- Bronze, 100 points or more
I am having some trouble getting this tested in the lab. Essentially I have two PIX 506e setup, one pretending to be the hub, and the other a spoke (outside interfaces on the same network) with a working tunnel between them. I could ping across them without problem (to hosts on each of their internal networks). So I then wanted to tackle the forcing of all traffic from the spoke to the hub, where I'll eventually integrate some traffic monitoring which we don't want to replicate at the spoke site. To do this I changed up the access-list for the tunnel to essentially say src spoke_net to any (and the reverse on the other side). Trouble is it isn't working. I have a feeling traffic from the spoke is going across the tunnel as I can capture IP ESP traffic on the outside interface when pinging IPs on the outside network. Could this be a nat issue, routing issue, or impossible? Any help is appreciated. I've attached configs for both the Hub and Spoke.