2 site to site VPNs on Pix 506 E

pshemrudkar
Level 1

Hi,

I have two sites connecting via a hub site in Bangalore, where I have a PIX 506E. I have a site-to-site VPN tunnel on both the inside and the outside interface of the PIX. Can I get the two to communicate with each other? Will two IPsec tunnels on two different interfaces of the same PIX work and allow communication between the two sites?

5 Replies

Fernando_Meza
Level 7

Hi .. yes you can, but you will have to include the spoke sites in the respective crypto map you are using. For example, if the hub site is 10.10.10.0/24, spoke 1 is 20.20.20.0/24 and spoke 2 is 30.30.30.0/24, then

1.- tunnel from spoke one to Hub needs to include

from 20.20.20.0/24 to 10.10.10.0/24

from 20.20.20.0/24 to 30.30.30.0/24

2.- tunnel from spoke two to Hub needs to include

from 30.30.30.0/24 to 10.10.10.0/24

from 30.30.30.0/24 to 20.20.20.0/24

The access-list applied to the crypto map on your hub router has to be modified accordingly as well.

I hope it helps ... please rate if it does !!!

The crypto ACL is already in place. Sent the attachment.

This discussion has been modified to comply to the CSC terms of use conditions.


Fernando_Meza
Level 7

Forgot to mention that the routing needs to be modified accordingly so that spoke 1 knows how to get to spoke 2.

Vikas Saxena
Cisco Employee

Hello,

Routing will be a nightmare in this scenario.

But it is possible.

Assume your network is:

pix1------(out)-PIX_A-(in)-------pix2

pix1 network = 192.168.1.0/24

pix2 network = 192.168.2.0/24

PIX_A net = 192.168.3.0/24

First check the tunnels from pix1 to PIX_A.

crypto acl in pix1

permit ip 192.168.1.0/24 192.168.3.0/24

in PIX_A

permit ip 192.168.3.0/24 192.168.1.0/24

The above is a normal tunnel, and no routing is needed because of route outside 0 0.

Then check the tunnel between pix2 and PIX_A.

crypto acl in pix2

permit ip 192.168.2.0/24 192.168.3.0/24

in PIX_A

permit ip 192.168.3.0/24 192.168.2.0/24

route inside 192.168.2.0 255.255.255.0

Then communication between pix2 and pix1 via PIX_A:

crypto acl in pix1

permit ip 192.168.1.0/24 192.168.3.0/24

permit ip 192.168.1.0/24 192.168.2.0/24

pix2

permit ip 192.168.2.0/24 192.168.3.0/24

permit ip 192.168.2.0/24 192.168.1.0/24

PIX_A

permit ip 192.168.3.0/24 192.168.1.0/24

permit ip 192.168.2.0/24 192.168.1.0/24

permit ip 192.168.1.0/24 192.168.2.0/24

Routing in PIX_A

route outside 0 0 (in case you go out to the Internet via outside)

route outside 192.168.1.0 255.255.255.0

route inside 192.168.2.0 255.255.255.0

This is going to be a little complicated. Please use at your own risk :-)

Vikas
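As an added check for the two designs above (Fernando's hub-and-spoke ACL rule and Vikas's pix1/PIX_A/pix2 layout), here is a small Python model that verifies three things before anyone touches a PIX: that every crypto ACL entry is mirrored on the peer, that the spoke-to-spoke flow is carried by both tunnel legs, and that the hub routes each spoke's network out the interface its tunnel terminates on. This is example code written for this thread, not a Cisco tool and not the posters' own configuration. It assumes the `permit ip <src>/<len> <dst>/<len>` shorthand used in the thread, and it assumes PIX_A's entries are split into one crypto ACL per peer (the post lists them as one block); the device names, interface names and the `Tunnel` structure are my own.

```python
"""Sanity-check a PIX hub-and-spoke IPsec design: crypto ACL mirroring,
spoke-to-spoke proxy identities, and hub routing toward each spoke.
Example code for this thread; networks below are the ones Vikas used."""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


def parse_acl(lines):
    """Parse the thread's shorthand 'permit ip <src>/<len> <dst>/<len>' into network pairs."""
    pairs = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[:2] != ["permit", "ip"]:
            raise ValueError(f"unrecognised crypto ACL line: {line!r}")
        pairs.append((Net(parts[2]), Net(parts[3])))
    return pairs


def covers(acl, src, dst):
    """True if some ACL entry's proxy identity includes the src->dst flow."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in acl)


@dataclass
class Tunnel:
    spoke: str        # spoke device name (hypothetical label)
    hub_iface: str    # hub interface the tunnel terminates on
    spoke_acl: list   # crypto ACL on the spoke (src = spoke side, dst = remote)
    hub_acl: list     # crypto ACL on the hub for this peer (src = hub side, dst = spoke)


def mirror_problems(t):
    """Each proxy identity must appear reversed on the other peer, or phase 2 will not match."""
    out = []
    for s, d in t.spoke_acl:
        if not covers(t.hub_acl, d, s):
            out.append(f"{t.spoke}: hub ACL lacks mirror of permit ip {s} {d}")
    for s, d in t.hub_acl:
        if not covers(t.spoke_acl, d, s):
            out.append(f"{t.spoke}: spoke ACL lacks mirror of permit ip {s} {d}")
    return out


def lookup_route(routes, net):
    """Longest-prefix match over (network, interface) static routes; None if no route."""
    best = None
    for rnet, iface in routes:
        if net.subnet_of(rnet) and (best is None or rnet.prefixlen > best[0].prefixlen):
            best = (rnet, iface)
    return best[1] if best else None


def spoke_to_spoke_problems(t1, net1, t2, net2, hub_routes):
    """Check that net1 -> net2 (and back) is carried over both tunnels and routed on the hub."""
    out = []
    # Leg 1: spoke1 encrypts net1->net2 toward the hub; the hub must accept net2->net1 from spoke1.
    if not covers(t1.spoke_acl, net1, net2):
        out.append(f"{t1.spoke} ACL lacks permit ip {net1} {net2}")
    if not covers(t1.hub_acl, net2, net1):
        out.append(f"hub ACL for {t1.spoke} lacks permit ip {net2} {net1}")
    # Leg 2: the hub re-encrypts net1->net2 toward spoke2, which must mirror it.
    if not covers(t2.hub_acl, net1, net2):
        out.append(f"hub ACL for {t2.spoke} lacks permit ip {net1} {net2}")
    if not covers(t2.spoke_acl, net2, net1):
        out.append(f"{t2.spoke} ACL lacks permit ip {net2} {net1}")
    # Routing: the hub must send each spoke's network out the interface its tunnel sits on.
    for t, net in ((t1, net1), (t2, net2)):
        got = lookup_route(hub_routes, net)
        if got != t.hub_iface:
            out.append(f"hub routes {net} via {got}, but {t.spoke}'s tunnel is on {t.hub_iface}")
    return out


PIX1_NET, PIX2_NET = Net("192.168.1.0/24"), Net("192.168.2.0/24")


def vikas_design():
    """Vikas's layout: pix1 on PIX_A's outside, pix2 on its inside (constructed from the post)."""
    t_pix1 = Tunnel("pix1", "outside",
                    parse_acl(["permit ip 192.168.1.0/24 192.168.3.0/24",
                               "permit ip 192.168.1.0/24 192.168.2.0/24"]),
                    parse_acl(["permit ip 192.168.3.0/24 192.168.1.0/24",
                               "permit ip 192.168.2.0/24 192.168.1.0/24"]))
    t_pix2 = Tunnel("pix2", "inside",
                    parse_acl(["permit ip 192.168.2.0/24 192.168.3.0/24",
                               "permit ip 192.168.2.0/24 192.168.1.0/24"]),
                    parse_acl(["permit ip 192.168.3.0/24 192.168.2.0/24",
                               "permit ip 192.168.1.0/24 192.168.2.0/24"]))
    hub_routes = [(Net("0.0.0.0/0"), "outside"),
                  (Net("192.168.1.0/24"), "outside"),
                  (Net("192.168.2.0/24"), "inside")]
    return t_pix1, t_pix2, hub_routes


def check_design(t1, t2, hub_routes):
    """Return all problems found; an empty list means the design is consistent."""
    return (mirror_problems(t1) + mirror_problems(t2)
            + spoke_to_spoke_problems(t1, PIX1_NET, t2, PIX2_NET, hub_routes))


if __name__ == "__main__":
    for problem in check_design(*vikas_design()) or ["design is consistent"]:
        print(problem)
```

Dropping the second entry from pix1's ACL (the common mistake Fernando's first reply warns about) makes the checker report both the missing spoke-to-spoke identity and the now-unmirrored hub entry; dropping the `route inside 192.168.2.0` line makes it report that PIX_A would send pix2's network out the default route instead of the inside interface.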
