Cisco Support Community

Cannot pass traffic destined for another network through VPN

Hi,

I've configured a VPN between 2 offices. I can send data from the head office to the remote office. My problem is that the remote office needs to connect to other offices through the head office. Please see the attachments for the 2 route configs (ABC-Cardiff = head office, ABC-Swansea = remote office).

Users in the remote office 10.41.X.X need to connect to servers in another office 10.10.X.X through the Cardiff office 10.40.X.X.

Can anyone advise me how to edit the configs to allow the remote office access to all networks? A traceroute from the remote office to 10.10.1.101 shows that the traffic isn't going down the VPN connection.

If any of this doesn't make sense please let me know and I will be happy to provide further info.

TIA,

Al

2 REPLIES
Bronze

Re: Cannot pass traffic destined for another network through VPN

It looks like you are trying to set up a hub-and-spoke VPN.

Hub-and-spoke topology is not supported in PIX version 6.x because version 6.x does not redirect traffic back out the same interface it was received on.

This feature is also known as traffic redirection or hairpinning and is supported in PIX version 7.x.

Refer to this link for the config:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

New Member

Re: Cannot pass traffic destined for another network through VPN

Hello,

The first reply is technically correct if you had two VPN sites connected to your head office, and wanted to establish connections between the two VPN sites.

That's certainly my scenario.

In your scenario, your VPN is only configured to match the traffic for the 10.4x. networks.

At your head office you route 10.10.0.0/16 via 10.40.5.100.

You need to ensure your ACLs 100 and 101 permit and deny the traffic to 10.10.0.0/16 the same way you're currently doing between 10.40 and 10.41.

Hope that helps

PS - on both ends!!!
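
Added example, not part of the thread or the posters' configs: a small Python check of the point made in the last reply, that a flow only enters the tunnel if the VPN ACL matches it, and that the entries must be mirrored on both ends. The ACL contents, the /16 masks for 10.40 and 10.41, and the source host 10.41.1.10 are constructed assumptions; the attached configs are not shown on this page.

```python
import ipaddress

def net(cidr):
    return ipaddress.ip_network(cidr)

# Constructed sample data: permitted (source, destination) pairs per site.
SWANSEA_BEFORE = [("10.41.0.0/16", "10.40.0.0/16")]
CARDIFF_BEFORE = [("10.40.0.0/16", "10.41.0.0/16")]
# Assumed fix: add 10.10.0.0/16 on both ends, in mirrored form.
SWANSEA_AFTER = SWANSEA_BEFORE + [("10.41.0.0/16", "10.10.0.0/16")]
CARDIFF_AFTER = CARDIFF_BEFORE + [("10.10.0.0/16", "10.41.0.0/16")]

def matches(acl, src, dst):
    """True if some permit entry covers the flow src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in net(a) and d in net(b) for a, b in acl)

def mirrored(local, remote):
    """True if each entry on one peer has a swapped twin on the other."""
    here = {(net(a), net(b)) for a, b in local}
    there = {(net(b), net(a)) for a, b in remote}
    return here == there

def check_flow(local, remote, src, dst):
    """List the problems for a flow initiated from the local site."""
    problems = []
    if not matches(local, src, dst):
        problems.append("local ACL does not match: flow bypasses the tunnel")
    if not matches(remote, dst, src):
        problems.append("remote ACL does not match the return traffic")
    if not mirrored(local, remote):
        problems.append("ACLs on the two peers are not mirror images")
    return problems

if __name__ == "__main__":
    cases = {
        "before": (SWANSEA_BEFORE, CARDIFF_BEFORE),
        "one end only": (SWANSEA_AFTER, CARDIFF_BEFORE),
        "both ends": (SWANSEA_AFTER, CARDIFF_AFTER),
    }
    for label, (swansea, cardiff) in cases.items():
        result = check_flow(swansea, cardiff, "10.41.1.10", "10.10.1.101")
        print(label, "->", result or "ok")
```
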
