Cisco ASA to PIX VPN with additional VPN to outlying office

Here you go Experts. Picture if you will, three VPN devices. VPN1 is an ASA 5100 with 7.1. VPN 2 is a PIX 506E with 6.3.5. VPN3 is a PIX 501 with 6.3.5.

VPN 1 is already a hub to IPSEC client spokes for purposes of monitoring and pushing software to all private hosts behind the client spokes. All of the other, existing  spokes are PIX 501 6.3.5.

The challenge is to add  VPN2 to the exsting Hub and Spoke while also adding VPN3 as a "spoke" to VPN2. Ideally VPN3 would also be able to talk to VPN1 but traffic between VPN2 and VPN3 cannot go through VPN1 due to bandwidth limitations and the traffic that is expected to be generated between VPN2 and VPN3.



Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

So you want something like this I assume, I'm a little confused when you are talking about 3 VPNs with only 3 devices
  ASA <--VPNA-->506E<--VPNB-->501
   ^                      ^                       ^
    |                       |                        |
 VPN 1              VPN 2                   VPN 3

Can you please confirm.

If it is something like this then I think you can do it, but am not sure.  The thing you have to do if it would work is on the 506E you'll need to configure a logical interface on the outside and have one VPN go into one outside interface and the other one go into the logical interface.  This is because PIX 6.3X will not allow packets to go in and out interfaces with the same security level.  So the VPN packets going from the 501 to the 506E and then to the ASA cannot happen.  If it is possible though, you'd have to do it with a logical interface on the 506E.

Mind you, I've never tried that so I don't know if it'd work or not.
Everything else is just making sure the routes on the PIXs/ASA is configured right

Someone correct me if I'm wrong though.  
terminalbAuthor Commented:
The above diagram is almost correct. The only addition is that VPN3, or the 501, would also be able to communicate directly to the ASA or, VPN1 through a tunnel.

However, you bring up an interesting point. If I understand you correctly I assign a second IP to the outside interface of the 506 then I create a separate tunnel so that the 506 can talk to the ASA and the 501 can talk to the ASA and the 501 and the 506 talk to each other?
Like I said, I've never tried it before so I'm not positive if that will work or not though.
Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

Oh and you really don't need to do that if you are doing this

                VPN1                          VPN2
                   |                                   |
                ASA<----  VPNA    ---->506E
                  ^                                    ^
                   |                                     |

Its all in the access-lists you have each crypto match up to.  I thought you wanted to have VPN3 communicate to VPN1 thru the 506E using VPNB and VPNA.  Since you want the 501 to have its own VPNC to the ASA, you don't need to worry about the logical interface on the 506E.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
terminalbAuthor Commented:
OK, thanks. Let me work through this methodically and see where it gets me. I tried this before getting the ASA and one VPN broke when I established the other. I know it's easy to screw up if you rush the access-lists so I'll take my time and get back with the results.
Future tip, give the helpers a chance to help you out further before handing out a less than A grade.  We might be able to help you more if you ask what else you need help on.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.