0700
> Subject: [fw-wiz] PIX to PIX IPSec Tunnel Through a PIX
>
> I am attempting to establish a IPSec tunnel where 3 pix's are involved.  I
> have a PIX 506E on one end of the tunnel.  On the other end is a PIX 515E
> running PAT, that needs to pass through the IPSec tunnel to an internal 501
> where the tunnel will be terminated (through the Border firewall and
> terminated on the Departmental firewall).
>
> I am finding very little information on the proper way to set-up this
> network configuration.  I have read that I may need to use NAT instead of
> PAT, and use the Nat-T function on the 515E.  But other than that I am
lost.
> Can you Firewall experts lead me in the right direction?
>
> Thanks in advance for your help,
>
> Al Cooper


Brian Ford
Consulting Engineer, Security & Integrity Specialist
Office of Strategic Technology Planning
Cisco Systems Inc.
http://www.cisco.com/go/safe/

The opinions expressed in this message are those of the author and not
necessarily those of Cisco Systems, Inc..

This email address is transmitted from San Jose, California, U.S.A..


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards