All traffic in Vpn

Unanswered Question
Mar 6th, 2007

Hi,

I have some VPNs (IPSec) that are deployed between my headquarters and some branch offices through Cisco PIX.

PIX 525 at headquarters and PIX 501 at the branches.

So far, internet traffic from each branch office was independent (NAT).

Now we have increased bandwidth at headquarters (2Mb > 8 Mb) and I would like to pass all traffic to headquarters through the IPSec tunnel, so all internet traffic will also pass through only the router at the main site.

Can I do it?

Could somebody advise me of some documents or configuration examples about it?

best regards

Lorenzo

kaachary Tue, 03/06/2007 - 02:12

Hi Lorenzo,

First of all, you need to have the PIX 525 on 7.x code for U-turning to work.

You can go through the document that explains a similar scenario for a VPN client:

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

Your setup would be very similar. Let me know if you have some more questions.

*Please rate if helped.

-Kanishka

lformelli Tue, 03/06/2007 - 02:57

Hi

Perhaps I didn't explain it so well.

I don't have a VPN client, but I have all my branch networks behind PIX 501s.

I want to know if I can also pass internet traffic through the IPSec tunnel and, if I can, how to do it.

best regards

Lorenzo

kaachary Tue, 03/06/2007 - 05:03

Hi Lorenzo,

I understand you do not have a VPN client, but there's no ready-made config example for what you are trying to do.

To give you a brief idea of what the configuration on PIX 7.x would look like, I sent you the doc.

I will proceed to give you an example of what the config will look like. Assuming the PIX 501 n/w is 1.1.1.0/24 and PIX 525 n/w is 2.2.2.0

On PIX 501:

The crypto ACL would look like:

access-list cry_acl permit ip 1.1.1.0 255.255.255.0 any

On PIX 525:

same-security-traffic permit intra-interface

The crypto ACL:

access-list cry_acl permit ip any 1.1.1.0 255.255.255.0

The NAT config (to NAT the traffic for the Internet):

nat (outside) 1 1.1.1.0 255.255.255.0

global (outside) 1 interface

Let me know if you have some more questions.

*Please rate if helped.

-Kanishka
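
An added example, not part of the thread or of Cisco's documentation: a small Python check that a spoke/hub config pair meets the three conditions in the reply above (mirrored crypto ACLs, intra-interface traffic permitted on the hub, an outside NAT rule covering the branch network). The sample configs are constructed from the lines in the thread, and the function names are assumptions.

```python
import ipaddress
import re

# Constructed sample configs, modelled on the lines posted in the thread.
SPOKE_CFG = "access-list cry_acl permit ip 1.1.1.0 255.255.255.0 any\n"
HUB_CFG = """same-security-traffic permit intra-interface
access-list cry_acl permit ip any 1.1.1.0 255.255.255.0
nat (outside) 1 1.1.1.0 255.255.255.0
global (outside) 1 interface
"""
ACL_RE = re.compile(r"access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+(.+)")
NAT_RE = re.compile(r"nat \(outside\) \d+ ([\d.]+) ([\d.]+)")

def _endpoint(tok):
    """Consume one 'any' | 'host A' | 'NET MASK' endpoint; return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def parse_acl(cfg, name):
    """Return (source, destination) pairs of ACL `name`; ValueError if an entry does not parse."""
    entries = set()
    for line in cfg.splitlines():
        m = ACL_RE.fullmatch(line.strip())
        if not m or m.group(1) != name:
            continue
        try:
            src, rest = _endpoint(m.group(2).split())
            dst, rest = _endpoint(rest)
        except IndexError:
            raise ValueError(f"truncated ACL entry: {line!r}") from None
        entries.add((src, dst))
    return entries

def audit(spoke_cfg, hub_cfg, acl="cry_acl"):
    """Return findings for the hub-side U-turn setup; an empty list means all checks passed."""
    spoke, hub = parse_acl(spoke_cfg, acl), parse_acl(hub_cfg, acl)
    findings = []
    if not spoke or {(d, s) for s, d in spoke} != hub:
        findings.append("crypto ACLs are not mirror images")
    lines = [l.strip() for l in hub_cfg.splitlines()]
    if "same-security-traffic permit intra-interface" not in lines:
        findings.append("hub: intra-interface traffic not permitted")
    natted = [ipaddress.ip_network("/".join(m.groups())) for m in map(NAT_RE.match, lines) if m]
    for src, _ in spoke:
        if not any(src.subnet_of(n) for n in natted):
            findings.append(f"hub: no nat (outside) rule covering {src}")
    return findings
```

A mismatch between the two crypto ACLs is worth catching before deployment, because the peers then disagree on which traffic belongs in the tunnel.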
