terminalb
asked on
Cisco ASA to PIX VPN with additional VPN to outlying office
Here you go Experts. Picture if you will, three VPN devices. VPN1 is an ASA 5100 with 7.1. VPN 2 is a PIX 506E with 6.3.5. VPN3 is a PIX 501 with 6.3.5.
VPN 1 is already a hub to IPSEC client spokes for purposes of monitoring and pushing software to all private hosts behind the client spokes. All of the other, existing spokes are PIX 501 6.3.5.
The challenge is to add VPN2 to the exsting Hub and Spoke while also adding VPN3 as a "spoke" to VPN2. Ideally VPN3 would also be able to talk to VPN1 but traffic between VPN2 and VPN3 cannot go through VPN1 due to bandwidth limitations and the traffic that is expected to be generated between VPN2 and VPN3.
Suggestions?
Thanks
-Alex
VPN 1 is already a hub to IPSEC client spokes for purposes of monitoring and pushing software to all private hosts behind the client spokes. All of the other, existing spokes are PIX 501 6.3.5.
The challenge is to add VPN2 to the exsting Hub and Spoke while also adding VPN3 as a "spoke" to VPN2. Ideally VPN3 would also be able to talk to VPN1 but traffic between VPN2 and VPN3 cannot go through VPN1 due to bandwidth limitations and the traffic that is expected to be generated between VPN2 and VPN3.
Suggestions?
Thanks
-Alex
ASKER
The above diagram is almost correct. The only addition is that VPN3, or the 501, would also be able to communicate directly to the ASA or, VPN1 through a tunnel.
However, you bring up an interesting point. If I understand you correctly I assign a second IP to the outside interface of the 506 then I create a separate tunnel so that the 506 can talk to the ASA and the 501 can talk to the ASA and the 501 and the 506 talk to each other?
However, you bring up an interesting point. If I understand you correctly I assign a second IP to the outside interface of the 506 then I create a separate tunnel so that the 506 can talk to the ASA and the 501 can talk to the ASA and the 501 and the 506 talk to each other?
Like I said, I've never tried it before so I'm not positive if that will work or not though.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
OK, thanks. Let me work through this methodically and see where it gets me. I tried this before getting the ASA and one VPN broke when I established the other. I know it's easy to screw up if you rush the access-lists so I'll take my time and get back with the results.
Future tip, give the helpers a chance to help you out further before handing out a less than A grade. We might be able to help you more if you ask what else you need help on.
ASA <--VPNA-->506E<--VPNB-->50
^ ^ ^
| | |
VPN 1 VPN 2 VPN 3
Can you please confirm.
If it is something like this then I think you can do it, but am not sure. The thing you have to do if it would work is on the 506E you'll need to configure a logical interface on the outside and have one VPN go into one outside interface and the other one go into the logical interface. This is because PIX 6.3X will not allow packets to go in and out interfaces with the same security level. So the VPN packets going from the 501 to the 506E and then to the ASA cannot happen. If it is possible though, you'd have to do it with a logical interface on the 506E.
Mind you, I've never tried that so I don't know if it'd work or not.
Everything else is just making sure the routes on the PIXs/ASA is configured right
Someone correct me if I'm wrong though.