02-08-2009 08:21 AM - edited 02-21-2020 04:08 PM
Hi,
We have a scenario where the customer has 10 sites connecting via a private network and has built IPsec tunnels from all the branch PIXes (running the 6.3 image) to the central site PIX (6.3). The central site PIX is connected to the Internet, the private network and the LAN network.
Please find the details below.
Central Site details
ethernet0 Outside ----- Internet
ethernet1 WAN --- Connected to Private Network
ethernet2 BACKUP ----- Connected to Private Network
ethernet3 inside ---- LAN
Branch Details.
interface ethernet0 WAN ---- Connected To Private Network
interface ethernet2 BACKUP --- Connected to Private Network
interface ethernet1 Inside --- LAN
All the IPsec tunnels are working and are terminated on the WAN port (private network), and the backup line also works absolutely fine whenever the primary goes down. The requirement is to push internet from the central site to all the branches. The branches are configured to send all their traffic over the active tunnels, but we are not able to get the internet. Suggestions would be highly appreciated.
The central PIX is configured to allow traffic from all 3 interfaces (WAN, BACKUP and LAN) to go to the internet.
Rgds
Rama
02-08-2009 11:36 AM
Rama,
There are several ways of doing this - but they depend on topology and equipment. Can you expand on the below:-
1) Are the branch devices PIX/ASA?
2) What is the central site device, PIX/ASA?
3) Do any of the sites have layer 3 routing devices, routers or MLS?
4) Is there a dynamic routing protocol being used?
5) Any GRE tunnels configured?
6) Does your customer have a proxy server?
7) Does your customer have an Active Directory domain?
02-08-2009 03:04 PM
I could be wrong, but I believe that this is not supported in anything under PIX 7.x/8.x. Basically, it sounds like you're trying to do hairpinning, or U-turn routing. Routers support this, as do the newer code versions, but I do not believe it is supported in 6.x.
02-08-2009 09:06 PM
But hairpinning is different than what we are trying to achieve. I am sure we should be able to crack this; it's similar to disabling split tunnelling in Easy VPN, where you are forcing remote users to go through the corporate internet, if I am not wrong.
Regards
Rama
02-08-2009 11:32 PM
Rama,
Actually Ryan is correct - but it depends on the hardware, as the version 7.x/8.x code only runs on PIX 515 and above with 64 MB of memory.
02-08-2009 08:55 PM
Hi Andrew,
Please find the details.
1) All the branches have PIX 515E (6.3)
2) Central is also PIX 515E (6.3)
3) No routing devices at the branches; only one router kept at the central site, where the internet lands on Serial and is taken out from FastEthernet, which is connected to the PIX 515E Outside interface
4) All are running through static routes
5) No GRE tunnels
6) No idea about a proxy; I need to check the same with the customer.
7) No Active Directory domain
Regards
Rama
02-08-2009 11:34 PM
OK - some good news. How much memory does the central site PIX have???
64 MB or above - and you need to install version 7.x or 8.x code (I suggest 7.x, personal preference). Then all you need to configure is:-
1) Hairpinning
2) Your NAT.
HTH>
02-09-2009 02:15 AM
Hi
All PIXes have 128 MB RAM.
Is it required for me to upgrade all the spoke PIXes too?
Hope you understood my requirement. Let me brief the same.
All the branch IPsec tunnels are terminated on the WAN interface of the PIX, and users can access the applications that are on the Inside interface of the PIX.
We have internet landing on the Outside interface of the PIX, and the users sitting on the Inside interface are able to go to the internet; if they want to access a branch they will be sent out on the WAN interface through the IPsec tunnel. The requirement is to share the internet with the users coming in from the WAN interface through IPsec.
I don't see any hairpinning requirement.
IPsec traffic is landing on the box from the branch and I need to send it out on the Outside interface, NATing it, if it is going anywhere apart from the Inside segment.
Regards
Rama
02-09-2009 03:44 AM
Rama,
Firstly - the only PIX that needs to be updated is the HQ PIX.
Secondly - you do not understand what "hairpinning" is. Let me ask you this - do you think that the PIX will transmit traffic out of the same interface it was received on?
If you answer the above question yes - then I suggest you google "same-security-traffic permit intra-interface" and read.
Below is an 80% config example of what you want to do:-
HTH>
02-11-2009 10:43 PM
Thanks for the info Andrew,
Enabled NAT at the branch as well as NAT at the central site, and it started working without upgrading the image :)
Regards
Rama
02-12-2009 02:12 AM
OK
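The two items Andrew lists, hairpin permission and NAT for the decrypted branch traffic, as an added PIX 7.x configuration sketch for the central-site box. This is an illustration written for this page, not Andrew's own config; interface names follow Rama's description, and every address, the branch LAN summary 10.20.0.0/16 and the next hops are assumed.

```text
! Added example (not from the thread): central-site PIX 515E on 7.x code.
! Interface names follow the thread; all addresses are assumed.
interface Ethernet0
 nameif Outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
interface Ethernet1
 nameif WAN
 security-level 50
 ip address 10.1.1.1 255.255.255.0
interface Ethernet2
 nameif BACKUP
 security-level 50
 ip address 10.1.2.1 255.255.255.0
interface Ethernet3
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Item 1: allow a flow to leave through the interface it arrived on
! (hairpin / U-turn), which 6.3 cannot do.
same-security-traffic permit intra-interface
!
! Item 2: PAT the branch LANs (assumed summary 10.20.0.0/16) and the local LAN
! to the Outside address whenever they head for the internet.
nat (WAN) 1 10.20.0.0 255.255.0.0
nat (BACKUP) 1 10.20.0.0 255.255.0.0
nat (inside) 1 192.168.1.0 255.255.255.0
global (Outside) 1 interface
!
! Return traffic for the branch LANs must route back out WAN (or BACKUP, at a
! worse metric) so the crypto map on that interface re-encrypts it.
route Outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route WAN 10.20.0.0 255.255.0.0 10.1.1.254 1
route BACKUP 10.20.0.0 255.255.0.0 10.1.2.254 10
```

The branch side must also send internet-bound traffic into the tunnel (its crypto ACL has to match branch LAN to any), otherwise the central PIX never sees it; the existing IPsec peer and crypto map lines are unchanged and omitted here.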