VPN3k and inter-spoke communication - Need official Cisco position

m.laporta
Level 1

Hi Experts.

Will a Cisco VPN3k in the headend of a hub-and-spoke IPSEC network be able to route packets between spokes?

In the spokes I have Cisco Pix Firewalls.

Thank you

michele

1 Accepted Solution

Accepted Solutions

gfullage
Cisco Employee

Yes, provided that each spoke's subnet is included in the network lists sent to each other spoke. Remember that the PIX will only forward traffic over the tunnel that matches its crypto access-list, so this ACL has to include the subnets behind each other PIX. Consequently, the ACLs on the 3000 have to include all of these networks as the local network.

This is quite easy to do if you set up your spoke networks correctly. A good way to do this is make sure each spoke subnet is say, a subnet of 10.0.0.0/8. So spoke A is 10.1.1.0/24, spoke B is 10.2.2.0/24, spoke C is 10.3.3.0/24, etc.

Then your PIX ACL for spoke A just has to be:

access-list ipsec permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.0.0.0

PIX ACL for spoke B just has to be:

access-list ipsec permit ip 10.2.2.0 255.255.255.0 10.0.0.0 255.0.0.0

You then just have the reverse on the 3000 and everything gets routed accordingly.

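To check the crypto-ACL reasoning in the answer above, here is a small model written for this page (not Cisco's code and not a configuration dump): it parses PIX-style `access-list ... permit ip` lines, mirrors them for the hub as the answer describes, and traces whether a packet from one spoke is "interesting traffic" at the spoke, is accepted by the hub, and is re-encrypted toward the right destination spoke. The hub's network lists are assumed to be expressible in the same PIX syntax; the addresses are the ones from the answer.

```python
import ipaddress

# Spoke crypto ACLs as given in the answer (constructed copies, not a live config).
SPOKE_ACLS = {
    "A": "access-list ipsec permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.0.0.0",
    "B": "access-list ipsec permit ip 10.2.2.0 255.255.255.0 10.0.0.0 255.0.0.0",
}
# The "reverse" on the VPN 3000 hub, one entry per spoke tunnel:
# local = the 10/8 supernet, remote = that spoke's subnet (assumed PIX-style syntax).
HUB_ACLS = {
    "A": "access-list ipsec permit ip 10.0.0.0 255.0.0.0 10.1.1.0 255.255.255.0",
    "B": "access-list ipsec permit ip 10.0.0.0 255.0.0.0 10.2.2.0 255.255.255.0",
}


def parse_acl(line):
    """Parse 'access-list NAME permit ip SRC MASK DST MASK' into (src_net, dst_net)."""
    f = line.split()
    if len(f) != 8 or f[0] != "access-list" or f[2] != "permit" or f[3] != "ip":
        raise ValueError("unsupported ACL syntax: " + line)
    src = ipaddress.ip_network(f"{f[4]}/{f[5]}", strict=False)
    dst = ipaddress.ip_network(f"{f[6]}/{f[7]}", strict=False)
    return src, dst


def matches(line, src_ip, dst_ip):
    """True if src_ip -> dst_ip is interesting traffic for this crypto ACL."""
    src, dst = parse_acl(line)
    return ipaddress.ip_address(src_ip) in src and ipaddress.ip_address(dst_ip) in dst


def inter_spoke_path(src_spoke, src_ip, dst_ip):
    """Trace a packet: spoke -> hub tunnel, hub proxy check, hub -> destination spoke.
    Returns the destination spoke name, or None if a crypto ACL stops it somewhere."""
    if not matches(SPOKE_ACLS[src_spoke], src_ip, dst_ip):
        return None  # spoke PIX does not tunnel it at all
    hub_local, hub_remote = parse_acl(HUB_ACLS[src_spoke])
    if not (ipaddress.ip_address(src_ip) in hub_remote
            and ipaddress.ip_address(dst_ip) in hub_local):
        return None  # decrypted packet fails the hub's mirrored proxy identities
    for spoke, acl in HUB_ACLS.items():
        if spoke != src_spoke and matches(acl, src_ip, dst_ip):
            return spoke  # hub re-encrypts toward the spoke whose ACL covers dst
    return None  # inside 10/8 but no spoke covers it: black-holed at the hub, not leaked
```

Note that the 10/8 supernet makes the spoke tunnel any 10.x destination, including ones no spoke serves; the model shows those are dropped at the hub rather than routed, which is worth confirming on the real hub before relying on it.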

