Cannot pass traffic destined for another network through VPN

alunemanuel · ‎05-14-2007

Hi,

I've configured a VPN between 2 offices. I can send data from the head office to the remote office. My problem is that the remote office needs to connect to other offices though the head office. Please see the attachments for the 2 route configs (ABC-Cardiff = head office, ABC-Swansea= remote office).

Users in the remote office 10.41.X.X need to connect to servers in another office 10.10.X.X through the cardiff office 10.40.X.X.

Can anyone advise me how to edit the configs to allow the remote office access to all networks. A traceroute from the remote office to 10.10.1.101 shows that the traffic isn;t going down the VPN connection.

If any of this doesn't make sense please let me know and I will be happy to provide further info.

TIA,

Al

bwilmoth · ‎05-18-2007

It looks like you are trying to setup Hub and spoke VPN.

Hub-and-spoke topology is not supported in PIX version 6.x because version 6.x does not redirect traffic back out the same interface it was received on.

This feature is also known as traffic redirection or hairpinning and is supported in PIX version 7.x.

Refer this link for config:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

tkaye · ‎05-24-2007

hello,

The first reply is technically correct if you had two VPN sites connected to your head office, and wanted to establish connections between the two vpn sites.

Thats certainly my scenario.

Your scenario, your VPN is only configured to match the traffic for the 10.4x. networks.

At your head office you route 10.10.0.0/16 via 10.40.5.100.

You need to ensure your ACL's 100 and 101 permit and deny the traffic to 10.10.0.0/16 the same way your currently doing between 10.40 and 10.41

Hope that helps

PS - on both ends!!!