
New Member

2 site to site VPNs on Pix 506 E

Hi,

I have two sites connecting via a hub site, Bangalore, where I have a PIX 506E. I have a site-to-site VPN tunnel on both the inside and outside interfaces of the PIX. Can I get the two to communicate amongst themselves? Will two IPsec tunnels on two different interfaces of the same PIX work and communicate between the two sites?

5 REPLIES

Re: 2 site to site VPNs on Pix 506 E

Hi, yes you can, but you will have to include the spoke sites in the respective crypto map you are using. For example, if the hub site is 10.10.10.0/24, spoke 1 is 20.20.20.0/24 and spoke 2 is 30.30.30.0/24, then:

1.- the tunnel from spoke 1 to the hub needs to include

from 20.20.20.0/24 to 10.10.10.0/24

from 20.20.20.0/24 to 30.30.30.0/24

2.- the tunnel from spoke 2 to the hub needs to include

from 30.30.30.0/24 to 10.10.10.0/24

from 30.30.30.0/24 to 20.20.20.0/24

The access list applied to the crypto map on your hub has to be modified accordingly as well.

I hope it helps. Please rate if it does!

New Member

Re: 2 site to site VPNs on Pix 506 E

The crypto ACL is already in place. Sent the attachment.


New Member

This discussion has been modified to comply with the CSC terms of use conditions.


Re: 2 site to site VPNs on Pix 506 E

Forgot to mention that the routing needs to be modified accordingly so that spoke 1 knows how to get to spoke 2.

Cisco Employee

Re: 2 site to site VPNs on Pix 506 E

Hello,

Routing will be a nightmare in this scenario.

But it is possible.

Assume your network is :

pix1------(out)-PIX_A-(in)-------pix2

pix1 network = 192.168.1.0/24

pix2 network = 192.168.2.0/24

PIX_A net = 192.168.3.0/24

First check the tunnel from pix1 to PIX_A.

crypto acl in pix1

permit ip 192.168.1.0/24 192.168.3.0/24

in PIX_A

permit ip 192.168.3.0/24 192.168.1.0/24

The above is a normal tunnel and no extra routing is needed because of "route outside 0 0".

Then check the tunnel between pix2 and PIX_A.

crypto acl in pix2

permit ip 192.168.2.0/24 192.168.3.0/24

in PIX_A

permit ip 192.168.3.0/24 192.168.2.0/24

route inside 192.168.2.0 255.255.255.0

Then, for communication between pix2 and pix1 via PIX_A:

crypto acl in pix1

permit ip 192.168.1.0/24 192.168.3.0/24

permit ip 192.168.1.0/24 192.168.2.0/24

pix2

permit ip 192.168.2.0/24 192.168.3.0/24

permit ip 192.168.2.0/24 192.168.1.0/24

PIX_A

permit ip 192.168.3.0/24 192.168.1.0/24

permit ip 192.168.2.0/24 192.168.1.0/24

permit ip 192.168.1.0/24 192.168.2.0/24

Routing in PIX_A

route outside 0 0 (in case you go out to the Internet via the outside interface)

route outside 192.168.1.0 255.255.255.0

route inside 192.168.2.0 255.255.255.0

This is going to be a little complicated. Please use at your own risk :-)

Vikas

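Both replies above make the same point from different angles: for spoke-to-spoke traffic to hairpin through the hub, every tunnel's crypto ACL must carry the transit networks as well as the local ones, and each entry must be mirrored on the peer, or IKE phase 2 proxy-ID negotiation fails for that flow. The script below is an added example, not code from the thread or from Cisco; it audits a set of crypto ACLs against those two rules. The device names (pix1, pix2, PIX_A) and addressing follow the Cisco Employee's reply, but the ACL sets are constructed here, and one hub transit entry is deliberately omitted so the report shows what a gap looks like. It accepts both the shorthand used in the thread (192.168.1.0/24) and PIX mask syntax (192.168.1.0 255.255.255.0).

```python
"""Consistency check for crypto ACLs in a hub-and-spoke IPsec design where
spoke-to-spoke traffic transits the hub.

Rule 1 (mirror image): every 'permit ip SRC DST' on one end of a tunnel must
appear as 'permit ip DST SRC' on the peer, or phase 2 proxy IDs will not match.
Rule 2 (transit coverage): the hub's ACL toward spoke X must carry hub->X and
every other spoke's net->X; a spoke's ACL toward the hub must carry
spoke->hub and spoke->every other spoke.
"""
from ipaddress import ip_network
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str]                 # (source CIDR, destination CIDR)
Acl = Set[Flow]
Tunnels = Dict[Tuple[str, str], Acl]   # (local device, peer device) -> crypto ACL


def parse_crypto_acl(text: str) -> Acl:
    """Parse 'permit ip SRC DST' lines. SRC/DST may be CIDR (a.b.c.d/len) or
    PIX style (a.b.c.d mask). Other lines (remarks, deny, 'any') are ignored."""
    flows: Acl = set()
    for raw in text.splitlines():
        toks = raw.split()
        if len(toks) < 4 or toks[:2] != ["permit", "ip"]:
            continue
        addrs = toks[2:]
        nets = []
        while addrs:
            first = addrs.pop(0)
            if "/" in first:
                nets.append(ip_network(first, strict=False))
            elif addrs:                       # address followed by a netmask
                nets.append(ip_network(f"{first}/{addrs.pop(0)}", strict=False))
            else:
                raise ValueError(f"cannot parse crypto ACL line: {raw!r}")
        if len(nets) != 2:
            raise ValueError(f"cannot parse crypto ACL line: {raw!r}")
        flows.add((str(nets[0]), str(nets[1])))
    return flows


def mirror_gaps(local: Acl, peer: Acl) -> List[Flow]:
    """Flows in `local` whose reverse is absent from the peer's ACL."""
    return sorted(f for f in local if (f[1], f[0]) not in peer)


def required_flows(device: str, peer: str, hub: str, nets: Dict[str, str]) -> Acl:
    """Flows the crypto ACL on `device` toward `peer` must contain so that
    every spoke reaches every other spoke through the hub."""
    spokes = [d for d in nets if d != hub]
    if device == hub:
        return {(nets[hub], nets[peer])} | {(nets[s], nets[peer]) for s in spokes if s != peer}
    return {(nets[device], nets[hub])} | {(nets[device], nets[s]) for s in spokes if s != device}


def audit(tunnels: Tunnels, hub: str, nets: Dict[str, str]) -> List[str]:
    """Return a sorted list of human-readable findings; empty means consistent."""
    findings: List[str] = []
    for (dev, peer), acl in tunnels.items():
        for src, dst in sorted(required_flows(dev, peer, hub, nets) - acl):
            findings.append(f"{dev}->{peer}: missing permit ip {src} {dst}")
        for src, dst in mirror_gaps(acl, tunnels.get((peer, dev), set())):
            findings.append(f"{peer}->{dev}: no mirror of {dev}'s permit ip {src} {dst}")
    return sorted(findings)


# Constructed sample (hypothetical): hub PIX_A terminates pix1 on its outside
# interface and pix2 on its inside interface, as in the thread.
HUB = "PIX_A"
NETS = {"PIX_A": "192.168.3.0/24", "pix1": "192.168.1.0/24", "pix2": "192.168.2.0/24"}

TUNNELS: Tunnels = {
    ("pix1", "PIX_A"): parse_crypto_acl("""
        permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
        permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    """),
    ("pix2", "PIX_A"): parse_crypto_acl("""
        permit ip 192.168.2.0/24 192.168.3.0/24
        permit ip 192.168.2.0/24 192.168.1.0/24
    """),
    ("PIX_A", "pix1"): parse_crypto_acl("""
        permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
        permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
    """),
    # Transit entry 192.168.1.0 -> 192.168.2.0 deliberately left out here.
    ("PIX_A", "pix2"): parse_crypto_acl("""
        permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
    """),
}

if __name__ == "__main__":
    for line in audit(TUNNELS, HUB, NETS) or ["crypto ACLs consistent"]:
        print(line)
```

The two findings the sample produces both point at the hub's inside-interface crypto map: the rule-2 check says the spoke 1 to spoke 2 transit entry is missing, and the rule-1 check says pix2's `permit ip 192.168.2.0/24 192.168.1.0/24` has no mirror on PIX_A. Adding the single missing entry clears both. On a PIX 6.x hub the same spoke-to-spoke networks also need a NAT exemption (`nat 0 access-list`) so the hairpinned traffic is not translated before it is re-encrypted, which the script does not check.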