Link to home
Start Free TrialLog in
Avatar of terminalb
terminalbFlag for United States of America

asked on

Cisco ASA to PIX VPN with additional VPN to outlying office

Here you go Experts. Picture if you will, three VPN devices. VPN1 is an ASA 5100 with 7.1. VPN 2 is a PIX 506E with 6.3.5. VPN3 is a PIX 501 with 6.3.5.

VPN 1 is already a hub to IPSEC client spokes for purposes of monitoring and pushing software to all private hosts behind the client spokes. All of the other, existing  spokes are PIX 501 6.3.5.

The challenge is to add  VPN2 to the exsting Hub and Spoke while also adding VPN3 as a "spoke" to VPN2. Ideally VPN3 would also be able to talk to VPN1 but traffic between VPN2 and VPN3 cannot go through VPN1 due to bandwidth limitations and the traffic that is expected to be generated between VPN2 and VPN3.

Suggestions?

Thanks

-Alex
Avatar of Cyclops3590
Cyclops3590
Flag of United States of America image

So you want something like this I assume, I'm a little confused when you are talking about 3 VPNs with only 3 devices
  ASA <--VPNA-->506E<--VPNB-->501
   ^                      ^                       ^
    |                       |                        |
 VPN 1              VPN 2                   VPN 3

Can you please confirm.

If it is something like this then I think you can do it, but am not sure.  The thing you have to do if it would work is on the 506E you'll need to configure a logical interface on the outside and have one VPN go into one outside interface and the other one go into the logical interface.  This is because PIX 6.3X will not allow packets to go in and out interfaces with the same security level.  So the VPN packets going from the 501 to the 506E and then to the ASA cannot happen.  If it is possible though, you'd have to do it with a logical interface on the 506E.

Mind you, I've never tried that so I don't know if it'd work or not.
Everything else is just making sure the routes on the PIXs/ASA is configured right

Someone correct me if I'm wrong though.  
Avatar of terminalb

ASKER

The above diagram is almost correct. The only addition is that VPN3, or the 501, would also be able to communicate directly to the ASA or, VPN1 through a tunnel.



However, you bring up an interesting point. If I understand you correctly I assign a second IP to the outside interface of the 506 then I create a separate tunnel so that the 506 can talk to the ASA and the 501 can talk to the ASA and the 501 and the 506 talk to each other?
Like I said, I've never tried it before so I'm not positive if that will work or not though.
ASKER CERTIFIED SOLUTION
Avatar of Cyclops3590
Cyclops3590
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
OK, thanks. Let me work through this methodically and see where it gets me. I tried this before getting the ASA and one VPN broke when I established the other. I know it's easy to screw up if you rush the access-lists so I'll take my time and get back with the results.
Future tip, give the helpers a chance to help you out further before handing out a less than A grade.  We might be able to help you more if you ask what else you need help on.