PIX Multiple IPSEC Tunnels

Hi, just wondering if someone could explain to me a bit better how the IPSEC tunnels on a PIX work. We have an environment where we have our central HUB where the PIXes terminate. Between two of our sites most of the traffic is only between those two networks. For some reason the traffic comes down to the central PIX and back to the other site. We do have an IPSEC tunnel between the two sites that need to communicate. Is there any preference over routing policies (access-list), etc.?

access-list vpntraffictoSITE1 permit ip 10.33.96.0 255.255.255.0 10.33.64.0 255.255.255.0
access-list SITE2 permit ip 10.33.80.0 255.255.240.0 10.0.0.0 255.0.0.0
access-list SITE2 permit ip 10.33.96.0 255.255.255.0 10.0.0.0 255.0.0.0

sysopt connection permit-ipsec
crypto ipsec transform-set SET-NAME esp-des esp-sha-hmac
crypto map map_name 5 ipsec-isakmp
crypto map map_name 5 match address vpntraffictoSITE1
crypto map map_name 5 set peer w.x.y.z
crypto map map_name 5 set transform-set SET_NAME
crypto map map_name 30 ipsec-isakmp
crypto map map_name 30 match address SITE2
crypto map map_name 30 set peer h.i.j.k
crypto map map_name 30 set transform-set SET-NAME
crypto map map_name interface outside
isakmp enable outside
isakmp key ******** address w.x.y.z netmask 255.255.255.255
isakmp key ******** address h.i.j.k netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

Any Suggestions?

Regards, Shane
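The question above turns on how a PIX picks a crypto map entry for an outbound packet: entries under one map name are evaluated in ascending sequence number, and the first entry whose match ACL permits the source/destination pair wins, so an overlapping ACL on a lower-numbered entry silently captures traffic the higher-numbered entry was meant to carry. The following script is an added example, not part of the original post and not Cisco code; it loads the ACL and peer pairings exactly as posted (peers w.x.y.z and h.i.j.k are the poster's placeholders) into a small simulator, answers "which entry and peer does this flow use?", and flags entry pairs whose ACLs overlap so that ordering decides where the traffic goes.

```python
import ipaddress

# Constructed from the posted configuration: (sequence, peer, [(src, dst), ...]).
# ACL lines use the PIX "network mask" form (10.33.96.0 255.255.255.0), which
# ipaddress accepts as "10.33.96.0/255.255.255.0".
CRYPTO_MAP = [
    (5, "w.x.y.z", [("10.33.96.0/255.255.255.0", "10.33.64.0/255.255.255.0")]),       # vpntraffictoSITE1
    (30, "h.i.j.k", [("10.33.80.0/255.255.240.0", "10.0.0.0/255.0.0.0"),              # SITE2 line 1
                     ("10.33.96.0/255.255.255.0", "10.0.0.0/255.0.0.0")]),            # SITE2 line 2
]


def _net(text):
    """Parse 'network/mask' into an IPv4Network (strict=False tolerates host bits)."""
    return ipaddress.ip_network(text, strict=False)


def select_entry(src, dst, crypto_map=CRYPTO_MAP):
    """Return (sequence, peer) of the first crypto map entry whose ACL permits
    src -> dst, evaluating entries lowest sequence first, or None if nothing
    matches (the packet would leave the outside interface unencrypted)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, peer, acl in sorted(crypto_map, key=lambda e: e[0]):
        for src_net, dst_net in acl:
            if src in _net(src_net) and dst in _net(dst_net):
                return seq, peer
    return None


def find_overlaps(crypto_map=CRYPTO_MAP):
    """List (lower_seq, higher_seq) pairs where an ACL line of the higher entry
    overlaps a line of the lower entry. Traffic in the overlap always goes to
    the lower-numbered entry's peer, regardless of which tunnel was intended."""
    entries = sorted(crypto_map, key=lambda e: e[0])
    overlaps = []
    for i, (lo_seq, _, lo_acl) in enumerate(entries):
        for hi_seq, _, hi_acl in entries[i + 1:]:
            if any(_net(a).overlaps(_net(c)) and _net(b).overlaps(_net(d))
                   for a, b in lo_acl for c, d in hi_acl):
                overlaps.append((lo_seq, hi_seq))
    return overlaps


if __name__ == "__main__":
    # Constructed sample flows: site-to-site, site-to-hub, and a non-VPN source.
    for flow in [("10.33.96.10", "10.33.64.20"),
                 ("10.33.96.10", "10.1.2.3"),
                 ("192.168.1.1", "10.33.64.1")]:
        print(flow, "->", select_entry(*flow))
    print("overlapping entries (lower wins):", find_overlaps())
```

With the posted ordering, a 10.33.96.x to 10.33.64.x flow hits sequence 5 and peer w.x.y.z, because the specific site-to-site ACL is checked before the broad 10.0.0.0/8 hub ACL. Swapping the sequence numbers (or adding the hub entry with a lower number) would send the same flow to the hub peer, which is exactly the hairpin the poster describes; the overlap check is the thing to run whenever a hub ACL summarises address space that other spoke ACLs also cover.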
