Connecting across multiple vpn tunnels

Unanswered Question
Jan 20th, 2008

I have lan2lan tunnels between 2 branch offices and the main office. The branch offices have ASA5505 and the main office has a PIX515E. We are using cisco soft phones at the branch offices and they can talk to the main office but cannot talk to each other. There is no audio even though the call connects. What we need is to configure the PIX515e such that there is RTP stream between the 2 branch offices. This can be achieved by creating a l2l vpn between the 2 branch offices but I am looking for a solution that allows data to flow between the 2 branches via the main office.

srue Sun, 01/20/2008 - 14:17

make sure your crypto acl's for each remote site allow not only HQ, but also the other remote site.

then add the command "same-security-interface permit inter-interface".

side note, voice quality would be better if the vpn flowed directly between sites. If you don't plan on growing the number of remote sites, it only takes one more L2L vpn to be fully meshed.
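
As an added illustration of the two steps in Steven's reply (this is not configuration from the thread), here is what the relevant pieces look like on PIX/ASA 7.x, using constructed addressing: HQ LAN 10.0.0.0/24, Branch A 10.1.0.0/24 behind peer 198.51.100.1, Branch B 10.2.0.0/24 behind peer 198.51.100.2, an HQ interface named `outside`, and a transform set `ESP-AES-SHA` assumed to exist already. ISAKMP policy and pre-shared keys are unchanged from a normal hub-and-spoke setup and are omitted. The hairpin command as it is actually spelled in 7.x is `same-security-traffic permit intra-interface`; `inter-interface` is a different option that only covers traffic between two interfaces at the same security level.

```text
!--- Branch A (ASA 5505): the tunnel to HQ must carry Branch B's LAN as well,
!--- otherwise RTP to 10.2.0.0/24 never matches the crypto map and is dropped or sent in the clear.
access-list L2L-HQ extended permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list L2L-HQ extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
!--- NAT exemption must cover the same pairs so the voice streams are not translated
access-list NONAT extended permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list NONAT extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
!--- Branch B is the mirror image: 10.2.0.0/24 to 10.0.0.0/24 and to 10.1.0.0/24.

!--- HQ PIX 515E, 7.0 or later: allow a packet that arrived on 'outside' (decrypted from
!--- Branch A) to leave on 'outside' again (re-encrypted toward Branch B).
same-security-traffic permit intra-interface

!--- Crypto ACL for Branch A: HQ LAN plus Branch B LAN as the local side
access-list L2L-BRANCH-A extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list L2L-BRANCH-A extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
!--- Crypto ACL for Branch B: HQ LAN plus Branch A LAN as the local side
access-list L2L-BRANCH-B extended permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list L2L-BRANCH-B extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0

!--- HQ's own LAN-to-branch traffic must not be NATed
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
!--- If nat-control is enabled, the hairpinned branch-to-branch flows also need an
!--- exemption on the outside interface (constructed example, adjust to your policy):
access-list NONAT-OUTSIDE extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list NONAT-OUTSIDE extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (outside) 0 access-list NONAT-OUTSIDE

crypto map OUTSIDE-MAP 10 match address L2L-BRANCH-A
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 20 match address L2L-BRANCH-B
crypto map OUTSIDE-MAP 20 set peer 198.51.100.2
crypto map OUTSIDE-MAP 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
```

The crypto ACLs on each end of a tunnel have to be mirror images of each other, so every pair you add at a branch must also appear in the HQ entry for that branch. To check that the relay works, place a call between the branches and look at `show crypto ipsec sa` on the PIX: both the 10.1.0.0/24 to 10.2.0.0/24 and the 10.2.0.0/24 to 10.1.0.0/24 SAs should show packet counters incrementing in both directions. On 7.2 and later, `packet-tracer input outside udp 10.1.0.10 16384 10.2.0.10 16384` walks a sample RTP packet through the path and shows which phase (ACL, NAT, VPN) would drop it. None of this applies to PIX 6.3, which has no same-security-traffic command and cannot forward traffic back out the interface it came in on.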

Richard Burts Sun, 01/20/2008 - 19:26


I believe that Steven has correctly identified the basic issue as the fact that by default the PIX will not forward out an interface traffic that was received on that interface. A common result of that is that VPN site to site works from remotes to HQ but not from remote to remote. The command that he gives will resolve this issue. Be aware that this command was introduced in releases 7.0 and above. If your PIX is running 6.x or lower then it will not work.



zul.shariff Sun, 01/20/2008 - 19:59

Thanks Rick and Steven.

The head office PIX is running 6.3(3) so I guess l2l between branches is the only option.

Richard Burts Mon, 01/21/2008 - 10:22


I agree that Lan2Lan is the best option, not necessarily the only option. A code upgrade might also get you remote to remote. But it would be more complex and I agree that for types of traffic that are delay sensitive (such as voice/RTP) a site to site connection is better than one relayed through a common HQ.