Posted by inventica on February 26, 2007, 1:13 pm
Hi All!
I've got 4 site-to-site VPN tunnels to PIX 515E in my central office
(A). From this office I can ping branch offices B, C and D. From
offices B, C and D I can also ping my central office A. However, my
problem is that I can't ping office C from office B or office D from
office C and so on.
Here is the question: is there a way to configure vpn routing for
packets to travel from office B to office C via central office A? I
know I can configure a vpn link between B and C but it's not an ideal
scenario for me.
Posted by Trendkill on February 26, 2007, 1:57 pm
> Hi All!
>
> I've got 4 site-to-site VPN tunnels to PIX 515E in my central office
> (A). From this office I can ping branch offices B, C and D. From
> offices B, C and D I can also ping my central office A. However, my
> problem is that I can't ping office C from office B or office D from
> office C and so on.
>
> Here is the question: is there a way to configure vpn routing for
> packets to travel from office B to office C via central office A? I
> know I can configure a vpn link between B and C but it's not an ideal
> scenario for me.
I do not think this is possible without a B to C VPN. The problem is
in the fundamentals of VPNs. Your VPN is set up so that traffic from
Site B (say 2.2.2.0/24) goes through the IPSec tunnel to Site A (say
1.1.1.0). Let's say you have the same thing set up between Site C (say
3.3.3.0/24) and Site A. For starters, anything from 2.2.2.0 does not
know to take the 'A' Tunnel unless it is configured as a default
route. Second, when it arrives, it is automatically pushed onto the
local subnet of 'A', which even if there was another router there,
would not send traffic back into the same interface to route to 'B'.
You have to remember that VPNs are set up as tunnels from LAN to LAN,
and therefore traffic doesn't 'come out' of the tunnel until you are
on the local subnet. In short, I'm fairly certain you need to set up a
VPN directly from B to C. It might work if the VPNs were on different
routers at the HQ, but I'd need to think about that some more......
Posted by Walter Roberson on February 26, 2007, 2:50 pm
>I've got 4 site-to-site VPN tunnels to PIX 515E in my central office
>(A). From this office I can ping branch offices B, C and D. From
>offices B, C and D I can also ping my central office A. However, my
>problem is that I can't ping office C from office B or office D from
>office C and so on.
>Here is the question: is there a way to configure vpn routing for
>packets to travel from office B to office C via central office A? I
>know I can configure a vpn link between B and C but it's not an ideal
>scenario for me.
You need PIX 7.x for this;
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml
Posted by Trendkill on February 26, 2007, 2:56 pm
On 26 Feb, 14:50, rober...@hushmail.com (Walter Roberson) wrote:
>
> >I've got 4 site-to-site VPN tunnels to PIX 515E in my central office
> >(A). From this office I can ping branch offices B, C and D. From
> >offices B, C and D I can also ping my central office A. However, my
> >problem is that I can't ping office C from office B or office D from
> >office C and so on.
> >Here is the question: is there a way to configure vpn routing for
> >packets to travel from office B to office C via central office A? I
> >know I can configure a vpn link between B and C but it's not an ideal
> >scenario for me.
>
> You need PIX 7.x for this;
>
> http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_config...
Very cool Walter. I'm more on the network side as opposed to vpn/
security, so I appreciate the link as well.
"Note: In PIX version 7.2 and later, the intra-interface keyword
allows all traffic to enter and exit the same interface, and not just
IPsec traffic."
Do previous versions allow IPsec traffic to do this, as it kind of
suggests that 'other traffic' is the addition in this version?
Posted by Walter Roberson on February 26, 2007, 2:58 pm
>"Note: In PIX version 7.2 and later, the intra-interface keyword
>allows all traffic to enter and exit the same interface, and not just
>IPsec traffic."
>Do previous versions allow IPsec traffic to do this, as it kind of
>suggests that 'other traffic' is the addition in this version?
7.0 introduced the intra-interface facility. 6.x and below do NOT
allow traffic to go back out the same [logical] interface, even if
ipsec is involved.
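The two replies above describe two separate requirements for spoke-to-spoke traffic through a hub: Trendkill's point that a packet from B only enters the tunnel to A, and only gets accepted at A and at C, if the crypto ACLs (proxy identities) at every hop select that B-to-C flow, and Walter's point that the hub must additionally be allowed to send traffic back out the interface it arrived on (the PIX 7.x intra-interface facility). The following Python model is an added example, not code from the thread or from Cisco: it walks one packet through a hub-and-spoke layout using the thread's 1.1.1.0/24, 2.2.2.0/24 and 3.3.3.0/24 subnets and reports every hop where the configuration would drop it. The `Site` class, the per-peer ACL dictionaries and the `intra_interface` flag are a simplified, constructed abstraction of the real `crypto map ... match address` and `same-security-traffic permit intra-interface` settings; `as_posted()` models the original poster's configuration and `with_spoke_to_spoke()` the corrected one.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed addressing, following the subnets used in the thread.
HUB_LAN, B_LAN, C_LAN = "1.1.1.0/24", "2.2.2.0/24", "3.3.3.0/24"


@dataclass
class Site:
    name: str
    # Crypto ACL per peer: (src_net, dst_net) "interesting traffic" pairs written
    # from this site's point of view (src = this side, dst = the far side).
    crypto_acl: dict[str, list[tuple[str, str]]] = field(default_factory=dict)
    # Models PIX 7.x 'same-security-traffic permit intra-interface'; a 6.x box
    # has no such option, which is the same as leaving this False.
    intra_interface: bool = False


def matches(acl: list[tuple[str, str]], src_ip: str, dst_ip: str) -> bool:
    """True if any crypto ACL entry selects the src->dst flow."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    return any(s in ip_network(sn) and d in ip_network(dn) for sn, dn in acl)


def spoke_to_spoke_path(hub: Site, src: Site, dst: Site, src_ip: str, dst_ip: str) -> list[str]:
    """Walk one packet from src's LAN to dst's LAN via the hub and collect every
    reason it would be dropped or forwarded outside the tunnel."""
    problems = []
    # 1. Originating spoke: the packet is only encrypted into the hub tunnel if
    #    the crypto ACL selects it; otherwise it is routed as plain traffic.
    if not matches(src.crypto_acl.get(hub.name, []), src_ip, dst_ip):
        problems.append(f"{src.name}: crypto ACL to {hub.name} does not select {src_ip}->{dst_ip}")
    # 2. Hub inbound: the decrypted packet must fit the proxy identity of the
    #    src tunnel, i.e. the mirror image of the entry checked in step 1.
    if not matches(hub.crypto_acl.get(src.name, []), dst_ip, src_ip):
        problems.append(f"{hub.name}: tunnel from {src.name} does not carry {src_ip}->{dst_ip}")
    # 3. Hub hairpin: both tunnels terminate on the same outside interface, so
    #    the hub has to be allowed to send traffic back out the way it came in.
    if not hub.intra_interface:
        problems.append(f"{hub.name}: traffic may not re-enter the interface it arrived on")
    # 4. Hub outbound: the dst tunnel's crypto ACL must select the flow too.
    if not matches(hub.crypto_acl.get(dst.name, []), src_ip, dst_ip):
        problems.append(f"{hub.name}: crypto ACL to {dst.name} does not select {src_ip}->{dst_ip}")
    # 5. Destination spoke: its ACL towards the hub must accept the mirrored flow.
    if not matches(dst.crypto_acl.get(hub.name, []), dst_ip, src_ip):
        problems.append(f"{dst.name}: crypto ACL to {hub.name} does not accept {src_ip}->{dst_ip}")
    return problems


def as_posted() -> tuple[Site, Site, Site]:
    """Plain hub-and-spoke: every ACL only describes hub<->spoke traffic."""
    hub = Site("A", {"B": [(HUB_LAN, B_LAN)], "C": [(HUB_LAN, C_LAN)]})
    b = Site("B", {"A": [(B_LAN, HUB_LAN)]})
    c = Site("C", {"A": [(C_LAN, HUB_LAN)]})
    return hub, b, c


def with_spoke_to_spoke() -> tuple[Site, Site, Site]:
    """Each spoke's ACL also selects the other spoke's subnet, the hub's ACLs
    carry the spoke-to-spoke pairs in each tunnel, and the hub permits the hairpin."""
    hub = Site(
        "A",
        {"B": [(HUB_LAN, B_LAN), (C_LAN, B_LAN)], "C": [(HUB_LAN, C_LAN), (B_LAN, C_LAN)]},
        intra_interface=True,
    )
    b = Site("B", {"A": [(B_LAN, HUB_LAN), (B_LAN, C_LAN)]})
    c = Site("C", {"A": [(C_LAN, HUB_LAN), (C_LAN, B_LAN)]})
    return hub, b, c


if __name__ == "__main__":
    for label, build in (("as posted", as_posted), ("spoke-to-spoke", with_spoke_to_spoke)):
        hub, b, c = build()
        print(label, spoke_to_spoke_path(hub, b, c, "2.2.2.10", "3.3.3.10") or ["ok"])
```

Running the block prints five problems for the original layout (one per hop, plus the hairpin) and `ok` for the corrected one. The model deliberately ignores NAT; on a real PIX the NAT exemption ACL for VPN traffic must list the same spoke-to-spoke subnet pairs, otherwise the hub translates the hairpinned packet before it reaches the second tunnel and the crypto ACL no longer matches it.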