Multiple VPN

rdubo
Level 1

Hi,

My network is set up this way:

ASA1 (7.2.2)
    ||
INTERNET ===== PIX (6.3.5)
    ||
ASA2 (7.2.2)

I would like ASA1 to be able to access the PIX network and the ASA2 network.

As well, I would like ASA2 to be able to access the PIX network via ASA1, and the ASA1 network.

And finally, I would like the PIX to be able to access the ASA2 network via ASA1, and the ASA1 network.

Is it possible to do so?

Thanks


3 Replies

Hi,

It is possible. This is called a 'Mesh VPN', that is, each device will have a separate tunnel to every other device in the network topology.

On the device ASA1 (7.2.2):

------------------------------

Create a site-to-site vpn to PIX

create another site-to-site vpn to ASA2

On the device ASA2:

-------------------

Create a site-to-site vpn to PIX

create another site-to-site vpn to ASA1

On the device PIX:

-------------------

Create a site-to-site vpn to ASA2

create another site-to-site vpn to ASA1

Hope it helps.

--Jaffer

Hi,

Well, that is not exactly what I want to do.

I don't want a direct VPN tunnel between ASA2 and the PIX. I want ASA2 to go to the PIX through ASA1.

Accepted Solution

Yes, it is possible to hairpin the traffic on the outside interfaces of the ASAs to get the traffic over the tunnels to the PIX.

You need to enable same-security-traffic permit intra-interface. You also need to add the traffic to your crypto and NAT exemption ACLs (the NAT exemption only if running outside NAT). Here is a good doc with an example. These are PIXes, but the config on a version 7 PIX is pretty much the same.

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

Please rate if it helps.
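The following is an added configuration example illustrating the accepted solution above; it is not from the original post or from the linked Cisco document. The hub (ASA1) terminates a tunnel to each spoke, and each crypto ACL on the hub carries both the hub's own LAN and the far spoke's LAN, so that decrypted traffic from ASA2 destined for the PIX LAN is routed back out the outside interface and re-encrypted on the PIX tunnel. All addresses (203.0.113.x on the outside, 10.1/10.2/10.3.0.0/24 on the inside), ACL and crypto map names, the AES/SHA/DH group 2 proposal and the pre-shared-key placeholders are assumptions chosen for the example. The `crypto isakmp` form is the 7.2 syntax (7.0/7.1 use `isakmp` without the prefix).

```cisco
! --- Hub ASA1 (7.2.2) ---
! Assumed addressing: ASA1 outside 203.0.113.10 / inside 10.1.0.0/24
!                     ASA2 outside 203.0.113.20 / inside 10.2.0.0/24
!                     PIX  outside 203.0.113.30 / inside 10.3.0.0/24
!
! 1. Allow traffic decrypted on "outside" to leave via "outside" again (the hairpin).
same-security-traffic permit intra-interface
!
! 2. Crypto ACLs: each tunnel carries the hub LAN AND the other spoke's LAN.
access-list VPN-TO-PIX extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
access-list VPN-TO-PIX extended permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0
access-list VPN-TO-ASA2 extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list VPN-TO-ASA2 extended permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0
!
! 3. NAT exemption for the hub's own LAN. Spoke-to-spoke traffic never crosses
!    "inside", so it only needs an exemption when NAT is applied on "outside".
access-list NONAT extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list NONAT extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
! Only if outside NAT is in use (otherwise leave these out):
! access-list NONAT-OUT extended permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0
! access-list NONAT-OUT extended permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0
! nat (outside) 0 access-list NONAT-OUT
!
! 4. IKE phase 1 and IPsec phase 2 (proposal and PSK values are placeholders).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-TO-PIX
crypto map OUTSIDE_MAP 10 set peer 203.0.113.30
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 20 match address VPN-TO-ASA2
crypto map OUTSIDE_MAP 20 set peer 203.0.113.20
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.30 type ipsec-l2l
tunnel-group 203.0.113.30 ipsec-attributes
 pre-shared-key PIX-PSK-PLACEHOLDER
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key ASA2-PSK-PLACEHOLDER

! --- Spoke ASA2 (7.2.2): one tunnel to ASA1 that also carries the PIX LAN ---
! (isakmp policy and transform-set as on ASA1)
access-list VPN-TO-ASA1 extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list VPN-TO-ASA1 extended permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0
nat (inside) 0 access-list VPN-TO-ASA1
crypto map OUTSIDE_MAP 10 match address VPN-TO-ASA1
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key ASA2-PSK-PLACEHOLDER

! --- Spoke PIX (6.3.5): same mirror-image ACL in 6.3 syntax ---
! (no "extended" keyword; "isakmp key" instead of tunnel-group)
access-list VPN-TO-ASA1 permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list VPN-TO-ASA1 permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list VPN-TO-ASA1
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address VPN-TO-ASA1
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
isakmp enable outside
isakmp key PIX-PSK-PLACEHOLDER address 203.0.113.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

The crypto ACLs must be exact mirror images across each pair of peers, otherwise the proxy identities will not match in phase 2 and the spoke-to-spoke SA never comes up. To verify, ping from a 10.2.0.0/24 host to a 10.3.0.0/24 host and check `show crypto isakmp sa` and `show crypto ipsec sa` on ASA1: both tunnels should be up, with the 10.2.0.0/24 to 10.3.0.0/24 SA showing decaps on the ASA2 tunnel and encaps on the PIX tunnel. Two caveats for a practitioner: the hub handles every spoke-to-spoke packet in the clear between decryption and re-encryption, so it is the trust point and the bottleneck for that traffic; and because `sysopt connection permit-vpn` is on by default on 7.x (`sysopt connection permit-ipsec` on the PIX 6.3), decrypted traffic bypasses the outside interface ACL, so if the spokes should not have unrestricted access to each other, restrict it with a `vpn-filter` in the tunnel's group-policy rather than relying on the interface ACL.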
