Community Member

IPsec VPN with 2 PIX firewalls and 1 2600 router

Does anyone know if it's possible to set up a full mesh VPN topology when using 2 Cisco PIX firewalls and 1 Cisco 2600 router? I have no issues at all getting the VPN up between the PIX firewalls and 1 tunnel up between the router and PIX. The problem I am having is when trying to get the second tunnel from the router to the second PIX up and running.

5 REPLIES
Hall of Fame Super Blue

Re: IPsec VPN with 2 PIX firewalls and 1 2600 router

Hi

All the devices you mention can do multiple tunnels so there should not be an issue with creating a full mesh between them.

Suspect it may be a configuration issue? Perhaps you could post the configs.

Jon

Community Member

Re: IPsec VPN with 2 PIX firewalls and 1 2600 router

Here are the configs I have right now. The PIX VPN is working just fine, so I think there is something missing on the router side of the VPN to the 2 PIX firewalls.

Thanks

Hall of Fame Super Blue

Re: IPsec VPN with 2 PIX firewalls and 1 2600 router

Hi

Which VPN tunnel is not working?

In your router config it is a bit confusing, as access-list 101 refers to 192.168.31.0/24, which matches all your other configs on the PIX firewalls.

Access-list 102, however, references 192.168.3.x. Unless this is a typo, this would mean that this traffic would get NATed and hence would not initiate a VPN tunnel, i.e.:

PIX1 thinks traffic should be coming from 192.168.31.0/24. However, because your access-list 102 is referencing 192.168.3.x/24, the 192.168.31.x traffic from your 2600 will get NATed and hence will not match at the PIX end.

Does this make sense?

Jon

Community Member

Re: IPsec VPN with 2 PIX firewalls and 1 2600 router

Yes, that did make some sense. I was able to get the tunnels all up and working in the mesh configuration by just rebuilding ACL 101 to deny the other 2 remote offices to bypass NAT.

access-list 101 deny ip 192.168.31.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.31.0 0.0.0.255 10.1.52.0 0.0.0.255
access-list 101 deny ip 192.168.31.0 0.0.0.255 10.169.88.0 0.0.0.255
access-list 101 permit ip 192.168.31.0 0.0.0.255 any

Then I just used my nonat policy to match ip address 101.

Once I did that, everything came up just fine and is working great now.

Thanks for your input it was good information.
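Jon's point in this thread is that the NAT-exemption ACL has to cover exactly the traffic the crypto ACLs select for each peer; anything it lets through to NAT is translated before the crypto map sees it and can never match the far side's crypto ACL. The following is an added worked example, not code from the thread or from Cisco: a small Python model of Cisco wildcard-mask ACL evaluation plus a check that flags crypto-ACL traffic the nonat ACL would still translate. The networks and the rebuilt ACL 101 are the ones posted above; the crypto ACL numbers 111-113, the peer labels, and the "broken" ACL 102 reproducing the 192.168.3.x typo are constructed for the example.

```python
"""Model of Cisco-style NAT exemption vs. crypto-ACL consistency (wildcard masks).

Added example: the router semantics are simplified to first-match ACL lookup
with an implicit deny, and `ip nat inside source route-map nonat` is taken to
translate exactly the traffic the route-map's `match ip address` ACL permits.
"""
import ipaddress
from typing import Dict, List, Tuple

# An address spec is (network_as_int, wildcard_as_int); wildcard bit 1 = "don't care".
Spec = Tuple[int, int]
Ace = Tuple[str, Spec, Spec]   # (action, src, dst)


def _parse_spec(tokens: List[str], i: int) -> Tuple[Spec, int]:
    """Parse 'any', 'host A', or 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wildcard), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> <permit|deny> ip <src> <dst>' (IP-only entries)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported ACL line: {line}")
    action = tokens[2]
    src, i = _parse_spec(tokens, 4)
    dst, _ = _parse_spec(tokens, i)
    return action, src, dst


def spec_matches(spec: Spec, addr: str) -> bool:
    """Cisco wildcard match: bits where the wildcard is 0 must equal the network."""
    net, wildcard = spec
    care = (~wildcard) & 0xFFFFFFFF
    return ((int(ipaddress.IPv4Address(addr)) ^ net) & care) == 0


def acl_action(acl: List[Ace], src: str, dst: str) -> str:
    """First-match evaluation; Cisco ACLs end with an implicit deny."""
    for action, s, d in acl:
        if spec_matches(s, src) and spec_matches(d, dst):
            return action
    return "deny"


def will_be_natted(nonat_acl: List[Ace], src: str, dst: str) -> bool:
    """A permit in the route-map's ACL means the route-map matches and the
    packet is translated; a deny means it is exempt and reaches the crypto map
    with its original source address."""
    return acl_action(nonat_acl, src, dst) == "permit"


def representative(spec: Spec) -> str:
    """One concrete address inside a spec (lowest host, e.g. x.y.z.1 for a /24)."""
    net, wildcard = spec
    return str(ipaddress.IPv4Address((net & ~wildcard & 0xFFFFFFFF) | (wildcard & 1)))


def find_nat_leaks(crypto_acls: Dict[str, List[Ace]], nonat_acl: List[Ace]) -> List[Tuple[str, str, str]]:
    """Return (peer, src, dst) for every crypto-ACL permit whose traffic the
    nonat ACL would still translate, i.e. traffic that cannot match the peer."""
    leaks = []
    for peer, acl in crypto_acls.items():
        for action, s, d in acl:
            if action != "permit":
                continue
            src, dst = representative(s), representative(d)
            if will_be_natted(nonat_acl, src, dst):
                leaks.append((peer, src, dst))
    return leaks


# Interesting-traffic ACLs per peer. Networks are from the thread; the ACL
# numbers 111-113 and the peer labels are constructed for this example.
CRYPTO_ACLS: Dict[str, List[Ace]] = {
    "pix1": [parse_ace("access-list 111 permit ip 192.168.31.0 0.0.0.255 192.168.1.0 0.0.0.255")],
    "pix2": [parse_ace("access-list 112 permit ip 192.168.31.0 0.0.0.255 10.1.52.0 0.0.0.255")],
    "site3": [parse_ace("access-list 113 permit ip 192.168.31.0 0.0.0.255 10.169.88.0 0.0.0.255")],
}

# Constructed nonat ACL reproducing the typo Jon spotted: the exemption for the
# pix1 network references 192.168.3.0/24 instead of 192.168.31.0/24, and site3
# has no exemption at all.
NONAT_BROKEN: List[Ace] = [parse_ace(l) for l in [
    "access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 102 deny ip 192.168.31.0 0.0.0.255 10.1.52.0 0.0.0.255",
    "access-list 102 permit ip 192.168.31.0 0.0.0.255 any",
]]

# The rebuilt ACL 101 exactly as posted in the thread.
NONAT_FIXED: List[Ace] = [parse_ace(l) for l in [
    "access-list 101 deny ip 192.168.31.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 101 deny ip 192.168.31.0 0.0.0.255 10.1.52.0 0.0.0.255",
    "access-list 101 deny ip 192.168.31.0 0.0.0.255 10.169.88.0 0.0.0.255",
    "access-list 101 permit ip 192.168.31.0 0.0.0.255 any",
]]

if __name__ == "__main__":
    print("broken nonat, traffic that gets translated:", find_nat_leaks(CRYPTO_ACLS, NONAT_BROKEN))
    print("fixed nonat, traffic that gets translated: ", find_nat_leaks(CRYPTO_ACLS, NONAT_FIXED))
```

Run against the broken ACL, the check reports the pix1 and site3 tunnels as leaking (their traffic hits the final `permit ... any` and is translated), which is exactly the symptom in the thread: one PIX tunnel works, the other never comes up. Against the rebuilt ACL 101 it reports nothing. The same check is a useful pre-change test whenever a new VPN peer is added to a router that also does overload NAT: every new crypto-ACL line needs a matching deny in the nonat ACL.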

Hall of Fame Super Blue

Re: IPsec VPN with 2 PIX firewalls and 1 2600 router

No problem, glad you got it sorted.

Jon
