06-14-2007 12:45 AM
Hi,
My network looks like this:
ASA1(7.2.2)
||
INTERNET=====PIX (6.3.5)
||
ASA2(7.2.2)
I would like ASA1 to be able to access the PIX network and the ASA2 network.
I would also like ASA2 to be able to access the PIX network via ASA1, as well as the ASA1 network.
And finally, I would like the PIX to be able to access the ASA2 network via ASA1, as well as the ASA1 network.
Is it possible to do so?
Thanks
06-14-2007 03:17 AM
Hi,
It is possible. This is called 'Mesh VPN'; that is, each device will have a separate tunnel to all other devices in the network topology.
On the device ASA1(7.2.2.2):
------------------------------
Create a site-to-site vpn to PIX
create another site-to-site vpn to ASA2
On the device ASA2:
-------------------
Create a site-to-site vpn to PIX
create another site-to-site vpn to ASA1
On the device PIX:
-------------------
Create a site-to-site vpn to ASA2
create another site-to-site vpn to ASA1
Hope it helps.
--Jaffer
06-14-2007 04:01 AM
Hi,
Well, that is not exactly what I want to do.
I don't want a direct VPN tunnel between ASA2 and the PIX. I want ASA2 to go to the PIX through ASA1.
06-14-2007 06:42 AM
Yes, it is possible to hairpin the traffic on the outside interfaces of the ASAs to get the traffic over the tunnels to the PIX.
You need to enable same-security-traffic permit intra-interface. You also need to add the traffic to your crypto and NAT exemption ACLs (only if running outside NAT). Here is a good doc with an example...these are PIXes, but the config in the version 7 PIX is pretty much the same.
Please rate if it helps.
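The hairpin described in the answer above, as an added configuration sketch that is not part of the original thread or the linked document. It assumes the ASA1-to-PIX and ASA1-to-ASA2 site-to-site tunnels already exist, and shows only the lines the hairpin adds; the subnets, peer address, ACL names, crypto map name and sequence numbers are constructed for illustration.

```cisco
! Constructed addressing: ASA1 LAN 10.1.1.0/24, ASA2 LAN 10.2.2.0/24,
! PIX LAN 10.3.3.0/24, ASA1 outside address 198.51.100.1.

! --- ASA1 (hub, 7.2) ---
! Allow traffic to enter and leave the same (outside) interface.
same-security-traffic permit intra-interface
! Tunnel to the PIX now also carries ASA2's LAN as a local network.
access-list VPN-TO-PIX extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list VPN-TO-PIX extended permit ip 10.2.2.0 255.255.255.0 10.3.3.0 255.255.255.0
! Tunnel to ASA2 now also carries the PIX LAN as a local network.
access-list VPN-TO-ASA2 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN-TO-ASA2 extended permit ip 10.3.3.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address VPN-TO-PIX
crypto map OUTSIDE-MAP 20 match address VPN-TO-ASA2

! --- ASA2 (spoke, 7.2): single tunnel, peer is ASA1 only ---
! The crypto ACL must mirror ASA1's VPN-TO-ASA2 entries.
access-list VPN-TO-ASA1 extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN-TO-ASA1 extended permit ip 10.2.2.0 255.255.255.0 10.3.3.0 255.255.255.0
! Exempt the same flows from NAT on the inside interface.
access-list NONAT extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list NONAT extended permit ip 10.2.2.0 255.255.255.0 10.3.3.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto map OUTSIDE-MAP 10 match address VPN-TO-ASA1
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1

! --- PIX (spoke, 6.3): single tunnel, peer is ASA1 only ---
! 6.3 ACL syntax has no "extended" keyword; entries mirror ASA1's VPN-TO-PIX.
access-list VPN-TO-ASA1 permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN-TO-ASA1 permit ip 10.3.3.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list NONAT permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list NONAT permit ip 10.3.3.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto map OUTSIDE-MAP 10 match address VPN-TO-ASA1
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
```

Each crypto ACL entry on a spoke needs an exact mirror on ASA1, otherwise the IPsec security association for the spoke-to-spoke subnets will not be negotiated. Keeping these entries limited to the subnets that actually need to talk also limits what one site can reach at the other through the hub.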