I've read through Cisco's docs on creating remote access VPNs and L2L VPNs
and they do seem really straightforward, but I've run into a few sticking
points. I'm using ASDM/PDM on the two firewalls to set this up, and since
the two versions (firewall software and management software) are different,
it creates more questions.
1. During the guided setup (on the first page actually...) of the L2L VPN on
the PIX running 6.3, there's no place to specify the Tunnel Group, whereas
on the 7.0 there is. Also the commands seem to be slightly different
(vpngroup versus tunnel-group). Are these the same?
2. That leads to point two, which is, since I can't specify a tunnel-group
name on the 6.3 firewall, how will it know which tunnel to use? The existing
remote access VPN, or whatever the guided setup names it?
3. Also, I've read a lot about 6.3 having the limitation that traffic from
VPN clients can't be routed back out the same interface it entered. This
will be a problem if true, because the firewall in question only has 1 external
interface. I've read that the same-interface-security and split-tunnel
commands can mitigate that problem. Is this true? I think it may be true
that it does work, since I can access the internet unhindered when connected
by the VPN client, but I'll have to trace it and verify that.
Thanks to all who have replied, and your further input is greatly
appreciated...
-----Original Message-----
From: Michael Diana [mailto:MDiana@...]
Sent: Wednesday, May 23, 2007 12:45 PM
To: Dan Denton
Subject: RE: Cisco PIX VPN question...
You can easily have both VPN clients and multiple PIX-to-PIX tunnels on
the same appliance. The easiest way is to go through the easy VPN setup
within the PDM on both ends. Be aware, though, that when you add a new
VPN instance, IPsec is reset and clients might be bounced. So I
tend to add new tunnels after hours and notify the clients. Hope
this helps,
Michael
-----Original Message-----
From: listbounce@... [mailto:listbounce@...]
On Behalf Of Dan Denton
Sent: Tuesday, May 22, 2007 4:33 PM
To: firewalls@...
Subject: Cisco PIX VPN question...
-----Original Message-----
From: Dan Denton [mailto:ddenton@...]
Sent: Monday, May 21, 2007 1:47 PM
To: 'firewalls@...'
Subject: Cisco PIX VPN question...
Hello list...
I have a PIX 506E and a PIX 515E, each at a different location. Each firewall
has a remote access VPN set up. I'd like to set up a point-to-point VPN
connection between the two so users at one location won't have to use their
VPN clients unless they're off site. Each firewall only has one outside and
one inside interface. The 515E is running 7.0 and the 506E is running 6.3.
Does anyone out there have experience on setting up the two VPN technologies
simultaneously? I don't want to break the existing remote access VPNs.
Dan Denton
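Added for reference, not part of the thread above and not either poster's configuration: the PIX 6.3 and PIX 7.0 command equivalents for running a remote access client group and a LAN-to-LAN peer on the same outside interface, which is what the vpngroup versus tunnel-group question comes down to. Every group, pool and ACL name, the networks, the peer addresses and the ******** keys are placeholders; the 6.3 side relies on the client group being matched by group name and the L2L peer by its address, and on 6.3 the no-xauth and no-config-mode keywords on the peer's isakmp key are what keep the L2L peer from being challenged like a VPN client once a vpngroup exists. same-security-traffic permit intra-interface is a 7.0 command and has no 6.3 equivalent.

```text
! ===== PIX 6.3 (the 506E side) =====
! Remote access group: clients are matched by the group name/password the
! VPN client presents, so the L2L peer never hits this group.
ip local pool RAPOOL 10.1.200.1-10.1.200.50
access-list SPLIT_ACL permit ip 10.1.0.0 255.255.0.0 10.1.200.0 255.255.255.0
vpngroup RAGROUP address-pool RAPOOL
vpngroup RAGROUP split-tunnel SPLIT_ACL
vpngroup RAGROUP idle-time 1800
vpngroup RAGROUP password ********

! LAN-to-LAN peer (placeholder address 203.0.113.2) is matched by address.
! no-xauth / no-config-mode: required when vpngroups coexist on the same box,
! otherwise the peer is prompted for XAUTH and mode-config like a client.
isakmp key ******** address 203.0.113.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp enable outside

! Exempt both the L2L traffic and the client pool from NAT.
access-list L2L_ACL permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.1.200.0 255.255.255.0
nat (inside) 0 access-list NONAT

! One crypto map: static entry for the peer, dynamic entry (highest sequence
! number, evaluated last) for the clients.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address L2L_ACL
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE_MAP client configuration address respond
crypto map OUTSIDE_MAP interface outside
sysopt connection permit-ipsec

! ===== PIX 7.0 (the 515E side) =====
! vpngroup and "isakmp key ... address" are gone. The client group becomes a
! tunnel-group of type ipsec-ra plus a group-policy; the L2L peer becomes a
! tunnel-group of type ipsec-l2l whose name is the peer address. The isakmp
! policy, transform-set and crypto map lines are the same as on 6.3.
ip local pool RAPOOL 10.2.200.1-10.2.200.50
access-list SPLIT_ACL standard permit 10.2.0.0 255.255.0.0
group-policy RAPOLICY internal
group-policy RAPOLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL
tunnel-group RAGROUP type ipsec-ra
tunnel-group RAGROUP general-attributes
 address-pool RAPOOL
 default-group-policy RAPOLICY
tunnel-group RAGROUP ipsec-attributes
 pre-shared-key ********
! Peer is the 506E's outside address (placeholder 198.51.100.2).
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key ********
! 7.0 only: lets traffic that arrived on outside (VPN clients) leave via
! outside again, e.g. client -> L2L tunnel. 6.3 has no equivalent.
same-security-traffic permit intra-interface
```

The RAGROUP name and pre-shared key on the 7.0 side must match the vpngroup name and password that the existing clients already use, or the clients will be cut off when the group is recreated; the L2L keys on the two boxes must match each other. Because the dynamic crypto map entry catches anything the static entry does not, check with `show crypto isakmp sa` (7.0) or `show isakmp sa` (6.3) that the peer lands on the static entry and not on the client path.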