VPN Concentrator to route traffic between end-point peers?
Have the following setup:
Site A (PIX501) connects to the central hub site (3015).
Site B (PIX501) also connects to the central hub site.
There is no tunnel set up between SiteA and SiteB.
What I've been trying to do is to get traffic from SiteA to SiteB, via the Concentrator.
At first I thought this might not be possible, but it does work. Here's how:
At the endpoint PIXes add the other endpoint subnet to the ACL that matches the crypto map and the NAT 0 rule. (SiteA's ACL will contain the subnets at the hub site and at SiteB).
On the hub site concentrator set up a new Network List containing ALL these subnets (three in this case). Then edit the Rules for the Lan-2-Lan tunnels by changing the destination list for the incoming filter rule and the source list for the outgoing rule - to the new list containing all the subnets.
This is what my log said before changing the rules:
Re: VPN Concentrator to route traffic between end-point peers?
This kind of setup is quite common, so you're not doing anything the concentrator wasn't designed to do. In fact if you search through the archives of this forum I've told probably half a dozen people to do exactly this previously, so good work in finding it for yourself.
For the concentrator there's really very little additional work here than if the packets were simply coming in from one tunnel and going onto the private network. It simply decrypts the packet as it comes in, checks that it has to go over another tunnel, and re-encrypts it and sends it on.
I don't know that this is documented anywhere specifically, but as I said, it's quite a common setup and the way you configured it is exactly how you must do it for one tunnel to talk to another.
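The spoke-side part of the procedure from the original post, written out as an added example (not the poster's own configuration): a PIX 501 running PIX 6.x syntax at Site A, whose crypto ACL and NAT 0 rule cover both the hub subnet and the Site B subnet. All addresses, names and the pre-shared key are constructed placeholders; the hub concentrator side is GUI-only and is summarised in comments.

```cisco
! Site A PIX 501 (PIX 6.x syntax) - constructed example
! Constructed addressing:
!   Site A LAN 192.168.1.0/24, Site B LAN 192.168.2.0/24,
!   hub LAN 10.0.0.0/24, concentrator public address 203.0.113.1
!
! One ACL serves both the crypto map (interesting traffic) and NAT 0.
! It lists the hub subnet AND the Site B subnet, so Site A -> Site B
! traffic is encrypted into the hub tunnel instead of being NATed or
! sent out in the clear.
access-list vpn_siteA permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list vpn_siteA permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list vpn_siteA
! Single LAN-to-LAN peer: the hub concentrator.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map hubmap 10 ipsec-isakmp
crypto map hubmap 10 match address vpn_siteA
crypto map hubmap 10 set peer 203.0.113.1
crypto map hubmap 10 set transform-set ESP-3DES-SHA
crypto map hubmap interface outside
isakmp enable outside
isakmp key PLACEHOLDER_PSK address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
! Let decrypted tunnel traffic bypass the outside interface ACL.
sysopt connection permit-ipsec
!
! Site B is the mirror image: its ACL lists the hub subnet and the
! Site A subnet, with the same NAT 0 and crypto map binding.
! access-list vpn_siteB permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.255.255.0
! access-list vpn_siteB permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
! nat (inside) 0 access-list vpn_siteB
!
! Hub concentrator (VPN 3000 GUI, as described in the post):
!   1. Configuration > Policy Management > Traffic Management > Network Lists:
!      create one list holding all three subnets.
!   2. Edit each LAN-to-LAN tunnel's filter rules: incoming rule destination
!      and outgoing rule source -> that combined list.
!   Keep the list to the subnets that actually need spoke-to-spoke access;
!   the filter rules are now the only control over Site A <-> Site B traffic.
```

Note that the hub's LAN-to-LAN network lists must also include the remote spoke subnet on each tunnel, otherwise the concentrator has no SA to re-encrypt the forwarded packet into.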