PIX VPN mesh with access to multiple subnets at one of the sites?
I wonder whether any of the experts in this group can help me.
I have three sites (a 'central' one, and two remotes), each with a single subnet, and that are interconnected with a PIX-PIX IPsec VPN mesh. The whole thing has worked flawlessly since originally set up a few months ago, in that it provides intervisibility between IP hosts at each of the three sites.
I now have to move some of the servers at the central site to their own subnet on their own VLAN (named 'Databases' at 192.168.3.0/24). I need to be able to provide connectivity to hosts on the Databases subnet/VLAN from the two remote sites. However, I just have not been able to make this work.
With the central and remote configurations that are attached, if I do 'debug packet Databases' and then ping a host on the Databases VLAN at Central from the remote site, I can see the echo packet being sent to the host on the Databases subnet/VLAN, and I can see the echo reply being sent back from that host to the central PIX.
I can also see the hitcount increment on the
access-list Databases_acl permit icmp any any echo-reply
rule (that is generated from the object group named 'ICMP-allowed') on the central PIX.
However, I do not see the encapsulated packets count increment on the PIX at the central site end of the IPsec SA with the remote site that originated the ping. And, needless to say, the host from which I sent the ping does not see any response.
Can anybody point me at what I've got wrong in the attached configs? Note that other required access to the Databases subnet/VLAN from the 10.0.0.0/24 subnet at the central site, and from two other subnets, 10.0.1.0/24 and 10.0.2.0/24 (that are each connected via a router), all works fine. The problem is only with the VPN-connected sites that have the 10.0.3.0/24 and 10.0.4.0/24 subnets on their inside interfaces. I realise that, in what follows, some of the ACLs show signs of my increasing desperation to get the required setup working:
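The symptom described above (the echo reaches the Databases host and the echo reply reaches the central PIX, but the encapsulated-packet counter on the IPsec SA to that remote never moves) is the one a PIX shows when the return flow is not selected for encryption. On a PIX, a packet leaving the outside interface is only handed to IPsec if it matches the crypto map's interesting-traffic ACL, and NAT (including NAT exemption) is evaluated before that ACL is consulted. The fragment below is an added illustration of the entries a new central-site subnet needs on the central PIX; it is not taken from the poster's attached configs. The interface name Databases and the subnets are from the post; the ACL names vpn_to_remote1 and nonat, the crypto map name outside_map, the transform set name and the peer address 203.0.113.1 are hypothetical placeholders.

```cisco
! Added example, not the poster's configuration. Names other than the
! Databases interface and the subnets quoted in the post are hypothetical.

! 1. Interesting-traffic ACL for the crypto map entry that points at the
!    remote whose inside subnet is 10.0.3.0/24. The new Databases subnet
!    must be listed as a source alongside the original central subnet,
!    otherwise replies from 192.168.3.x leave the outside interface in the clear
!    (or are dropped) and never count against the SA.
access-list vpn_to_remote1 permit ip 10.0.0.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list vpn_to_remote1 permit ip 192.168.3.0 255.255.255.0 10.0.3.0 255.255.255.0

! 2. NAT exemption for the same pairs, applied on every inside-facing
!    interface the protected hosts sit behind. nat 0 is evaluated before the
!    crypto ACL, so a translated source address would no longer match line 1.
access-list nonat permit ip 10.0.0.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 10.0.3.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (Databases) 0 access-list nonat

! 3. Crypto map entry for that remote (peer address is a placeholder).
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn_to_remote1
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

! 4. Allow decrypted IPsec traffic to bypass the outside interface ACL.
sysopt connection permit-ipsec
```

The remote PIX needs the mirror image: its crypto ACL and its nat 0 ACL must both carry a line from 10.0.3.0/24 to 192.168.3.0/24, and the second remote (10.0.4.0/24) gets the same treatment with its own subnet. After the change, `show crypto ipsec sa` on the central PIX should list a separate SA pair whose local identity is 192.168.3.0/255.255.255.0 and whose remote identity is 10.0.3.0/255.255.255.0; if only the 10.0.0.0/24 pair appears, the Databases lines in one of the two crypto ACLs are still missing or ordered after a broader deny.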