New Member

Multiple VPN

Hi,

My network looks like this:

ASA1(7.2.2)

||

INTERNET=====PIX (6.3.5)

||

ASA2(7.2.2)

I would like ASA1 to be able to access the PIX network and the ASA2 network.

I would also like ASA2 to be able to access the PIX network via ASA1, as well as the ASA1 network.

And finally, I would like the PIX to be able to access the ASA2 network via ASA1, as well as the ASA1 network.

Is it possible to do so?

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions
Green

Re: Multiple VPN

Yes, it is possible to hairpin the traffic on the outside interfaces of the ASAs to get the traffic over the tunnels to the PIX.

You need to enable same-security-traffic permit intra-interface. You also need to add the traffic to your crypto and NAT exemption ACLs (only if running outside NAT). Here is a good doc with an example... these are PIXes, but the config in the version 7 PIX is pretty much the same.

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

Please rate if it helps.
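Worked illustration of the three pieces the accepted answer names, as they would look on ASA1 (the hub that hairpins ASA2's traffic towards the PIX). This is an added example, not taken from the thread or the linked Cisco document; the subnets, peer addresses and ACL names are constructed placeholders, and the ISAKMP policy and tunnel-group pre-shared keys are assumed to already be configured.

```cisco
! Constructed addressing (placeholders, not from the thread):
!   ASA1 inside 10.1.0.0/24   outside 203.0.113.1
!   ASA2 inside 10.2.0.0/24   outside 203.0.113.2
!   PIX  inside 10.3.0.0/24   outside 203.0.113.3

! 1. Let traffic that arrives on 'outside' (from the ASA2 tunnel) leave via
!    'outside' again (into the PIX tunnel). Without this the ASA drops it.
same-security-traffic permit intra-interface

! 2. Crypto ACLs. The tunnel to ASA2 must carry the PIX LAN as well as ASA1's
!    own LAN, and the tunnel to the PIX must carry ASA2's LAN as well.
access-list ASA1-TO-ASA2 extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list ASA1-TO-ASA2 extended permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list ASA1-TO-PIX extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
access-list ASA1-TO-PIX extended permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0

! 3. NAT exemption. Cover the hairpinned ASA2<->PIX flows in both directions;
!    the 'nat (outside) 0' line is only needed if outside NAT is configured.
access-list NONAT extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list NONAT extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
access-list NONAT extended permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0
access-list NONAT extended permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (outside) 0 access-list NONAT

! One crypto map entry per peer, both bound to the outside interface.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address ASA1-TO-ASA2
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 20 match address ASA1-TO-PIX
crypto map OUTSIDE_MAP 20 set peer 203.0.113.3
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! The spokes need mirror-image crypto ACLs: on ASA2 the ACL towards ASA1 must
! cover 10.2.0.0/24 -> 10.1.0.0/24 AND 10.2.0.0/24 -> 10.3.0.0/24; likewise on
! the PIX, 10.3.0.0/24 -> 10.1.0.0/24 AND 10.3.0.0/24 -> 10.2.0.0/24.
```

If a spoke's crypto ACL omits the far LAN the tunnel still comes up, but the hairpinned flows never match a proxy identity and are silently dropped, so check `show crypto ipsec sa` for an SA whose local/remote identities include the transit subnets.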

3 REPLIES
New Member

Re: Multiple VPN

Hi,

It is possible. This is called 'Mesh VPN', that is, each device will have a separate tunnel to all other devices in the network topology.

On the device ASA1(7.2.2.2):

------------------------------

Create a site-to-site vpn to PIX

create another site-to-site vpn to ASA2

On the device ASA2:

-------------------

Create a site-to-site vpn to PIX

create another site-to-site vpn to ASA1

On the device PIX:

-------------------

Create a site-to-site vpn to ASA2

create another site-to-site vpn to ASA1

Hope it helps.

--Jaffer

New Member

Re: Multiple VPN

Hi,

Well, that is not exactly what I want to do.

I don't want a direct VPN tunnel between ASA2 and the PIX. I want ASA2 to go to the PIX through ASA1.
