Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Dual PIX's? 1

Status
Not open for further replies.
Bubbalouie

Bubbalouie

Technical User
Mar 25, 2009
107
US
I have a PIX 506 connected to a 2811 router (ATT T1x2 MIS). The PIX resides on 192.168.1.0 255.255.255.0 network. It supports 8 site-to-site vpn tunnels.

Each tunnel terminates at a 1750 router that resides on a corresponding class c sunbnet that increments up from 192.168.2.0 255.255.255.0 to 192.168.9.0 255.255.255.0.

I have a spare PIX 506 laying on a shelf, just in case the one in production fritzes on me. A couple of weeks ago I got a backup cable modem with a static IP that I would plan on using in case the T1's went down (3 times in the last year, two cable cuts and a corrupted flash image on the 2811. so much for 5 9's of reliability!).

One of the 8 vpn tunnels connects to a site that has special needs and very whiny users. I wanna hook that spare PIX to the cable modem, remove that site's VPN from the existing PIX and add it to the new PIX so that the cable connection is dedicated solely to the traffic of the whiny people.

So in the end, I'm just wanting to have two PIX connected to my network. Is that possible to do?

Thanks In Advance!

 
Sort by date Sort by votes
Yes, you. You will have to square away your internal routing.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
Well it sounds positive from the standpoint that you seem to indicate I can do it, but the 'square away your internal routing' sound a little worrisome. Do you see an obvious problem with it now?

Should I be looking to do something in particular on this kinda setup?

 
Upvote 0 Downvote
just make sure your servers etc. have routes back to the separate vpn network so traffic knows where to go.
shouldn't be that hard.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
OK, I'm gonna give this a try tomorrow.

I've got the second PIX (PIX2) online now but it's not hooked up to my internal network. It's already config'ed and looking for the external ip on router at the remote site.

1. at the central site, i've got a 1750 on the internal network doing routing. i'm gonna add an ip route command to tell traffic looking for the 192.168.9.0 255.255.255.0 subnet to head for PIX2 instead of PIX1.

2. break the tunnel on PIX1 to 192.168.9.0

3. connect PIX2 to my internal network

4. on the remote router, I'll change the isakmp key and the set peer statement to look for PIX2's external ip address.

I've got a little ping utility on a worksation at the remote site. I'm gonna set it to start pinging a server at the main site before I start the process. I'm thinking if my idea is correct the pinging should bring the tunnel up.

I think that is all I should need to do. However, I'm sure I'm forgetting something! If anyone can spot something I've missed I'd sure appreciate hearing it.

 
Upvote 0 Downvote
It's working!!!

Thanks for the heads up on the routing!
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

pbxnkey
  • Locked
  • Question
ASA 5505 with Dual ISP's
Replies
1
Views
42
nosebreaker
nosebreaker
DROFNUD
  • Locked
  • Question
Routing issue over dual path firewall...
Replies
0
Views
41
DROFNUD
DROFNUD
zaleeu
  • Locked
  • Question
TZ 100 Dual ISP's
Replies
1
Views
59
joepc
joepc
Dinamik
  • Locked
  • Question
Easy VPN between PIX's
Replies
0
Views
26
Dinamik
Dinamik
litelnole
  • Locked
  • Question
Dual gateway infrastructure - ASA gives TCP/SYN error on wrong port
Replies
0
Views
31
litelnole
litelnole

Part and Inventory Search

Sponsor

Back
Top