Cisco Support Community
Community Member

Connectivity between two site-to-site VPNs

I have two remote offices that each connect to our main office via a site to site VPN. The remote offices have 831 routers. The main office has a PIX 515.

One remote office is 192.168.15.X and the other is 192.168.100.X. The main office is on a 10.X.X.X network.

Each of the remote offices can communicate with the main office without any problems. However, they can't communicate with each other at all and I need that to work. I simply want to be able to access the 192.168.100.X network from the 192.168.15.X network through the VPN tunnel that is already set up between each remote office.

I tried adding the other network to the ACL for the tunnel but that didn't work. I feel like I am missing something simple.

For instance, here is the ACL initially.

access-list 103 remark IPSec Rule

access-list 103 permit ip 192.168.15.0 0.0.0.255 10.0.0.0 0.255.255.255

I added this line to that ACL.

access-list 103 permit ip 192.168.15.0 0.0.0.255 192.168.100.0 0.0.0.255

But that didn't help.

Thanks in advance.

Accepted Solutions
Cisco Employee

Re: Connectivity between two site-to-site VPNs

Hi,

What code are you running on the PIX? Spoke to Spoke IPSEC Connectivity is supported only in version 7.0 and higher.

Enhanced Spoke-to-Spoke VPN Support

Version 7.0(1) improves support for spoke-to-spoke (and client-to-client) VPN communications, by providing the ability for encrypted traffic to enter and leave the same interface. Furthermore, split-tunnel remote access connections can now be terminated on the outside interface for the security appliance, allowing Internet-destined traffic from remote access user VPN tunnels to leave on the same interface as it arrived (after firewall rules have been applied).

The same-security-traffic command permits traffic to enter and exit the same interface when used with the intra-interface keyword, enabling spoke-to-spoke VPN support. For more information, see the "Permitting Intra-Interface Traffic" section in the Cisco Security Appliance Command Line Configuration Guide.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_70/70_rn/pix_70rn.htm#wp162358

Sample Configuration:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

Let me know if it helps.

Regards,

Arul

** Please rate all helpful posts **
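
The change described in the answer above, written out for the subnets in the question. This is an added example, not part of the original thread or of Cisco's linked sample configuration. It assumes the hub PIX runs 7.0(1) or later; the hub ACL names and the second office's ACL number are hypothetical.

```cisco
! ---- Hub: PIX 515 running 7.0(1) or later ----
! Allow decrypted traffic from one tunnel to be re-encrypted and sent
! back out the same interface it arrived on (spoke-to-spoke hairpin).
same-security-traffic permit intra-interface
!
! Crypto ACL for the tunnel to the 192.168.15.0/24 office.
! ACL name is hypothetical; the second line is the spoke-to-spoke entry.
access-list VPN-OFFICE15 extended permit ip 10.0.0.0 255.0.0.0 192.168.15.0 255.255.255.0
access-list VPN-OFFICE15 extended permit ip 192.168.100.0 255.255.255.0 192.168.15.0 255.255.255.0
!
! Crypto ACL for the tunnel to the 192.168.100.0/24 office (name hypothetical).
access-list VPN-OFFICE100 extended permit ip 10.0.0.0 255.0.0.0 192.168.100.0 255.255.255.0
access-list VPN-OFFICE100 extended permit ip 192.168.15.0 255.255.255.0 192.168.100.0 255.255.255.0
!
! ---- Spoke: 831 at 192.168.15.0/24 (ACL 103 as posted in the question) ----
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.15.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 103 permit ip 192.168.15.0 0.0.0.255 192.168.100.0 0.0.0.255
!
! ---- Spoke: 831 at 192.168.100.0/24 (ACL number assumed) ----
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.100.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 103 permit ip 192.168.100.0 0.0.0.255 192.168.15.0 0.0.0.255
!
! Each spoke entry must be mirrored (source and destination swapped) in the
! hub ACL for that spoke's tunnel, otherwise the IPsec SAs will not match.
! If a spoke exempts VPN traffic from NAT with its own ACL, the other
! office's subnet has to be added there as well (assumption: NAT is in use).
```

Keeping the crypto ACL entries scoped to the two /24 office subnets, rather than a broad permit, limits what the hub will relay between the tunnels.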

Community Member

Re: Connectivity between two site-to-site VPNs

Perfect Arul. That is exactly what I needed to know.

So my options are to upgrade the PIX or set up a separate VPN between the remote offices directly.

Clint

Cisco Employee

Re: Connectivity between two site-to-site VPNs

Yes, you are correct.

Regards,

Arul
