Cisco ASA to PIX VPN with additional VPN to outlying office

Posted on 2006-03-27
Medium Priority
Last Modified: 2013-11-16
Here you go, Experts. Picture if you will, three VPN devices. VPN1 is an ASA 5100 with 7.1. VPN2 is a PIX 506E with 6.3.5. VPN3 is a PIX 501 with 6.3.5.

VPN1 is already a hub to IPSEC client spokes for purposes of monitoring and pushing software to all private hosts behind the client spokes. All of the other, existing spokes are PIX 501 6.3.5.

The challenge is to add VPN2 to the existing Hub and Spoke while also adding VPN3 as a "spoke" to VPN2. Ideally VPN3 would also be able to talk to VPN1, but traffic between VPN2 and VPN3 cannot go through VPN1 due to bandwidth limitations and the traffic that is expected to be generated between VPN2 and VPN3.

Question by: terminalb
LVL 25

Expert Comment

ID: 16306659
So you want something like this, I assume. I'm a little confused when you are talking about 3 VPNs with only 3 devices.
  ASA <--VPNA--> 506E <--VPNB--> 501
   ^              ^               ^
   |              |               |
 VPN 1          VPN 2           VPN 3

Can you please confirm.

If it is something like this then I think you can do it, but am not sure. The thing you'd have to do, if it would work, is configure a logical interface on the outside of the 506E and have one VPN go into the physical outside interface and the other one go into the logical interface. This is because PIX 6.3x will not allow packets to go in and out interfaces with the same security level. So the VPN packets going from the 501 to the 506E and then to the ASA cannot happen. If it is possible though, you'd have to do it with a logical interface on the 506E.

Mind you, I've never tried that so I don't know if it'd work or not.
Everything else is just making sure the routes on the PIXs/ASA are configured right.

Someone correct me if I'm wrong though.

Author Comment

ID: 16312883
The above diagram is almost correct. The only addition is that VPN3, or the 501, would also be able to communicate directly to the ASA or, VPN1 through a tunnel.

However, you bring up an interesting point. If I understand you correctly, I assign a second IP to the outside interface of the 506, then I create a separate tunnel so that the 506 can talk to the ASA, the 501 can talk to the ASA, and the 501 and the 506 talk to each other?
LVL 25

Expert Comment

ID: 16313235
Like I said, I've never tried it before so I'm not positive if that will work or not though.
LVL 25

Accepted Solution

Cyclops3590 earned 1500 total points
ID: 16313283
Oh, and you really don't need to do that if you are doing this:

   VPN1             VPN2
     |                |
    ASA <---VPNA---> 506E
     ^                ^
     |                |

It's all in the access-lists you have each crypto map match up to. I thought you wanted to have VPN3 communicate to VPN1 through the 506E using VPNB and VPNA. Since you want the 501 to have its own VPNC to the ASA, you don't need to worry about the logical interface on the 506E.
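The accepted answer's point is that each crypto map entry's access-list must select its own, non-overlapping traffic; the asker's earlier experience of one tunnel breaking when the other came up is the classic symptom of two crypto ACLs claiming the same flows. The following is an added example, not from this thread or from Cisco, that parses PIX 6.3-style crypto ACL lines and reports overlapping entries between different ACLs. The subnets (10.1.0.0/24 behind the ASA, 10.2.0.0/24 behind the 506E, 10.3.0.0/24 behind the 501) and the ACL names are constructed assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed sample, not from the thread: crypto ACLs on the 506E (VPN2).
# vpnA is matched by the crypto map entry peering with the ASA, vpnB by the
# entry peering with the 501. The third line wrongly also sends 501-bound
# traffic into the ASA tunnel, so it overlaps vpnB (VPN2-VPN3 traffic would
# be hauled through VPN1, which the asker wants to avoid).
PIX_506E_ACLS = """
access-list vpnA permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list vpnB permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0
access-list vpnA permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0
"""

def _take_addr(tokens):
    """Consume one PIX address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_crypto_acls(config):
    """Group 'access-list NAME permit ip SRC DST' lines into {name: [(src, dst)]}.
    Only 'permit ip' lines are considered; port-qualified tcp/udp lines are skipped."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2:4] != ["permit", "ip"]:
            continue
        src, rest = _take_addr(tok[4:])
        dst, _ = _take_addr(rest)
        acls.setdefault(tok[1], []).append((src, dst))
    return acls

def find_overlaps(acls):
    """Return (aclA, aclB, entryA, entryB) for each pair of entries in different
    ACLs that can both match the same flow; such flows are claimed by two peers."""
    hits = []
    for (name_a, ents_a), (name_b, ents_b) in combinations(acls.items(), 2):
        for a in ents_a:
            for b in ents_b:
                if a[0].overlaps(b[0]) and a[1].overlaps(b[1]):
                    hits.append((name_a, name_b, a, b))
    return hits

if __name__ == "__main__":
    for name_a, name_b, a, b in find_overlaps(parse_crypto_acls(PIX_506E_ACLS)):
        print(f"{name_a} {a[0]}->{a[1]} overlaps {name_b} {b[0]}->{b[1]}")
```

Run the same check against the ACLs bound to each peer on the ASA and the 501 as well; a clean result on all three boxes means no flow is claimed by two crypto map entries on any one device.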

Author Comment

ID: 16313395
OK, thanks. Let me work through this methodically and see where it gets me. I tried this before getting the ASA and one VPN broke when I established the other. I know it's easy to screw up if you rush the access-lists so I'll take my time and get back with the results.
LVL 25

Expert Comment

ID: 16345572
Future tip: give the helpers a chance to help you out further before handing out a less than A grade. We might be able to help you more if you ask what else you need help on.
