PIX in multiple IPsec roles

Is there a plausible way to convince a PIX to pass through an IPsec tunnel to another device while simultaneously being an endpoint for a different tunnel?

I have sites A, B, and C. Each has a PIX515E with tunnels to the other two sites.

Now a vendor wants to establish a tunnel to a device inside PIX A. I seem to be lacking the right keywords to search for this.

-dsr-

--
http://tao.merseine.nu/~dsr/eula.html is hereby incorporated by reference.
You can't defend freedom by getting rid of it.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@...
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Re: PIX in multiple IPsec roles

On Wed, 19 Aug 2009 13:52:53 -0400 Dan Ritter <dsr@...> wrote:

> Is there a plausible way to convince a PIX to pass through an
> IPsec tunnel to another device while simultaneously being an
> endpoint for a different tunnel?
>
> I have sites A, B, and C. Each has a PIX515E with tunnels to the
> other two sites.
>
> Now a vendor wants to establish a tunnel to a device inside
> PIX A. I seem to be lacking the right keywords to search for
> this.
>
> -dsr-

It sounds like your vendor wants a static NAT to their device on the inside. Can you be a bit more verbose about the network setup? The PIX should see this traffic as normal traffic. I usually use a unique public IP for the NAT.

--
"An armed society is a polite society. Manners are good when one may have to back up his acts with his life." Robert A. Heinlein
"Fear is the father of servitude, and the captor of man. There cannot be slavery without fear, nor freedom with it."

Re: PIX in multiple IPsec roles

Dan Ritter wrote:

> Is there a plausible way to convince a PIX to pass through an
> IPsec tunnel to another device while simultaneously being an
> endpoint for a different tunnel?
>
> I have sites A, B, and C. Each has a PIX515E with tunnels to the
> other two sites.
>
> Now a vendor wants to establish a tunnel to a device inside
> PIX A. I seem to be lacking the right keywords to search for
> this.
>
> -dsr-

I don't quite understand. This new tunnel you want to set up, will it go from the outside internet to something inside pixA, or will it go from inside siteB or siteC to something inside siteA? Either way there should be no real problem that I can see, perhaps a smaller MTU if the latter case. If the former case, you may have to map some services to the inside device.