dslreports logo
 
    All Forums Hot Topics Gallery
spc
uniqs
3

cyberpost
join:2004-05-15
Osgoode, ON

cyberpost to damn

Member

to damn

Re: PIX - VPN Client to site-to-site VPN ?

If you have a router on an inside network you could bounce your packets off of *it* as your next hop gateway to the remote site. You might need to NAT the source address of the VPN client's packets in order to fool the PIX into letting them back out through the site-to-site VPN.

/Eric

damn
Premium Member
join:2002-10-23
nyc

damn

Premium Member

Is that only PIX limitation? Maybe I should just ask management to get something more current.

cyberpost
join:2004-05-15
Osgoode, ON

cyberpost

Member

ASA too. Might be able to configure a router as a VPN gateway and use its loopback interface to bounce the traffic back through the site-to-site VPN.

/Eric
garnetbobcat
join:2007-10-02

garnetbobcat

Member

Beginning with 7.x you can configure hairpinning on the ASA or PIX. 7.x does not run on the 501 or 506e.

The command "same-security-traffic" will allow you to do what you want, so if you can get an upgrade to an ASA you should be all set. Here are a couple hairpinning examples:

»www.cisco.com/en/US/prod ··· 07.shtml

»www.cisco.com/en/US/prod ··· ae.shtml

FYI, the ASA5505 is the SOHO ASA.

cyberpost
join:2004-05-15
Osgoode, ON

cyberpost

Member

said by garnetbobcat:

Beginning with 7.x you can configure hairpinning on the ASA or PIX. 7.x does not run on the 501 or 506e.

The command "same-security-traffic" will allow you to do what you want, so if you can get an upgrade to an ASA you should be all set. Here are a couple hairpinning examples:

»www.cisco.com/en/US/prod ··· 07.shtml

»www.cisco.com/en/US/prod ··· ae.shtml

FYI, the ASA5505 is the SOHO ASA.
Good catch! Thanks,

Eric

damn
Premium Member
join:2002-10-23
nyc

damn to garnetbobcat

Premium Member

to garnetbobcat
I actually found another PIX 501. I will establish the tunnels on it and will use old one for dial-in access. Tested it today and it worked fine.