[fw-wiz] PIX to PIX VPN Assistance please

Hello All,

I know I'm new here and hopefully you folks can help me out. I am by no
means an expert with the PIX, and I'm trying hard to muddle through
this. A couple of these devices were thrown at me, and I was told to
configure them up which I did and they work. But now I'm being asked to
do something I've no experience with and it's rather challenging.

Local Network
PIX #1 (525 unrestricted OS = 6.35)
Inside = / outside = (not the real IP)
Several machines inside are statically NAT'd to external addresses
(machine 1 =, etc..) and the rest (about 50 or so) are
Dynamically NAT'd to the outside ( interface PAT)

Remote Network
PIX #2 (515E unrestricted OS=6.35)
Inside = / outside = (again, not the real IP)
Several machines inside are statically NAT'd to external addresses
(machine 1 =, etc..) and the rest (about 20 or so) are
Dynamically NAT'd to the outside ( interface PAT)

Both locations need to access a 3rd network (let's say 132.132.132.x),
but the 3rd network will only accept traffic from the Local network, and
this cannot be changed since the administrators of 132.132.132.x are not
very accommodating.

Now, what I was thinking of doing was creating a VPN between the two
PIXes and routing ONLY the traffic destined to 132.132.132.x from the
remote network through the VPN into the local network. I've done similar
using PPTP and an RRAS server, but as I said before, the PIXes are
outside my normal scope of expertise.

The actual question in all of this is:
Can anyone out there assist me by sending me the commands needed to do
this from the CLI, or if possible the step by step way to do it with the
PDM (I'm comfortable with either)? I'm assuming that I could just modify
the received instructions with my real IP addresses.

Incidentally, I have looked for documentation through Google, and found
http://www.cisco.com/warp/public/110/38.html, but I'm concerned that
this will make all traffic go through the VPN and not just the
132.132.132.x bound traffic, thus my query to this list!

Kindest Regards,

Norm Bernard MCSA, MCSE, CompTIA A+
Regional Informatics Coordinator
Industrial Research Assistance Program <http://www.nrc.gc.ca/irap-pari>
Ph:(604) 221-3023 Fax: (604) 221-3101
National Research Council of Canada <http://www.nrc.gc.ca>
Government of Canada

firewall-wizards mailing list
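The following is an added illustration, not part of the original post or a reply to it, of the point the poster is worried about: on a PIX 6.3 LAN-to-LAN tunnel, the crypto access list attached to the crypto map decides which traffic is "interesting" and gets encrypted, so an ACL that matches only remote-inside to 132.132.132.0/24 sends just that traffic through the VPN while everything else keeps using interface PAT. All addresses are constructed placeholders (the post withholds the real ones), the ACL, crypto map and transform-set names are arbitrary, and the pre-shared key is a placeholder. The example assumes 132.132.132.0/24 is reached from the local PIX's inside interface via internal routing; how the remote hosts are then made to appear as local-network addresses to the third network (outside NAT on the local PIX, or translation on an internal router) is a separate design choice not shown here.

```text
! --- Remote PIX (#2), PIX 6.3 syntax; example config, not from the post ---
! Constructed placeholder addresses:
!   remote inside  = 10.2.0.0/24      local inside  = 10.1.0.0/24
!   remote outside = 198.51.100.2     local outside = 203.0.113.1
!
! Crypto ACL: only remote-inside -> 132.132.132.0/24 is "interesting"
! traffic for the tunnel. Everything else keeps using interface PAT.
access-list TO_THIRD_NET permit ip 10.2.0.0 255.255.255.0 132.132.132.0 255.255.255.0
! NAT exemption so tunnelled packets keep their real inside source
! addresses instead of being PAT'd to the outside interface address.
nat (inside) 0 access-list TO_THIRD_NET
! Let decrypted IPsec traffic bypass the outside-interface access list.
sysopt connection permit-ipsec
! Phase 2 proposal (AES was added in PIX 6.3; 3DES also works).
crypto ipsec transform-set L2L_SET esp-aes-256 esp-sha-hmac
crypto map L2L 10 ipsec-isakmp
crypto map L2L 10 match address TO_THIRD_NET
crypto map L2L 10 set peer 203.0.113.1
crypto map L2L 10 set transform-set L2L_SET
crypto map L2L interface outside
! Phase 1 (IKE): pre-shared key bound to the single peer address only.
isakmp enable outside
isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! --- Local PIX (#1): mirror image ---
! The crypto ACL must be the exact mirror of the remote side's ACL, or
! the phase 2 proposals will not match and the SA will not come up.
access-list FROM_REMOTE permit ip 132.132.132.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list FROM_REMOTE
sysopt connection permit-ipsec
crypto ipsec transform-set L2L_SET esp-aes-256 esp-sha-hmac
crypto map L2L 10 ipsec-isakmp
crypto map L2L 10 match address FROM_REMOTE
crypto map L2L 10 set peer 198.51.100.2
crypto map L2L 10 set transform-set L2L_SET
crypto map L2L interface outside
isakmp enable outside
isakmp key REPLACE_WITH_STRONG_PSK address 198.51.100.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Verification after a remote host sends traffic to 132.132.132.x:
!   show crypto isakmp sa          -> phase 1 SA with the peer in QM_IDLE
!   show crypto ipsec sa           -> pkts encaps/decaps counters increasing
!   show access-list TO_THIRD_NET  -> hitcnt increasing on that ACE only;
!                                     ordinary Internet traffic leaves no hits
```

Two caveats a practitioner would check before relying on this. First, NAT exemption via `nat (inside) 0 access-list` is what keeps the statically and dynamically translated hosts from being rewritten on their way into the tunnel; a plain `nat (inside) 0 <network>` does not take a destination into account and would exempt far more than the 132.132.132.x traffic. Second, PIX 6.x does not forward traffic back out the interface it arrived on, so if 132.132.132.0/24 is actually reached through the local PIX's outside interface rather than from its inside, decrypted packets from the remote site cannot be "U-turned" on a 6.3 image; that capability arrived in PIX 7.0 as `same-security-traffic permit intra-interface`.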
