damn
Premium
join:2002-10-23
nyc

PIX - VPN Client to site-to-site VPN ?

How can one allow Cisco VPN clients to access a site-to-site VPN that is established on the PIX 501?


MSN7

join:2004-05-15
Osgoode, ON
You can't. This type of "hairpinning" behaviour is specifically not a capability of these devices.

/Eric


damn
Premium
join:2002-10-23
nyc
Oh well that sucks. Any workarounds maybe? I have Sonicwall 1350 (I think that's the model) available too.
--
The best thing about piracy is the music in the keygens.


MSN7

join:2004-05-15
Osgoode, ON
If you have a router on an inside network you could bounce your packets off of *it* as your next hop gateway to the remote site. You might need to NAT the source address of the VPN client's packets in order to fool the PIX into letting them back out through the site-to-site VPN.

/Eric


damn
Premium
join:2002-10-23
nyc
Is that only a PIX limitation? Maybe I should just ask management to get something more current.


MSN7

join:2004-05-15
Osgoode, ON
ASA too. Might be able to configure a router as a VPN gateway and use its loopback interface to bounce the traffic back through the site-to-site VPN.

/Eric

garnetbobcat

join:2007-10-02
Beginning with 7.x you can configure hairpinning on the ASA or PIX. 7.x does not run on the 501 or 506e.

The command "same-security-traffic" will allow you to do what you want, so if you can get an upgrade to an ASA you should be all set. Here are a couple of hairpinning examples:

»www.cisco.com/en/US/products/hw/ ··· 07.shtml

»www.cisco.com/en/US/products/hw/ ··· ae.shtml

FYI, the ASA5505 is the SOHO ASA.
--
Matt
CCIE Security
»www.wr-mem.com
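The pieces that make the "same-security-traffic" approach work, as an added illustration that is not from the post above or from the linked Cisco documents. It assumes ASA/PIX 7.x syntax, an already-working LAN-to-LAN tunnel, and made-up addressing: inside LAN 10.1.1.0/24, VPN client pool 192.168.1.0/24, remote site 10.2.2.0/24 behind peer 203.0.113.2. Object and ACL names are assumed as well.

```text
! Hairpinning remote-access clients into an existing L2L tunnel (ASA/PIX 7.x).
! All addresses and names are assumed for illustration.

! 1. Let traffic enter and leave the same interface: the client tunnel and
!    the site-to-site tunnel both terminate on outside.
same-security-traffic permit intra-interface

! 2. Address pool handed to the VPN clients.
ip local pool vpnpool 192.168.1.1-192.168.1.254 mask 255.255.255.0

! 3. NAT exemption so neither client nor site-to-site traffic is translated.
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
! Client-pool to remote-site traffic arrives and leaves on outside; with
! nat-control enabled it needs its own exemption on that interface.
access-list nonat-outside extended permit ip 192.168.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (outside) 0 access-list nonat-outside

! 4. Crypto ACL for the L2L tunnel: the client pool must appear as a source,
!    or the firewall will not select this tunnel for the hairpinned packets.
access-list l2l-to-branch extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list l2l-to-branch extended permit ip 192.168.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address l2l-to-branch
crypto map outside_map 20 set peer 203.0.113.2
crypto map outside_map 20 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside

! 5. The split-tunnel list pushed to the clients must include the remote
!    site, otherwise the client never sends 10.2.2.0/24 into its tunnel.
access-list split-tunnel standard permit 10.1.1.0 255.255.255.0
access-list split-tunnel standard permit 10.2.2.0 255.255.255.0
group-policy ravpn-policy internal
group-policy ravpn-policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
tunnel-group ravpn type ipsec-ra
tunnel-group ravpn general-attributes
 address-pool vpnpool
 default-group-policy ravpn-policy
tunnel-group ravpn ipsec-attributes
 pre-shared-key <assumed-client-psk>

! 6. The far end must mirror the crypto ACL (add 192.168.1.0/24 as a
!    destination) and exempt it from NAT, or phase 2 for the client subnet
!    will never negotiate.
```

Two checks worth doing before calling it done: "show crypto ipsec sa" on both ends should list a security association for 192.168.1.0/24 <-> 10.2.2.0/24 once a client sends traffic, and the remote site's crypto ACL must be an exact mirror or the proxy identities will not match. Hairpinning also gives every remote-access user transitive reach into the partner network, so it is sensible to restrict them with a "vpn-filter" ACL on the group policy rather than allowing the whole remote subnet.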


MSN7

join:2004-05-15
Osgoode, ON
said by garnetbobcat:

Beginning with 7.x you can configure hairpinning on the ASA or PIX. 7.x does not run on the 501 or 506e.

The command "same-security-traffic" will allow you to do what you want, so if you can get an upgrade to an ASA you should be all set. Here are a couple of hairpinning examples:

»www.cisco.com/en/US/products/hw/ ··· 07.shtml

»www.cisco.com/en/US/products/hw/ ··· ae.shtml

FYI, the ASA5505 is the SOHO ASA.
Good catch! Thanks,

Eric


damn
Premium
join:2002-10-23
nyc
reply to garnetbobcat
I actually found another PIX 501. I will establish the tunnels on it and will use old one for dial-in access. Tested it today and it worked fine.