03-24-2007 07:25 PM
Does anyone know if it's possible to set up a full mesh VPN topology when using 2 Cisco PIX firewalls and 1 Cisco 2600 router? I have no issues at all getting the VPN up between the PIX firewalls and 1 tunnel up between the router and the PIX. The problem I am having is when trying to get the second tunnel from the router to the second PIX up and running.
03-25-2007 01:35 AM
Hi
All the devices you mention can do multiple tunnels so there should not be an issue with creating a full mesh between them.
I suspect it may be a configuration issue? Perhaps you could post the configs.
Jon
03-25-2007 08:47 AM
Here are the configs I have right now. The PIX VPN is working just fine, so I think there is something missing on the router side of the VPN to the 2 PIX firewalls.
Thanks
03-26-2007 01:43 AM
Hi
Which VPN tunnel is not working?
In your router config it is a bit confusing, as access-list 101 refers to 192.168.31.0/24, which matches all your other configs on the PIX firewalls.
Access-list 102, however, references 192.168.3.x. Unless this is a typo, this would mean that this traffic would get NATted and hence would not initiate a VPN tunnel, i.e.
PIX1 thinks traffic should be coming from 192.168.31.0/24. However, because your access-list 102 is referencing 192.168.3.x/24, the 192.168.31.x traffic from your 2600 will get NATted and hence will not match at the PIX end.
Does this make sense?
Jon
03-26-2007 08:41 PM
Yes, that did make some sense. I was able to get the tunnels all up and working in the mesh configuration just by rebuilding ACL 101 to deny the other 2 remote offices so that they bypass NAT.
access-list 101 deny ip 192.168.31.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.31.0 0.0.0.255 10.1.52.0 0.0.0.255
access-list 101 deny ip 192.168.31.0 0.0.0.255 10.169.88.0 0.0.0.255
access-list 101 permit ip 192.168.31.0 0.0.0.255 any
Then I just used my nonat policy to match ip address 101.
Once I did that, everything came up just fine and it is working great now.
Thanks for your input, it was good information.
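A small checker for the mistake Jon describes (a flow that matches the crypto ACL but is not exempted from NAT, so it never matches at the PIX end), added here as an example and not part of this thread or any poster's config. It parses ACEs in the wildcard-mask form posted above; the crypto ACL numbers 110/111 and the per-peer networks are constructed sample data.

```python
import ipaddress

# Constructed sample data (not the posters' real configs): one crypto ACL per PIX peer on
# the 2600 (ACL numbers 110/111 assumed), the nonat ACL 101 as posted, and a variant with
# the 192.168.3.0 typo Jon pointed out.
CRYPTO_ACLS = {
    "pix1": ["access-list 110 permit ip 192.168.31.0 0.0.0.255 192.168.1.0 0.0.0.255"],
    "pix2": ["access-list 111 permit ip 192.168.31.0 0.0.0.255 10.1.52.0 0.0.0.255"],
}
NONAT_FIXED = [
    "access-list 101 deny ip 192.168.31.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 101 deny ip 192.168.31.0 0.0.0.255 10.1.52.0 0.0.0.255",
    "access-list 101 deny ip 192.168.31.0 0.0.0.255 10.169.88.0 0.0.0.255",
    "access-list 101 permit ip 192.168.31.0 0.0.0.255 any",
]
NONAT_TYPO = [l.replace("192.168.31.0 ", "192.168.3.0 ", 1) for l in NONAT_FIXED[:3]] + NONAT_FIXED[3:]


def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC WC DST WC'; either side may be 'any'."""
    tok = line.split()
    action, rest, nets = tok[2], tok[4:], []
    while rest:
        if rest[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            rest = rest[1:]
        else:  # Cisco wildcard mask: 0 bits fixed, 1 bits free (contiguous mask assumed)
            hostbits = int(ipaddress.IPv4Address(rest[1])).bit_length()
            nets.append(ipaddress.ip_network(f"{rest[0]}/{32 - hostbits}", strict=False))
            rest = rest[2:]
    return action, nets[0], nets[1]


def first_match(acl, src, dst):
    """IOS tests ACEs top down; return the first action covering src->dst (implicit deny)."""
    for action, s, d in acl:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return "deny"


def check_nat_exemption(crypto_acls, nonat_lines):
    """Per tunnel flow: True if the nonat ACL denies it (the route-map then skips NAT, so
    the flow can match the crypto ACL at both ends), False if it would still be NATted."""
    nonat = [parse_ace(l) for l in nonat_lines]
    report = {}
    for peer, lines in crypto_acls.items():
        for action, s, d in map(parse_ace, lines):
            if action == "permit":
                report[(peer, str(d))] = first_match(nonat, s, d) == "deny"
    return report
```

With NONAT_TYPO every flow reports False because the deny lines name a different source network and the flow falls through to the final permit, which is exactly why the second tunnel never came up.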
03-26-2007 11:52 PM
No problem, glad you got it sorted.
Jon