IPsec VPN with 2 PIX firewalls and 1 2600 router

bhansen70
Level 1

Does anyone know if it's possible to set up a full mesh VPN topology when using 2 Cisco PIX firewalls and 1 Cisco 2600 router. I have no issues at all getting the VPN up between the PIX firewalls and 1 tunnel up between the router and PIX. The problem I am having is when trying to get the second tunnel from the router to the second PIX up and running.

5 Replies

Jon Marshall
Hall of Fame

Hi

All the devices you mention can do multiple tunnels so there should not be an issue with creating a full mesh between them.

Suspect it may be a configuration issue? Perhaps you could post the configs.

Jon

Here are the configs I have right now. The PIX VPN is working just fine, so I think there is something missing on the router side of the VPN to the 2 PIX firewalls.

Thanks

Hi

Which VPN tunnel is not working?

In your router config it is a bit confusing, as access-list 101 refers to 192.168.31.0/24, which matches all your other configs on the PIX firewalls.

Access-list 102, however, references 192.168.3.x. Unless this is a typo, this would mean that this traffic would get NATted and hence would not initiate a VPN tunnel, i.e.

PIX1 thinks traffic should be coming from 192.168.31.0/24. However, because your access-list 102 is referencing 192.168.3.x/24, the 192.168.31.x traffic from your 2600 will get NATted and hence will not match at the PIX end.

Does this make sense?

Jon

Yes, that did make some sense. I was able to get the tunnels all up and working in the mesh configuration just by rebuilding ACL 101 to deny the other 2 remote offices so they bypass NAT.

access-list 101 deny ip 192.168.31.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.31.0 0.0.0.255 10.1.52.0 0.0.0.255
access-list 101 deny ip 192.168.31.0 0.0.0.255 10.169.88.0 0.0.0.255
access-list 101 permit ip 192.168.31.0 0.0.0.255 any

Then I just used my nonat policy to match ip address 101.

Once I did that, everything came up just fine and it is working great now.

Thanks for your input it was good information.
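To make Jon's order-of-operations point and the rebuilt ACL 101 above concrete, here is an added Python model (not from this thread or from Cisco) that runs a packet through the NAT-exempt ACL first, then through the crypto ACL, and finally checks whether the PIX peer's mirror entry would match what arrives. The crypto ACL, the "typo" ACL, the outside address and the host addresses are constructed assumptions; only the rebuilt ACL 101 is taken from the thread.

```python
import ipaddress

# ACLs as (action, source, destination) tuples in IOS first-match order.
# With 'ip nat inside source route-map nonat ...' and 'match ip address 101'
# in the route-map, a 'deny' entry means "do not translate", 'permit' means "translate".
NONAT_ACL_FIXED = [                      # ACL 101 as rebuilt in the thread
    ("deny",   "192.168.31.0/24", "192.168.1.0/24"),
    ("deny",   "192.168.31.0/24", "10.1.52.0/24"),
    ("deny",   "192.168.31.0/24", "10.169.88.0/24"),
    ("permit", "192.168.31.0/24", "0.0.0.0/0"),
]
NONAT_ACL_TYPO = [                       # hypothetical: the 192.168.3.x typo Jon suspected
    ("deny",   "192.168.3.0/24",  "192.168.1.0/24"),
    ("permit", "192.168.31.0/24", "0.0.0.0/0"),
]
# Hypothetical crypto ACL on the 2600 for the tunnel to the PIX in front of 192.168.1.0/24;
# the PIX side is assumed to hold the mirror image of this entry.
CRYPTO_ACL = [("permit", "192.168.31.0/24", "192.168.1.0/24")]
NAT_OUTSIDE_IP = "203.0.113.1"           # constructed outside address of the 2600

def acl_action(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"

def would_encrypt(nonat_acl, crypto_acl, src, dst):
    """Model IOS inside-to-outside order of operations: NAT is decided first,
    then the crypto map is checked against the post-NAT packet."""
    natted = acl_action(nonat_acl, src, dst) == "permit"
    post_nat_src = NAT_OUTSIDE_IP if natted else src
    encrypted = acl_action(crypto_acl, post_nat_src, dst) == "permit"
    return {"natted": natted, "post_nat_src": post_nat_src, "encrypted": encrypted}

def mirror_matches(crypto_acl, post_nat_src, dst):
    """Would the packet arriving at the PIX match the mirror of our crypto ACL?
    The peer lists (its LAN -> our LAN), so source and destination are swapped."""
    mirrored = [(a, d_net, s_net) for a, s_net, d_net in crypto_acl]
    return acl_action(mirrored, dst, post_nat_src) == "permit"

if __name__ == "__main__":
    for label, nonat in (("fixed ACL 101", NONAT_ACL_FIXED), ("typo ACL", NONAT_ACL_TYPO)):
        r = would_encrypt(nonat, CRYPTO_ACL, "192.168.31.10", "192.168.1.10")
        print(label, r, "PIX match:", mirror_matches(CRYPTO_ACL, r["post_nat_src"], "192.168.1.10"))
```

With the typo ACL the packet leaves with the outside address as its source, so neither the router's crypto map nor the PIX's mirrored ACL matches it, which is exactly the symptom of a tunnel that never comes up.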

No problem, glad you got it sorted.

Jon
