Cisco Support Community
Community Member

Open Hub and Spoke and stateful inspection

Hi,

I have to set up an MPLS VPN hub-and-spoke configuration where all traffic from spoke sites must go through the hub site before going to any other spoke. At this hub site, I need to send the traffic through a PIX to check it against some security rules.

The problem is the following: for a given TCP session, the SYN packet will come in on the inside interface of the PIX and will go out by the outside interface. BUT the SYN/ACK will do exactly the same: come in on the inside and go out by the outside interface. In other words, all the traffic will always go through the PIX in the same direction.

Can this work, or will the PIX drop the packets?

Thanks for your help,

Thierry

1 REPLY
Community Member

Re: Open Hub and Spoke and stateful inspection

Hi, it's me again!

I made the test and the answer is: the PIX drops the packets... The SYN is seen on the inside interface and when the SYN/ACK comes, the PIX rejects it.

So, I decided to try something else: PIX v7.02, incoming traffic and outgoing traffic on the same interface... with no more success.

When I use "same-security-interface permit intra-interface", traffic is still rejected.

Any idea?

Thanks a lot,

Thierry
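As an added illustration (not part of Thierry's posts or of any Cisco code), the model below is a toy stateful inspection table that records which interface a SYN entered on and accepts the SYN/ACK only when it arrives on the opposite interface. Fed the hub-and-spoke flow described in the question, it reproduces the drop the reply reports; the ordinary two-sided flow passes. Addresses, ports and the two-interface box are constructed for the example.

```python
from dataclasses import dataclass

# Simplified model of a stateful firewall's connection table. Real PIX/ASA
# code tracks far more (sequence numbers, NAT, timers); the one property
# modelled here is that a reply is expected on the interface the SYN left by.

@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet ARRIVES on
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # "SYN", "SYN-ACK", "ACK"

class StatefulFirewall:
    def __init__(self, interfaces):
        self.interfaces = interfaces   # constructed: ("inside", "outside")
        self.table = {}                # 4-tuple -> interface the SYN entered on

    def egress_for(self, iface):
        # Two-interface box: traffic entering one side leaves by the other.
        a, b = self.interfaces
        return b if iface == a else a

    def inspect(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == "SYN":
            self.table[key] = pkt.iface          # open a half-connection entry
            return "PERMIT"
        if reverse in self.table:
            # The reply must come back on the interface the SYN was sent out of.
            if pkt.iface == self.egress_for(self.table[reverse]):
                return "PERMIT"
            return "DROP: reply arrived on wrong interface"
        return "DROP: no matching connection"

def run(packets):
    fw = StatefulFirewall(("inside", "outside"))
    return [fw.inspect(p) for p in packets]

# Hub-and-spoke case from the thread: SYN and SYN/ACK both enter on "inside".
HUB_AND_SPOKE = [
    Packet("inside", "10.1.1.10", 40000, "10.2.2.20", 80, "SYN"),
    Packet("inside", "10.2.2.20", 80, "10.1.1.10", 40000, "SYN-ACK"),
]
# Ordinary deployment: the SYN/ACK comes back on "outside".
SYMMETRIC = [
    Packet("inside", "10.1.1.10", 40000, "10.2.2.20", 80, "SYN"),
    Packet("outside", "10.2.2.20", 80, "10.1.1.10", 40000, "SYN-ACK"),
]
```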
