Cisco PIX VPN Bridging – Am I missing something??

Hi, I'm trying to set up a VPN between two internal sites on the same subnet. I have 2 PIX 506E's linked together (physically) in my test lab (on outside interfaces). All the configuration examples I've seen of setting up a VPN are between 2 different logical networks. However, I want them to act as bridges so that all broadcast traffic will go across the VPN. The purpose of this setup is purely to keep out everything outside of the PIXs and encrypt the data that passes through. I don't require any communication between the inside network and the logical outside network. I have set both PIXs up with the VPN config and inside IPs on the same subnet, but no data passes through. Does anyone know what I am missing here? Thanks in advance for any help!

Answer Wiki

You can't have a VPN with the IPs on the same subnet? If both sides of the VPN are on the same subnet they will never go to the router/PIX.

Discuss This Question: 3 Replies

  • Mnm327
    If both sites are on the same subnet then they will never communicate through the PIX when talking to each other; therefore they will never use the VPN you've built. If you want to set up a VPN between the two sites they will need to be on different subnets so that their traffic gets routed through the PIX.
  • Rgoulding
    This is what I thought at first, but I saw examples of people with other firewalls that have done this, just not on the PIX. They seemed to use L2TP on top of the VPN, I think. However, you wouldn't think it would be so hard just to forward all the broadcasts across the VPN, as that is all that is required?? Incidentally, I don't need to do this now as I have managed to sort it out on a different subnet. The original reason I couldn't do this was due to some politics within the company! Thanks for your help.
  • TR1947
    When both sender and destination IP numbers are on the same subnet (as determined by the subnet mask on the sender machine), the only broadcast will be the ARP request from the sender. If there is no response to that ARP, the sender will not try to send anything to the default route (the PIX). So unless the PIX is set up to do proxy ARP by responding with its MAC for any IP, it will not see anything sent from the sender host to be able to send it through the VPN. You need to configure the PIX as a layer 2 device so that it can respond to every ARP with its own MAC. It will then receive all traffic and forward what is not directly local through the VPN. The PIX will need to create an ARP table for all IPs on both sides of the VPN to be able to do this. This will also mean that all local traffic is transmitted twice, slowing down everything.
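The forwarding logic described in the reply above, as an added simulation that is not part of this thread: a host only hands a frame to the PIX when something on its own LAN answers the ARP for the next hop, which is why a flat subnet never reaches the tunnel unless the PIX proxy-ARPs for everything, and why the routed fix works. The hosts, addresses and the single "Firewall" object standing in for both PIX inside interfaces are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    prefix: int   # subnet mask length as configured on the host
    gateway: str
    segment: str  # physical LAN the host is plugged into ("A" or "B")

@dataclass
class Firewall:
    """Two PIX inside interfaces joined by a tunnel, modelled as one device."""
    inside: dict                 # segment -> inside interface IP on that segment
    table: dict                  # IP -> segment, learned for every host on both sides
    proxy_arp_all: bool = False  # answer every ARP with its own MAC (layer-2 mode)

def next_hop(h: Host, dst: str) -> str:
    """The address the sender ARPs for: dst itself if on-link, else its gateway."""
    net = ipaddress.ip_network(f"{h.ip}/{h.prefix}", strict=False)
    return dst if ipaddress.ip_address(dst) in net else h.gateway

def deliver(fw: Firewall, hosts: list, src_name: str, dst: str) -> str:
    """Trace one unicast packet and report how (or whether) it reaches dst."""
    src = next(h for h in hosts if h.name == src_name)
    target = next_hop(src, dst)
    host_answers = any(h.ip == target and h.segment == src.segment for h in hosts)
    fw_answers = target == fw.inside[src.segment] or fw.proxy_arp_all
    if host_answers and not fw_answers:
        return "direct"  # never touches the PIX, so never touches the VPN
    if not host_answers and not fw_answers:
        return "dropped: no ARP reply, sender never hands the frame to the PIX"
    dst_segment = fw.table.get(dst)  # PIX must know every IP on both sides
    if dst_segment is None:
        return "dropped at PIX: destination not in its ARP/forwarding table"
    if dst_segment == src.segment:
        return "local, but also relayed by PIX (transmitted twice)"
    return "forwarded through VPN"

# Constructed lab: LAN A and LAN B each sit behind one PIX inside interface.
SAME_SUBNET = [Host("a1", "10.1.1.10", 24, "10.1.1.1", "A"),
               Host("a2", "10.1.1.11", 24, "10.1.1.1", "A"),
               Host("b1", "10.1.1.20", 24, "10.1.1.2", "B")]
ROUTED = [Host("a1", "10.1.1.10", 24, "10.1.1.1", "A"),
          Host("b1", "10.1.2.20", 24, "10.1.2.1", "B")]

def flat_fw(proxy_arp: bool) -> Firewall:
    return Firewall({"A": "10.1.1.1", "B": "10.1.1.2"},
                    {h.ip: h.segment for h in SAME_SUBNET}, proxy_arp)

def routed_fw() -> Firewall:
    return Firewall({"A": "10.1.1.1", "B": "10.1.2.1"},
                    {h.ip: h.segment for h in ROUTED})
```

Running `deliver(flat_fw(False), SAME_SUBNET, "a1", "10.1.1.20")` reproduces the poster's symptom (dropped before the PIX ever sees it), while `flat_fw(True)` shows the proxy-ARP workaround and its duplicated local traffic, and `routed_fw()` shows the different-subnet fix.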
