> You could do this but if you did you would have to configure the firewall
> outside interface to pass VPN traffic.

Yes, and no. Yes, I am passing VPN traffic, but it's not bound for the outside IP of the firewall, it's bound for the static NAT rule, which xlats the external to the outside IP of the VPN (assuming the outside NIC doesn't have a routable IP).

> If you configure the firewall to pass VPN traffic you lose the capability of
> using that outside firewall interface to terminate site to site VPN
> connections.

Are you sure? I can't see any reason why this would be with the PIX. You could terminate one VPN to a static IP (as in using the static+conduit commands), and one to the outside NIC's IP, couldn't you? I can test this out if you like.

> I like leaving that capability available in case I have to build a site
> quickly.

I don't like VPNs on firewalls. For site to site it may not be that bad, but there is always the chance that the VPN can run away with your CPU, and thus DoS your firewall, affecting any traffic passing through it. If it's for general remote access then I would flat out not use it. If there is ever a problem VPN (say buffer overflow or something else nasty) who knows what could happen. Worst case you are going into the office at 3am to upgrade/reinstall the firewall (eek!) (....backups?...)

> For troubleshooting sake you might find yourself allowing the firewall's
> outside interface to respond to pings.

Which is the default setup on the PIX.

> This is in case a remote user wants to check to see if they can reach your
> site. Great for troubleshooting, I hate turning on ping for the firewall's
> outside interface.

This is why you log everything. Want to troubleshoot a connection issue? Look at the VPN logs; still nothing? Go to your log server and tail -f | egrep '(x\.x\.x\.x|y\.y\.y\.y)' (x being the VPN's IP, y being the remote VPN's IP). You will find out what the problem is, and if the other side wants to know what's going on, paste the logs into an email. Problem solved.

Thoughts?

Firewalls mailing list http://lists.gnac.net/mailman/listinfo/firewalls
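The log-server filter described in the reply, as an added example that is not part of the original post or thread: it builds the egrep pattern from the two peer addresses so the dots are escaped, and adds -w so a peer such as 198.51.100.7 does not also match 198.51.100.70. The log lines, addresses, and function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Filters a syslog stream for the
# two VPN peers of one tunnel, the "tail -f | egrep '(x|y)'" technique from the
# reply, with escaped dots and whole-word matching so prefixes of an address
# (10.1.1.5 inside 10.1.1.50) are not reported as hits.

# Escape the dots in an IPv4 address so they are literal in the regex.
escape_ip() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Print only lines mentioning either peer. Reads the log on stdin.
# Usage: vpn_peer_lines LOCAL_PEER REMOTE_PEER < logfile
vpn_peer_lines() {
    a=$(escape_ip "$1")
    b=$(escape_ip "$2")
    grep -E -w "($a|$b)"
}

# Number of matching lines in a file; useful for a quick sanity check.
vpn_peer_count() {
    vpn_peer_lines "$1" "$2" < "$3" | wc -l | tr -d ' '
}

# Constructed sample log (RFC 5737 documentation addresses, invented messages).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan 10 03:02:11 fw01 isakmp: phase 1 proposal from 198.51.100.7 rejected
Jan 10 03:02:12 fw01 isakmp: phase 1 proposal from 198.51.100.70 accepted
Jan 10 03:02:13 fw01 ipsec: SA established with 203.0.113.5
Jan 10 03:02:14 fw01 http: 192.0.2.200 GET /index.html
Jan 10 03:02:15 fw01 ipsec: no proposal chosen from 203.0.113.5
EOF

# Live use would be: tail -f /var/log/firewall.log | vpn_peer_lines 203.0.113.5 198.51.100.7
vpn_peer_lines 203.0.113.5 198.51.100.7 < "$SAMPLE_LOG"
```

Only the three lines for 203.0.113.5 and 198.51.100.7 are printed; the 198.51.100.70 line is excluded because of -w.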
