Re: Ping between PIX remote peers

["Brian Loe" <knobdy () gmail com>]

Now that Ralph explained my ignorance to me, I think what you'll need
is a second interface on the PIX, though you'd probably be better off
using a router if available.

A PIX doesn't route - that's the first thing. The second thing is that
if both of your VPNs are coming over the Internet into the PIX on the
third network via that PIX's outside interface, what you're trying to
do will never work. The PIX just sees the traffic from both networks
coming in on the same interface and assumes the traffic is spoofed.

One fix would be to add an interface to your PIX and give it access to
the Internet. One of those VPNs would then terminate on that
interface. Because both networks would then be local to the PIX it
would pass the traffic. I'm not sure how your friend would be doing
any better with the same setup and three PIXes - so long as the two
are still being terminated on that one PIX interface.

If I'm wrong, I'm sure Ralph or someone will let me know - and I'd be
curious about the security risks involved in using a second PIX
interface like this, if any.

On 4/28/06, Juan Pablo Feria Gomez <jferiago () gmail com> wrote:
> Ralph: A friend told me that his vpn peers can have communication, but
> he has pix as tunnel endponints on the 2 sites, (i have routers), does
> apply here what you said? "PIX will not send traffic out the same
> interface it came in on" or using pix as endpoint is different?
>
>
>
> Thanks in advance
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards