PIX VPN Hub and Spoke

fembsen
Level 1

I have a PIX VPN hub and spoke configuration and I want to let the spokes communicate with each other. In the documentation it says "The two outlying networks are not able to communicate with each other by going through the central PIX because the PIX does not route traffic received on one interface back out the same interface."

Can I use a router on the inside network to work around this limitation? If so, how should I configure this?

All PIX firewalls are 506's so I cannot use PIX version 7.

Best regards, Frank

4 Replies

rafaelgarcia
Level 1

I have a similar configuration but instead of using VPN I used IPSec just for the fact that it allows my remote users to communicate with each other. I also need to manage the exact IP addresses behind it because we are using IP Phones.

You basically configure an IPSec tunnel between them as you configure it to talk to your hub Pix. This tunnel is seamless to your hub Pix.

Let me know if it helps.

Thanks for the reply but I am not sure what you mean.

What I want to do is place a router on the inside network of the hub.

In my opinion it should then be possible to direct VPN traffic coming from one spoke to the inside router (using a 'route inside 0 0 ' on the PIX). Next the router on the inside network sends traffic destined for the other spoke back to the PIX and the PIX sends it through a VPN to the other spoke.

Can this work?

Check the following documents and see if this meets your requirements.

PIX to PIX to PIX IPSec Fully Meshed Configuration

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800a2cce.shtml

OR

PIX to PIX to PIX IPSec Hub Spoke Configuration

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093bd3.shtml

If the above is not what you're after then what you could do is to use GRE on your internal router to route the packet across to your external site.

Hope this helps, and please rate the post if it does as it will help others too.

Jay

Thanks for the info. I know both the documents. A fully meshed config as well as GRE would probably solve my problem if it was not for the time it would take me to reconfigure everything. I would have to reconfigure about 20 sites.

Everything is already in a hub and spoke config but the spokes can't communicate. The setup is like the 'PIX to PIX to PIX IPSec Hub Spoke Config', as is the remark in my original post: "The two outlying networks are not able to communicate with each other by going through the central PIX because the PIX does not route traffic received on one interface back out the same interface."

To work around the issue above I want to use a router on the inside network of the hub to route traffic between the spokes. Let's say the hub uses network 10.0.0.0/8 on the inside, the PIX inside interface is 10.0.0.1 and the router on the inside is 10.0.0.2. The spokes are 20.0.0.0/8 and 30.0.0.0/8.

On the PIX I use a 'route inside 0 0 10.0.0.2' and on the router something like 'route 20.0.0.0/8 10.0.0.1' and 'route 30.0.0.0/8 10.0.0.1'.

Will this setup work at all or do I have to use GRE or a fully meshed setup? Will this work when on the PIX there is also a 'route outside 0 0 '?
