Cisco ASA to PIX VPN with additional VPN to outlying office

Posted on 2006-03-27
Last Modified: 2013-11-16
Here you go Experts. Picture if you will, three VPN devices. VPN1 is an ASA 5100 with 7.1. VPN 2 is a PIX 506E with 6.3.5. VPN3 is a PIX 501 with 6.3.5.

VPN 1 is already a hub to IPSEC client spokes for purposes of monitoring and pushing software to all private hosts behind the client spokes. All of the other, existing  spokes are PIX 501 6.3.5.

The challenge is to add  VPN2 to the exsting Hub and Spoke while also adding VPN3 as a "spoke" to VPN2. Ideally VPN3 would also be able to talk to VPN1 but traffic between VPN2 and VPN3 cannot go through VPN1 due to bandwidth limitations and the traffic that is expected to be generated between VPN2 and VPN3.



Question by:terminalb
    LVL 25

    Expert Comment

    So you want something like this I assume, I'm a little confused when you are talking about 3 VPNs with only 3 devices
      ASA <--VPNA-->506E<--VPNB-->501
       ^                      ^                       ^
        |                       |                        |
     VPN 1              VPN 2                   VPN 3

    Can you please confirm.

    If it is something like this then I think you can do it, but am not sure.  The thing you have to do if it would work is on the 506E you'll need to configure a logical interface on the outside and have one VPN go into one outside interface and the other one go into the logical interface.  This is because PIX 6.3X will not allow packets to go in and out interfaces with the same security level.  So the VPN packets going from the 501 to the 506E and then to the ASA cannot happen.  If it is possible though, you'd have to do it with a logical interface on the 506E.

    Mind you, I've never tried that so I don't know if it'd work or not.
    Everything else is just making sure the routes on the PIXs/ASA is configured right

    Someone correct me if I'm wrong though.  
    LVL 2

    Author Comment

    The above diagram is almost correct. The only addition is that VPN3, or the 501, would also be able to communicate directly to the ASA or, VPN1 through a tunnel.

    However, you bring up an interesting point. If I understand you correctly I assign a second IP to the outside interface of the 506 then I create a separate tunnel so that the 506 can talk to the ASA and the 501 can talk to the ASA and the 501 and the 506 talk to each other?
    LVL 25

    Expert Comment

    Like I said, I've never tried it before so I'm not positive if that will work or not though.
    LVL 25

    Accepted Solution

    Oh and you really don't need to do that if you are doing this

                    VPN1                          VPN2
                       |                                   |
                    ASA<----  VPNA    ---->506E
                      ^                                    ^
                       |                                     |

    Its all in the access-lists you have each crypto match up to.  I thought you wanted to have VPN3 communicate to VPN1 thru the 506E using VPNB and VPNA.  Since you want the 501 to have its own VPNC to the ASA, you don't need to worry about the logical interface on the 506E.
    LVL 2

    Author Comment

    OK, thanks. Let me work through this methodically and see where it gets me. I tried this before getting the ASA and one VPN broke when I established the other. I know it's easy to screw up if you rush the access-lists so I'll take my time and get back with the results.
    LVL 25

    Expert Comment

    Future tip, give the helpers a chance to help you out further before handing out a less than A grade.  We might be able to help you more if you ask what else you need help on.

    Featured Post

    Highfive + Dolby Voice = No More Audio Complaints!

    Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

    Join & Write a Comment

    If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
    To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
    Internet Business Fax to Email Made Easy - With eFax Corporate (, you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
    Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

    733 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    22 Experts available now in Live!

    Get 1:1 Help Now