Cisco Support Community
New Member

Connecting across multiple vpn tunnels

I have lan2lan tunnels between 2 branch offices and the main office. The branch offices have ASA5505 and the main office has a PIX515E. We are using Cisco soft phones at the branch offices and they can talk to the main office but cannot talk to each other. There is no audio even though the call connects. What we need is to configure the PIX515E such that there is an RTP stream between the 2 branch offices. This can be achieved by creating a l2l vpn between the 2 branch offices, but I am looking for a solution that allows data to flow between the 2 branches via the main office.

4 REPLIES
Gold

Re: Connecting across multiple vpn tunnels

Make sure your crypto ACLs for each remote site allow not only HQ, but also the other remote site.

Then add the command "same-security-interface permit inter-interface".

Side note: voice quality would be better if the vpn flowed directly between sites. If you don't plan on growing the number of remote sites, it only takes one more L2L vpn to be fully meshed.
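A constructed hub-and-spoke configuration illustrating both points in the reply above (an added example, not posted in the thread). Subnets, ACL names, peer addresses and the transform-set name are assumed; in the PIX/ASA 7.x command reference the hairpin command is spelled `same-security-traffic permit intra-interface`, and as noted below it does not exist on 6.x code.

```cisco
! Added example (not from the thread). Assumed addressing:
!   HQ inside   10.1.0.0/24   (hub PIX running 7.x code)
!   Branch A    10.2.0.0/24   (ASA5505, peer 192.0.2.10)
!   Branch B    10.3.0.0/24   (ASA5505, peer 192.0.2.20)
! Peer IPs are documentation addresses; ISAKMP policy, tunnel-groups
! and the ESP-AES-SHA transform-set are assumed to exist already.

!--- Hub PIX: let traffic that arrived on 'outside' leave via 'outside'
!--- (branch-to-branch hairpin). Requires 7.0 or later.
same-security-traffic permit intra-interface

!--- Crypto ACL for branch A must list branch B as a source as well as HQ;
!--- otherwise A<->B packets never match the SA and are dropped.
access-list VPN_TO_A extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list VPN_TO_A extended permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0

!--- Mirror for branch B
access-list VPN_TO_B extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
access-list VPN_TO_B extended permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0

!--- Keep HQ<->branch traffic out of NAT. Hairpinned branch-to-branch
!--- traffic never touches 'inside', and with nat-control off (the 7.x
!--- default) it needs no NAT statement of its own.
access-list NO_NAT extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list NO_NAT extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

crypto map HUB_MAP 10 match address VPN_TO_A
crypto map HUB_MAP 10 set peer 192.0.2.10
crypto map HUB_MAP 10 set transform-set ESP-AES-SHA
crypto map HUB_MAP 20 match address VPN_TO_B
crypto map HUB_MAP 20 set peer 192.0.2.20
crypto map HUB_MAP 20 set transform-set ESP-AES-SHA
crypto map HUB_MAP interface outside

!--- Branch A ASA5505: the mirror image of VPN_TO_A, so branch B's subnet
!--- rides the single tunnel to HQ. Branch B is configured the same way.
access-list VPN_TO_HQ extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list VPN_TO_HQ extended permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0
nat (inside) 0 access-list VPN_TO_HQ
```

After applying it, `show crypto ipsec sa peer 192.0.2.10` on the hub should list a 10.3.0.0/10.2.0.0 proxy identity pair next to the HQ one; if only the HQ pair appears, the crypto ACL was not updated on both ends of that tunnel.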

Hall of Fame Super Gold

Re: Connecting across multiple vpn tunnels

Zul

I believe that Steven has correctly identified the basic issue as the fact that by default the PIX will not forward out an interface traffic that was received on that interface. A common result of that is that VPN site to site works from remotes to HQ but not from remote to remote. The command that he gives will resolve this issue. Be aware that this command was introduced in releases 7.0 and above. If your PIX is running 6.x or lower then it will not work.

HTH

Rick

New Member

Re: Connecting across multiple vpn tunnels

Thanks Rick and Steven.

The head office PIX is running 6.3(3) so I guess l2l between branches is the only option.

Hall of Fame Super Gold

Re: Connecting across multiple vpn tunnels

Zul

I agree that Lan2Lan is the best option, not necessarily the only option. A code upgrade might also get you remote to remote. But it would be more complex, and I agree that for types of traffic that are delay-sensitive (such as voice/RTP) a site to site connection is better than one relayed through a common HQ.

HTH

Rick
