I've a couple of questions relating to the functionality of VPNs configured on a PIX.
I've a PIX 515E, configured with multiple remote VPNs. All are working fine.
My questions relate to the following.
Can I, or should I, be able to route between these VPNs via the PIX? Currently any site connected via VPN (or client sessions, for that matter) is unable to connect to the other VPN subnets. Not such an issue, but nice to do.
I get the following log message:
110001: No route to 192.168.aa.ab from 192.168.bb.ab
Secondly, my VPNs terminate on the outside interface.
Ok, so as far as your first question goes, it depends on what version you are running. With version 7 you can have traffic routed between your VPNs. First you have to enable same-security-traffic permit intra-interface, which will allow the traffic in and out of the same interface, the outside interface in this case. Next you will have to define your interesting traffic ACLs to include the new networks. For example, if you have 3 sites A, B and C and your existing crypto ACLs permit traffic between A-B and A-C, you will have to add entries for traffic between B-C if you want the remote sites to communicate.
As far as the second question goes, since the traffic is sourced from the external IP, this address must be defined as interesting traffic as well to be able to cross the tunnel. If you do not do this you are attempting to export to a private address (non-routable), which obviously won't work. Here is a link to an example of syslog and SNMP via the outside interface of a PIX over a VPN tunnel. Though your remote VPN endpoints may not be PIXes, it does explain the concept of it needing to be interesting traffic.
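The hub-side configuration that the answer above describes, written out as an added example (this is not configuration from the thread or from any poster). It assumes a PIX running 7.x as site A, with inside network 192.168.10.0/24, site B at 192.168.20.0/24 behind peer 203.0.113.2, and site C at 192.168.30.0/24 behind peer 203.0.113.3; all addresses, ACL names, the crypto map name OUTSIDE-MAP and the transform set ESP-AES-SHA are constructed for the example. The point it shows is that each spoke's crypto ACL on the hub must carry both hub-to-spoke and spoke-to-spoke traffic, on top of the intra-interface permit that lets a packet arriving on outside leave on outside again (which is what the 110001 "No route" message is complaining about).

```cisco
! Added example, not from the thread. PIX 7.x hub at site A.
! Inside 192.168.10.0/24; spoke B 192.168.20.0/24 (peer 203.0.113.2);
! spoke C 192.168.30.0/24 (peer 203.0.113.3). Addresses are constructed.

! 1. Let traffic that entered on outside be sent back out of outside
same-security-traffic permit intra-interface

! 2. Crypto (interesting traffic) ACL for the tunnel to B:
!    A<->B as before, plus C<->B so spoke-to-spoke packets are encrypted
access-list VPN-TO-B extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list VPN-TO-B extended permit ip 192.168.30.0 255.255.255.0 192.168.20.0 255.255.255.0

!    Crypto ACL for the tunnel to C: A<->C as before, plus B<->C
access-list VPN-TO-C extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list VPN-TO-C extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0

! 3. NAT exemption for the hub's own inside network towards both spokes
!    (assumes nat-control is in use for inside; spoke-to-spoke traffic never
!    touches inside, so it needs no translation rule here)
access-list NO-NAT extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list NO-NAT extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
nat (inside) 0 access-list NO-NAT

! 4. One crypto map entry per spoke, bound to the outside interface
crypto map OUTSIDE-MAP 10 match address VPN-TO-B
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 20 match address VPN-TO-C
crypto map OUTSIDE-MAP 20 set peer 203.0.113.3
crypto map OUTSIDE-MAP 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
```

The spoke end of each tunnel needs the mirror image of the hub's crypto ACL (for B: local 192.168.20.0/24 to both 192.168.10.0/24 and 192.168.30.0/24), otherwise the phase 2 proxy identities will not match and the spoke-to-spoke SA will not come up. Only the device that turns the packet around on the same interface needs the 7.x intra-interface feature; a spoke that just sees an extra remote subnet in its crypto ACL is not hairpinning. Once it is in place, it is worth checking `show crypto ipsec sa` on the hub for a separate SA pair per spoke-to-spoke subnet pair, and checking that the outside ACL still only permits what you intended now that the two remote sites can reach each other through it.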
Well, version 7 will solve your first issue for sure. I misunderstood your second one, not sure how to help you there. So you basically want the netflow traffic to travel over the tunnel or is there a specific requirement to use inside addresses?
No worries with the second one. Basically, my netflow data was not working for any VPN-connected site. My workaround was to use the static statement I had in place, as I was exporting netflow data from my internet routers. The static statement using the interface address saved me wasting an address simply for netflow data. I do use the interface for a number of other services.
I guess from a security view point, netflow traversing the web is not overly ideal :)
I want to do exactly the same thing, but my problem is that I'm establishing the VPN between a 515E and a 506, so the 515E has been upgraded to version 7 but I can't upgrade the 506 to version 7. It must use 6.3 anyway.