Pushing Internet through IPsec Tunnel

RAMACHANDRA R
Level 1

Hi,

We have a scenario where the customer has 10 sites connecting over a private network, and IPsec tunnels have been built from all the branch PIXes (running the 6.3 image) to the central site PIX (6.3). The central site PIX is connected to the Internet, the private network and the LAN.

Please find the details below.

Central Site details

ethernet0 Outside ----- Internet

ethernet1 WAN --- Connected to Private Network

ethernet2 BACKUP ----- Connected to Private Network

ethernet3 inside ---- LAN

Branch Details.

interface ethernet0 WAN ---- Connected To Private Network

interface ethernet2 BACKUP --- Connected to Private Network

interface ethernet1 Inside --- LAN

All the IPsec tunnels are working; they terminate on the WAN interface (private network), and the backup line also works absolutely fine whenever the primary goes down. The requirement is to push Internet access from the central site to all the branches. The branches are configured to send all their traffic over the active tunnels, but we are not able to get to the Internet. Suggestions would be highly appreciated.

The central PIX is configured to allow traffic from all three interfaces (WAN, BACKUP and LAN) to go to the Internet.

Rgds

Rama

10 Replies

andrew.prince
Level 10

Rama,

There are several ways of doing this, but they depend on topology and equipment. Can you expand on the below:

1) Are the branch devices PIX/ASA?

2) What is the central site device, PIX/ASA?

3) Do any of the sites have layer 3 routing devices, routers or MLS?

4) Is there a dynamic routing protocol being used?

5) Any GRE tunnels configured?

6) Does your customer have a proxy server?

7) Does your customer have an Active Directory domain?

I could be wrong, but I believe that this is not supported in anything under PIX 7.x/8.x. Basically, it sounds like you're trying to do hairpinning, or U-turn routing. Routers support this, as do the newer code versions, but I do not believe it is supported in 6.x.

But hairpinning is different from what we are trying to achieve; I am sure we should be able to crack this. It is similar to disabling split tunnelling in Easy VPN, where you are forcing remote users to go through the corporate Internet, if I am not wrong.

Regards

Rama

Rama,

Actually Ryan is correct, but it depends on the hardware, as the 7.x/8.x code only runs on PIX 515 and above with 64 MB of memory.

Hi Andrew,

Please find the details.

1) All the branches have PIX 515E (6.3)

2) Central is also a PIX 515E (6.3)

3) No routing devices at the branches; only one router is kept at the central site, where the Internet lands on a Serial interface and is taken out on a FastEthernet interface, which is connected to the PIX 515E Outside interface

4) All are running with static routes

5) No GRE tunnels

6) No idea about a proxy; I need to check the same with the customer.

7) No Active Directory domain

Regards

Rama

OK, some good news. How much memory does the central site PIX have?

With 64 MB or above you need to install version 7.x or 8.x code (I suggest 7.x, personal preference); then all you need to configure are:

1) Hairpinning

2) Your NAT.

HTH>

Hi

All PIXes have 128 MB RAM.

Is it required for me to upgrade all the spoke PIXes too?

Hope you understood my requirement; let me brief it again.

All the branch IPsec tunnels terminate on the WAN interface of the PIX, and users can access the applications that are on the inside interface of the PIX.

We have the Internet landing on the Outside interface of the PIX, and the users sitting on the inside interface are able to go to the Internet; if they want to access a branch they will be sent out on the WAN interface through the IPsec tunnel. The requirement is to share the Internet with the users coming in on the WAN interface through IPsec.

I don't see any hairpinning requirement.

IPsec traffic is landing on the box from the branch, and I need to send it out on the Outside interface, NATing it, if it is going anywhere other than the inside segment.

Regards

Rama

Rama,

Firstly, the only PIX that needs to be updated is the HQ PIX.

Secondly, you do not understand what "hairpinning" is. Let me ask you this: do you think that the PIX will transmit traffic out of the same interface it was received on?

If you answer the above question yes, then I suggest you google "same-security-traffic permit intra-interface" and read.

Below is an 80% config example of what you want to do:

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a00805734ae.shtml

HTH>

Thanks for the info Andrew,

Enabled NAT at the branch as well as NAT at the central site, and it started working without upgrading the image :)

Regards

Rama

OK
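The resolution above ("NAT at the branch as well as NAT at the central site", with no image upgrade) is stated without a config, so the following is an added worked example that is not part of the original thread and not a Cisco configuration example. It shows one arrangement on PIX 6.3 that makes branch Internet traffic arrive decrypted on the hub's WAN interface and leave, PATed, on the hub's Outside interface. All addresses, interface numbers, map names and the peer addresses are assumptions constructed for the example; the `!` lines are annotations for the reader, not commands to paste, and the ISAKMP policy and transform-set lines are omitted since the thread says the tunnels already work.

```cisco
! ===== Hub (central site) PIX 515E, 6.3 - assumed addressing =====
nameif ethernet0 Outside security0
nameif ethernet1 WAN security50
nameif ethernet3 inside security100
ip address Outside 203.0.113.2 255.255.255.248
ip address WAN 172.16.0.1 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0

! Branch LANs (assumed 10.1.0.0/16) are reached over the private network on WAN.
! Return traffic from the Internet is routed back to WAN, where the crypto map re-encrypts it.
route Outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route WAN 10.1.0.0 255.255.0.0 172.16.0.254 1

! Hub LAN <-> branch LAN traffic is exempt from NAT (nat 0 is bidirectional, so this also
! admits decrypted branch traffic to the inside segment). Everything else from inside is PATed.
access-list nonat permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0

! The missing piece: decrypted branch traffic enters on WAN, not inside, so it needs its own
! nat statement on WAN. It shares the Outside PAT pool with the hub LAN.
nat (WAN) 1 10.1.0.0 255.255.0.0
global (Outside) 1 interface

! Decrypted IPsec traffic bypasses the interface access-lists on 6.3.
sysopt connection permit-ipsec

! Crypto ACL mirrors the branch's "everything through the tunnel" ACL: the source is "any"
! so that Internet return traffic destined to the branch LAN is encrypted as well.
access-list tunnel_b1 permit ip any 10.1.1.0 255.255.255.0
crypto map hubmap 10 ipsec-isakmp
crypto map hubmap 10 match address tunnel_b1
crypto map hubmap 10 set peer 172.16.1.1
crypto map hubmap 10 set transform-set strong
crypto map hubmap interface WAN

! ===== Branch PIX 515E, 6.3 - assumed addressing =====
nameif ethernet0 WAN security0
nameif ethernet1 inside security100
ip address WAN 172.16.1.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
route WAN 0.0.0.0 0.0.0.0 172.16.1.254 1

! No split tunnel: every inside source to any destination is interesting traffic, and it is
! sent un-translated (nat 0) so the hub sees the real branch addresses and does the PAT.
access-list tunnel permit ip 10.1.1.0 255.255.255.0 any
nat (inside) 0 access-list tunnel
crypto map spokemap 10 ipsec-isakmp
crypto map spokemap 10 match address tunnel
crypto map spokemap 10 set peer 172.16.0.1
crypto map spokemap 10 set transform-set strong
crypto map spokemap interface WAN
```

Two checks a practitioner would make on the hub: `show xlate` should show translations for 10.1.x.x sources to the Outside address once a branch host browses, and `show crypto ipsec sa` for the branch peer should show both encaps and decaps counters rising (return traffic is being re-encrypted on WAN). The caveat from the thread is worth keeping straight: `same-security-traffic permit intra-interface` exists only on 7.x and later and is needed only when decrypted traffic must leave the same interface it arrived on. That is not this topology, where IPsec terminates on WAN and the Internet is on Outside, so plain routing plus NAT on 6.3 is enough; branch-to-branch traffic via the hub, which would enter and leave on WAN, is the case that would require the upgrade.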
