Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
931
Views
0
Helpful
6
Replies

PIX 501, 1 Static IP, 2 Dynamic IP. Possible Full Mesh?

Go to solution
r.banez
Level 1
Level 1

‎01-21-2004 03:39 AM

I have 3 sites. All sites have PIX 501. Central Site has static IP, 2 remote sites has dynamic IP.

I have no problem with the remote sites connecting to the central site using their dynamic IP in a hub and spoke connection.

Is it possible for the 2 remote sites communicate? There are some data that needs to be transfered between the remote sites. I've read somewhere in cisco web site that its possible via Full-mesh on demand.

Anybody has a sample config on a Site-to-Site VPN where Central site has static IP, and remote sites having dynamic IP? Remote sites learns dynamic IP of other remote sites from central server.

Thanks.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
gfullage
Cisco Employee
Cisco Employee
In response to r.banez

‎01-22-2004 03:21 PM

With IOS as your hub and spokes then yes, the spokes can dynamically learn the address of other spokes using NHRP. This type of setup is called Dynamic Multipoint VPN (DMVPN), you can read everything you ever wanted to know about it here:

http://www.cisco.com/warp/public/105/dmvpn.html

Even with EzVPN (not DMVPN) the spokes won't learn the address of other spokes, all communication is still via the hub. Calling another spoke would work, but as I said, the packets will go spoke-hub-spoke.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
gfullage
Cisco Employee
Cisco Employee

‎01-21-2004 05:10 PM

If these were IOS routers you could use DMVPN, but this is not supported on a PIX (this is the "full-mesh on demand" you mention I believe).

Similarly with IOS and VPN3000's, you could route the spoke-to-spoke traffic via the hub and everything would work, but the PIX won't route a packet back out the same interface it came in on, which includes IPSec traffic from one spoke going back out to another.

In short, I don't see any way to do this with a PIX as your hub. Sorry.

0 Helpful

Go to solution
r.banez
Level 1
Level 1
In response to gfullage

‎01-21-2004 06:10 PM

If I replace the hub(PIX) with an IOS Router, will this work? Can the PIX that are spoke be able to learn info about other spokes and intiate an on-demand tunnel?

Or the only solution is to have a static IP on 2 sites and only 1 site with dynamic?

0 Helpful

Go to solution
gfullage
Cisco Employee
Cisco Employee
In response to r.banez

‎01-21-2004 07:48 PM

If you replace the hub with a router then you'll be able to get spoke-to-spoke commnication, but it will still go via the hub. There is no way for one spoke PIX to learn the IP address of the other spoke.

0 Helpful

Go to solution
r.banez
Level 1
Level 1
In response to gfullage

‎01-21-2004 11:51 PM

Does it also apply to IOS? I mean the spoke can't learn the IP address of other spoke?

On one of the Cisco University I attended, we had a lab exercise where we created EZVPN.The 3600 Routers was configured as the server, with 1760 as the spokes. We were told that the 1760 learned the IP of the other 1760 from the EZVPN Server and created an on-demand vpn tunnel. It was tested by calling the IP Phone on the other router running CME.

Was this possible, I can't seem to remember much, it was almost a year ago.

Is it possible to have a full-mesh even with dynamic IPs on some of the PIX? IOS-based?

Thanks.

0 Helpful

Go to solution
gfullage
Cisco Employee
Cisco Employee
In response to r.banez

‎01-22-2004 03:21 PM

With IOS as your hub and spokes then yes, the spokes can dynamically learn the address of other spokes using NHRP. This type of setup is called Dynamic Multipoint VPN (DMVPN), you can read everything you ever wanted to know about it here:

http://www.cisco.com/warp/public/105/dmvpn.html

Even with EzVPN (not DMVPN) the spokes won't learn the address of other spokes, all communication is still via the hub. Calling another spoke would work, but as I said, the packets will go spoke-hub-spoke.

0 Helpful

Go to solution
r.banez
Level 1
Level 1
In response to gfullage

‎01-22-2004 06:15 PM

Thanks.

I guess I'll be getting 806 router to replace one of the PIX501.

0 Helpful
Customers Also Viewed These Support Documents