Cisco PIX VPN Bridging – Am I missing something??

Tags: Incident response, Intrusion management, IT architecture, Network security, Service and support
Hi, I'm trying to set up a VPN between two internal sites on the same subnet. I have two PIX 506Es linked together (physically) in my test lab (on the outside interfaces). All the configuration examples I've seen of setting up a VPN are between two different logical networks. However, I want them to act as bridges so that all broadcast traffic will go across the VPN. The purpose of this setup is purely to keep out everything outside of the PIXes and encrypt the data that passes through. I don't require any communication between the inside network and the logical outside network. I have set both PIXes up with the VPN config and inside IPs on the same subnet, but no data passes through. Does anyone know what I am missing here? Thanks in advance for any help!

Answer Wiki


You can't have a VPN with the IPs on the same subnet? If both sides of the VPN are on the same subnet they will never go to the router/PIX.

Discuss This Question: 3 Replies

  • Mnm327
    If both sites are on the same subnet then they will never communicate through the PIX when talking to each other, therefore they will never use the VPN you've built. If you want to set up a VPN between the two sites they will need to be on different subnets so that their traffic gets routed through the PIX.
  • Rgoulding
    This is what I thought at first, but I saw examples of people with other firewalls that have done this, just not on the PIX. They seemed to use L2TP on top of the VPN, I think. However, you wouldn't think it would be so hard just to forward all the broadcasts across the VPN, as that is all that is required? Incidentally, I don't need to do this now as I have managed to sort it out on a different subnet. The original reason I couldn't do this was due to some politics within the company! Thanks for your help.
  • TR1947
    When both sender and destination IP numbers are on the same subnet (as determined by the subnet mask on the sender machine), the only broadcast will be the ARP request from the sender. If there is no response to that ARP, the sender will not try to send anything to the default route (the PIX). So unless the PIX is set up to do proxy ARP by responding with its MAC for any IP, it will not see anything sent from the sender host to be able to send it through the VPN. You need to configure the PIX as a layer 2 device so that it can respond to every ARP with its own MAC. It will then receive all traffic and forward what is not directly local through the VPN. The PIX will need to create an ARP table for all IPs on both sides of the VPN to be able to do this. This will also mean that all local traffic is transmitted twice, slowing down everything.
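The following is an added example, not code from the thread or from Cisco: a small Python model of the decision Mnm327 and TR1947 describe. A sender compares the destination against its own subnet mask; on-link destinations are ARPed for directly and never reach the PIX, off-link destinations go to the default route, and only packets that reach the PIX are tested against the crypto-map ACL. The `proxy-arp` branch models the layer-2 behaviour TR1947 describes (the PIX answering ARP for hosts that are absent locally) without claiming any particular PIX release provides it. All addresses, host lists and the ACL are constructed for illustration.

```python
"""Added example: simulate the sender's forwarding decision and the PIX
crypto-map match for the two-site lab discussed in the thread.
Addresses, host lists and ACLs below are constructed, not from the thread."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Site:
    """One side of the tunnel: the hosts actually present on that LAN."""
    hosts: set = field(default_factory=set)


def host_decision(src_ip, src_mask, dst_ip, site, pix_proxy_arp=False):
    """How a sender on `site` tries to reach dst_ip.

    Returns one of:
      'direct'      - on-link per the sender's mask and the host answers ARP;
                      the PIX never sees the packet
      'arp-timeout' - on-link per the mask but nobody answers the ARP;
                      the sender gives up, nothing goes to the default route
      'proxy-arp'   - on-link per the mask, absent locally, and the PIX answers
                      the ARP with its own MAC (the behaviour TR1947 describes;
                      assumed here, not a claim about any PIX release)
      'gateway'     - off-link, so the packet is sent to the default route (PIX)
    """
    net = ipaddress.ip_network(f"{src_ip}/{src_mask}", strict=False)
    if ipaddress.ip_address(dst_ip) not in net:
        return "gateway"
    if dst_ip in site.hosts:
        return "direct"
    if pix_proxy_arp:
        return "proxy-arp"
    return "arp-timeout"


def crypto_acl_permits(acl, src_ip, dst_ip):
    """Match the crypto-map 'interesting traffic' ACL: (src_net, dst_net) pairs."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
               for a, b in acl)


def crosses_vpn(src_ip, src_mask, dst_ip, site, acl, pix_proxy_arp=False):
    """Return (encrypted, how): whether the packet ends up in the tunnel, and why."""
    how = host_decision(src_ip, src_mask, dst_ip, site, pix_proxy_arp)
    if how in ("direct", "arp-timeout"):
        return False, how            # the PIX never received an IP packet to encrypt
    return crypto_acl_permits(acl, src_ip, dst_ip), how


# Constructed lab: site A sits behind PIX A; the peer host lives at site B.
SITE_A = Site(hosts={"192.168.1.10", "192.168.1.11"})

# Scenario 1: both sites numbered out of 192.168.1.0/24 (the original setup).
SAME_SUBNET_ACL = [("192.168.1.0/24", "192.168.1.0/24")]

# Scenario 2: site B renumbered to 192.168.2.0/24 (what the poster ended up doing).
ROUTED_ACL = [("192.168.1.0/24", "192.168.2.0/24")]


def demo():
    """Run the four cases the thread discusses and return their outcomes."""
    return {
        # same subnet, peer at site B: ARP goes unanswered, tunnel stays idle
        "same_subnet": crosses_vpn("192.168.1.10", "255.255.255.0", "192.168.1.20",
                                   SITE_A, SAME_SUBNET_ACL),
        # same subnet, PIX answers ARP for absent hosts: frame reaches PIX, ACL matches
        "same_subnet_proxy_arp": crosses_vpn("192.168.1.10", "255.255.255.0", "192.168.1.20",
                                             SITE_A, SAME_SUBNET_ACL, pix_proxy_arp=True),
        # local peer: answered directly, never touches the PIX even with proxy ARP on
        "local_peer": crosses_vpn("192.168.1.10", "255.255.255.0", "192.168.1.11",
                                  SITE_A, SAME_SUBNET_ACL, pix_proxy_arp=True),
        # different subnets: off-link, routed to the PIX, crypto ACL matches
        "routed": crosses_vpn("192.168.1.10", "255.255.255.0", "192.168.2.20",
                              SITE_A, ROUTED_ACL),
    }


if __name__ == "__main__":
    for name, (encrypted, how) in demo().items():
        print(f"{name:22s} via {how:12s} encrypted={encrypted}")
```

The `same_subnet` case is the poster's original lab: the sender's mask says the peer is local, the ARP is never answered, and the PIX has nothing to encrypt regardless of how the crypto map is written. Only renumbering one side (`routed`) or having the PIX answer ARP for absent hosts (`same_subnet_proxy_arp`) gets a packet as far as the crypto ACL.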
