Multiple VPN

Answered Question
Jun 14th, 2007

Hi,

My network is like this:

          ASA1 (7.2.2)
              ||
INTERNET ==== PIX (6.3.5)
              ||
          ASA2 (7.2.2)

I would like ASA1 to be able to access the PIX network and the ASA2 network.

I would also like ASA2 to be able to access the PIX network via ASA1, and the ASA1 network.

And finally, I would like the PIX to be able to access the ASA2 network via ASA1, and the ASA1 network.

Is it possible to do so?

Thanks

jaffer_sathik2010 Thu, 06/14/2007 - 03:17

Hi,

It is possible. This is called a 'Mesh VPN', that is, each device has a separate tunnel to every other device in the network topology.

On the device ASA1 (7.2.2):

------------------------------

Create a site-to-site vpn to PIX

create another site-to-site vpn to ASA2

On the device ASA2:

-------------------

Create a site-to-site vpn to PIX

create another site-to-site vpn to ASA1

On the device PIX:

-------------------

Create a site-to-site vpn to ASA2

create another site-to-site vpn to ASA1

Hope it helps.

--Jaffer

rdubo Thu, 06/14/2007 - 04:01

Hi,

Well, that is not exactly what I want to do.

I don't want a direct VPN tunnel between ASA2 and the PIX. I want ASA2 to reach the PIX through ASA1.

Correct Answer: acomiskey Thu, 06/14/2007 - 06:42

Yes, it is possible to hairpin the traffic on the outside interfaces of the ASAs to get the traffic over the tunnels to the PIX.

You need to enable same-security-traffic permit intra-interface. You also need to add the traffic to your crypto and NAT exemption ACLs (only if running outside NAT). Here is a good doc with an example. These are PIXes, but the config on the version 7 PIX is pretty much the same.

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

Please rate if it helps.
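Worked configuration for the hub-and-spoke layout asked about in this thread, with ASA1 as the hub hairpinning spoke-to-spoke traffic on its outside interface. This is an added example, not configuration posted by acomiskey or taken from the linked Cisco document. All addresses, ACL names, crypto-map names and pre-shared-key placeholders are assumed for illustration (RFC 5737 documentation ranges for the public addresses, 10.x.0.0/24 for the LANs): ASA1 LAN 10.1.0.0/24 with outside 203.0.113.1, PIX LAN 10.2.0.0/24 with outside 198.51.100.1, ASA2 LAN 10.3.0.0/24 with outside 192.0.2.1. Syntax is ASA 7.2 on the hub and PIX 6.3 on the spoke.

```cisco
! ===== ASA1 (hub, ASA 7.2 syntax) =====
! Addresses and names below are assumed for this example.

! Hairpin: let a packet that arrived on "outside" (decrypted from one
! tunnel) leave "outside" again (re-encrypted into the other tunnel).
same-security-traffic permit intra-interface

! Crypto ACL for the tunnel to the PIX. It must carry BOTH the hub LAN
! and the ASA2 LAN, because ASA2 -> PIX traffic is re-encrypted here.
access-list to-pix extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list to-pix extended permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0

! Crypto ACL for the tunnel to ASA2, likewise including the PIX LAN.
access-list to-asa2 extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
access-list to-asa2 extended permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0

! NAT exemption for the hub's own LAN talking to either spoke.
access-list inside-nonat extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list inside-nonat extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
nat (inside) 0 access-list inside-nonat

! NAT exemption on "outside" for the hairpinned spoke-to-spoke flows.
! Only required if you apply NAT to traffic entering the outside interface.
access-list outside-nonat extended permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list outside-nonat extended permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0
nat (outside) 0 access-list outside-nonat

! IKE phase 1 (same policy must exist on both spokes).
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! IPsec phase 2 and one crypto map with two entries, one per spoke.
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac
crypto map vpnmap 10 match address to-pix
crypto map vpnmap 10 set peer 198.51.100.1
crypto map vpnmap 10 set transform-set AES-SHA
crypto map vpnmap 20 match address to-asa2
crypto map vpnmap 20 set peer 192.0.2.1
crypto map vpnmap 20 set transform-set AES-SHA
crypto map vpnmap interface outside

! One tunnel-group per peer; replace the placeholders with real keys.
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key KEY-FOR-PIX-PLACEHOLDER
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key KEY-FOR-ASA2-PLACEHOLDER

! ===== PIX (spoke, PIX 6.3 syntax) =====
! The spoke has a single tunnel, to ASA1 only, but its crypto ACL must
! mirror the hub's entries so the ASA2 LAN is reachable through the hub.
access-list to-asa1 permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list to-asa1 permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0
nat (inside) 0 access-list to-asa1
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address to-asa1
crypto map vpnmap 10 set peer 203.0.113.1
crypto map vpnmap 10 set transform-set AES-SHA
crypto map vpnmap interface outside
isakmp enable outside
isakmp key KEY-FOR-PIX-PLACEHOLDER address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2

! ===== ASA2 (spoke, ASA 7.2 syntax) =====
! Same pattern as the PIX: one peer (ASA1), crypto ACL lists both the
! ASA1 LAN and the PIX LAN, NAT exemption covers the same pairs.
access-list to-asa1 extended permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list to-asa1 extended permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list to-asa1
```

The point to check after applying this: on ASA1, `show crypto ipsec sa` should show an SA for each spoke-pair in the crypto ACLs (for example a 10.3.0.0/24 to 10.2.0.0/24 SA on the PIX tunnel), and on each spoke the crypto ACL and NAT-exemption ACL must be exact mirrors of what the hub advertises, or phase 2 will fail with a proxy-identity mismatch for the spoke-to-spoke pair. The two pre-shared keys on the hub should be different, so that compromising one spoke does not give the attacker the other spoke's tunnel.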
