Cisco Support Community
Community Member

PIX VPN Hub and Spoke

I have a PIX VPN hub and spoke configuration and I want to let the spokes communicate with each other. In the documentation it says "The two outlying networks are not able to communicate with each other by going through the central PIX because the PIX does not route traffic received on one interface back out the same interface."

Can I use a router on the inside network to work around this limitation? If so, how should I configure this?

All PIX firewalls are 506's so I cannot use PIX version 7.

Best regards, Frank

Hall of Fame Super Gold

Re: PIX VPN Hub and Spoke


It is certainly true that the PIX code up to version 7 would not route traffic back out the interface that it arrived on. One of the implications of this was that in hub and spoke networks the spokes could not communicate with each other.

If you could configure the inside router to run IPSec and to terminate VPNs, you could then have the spokes terminate their VPN on the router and the spokes could communicate with each other. Or if you could get the PIX to forward spoke to spoke traffic to the router, and get the router to forward it back to the PIX it might work (but I am not sure how you could get the PIX to do that).

So I do not believe that there is an easy answer for you as long as you need to keep these PIX.
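The following is an added illustration of the first workaround described in the reply (terminating the spoke tunnels on an IOS router behind the hub PIX); it is not configuration from this thread or from Cisco documentation. All addresses, names and key placeholders are constructed: hub LAN 10.1.0.0/24 with the PIX inside address 10.1.0.1 and the router at 10.1.0.2, a spare public address 203.0.113.2 on the PIX outside, spoke A at 198.51.100.1 with LAN 10.2.0.0/24, and spoke B at 192.0.2.1 with LAN 10.3.0.0/24.

```cisco
! --- Hub PIX 506 (6.x): pass IKE and ESP through to the inside router ---
! A 1:1 static (not PAT) is used so ESP, which has no ports, survives translation.
static (inside,outside) 203.0.113.2 10.1.0.2 netmask 255.255.255.255
! Only the two spoke peers may reach the router, and only with IKE and ESP.
access-list outside_in permit udp host 198.51.100.1 host 203.0.113.2 eq isakmp
access-list outside_in permit esp host 198.51.100.1 host 203.0.113.2
access-list outside_in permit udp host 192.0.2.1 host 203.0.113.2 eq isakmp
access-list outside_in permit esp host 192.0.2.1 host 203.0.113.2
access-group outside_in in interface outside
! Note: do NOT add "route inside" entries for the spoke subnets here. Hub LAN
! hosts must use the router (10.1.0.2) as their gateway for 10.2.0.0/24 and
! 10.3.0.0/24, because the PIX will not send a packet that arrived on "inside"
! back out "inside" (the same limitation the question is about).

! --- Hub IOS router (10.1.0.2): terminates both spoke tunnels ---
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <PSK-SPOKE-A> address 198.51.100.1
crypto isakmp key <PSK-SPOKE-B> address 192.0.2.1
crypto ipsec transform-set HUB-TS esp-3des esp-sha-hmac
!
! Each crypto ACL covers hub->spoke traffic AND the other spoke's LAN -> this
! spoke. That is what lets the router decrypt a packet from spoke A and
! re-encrypt it toward spoke B, so the PIX never has to hairpin anything.
ip access-list extended TO-SPOKE-A
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
 permit ip 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255
ip access-list extended TO-SPOKE-B
 permit ip 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
 permit ip 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255
!
crypto map HUB-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set HUB-TS
 match address TO-SPOKE-A
crypto map HUB-MAP 20 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set HUB-TS
 match address TO-SPOKE-B
!
interface FastEthernet0/0
 description Hub LAN, same segment as the PIX inside interface
 ip address 10.1.0.2 255.255.255.0
 crypto map HUB-MAP
!
! Encrypted traffic to the spokes leaves via the PIX; the router needs no
! routes for the spoke LANs because the crypto ACLs select that traffic.
ip route 0.0.0.0 0.0.0.0 10.1.0.1
```

Each spoke's configuration is the mirror image: its peer is 203.0.113.2 (the static address, not 10.1.0.2) and its crypto ACL must list both the hub LAN and the other spoke's LAN as destinations, otherwise the spoke will not send spoke-to-spoke traffic into the tunnel. Because the router's IKE identity is its private address while the spokes see 203.0.113.2, NAT traversal should be enabled on the router and on both spoke PIXes (PIX 6.3 or later). The PIX only forwards the encrypted packets, so the plaintext spoke-to-spoke path is router in, router out on the same interface, which IOS supports; the PIX side stays a simple pass-through for two peers and two protocols.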
