
New Member

site-to-site VPN with multiple subnets on one side

Hi,

Two Pix firewalls connected with a site-to-site VPN. PIX A has several subnets behind - A1, A2, A3.

Pix B has only one inside subnet. I need to access all subnets at Site A from Site B.

1. Do I need to include all Site A subnets into a crypto map on Pix B?

So it would be something like this:

access-list outside_20_cryptomap extended permit ip NetworkB NetworkA1

access-list outside_20_cryptomap extended permit ip NetworkB NetworkA2

access-list outside_20_cryptomap extended permit ip NetworkB NetworkA3

2. Do I have to add routes to A1, A2, A3 on Pix B?

route outside networkA1 Router_Behind_Pix_A

3. Will a separate IPSec SA be coming up for traffic from B to subnets A1, A2, A3 ?

4. What mode of IPSec would it be - transport or tunnel?

Thank you very much.

Regards,

Alex

2 REPLIES
New Member

Re: site-to-site VPN with multiple subnets on one side

3. I think it should be a separate SA per ACL

4. it must be tunnel mode for site-to-site VPN

Hall of Fame Super Blue

Re: site-to-site VPN with multiple subnets on one side

Alex

1) Yes you do. You include all subnets that you need to access.

2) No, you don't. The crypto map access-list will match the traffic and know it has to be sent down the VPN tunnel. As long as traffic for Site A subnets from Site B ends up at Site B's PIX, you don't need to add routes on Site B's PIX.

3) Each line with your crypto map access-list will create a separate SA.

4) Tunnel mode.

HTH
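As an added example that is not part of the thread, the following Python script models points 1 and 3 of the reply above: it builds the per-subnet crypto ACL the poster sketched, derives the mirror-image ACL that the Site A PIX must carry for the tunnel to negotiate, and reports which ACE (and therefore which IPsec SA proxy identity) a given flow would land in. All addresses are constructed placeholders for NetworkB and NetworkA1..A3; the ACL name outside_20_cryptomap is the poster's. It does not talk to any device.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder subnets; the thread only names them NetworkB and NetworkA1..A3.
NETWORK_B = ipaddress.ip_network("10.2.0.0/24")
SITE_A_SUBNETS = {
    "NetworkA1": ipaddress.ip_network("10.1.1.0/24"),
    "NetworkA2": ipaddress.ip_network("10.1.2.0/24"),
    "NetworkA3": ipaddress.ip_network("10.1.3.0/24"),
}


@dataclass(frozen=True)
class CryptoAce:
    """One 'permit ip' line of a crypto map ACL: local (source) and remote (destination) proxy identities."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


def build_crypto_acl(local_net, remote_nets):
    """One permit line per remote subnet, as in the poster's outside_20_cryptomap on PIX B."""
    return [CryptoAce(local_net, r) for r in remote_nets.values()]


def mirror_acl(acl):
    """The peer's crypto ACL must be the mirror image (src/dst swapped); this builds it for PIX A."""
    return [CryptoAce(ace.remote, ace.local) for ace in acl]


def match_flow(acl, src, dst):
    """Return the first ACE a flow matches (its proxy-ID pair selects the SA), or None if it stays in the clear."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if src in ace.local and dst in ace.remote:
            return ace
    return None


def render(acl, name="outside_20_cryptomap"):
    """Emit PIX 7.x style 'access-list ... extended permit ip <net> <mask> <net> <mask>' lines."""
    return [
        f"access-list {name} extended permit ip "
        f"{a.local.network_address} {a.local.netmask} "
        f"{a.remote.network_address} {a.remote.netmask}"
        for a in acl
    ]


def sa_count(acl, flows):
    """Number of distinct proxy-ID pairs the flows touch, i.e. how many separate SAs would come up."""
    return len({match_flow(acl, s, d) for s, d in flows} - {None})


if __name__ == "__main__":
    pix_b_acl = build_crypto_acl(NETWORK_B, SITE_A_SUBNETS)
    print("PIX B:")
    print("\n".join(render(pix_b_acl)))
    print("PIX A (mirror image):")
    print("\n".join(render(mirror_acl(pix_b_acl))))
    # Constructed sample flows from Site B hosts to Site A hosts.
    flows = [("10.2.0.5", "10.1.1.1"), ("10.2.0.6", "10.1.1.2"), ("10.2.0.5", "10.1.3.9")]
    for s, d in flows:
        ace = match_flow(pix_b_acl, s, d)
        print(f"{s} -> {d}: {'SA ' + str(ace.local) + ' <-> ' + str(ace.remote) if ace else 'not encrypted'}")
    print("SAs needed for these flows:", sa_count(pix_b_acl, flows))
```

Two flows to hosts inside the same Site A subnet share one SA; a flow to a third subnet brings up another, which is the behaviour described in point 3. A destination outside every ACE simply does not match and is forwarded in the clear, so the ACL is the place to check when one subnet is reachable and another is not.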
