I have three sites (sites A, B, and C). There is a site-to-site IPsec tunnel between PIXs from an internal LAN on site A (172.30.10.0 /24) to an internal LAN on site B (192.168.20.0 /24), and another tunnel from site B to site C (172.30.20.0). How can I route traffic from site A to C across the existing tunnels without creating another tunnel between sites A and C? Many thanks in advance.
I don't think hairpinning will solve the problem. Perhaps some simple static routes to get from A->C, and C->A. Also, update your crypto ACLs at each point to allow the traffic to get from A->C, and C->A, as well as normal ACLs.
Actually the setup requires hairpinning/u-turn VPN. I didn't make this up.
You are right in that routing needs to be taken care of, i.e. the PIX in site A needs to know that to get to site C it needs to send traffic out the outside interface, and the crypto ACLs need to be taken care of as you describe.
What I meant by "the same-security-traffic permit intra-interface command is key" is that this command is necessary so the PIX in site B can send traffic out on the same interface it was originally received (traffic from site A arrives on the outside interface and needs to be sent out the same interface so it can reach site C). Without this command in the PIX on site B u-turn VPN won't work, even if routing and the crypto ACLs are taken care of.
I didn't go into details when I first replied to Ryan because I thought that all the details, including routing, crypto ACLs, and the same-security-traffic command, are well presented in the tech tip I mentioned in that original reply yesterday.
Ryan got it to work so everything is good, though :-)
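An added configuration sketch, not from the original thread or from Cisco, that puts the three pieces the replies name together in PIX 7.x/ASA syntax: mirrored crypto ACLs that carry the far spoke's LAN inside each existing tunnel, static routes pointing the remote LANs out the outside interface, and the intra-interface command on the hub. The outside addresses (203.0.113.1, 198.51.100.1, 192.0.2.1), the next-hop routers, the crypto map and transform-set names, and the /24 mask on site C's LAN are constructed assumptions; ISAKMP policy, pre-shared keys and NAT exemption are left out.

```text
! ===== Site A PIX (spoke, outside 203.0.113.1, LAN 172.30.10.0/24) =====
! One tunnel to B carries both B's LAN and C's LAN; the second ACE is what
! lets A->C traffic be encrypted into the A-B tunnel instead of being dropped.
access-list CRYPTO_A_B extended permit ip 172.30.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list CRYPTO_A_B extended permit ip 172.30.10.0 255.255.255.0 172.30.20.0 255.255.255.0
route outside 192.168.20.0 255.255.255.0 203.0.113.254 1
route outside 172.30.20.0 255.255.255.0 203.0.113.254 1
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map VPN 10 match address CRYPTO_A_B
crypto map VPN 10 set peer 198.51.100.1
crypto map VPN 10 set transform-set ESP-AES-SHA
crypto map VPN interface outside

! ===== Site B PIX (hub, outside 198.51.100.1, LAN 192.168.20.0/24) =====
! A->C packets arrive decrypted on outside and must leave outside again
! to enter the B-C tunnel; without this command the hub drops them.
same-security-traffic permit intra-interface
! Tunnel to A: mirror of site A's ACL (B's LAN plus C's LAN toward A).
access-list CRYPTO_B_A extended permit ip 192.168.20.0 255.255.255.0 172.30.10.0 255.255.255.0
access-list CRYPTO_B_A extended permit ip 172.30.20.0 255.255.255.0 172.30.10.0 255.255.255.0
! Tunnel to C: B's LAN plus A's LAN toward C.
access-list CRYPTO_B_C extended permit ip 192.168.20.0 255.255.255.0 172.30.20.0 255.255.255.0
access-list CRYPTO_B_C extended permit ip 172.30.10.0 255.255.255.0 172.30.20.0 255.255.255.0
route outside 172.30.10.0 255.255.255.0 198.51.100.254 1
route outside 172.30.20.0 255.255.255.0 198.51.100.254 1
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map VPN 10 match address CRYPTO_B_A
crypto map VPN 10 set peer 203.0.113.1
crypto map VPN 10 set transform-set ESP-AES-SHA
crypto map VPN 20 match address CRYPTO_B_C
crypto map VPN 20 set peer 192.0.2.1
crypto map VPN 20 set transform-set ESP-AES-SHA
crypto map VPN interface outside

! ===== Site C PIX (spoke, outside 192.0.2.1, LAN 172.30.20.0/24) =====
! Mirror of CRYPTO_B_C; A's LAN is reached through the same tunnel to B.
access-list CRYPTO_C_B extended permit ip 172.30.20.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list CRYPTO_C_B extended permit ip 172.30.20.0 255.255.255.0 172.30.10.0 255.255.255.0
route outside 192.168.20.0 255.255.255.0 192.0.2.254 1
route outside 172.30.10.0 255.255.255.0 192.0.2.254 1
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map VPN 10 match address CRYPTO_C_B
crypto map VPN 10 set peer 198.51.100.1
crypto map VPN 10 set transform-set ESP-AES-SHA
crypto map VPN interface outside
```

To confirm the hairpin is actually negotiated, `show crypto ipsec sa` on the hub should list an SA for 172.30.10.0/24 <-> 172.30.20.0/24 under each peer, and the encaps/decaps counters should rise on both as A-to-C traffic flows.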