cisco pix VPN routing issues

Hi All!

I've got 4 site-to-site VPN tunnels to a PIX 515E in my central office (A). From this office I can ping branch offices B, C and D. From offices B, C and D I can also ping my central office A. However, my problem is that I can't ping office C from office B, or office D from office C, and so on.

Here is the question: is there a way to configure VPN routing for packets to travel from office B to office C via central office A? I know I can configure a VPN link between B and C, but it's not an ideal scenario for me.

Reply to
inventica

I do not think this is possible without a B to C VPN. The problem is in the fundamentals of VPNs. Your VPN is set up so that traffic from Site B (say 2.2.2.0/24) goes through the IPSec tunnel to Site A (say 1.1.1.0). Let's say you have the same thing set up between Site C (say 3.3.3.0/24) and Site A. For starters, anything from 2.2.2.0 does not know to take the 'A' tunnel unless it is configured as a default route. Second, when it arrives, it is automatically pushed onto the local subnet of 'A', which even if there was another router there, would not send traffic back into the same interface to route to 'B'.

You have to remember that VPNs are set up as tunnels from LAN to LAN, and therefore traffic doesn't 'come out' of the tunnel until you are on the local subnet. In short, I'm fairly certain you need to set up a VPN directly from B to C. It might work if the VPNs were on different routers at the HQ, but I'd need to think about that some more...

Reply to
Trendkill

You need PIX 7.x for this;

formatting link

Reply to
Walter Roberson

Very cool Walter. I'm more on the network side as opposed to VPN/security, so I appreciate the link as well.

"Note: In PIX version 7.2 and later, the intra-interface keyword allows all traffic to enter and exit the same interface, and not just IPsec traffic."

Do previous versions allow IPsec traffic to do this, as it kind of suggests that 'other traffic' is the addition in this version?

Reply to
Trendkill

7.0 introduced the intra-interface facility. 6.x and below do NOT allow traffic to go back out the same [logical] interface, even if IPsec is involved.

Reply to
Walter Roberson
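To make the thread's "via central office A" scenario concrete, here is an added hub-side configuration sketch for a PIX running 7.x (not posted by anyone in the thread). It uses the example subnets from Trendkill's reply (A = 1.1.1.0/24, B = 2.2.2.0/24, C = 3.3.3.0/24); the peer addresses, ACL names and transform-set are constructed placeholders, and the spokes' own crypto ACLs must mirror the hub's (B must list 3.3.3.0/24 as an interesting destination, C must list 2.2.2.0/24).

```cisco
! Hub PIX 515E, PIX 7.x syntax (constructed example, not from the thread)
! The keyword discussed above: let traffic that arrives on 'outside'
! (decrypted from tunnel B) leave again on 'outside' (into tunnel C).
same-security-traffic permit intra-interface

! Crypto ACLs: each spoke tunnel must carry the OTHER spoke's subnet,
! not only the hub LAN, or the hairpinned packets never match a tunnel.
access-list vpn-to-B extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
access-list vpn-to-B extended permit ip 3.3.3.0 255.255.255.0 2.2.2.0 255.255.255.0
access-list vpn-to-C extended permit ip 1.1.1.0 255.255.255.0 3.3.3.0 255.255.255.0
access-list vpn-to-C extended permit ip 2.2.2.0 255.255.255.0 3.3.3.0 255.255.255.0

! NAT exemption. Spoke-to-spoke traffic enters and exits 'outside',
! so it needs its own nat 0 on that interface, separate from the inside one.
access-list nonat-inside extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
access-list nonat-inside extended permit ip 1.1.1.0 255.255.255.0 3.3.3.0 255.255.255.0
nat (inside) 0 access-list nonat-inside
access-list nonat-outside extended permit ip 2.2.2.0 255.255.255.0 3.3.3.0 255.255.255.0
access-list nonat-outside extended permit ip 3.3.3.0 255.255.255.0 2.2.2.0 255.255.255.0
nat (outside) 0 access-list nonat-outside

! One crypto map with an entry per spoke; peer IPs are placeholders.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map hub-map 10 match address vpn-to-B
crypto map hub-map 10 set peer 203.0.113.2
crypto map hub-map 10 set transform-set ESP-AES-SHA
crypto map hub-map 20 match address vpn-to-C
crypto map hub-map 20 set peer 203.0.113.3
crypto map hub-map 20 set transform-set ESP-AES-SHA
crypto map hub-map interface outside

isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <KEY-FOR-SPOKE-B>
tunnel-group 203.0.113.3 type ipsec-l2l
tunnel-group 203.0.113.3 ipsec-attributes
 pre-shared-key <KEY-FOR-SPOKE-C>
```

After applying this, `show crypto ipsec sa` on the hub should show a security association for the 2.2.2.0/24 to 3.3.3.0/24 pair on each spoke's peer once a ping from B to C has been sent.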

Could this also solve my routing problem? Would PIX 7 be able to accept a packet on the inside interface and build a VPN tunnel from the same interface?

Regards

fw

Reply to
Frank Winkler

That's an unusual requirement -- usually people want to be able to accept a packet on an -outside- interface and have it go through a VPN tunnel out that same interface (to a client host or network). But what can be done on one interface can -usually- be done on another (not *always*, though).

PIX 7 is not supported on your PIX 501. It is supported on your PIX 515 but officially requires a memory upgrade beyond the memory that the 515 series shipped with. Some people have reported success in using PIX 7.0 on a PIX 515 with relatively small configurations (e.g., don't use turbo ACLs).

Reply to
Walter Roberson

Yep - but in my setup, the PIX doesn't have the WAN link so I have to find some workaround. All attempts failed so far.

I agree.

I know. I was just wondering if it's worth getting an ASA 5505 for that job. Is it? :)

Regards

fw

Reply to
Frank Winkler
