Pushing Internet through IPsec Tunnel

Unanswered Question
Feb 8th, 2009

Hi ,


We have a scenario where the customer has 10 sites connecting via a private network and has built IPsec tunnels from all the branch PIXes (running the 6.3 image) to the central site PIX (6.3). The central site PIX is connected to the Internet, the private network and the LAN.

Please find the details below .


Central Site details


ethernet0 Outside ----- Internet

ethernet1 WAN --- Connected to Private Network

ethernet2 BACKUP ----- Connected to Private Network

ethernet3 inside ---- LAN




Branch Details.


interface ethernet0 WAN ---- Connected To Private Network

interface ethernet2 BACKUP --- Connected to Private Network

interface ethernet1 Inside --- LAN


All the IPsec tunnels are working and are terminated on the WAN port (private network), and the backup line also works absolutely fine whenever the primary goes down. The requirement is to push Internet access from the central site to all the branches. The branches are configured to send all their traffic over the active tunnels, but we are not able to get to the Internet. Suggestions would be highly appreciated.


The central PIX is configured to allow traffic from all three interfaces (WAN, BACKUP and LAN) to go to the Internet.


Rgds

Rama


Rama,


There are several ways of doing this, but they depend on topology and equipment. Can you expand on the below:


1) Are the branch devices PIX/ASA?

2) What is the central site device, PIX/ASA?

3) Do any of the sites have layer 3 routing devices, routers or MLS?

4) Is there a dynamic routing protocol being used?

5) Any GRE tunnels configured?

6) Does your customer have a proxy server?

7) Does your customer have an Active Directory domain?

ryancolson Sun, 02/08/2009 - 15:04

I could be wrong, but I believe that this is not supported in anything under PIX 7.x/8.x. Basically, it sounds like you're trying to do hairpinning, or U-turn routing. Routers support this, as do the newer code versions, but I do not believe it is supported in 6.x.

RAMACHANDRA R Sun, 02/08/2009 - 21:06

But hairpinning is different from what we are trying to achieve. I am sure we should be able to crack this; it is similar to disabling split tunnelling in Easy VPN, where you are forcing remote users to go through the corporate Internet, if I am not wrong.


Regards

Rama

RAMACHANDRA R Sun, 02/08/2009 - 20:55

Hi Andrew,


Please find the details.


1) All the branches have PIX 515E (6.3)

2) The central site is also a PIX 515E (6.3)

3) No routing devices at the branches; only one router is kept at the central site, where the Internet lands on the serial interface and is taken out on the FastEthernet interface, which is connected to the PIX 515E outside interface

4) All are running on static routes

5) No GRE tunnels

6) No idea about a proxy; I need to check the same with the customer.

7) No Active Directory domain



Regards

Rama


RAMACHANDRA R Mon, 02/09/2009 - 02:15

Hi

All PIXes have 128 MB RAM.


Is it required for me to upgrade all the spoke PIXes too?


Hope you understood my requirement. Let me brief it again.


All the branch IPsec tunnels are terminated on the WAN interface of the PIX, and users can access the applications that are on the inside interface of the PIX.

We have the Internet landing on the outside interface of the PIX, and the users on the inside interface are able to go to the Internet; if they want to access a branch they are sent out of the WAN interface through the IPsec tunnel. The requirement is to share the Internet with the users coming in on the WAN interface through IPsec.


I don't see any hairpinning requirement.

IPsec traffic is landing on the box from the branch, and I need to send it out of the outside interface, NATing it, if it is going anywhere other than the inside segment.



Regards

Rama

Rama,


Firstly, the only PIX that needs to be updated is the HQ PIX.


Secondly, you do not understand what "hairpinning" is. Let me ask you this: do you think that the PIX will transmit traffic out of the same interface it was received on?


If you answer the above question yes, then I suggest you google "same-security-traffic permit intra-interface" and read.


Below is an 80% config example of what you want to do:


http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a00805734ae.shtml


HTH
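As an added example, not taken from the thread or from Cisco's linked document, here is the shape of a hub-side PIX/ASA 7.x configuration that the last reply's approach implies: branch-sourced traffic arriving decrypted on WAN is PATed out of the outside interface, the hub's crypto ACLs mirror the branches' "send everything" ACLs, and intra-interface forwarding is enabled for branch-to-branch traffic. Interface names follow the thread; every address, ACL and object-group name, peer, key and branch subnet below is an assumed placeholder.

```cisco
! Added example config (assumed addressing), not the poster's or Cisco's.
hostname HQ-PIX
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Ethernet1
 nameif WAN
 security-level 50
 ip address 10.255.0.1 255.255.255.0
interface Ethernet3
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
! Allow decrypted traffic to leave via the interface it arrived on
! (needed for branch-to-branch traffic through the hub).
same-security-traffic permit intra-interface
!
! Assumed branch LANs
object-group network BRANCH-LANS
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
!
! Do not NAT HQ LAN <-> branch LAN traffic.
access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 object-group BRANCH-LANS
nat (inside) 0 access-list NONAT
!
! PAT HQ LAN traffic and branch traffic arriving on WAN to the outside address.
nat (inside) 1 0.0.0.0 0.0.0.0
nat (WAN) 1 192.168.10.0 255.255.255.0
nat (WAN) 1 192.168.20.0 255.255.255.0
global (outside) 1 interface
!
! Crypto ACLs must mirror the branch side ("branch LAN -> any"),
! so that Internet return traffic to a branch is encrypted.
access-list VPN-BRANCH1 extended permit ip any 192.168.10.0 255.255.255.0
access-list VPN-BRANCH2 extended permit ip any 192.168.20.0 255.255.255.0
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map WANMAP 10 match address VPN-BRANCH1
crypto map WANMAP 10 set peer 10.255.0.11
crypto map WANMAP 10 set transform-set ESP-AES-SHA
crypto map WANMAP 20 match address VPN-BRANCH2
crypto map WANMAP 20 set peer 10.255.0.12
crypto map WANMAP 20 set transform-set ESP-AES-SHA
crypto map WANMAP interface WAN
! 7.0/7.1 syntax; 7.2+ also accepts the "crypto isakmp" form.
isakmp enable WAN
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
tunnel-group 10.255.0.11 type ipsec-l2l
tunnel-group 10.255.0.11 ipsec-attributes
 pre-shared-key <branch1-key>
tunnel-group 10.255.0.12 type ipsec-l2l
tunnel-group 10.255.0.12 ipsec-attributes
 pre-shared-key <branch2-key>
!
! Let decrypted traffic bypass interface ACLs
! (keyword is permit-ipsec on 6.3/7.0, permit-vpn on later 7.x).
sysopt connection permit-vpn
!
! Default route to the Internet router; branch LANs reached via WAN so the
! crypto map on WAN sees the return traffic.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route WAN 192.168.10.0 255.255.255.0 10.255.0.11 1
route WAN 192.168.20.0 255.255.255.0 10.255.0.12 1
```

Each branch's crypto ACL must be the mirror image (`permit ip <branch LAN> any`) and its default route must point at the hub across the private network; the hub's `nat (WAN) ...` lines are what make the branch addresses appear as the hub's outside address. Once a branch host browses, `show crypto ipsec sa` on the hub should show encaps/decaps counters rising for the any->branch SA and `show xlate` should list translations for the branch subnet on outside; if the SA never forms with an `any` destination, the two crypto ACLs are not mirrors of each other.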


