New Member

VPN3k and inter-spoke communication - Need official Cisco position

Hi Experts.

Will a Cisco VPN3k in the headend of a hub-and-spoke IPSEC network be able to route packets between spokes?

In the spokes I have Cisco PIX firewalls.

Thank you

michele

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: VPN3k and inter-spoke communication - Need official Cisco po

Yes, provided that each spoke's subnet is included in the network lists sent to every other spoke. Remember that the PIX will only forward traffic over the tunnel that matches its crypto access-list, so this ACL has to include the subnets behind every other PIX. Consequently, the ACLs on the 3000 have to include all of these networks as the local network.

This is quite easy to do if you set up your spoke networks correctly. A good way to do this is make sure each spoke subnet is say, a subnet of 10.0.0.0/8. So spoke A is 10.1.1.0/24, spoke B is 10.2.2.0/24, spoke C is 10.3.3.0/24, etc.

Then your PIX ACL for spoke A just has to be:

access-list ipsec permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.0.0.0

PIX ACL for spoke B just has to be:

access-list ipsec permit ip 10.2.2.0 255.255.255.0 10.0.0.0 255.0.0.0

You then just have the reverse on the 3000 and everything gets routed accordingly.
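The addressing scheme in the accepted answer can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: it generates the one-line PIX crypto ACL per spoke and the mirrored VPN 3000 network lists, and flags the two things that break spoke-to-spoke forwarding under this scheme, a spoke LAN outside the 10.0.0.0/8 aggregate (so the other PIXes' crypto ACLs never match traffic to it) and overlapping spoke LANs. Spoke names and the 10/8 aggregate are taken from the answer; the helper names are assumptions.

```python
import ipaddress

# Aggregate that every spoke PIX ACL matches on, as in the answer.
AGGREGATE = ipaddress.ip_network("10.0.0.0/8")


def networks(cidrs):
    """Convert {spoke name: CIDR string} to ip_network objects."""
    return {name: ipaddress.ip_network(cidr) for name, cidr in cidrs.items()}


# Constructed topology: the three spoke LANs the answer uses.
SPOKES = networks({"A": "10.1.1.0/24", "B": "10.2.2.0/24", "C": "10.3.3.0/24"})


def pix_crypto_acl(local, aggregate=AGGREGATE):
    """The single crypto ACL line a spoke PIX needs: its LAN to the whole aggregate."""
    return (f"access-list ipsec permit ip {local.network_address} {local.netmask} "
            f"{aggregate.network_address} {aggregate.netmask}")


def hub_network_lists(spokes, aggregate=AGGREGATE):
    """The 'reverse' on the VPN 3000: per spoke tunnel, local = aggregate, remote = spoke LAN."""
    return {name: (aggregate, net) for name, net in spokes.items()}


def inter_spoke_problems(spokes, aggregate=AGGREGATE):
    """Reasons why spoke-to-spoke traffic would NOT be tunneled end to end.

    Src LAN -> dst LAN must match the src PIX ACL (src -> aggregate), the hub list
    for the dst tunnel (aggregate -> dst) and the dst PIX ACL (dst -> aggregate).
    With the aggregate scheme this holds iff every spoke LAN is inside the
    aggregate and no two spoke LANs overlap (overlap makes hub routing ambiguous).
    """
    problems = []
    names = list(spokes)
    for name in names:
        if not spokes[name].subnet_of(aggregate):
            problems.append(f"{name}: {spokes[name]} is outside {aggregate}; "
                            f"other PIX crypto ACLs will not match traffic to it")
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if spokes[a].overlaps(spokes[b]):
                problems.append(f"{a}/{b}: {spokes[a]} overlaps {spokes[b]}")
    return problems


if __name__ == "__main__":
    for name, net in SPOKES.items():
        print(f"spoke {name}: {pix_crypto_acl(net)}")
    print("hub lists:", hub_network_lists(SPOKES))
    print("problems:", inter_spoke_problems(SPOKES) or "none")
```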

