Access Thru Hub and Spoke Tunnels

Unanswered Question
Jun 5th, 2007

Hi,

I'm not even sure how to title this conversation, but here goes. We have a hub and spoke VPN setup with a 515E as the headend. There are PIX 501s at the remote locations. I have several remote site connecting to the PIX server, but not to each remote location. For server administrative purposes, I'd like to be able to allow the remote site to be able to at least VNC or Remote Desktop thru the tunnels.

Is this possible? What are the security implications? What would the access-list look like? Are the access-lists on the PIX head end only or are there access-list on all firewalls allowing traffic thru?

Some sites are easy VPN and others are Site to Site.

Thanks in advance for any advice,

Vince


The standard VPN configuration for PIXes includes the command:

sysopt connection permit-ipsec

If that command is present then no traffic will be filtered through the VPN tunnels at all. So there's nothing limiting traffic between the sites that have a successful VPN connection.

If that command is not present in the config, then there have to be specific access-list rules allowing inbound IPSec traffic and what the remote users need access to.

So if you already have VPNs configured between the remote sites and the hub site, then they will be able to VNC or whatever already (if the above command is present).

If you're looking to get remote-site to remote-site VPN access to work that's a different issue.

srue Tue, 06/05/2007 - 12:06

sounds like he wants remote-site to remote-site network connectivity, w/o doing full-mesh VPNs. right???

upgrade your PIX to 7.x and use 'hairpinning'.

If this is the case, let us know.

vdinenna71 Tue, 06/05/2007 - 12:27

Thanks for your reply,

No, we are not looking to do site to site.

We are trying to use the 515E as a VPN hub in a sense. VPN connections exist from remote offices to HQ in a hub and spoke config.

I want to sit at a remote office and control a server in another remote office.

RemoteOfficeA501E---HQ515E---remoteOfficeB501E

In one VPN tunnel and out the other.

Thanks,

Vince

vdinenna71 Tue, 06/05/2007 - 12:21

Thanks for the reply.

The command "sysopt connection permit-ipsec" is present. Does this command need to be on the remote office PIX also or just the headend?

The access-list is extensive. Maybe there's an access-list that supersedes this command? I don't see any "deny" statements.

We are not looking to have site to site between remote offices.

Thanks again,

Vince

srue Tue, 06/05/2007 - 12:31

but you need CONNECTIVITY between remote sites (w/o using remote-site to remote-site vpn). If that's the case, you need to use hairpinning - which means your PIX515e needs to be running PIX OS 7.x since 6.x doesn't support it.
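As an added example (not configuration from this thread or from Cisco), this is what the hub-side PIX 7.x configuration for the hairpinning srue describes could look like, written to also answer Vince's questions about the access-list and the security implications: the tunnel bypass is removed and only VNC and RDP are allowed spoke-to-spoke. All subnets, ACL names and peer addresses are constructed; each spoke's own crypto ACL (or Easy VPN split-tunnel list) must likewise include the other spoke's subnet.

```cisco
! Constructed example, hub PIX 515E on 7.0:
!   HQ inside = 192.168.0.0/24, spoke A = 10.1.0.0/24, spoke B = 10.2.0.0/24
! Hairpinning: let traffic that arrives on "outside" leave through "outside" again
same-security-traffic permit intra-interface

! Crypto ACLs: each spoke's tunnel must carry the OTHER spoke's subnet, not only HQ's,
! otherwise the hub has no SA to forward the hairpinned packets into
access-list HQ-TO-SPOKEA extended permit ip 192.168.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list HQ-TO-SPOKEA extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list HQ-TO-SPOKEB extended permit ip 192.168.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list HQ-TO-SPOKEB extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto map VPNMAP 10 match address HQ-TO-SPOKEA
crypto map VPNMAP 10 set peer 203.0.113.10
crypto map VPNMAP 20 match address HQ-TO-SPOKEB
crypto map VPNMAP 20 set peer 203.0.113.20

! Spoke-to-spoke traffic turns around on "outside", so exempt it from NAT there
access-list NONAT-OUTSIDE extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list NONAT-OUTSIDE extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (outside) 0 access-list NONAT-OUTSIDE

! Security: with the bypass present, every tunnel sees every other tunnel unfiltered.
! Remove it so decrypted traffic is checked against the outside interface ACL.
no sysopt connection permit-ipsec

! Only RDP (3389) and VNC (5900) between the spokes; the reverse direction is
! covered by the stateful connection table. Add the HQ-bound rules the spokes
! already needed (constructed: full IP to HQ inside) and everything else in the
! tunnels is dropped and logged by the implicit deny.
access-list OUTSIDE-IN extended permit tcp 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0 eq 3389
access-list OUTSIDE-IN extended permit tcp 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0 eq 5900
access-list OUTSIDE-IN extended permit tcp 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0 eq 3389
access-list OUTSIDE-IN extended permit tcp 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0 eq 5900
access-list OUTSIDE-IN extended permit ip 10.1.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list OUTSIDE-IN extended permit ip 10.2.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-group OUTSIDE-IN in interface outside
```

Verify with `show crypto ipsec sa` that each spoke's tunnel has an SA whose local/remote identity includes the other spoke's subnet; if only the HQ subnet shows up, the spoke-side crypto ACL was not updated.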

vdinenna71 Tue, 06/05/2007 - 12:37

Ok, I understand what you are saying.

So what I'm asking now wasn't possible with 6.x.

We are supposed to upgrade to two T1 lines as soon as AT&T gets off their...and calls us back. Been waiting 2 months to upgrade. We are upgrading to PIX 7.0 and the newest IOS.

I'll revisit this later if no alternative exists.

Thanks for your help,

Vince
