Remote Pix 501 connections through 1 Pix 515

Posted on 2006-04-19
Last Modified: 2013-11-16
We are setting up multiple branch office VPN tunnels with one Pix 501 in each branch office - connecting to our main office Pix 515e.

Our main network with the 515e is 192.168.0.0/24

The networks for the remote offices are as follows.

192.168.8.0/21

192.168.16.0/21

192.168.0.24/21

etc, etc

Currently, our main office can connect to each branch office - and the branch offices can connect with the main office with no problem.

We would like to add routes into the Pix's so that the branch offices can communicate with each other through the VPN tunnels to the main office.  Is this possible?
I am not 100% familiar with how, and where to make the changes to put routing like this into place.

Any and all help is greatly appreciated,
Jonathan
Question by: fulcherjl
Accepted Solution

by: stressedout2004 (earned 1000 total points)
ID: 16491479
If your PIX at the main office is running version 6.3, then this will not work even if you put routes in, because the PIX does not do redirection.

If the PIX 515e which is acting as the hub is running version 7.x, then this is possible using the command "same-security-traffic permit intra-interface" and some modification on the interesting traffic of each branch.

I can provide you with a sample configuration if it would help you. But you **definitely** need a PIX version 7.x.
Author Comment

by: fulcherjl
ID: 16491536


Ok, I would LOVE a sample config - yes that would help greatly.

Currently the 515e is running 6.2(2) - but I have been thinking about the 7.x upgrade for some time now, and will probably try and do that this weekend.  But this is a feature that we would like to put in place.

Look forward to seeing the config,
the points are yours,

Jonathan

Expert Comment

by: stressedout2004
ID: 16492078
The following configuration, which allows hub and spoke with communication between spokes, is based on the following assumptions:

Main PIX
external IP: 1.1.1.1
internal network: 192.168.1.0/24
Version: 7.x

Branch1 PIX:
external IP: 2.2.2.2
internal network: 192.168.2.0/24
Version: 6.x

Branch2 PIX:
external IP: 3.3.3.3
internal network: 192.168.3.0/24
Version 6.x

Let me know if you have any questions on the configuration provided. This only shows 2 branch offices; if you have more, then just follow the pattern. Good luck.

#############################################################################

FOR MAIN PIX

same-security-traffic permit intra-interface --> lets spoke-to-spoke traffic enter and leave on the same (outside) interface

access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 --> For Branch 1
access-list 101 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list 102 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 --> For Branch 2
access-list 102 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list bypassnat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list bypassnat extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

nat (inside) 0 access-list bypassnat --> must reference the ACL defined above (the original read "nonat")

access-list bypassnat-outside extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (outside) 0 access-list bypassnat-outside --> added here, not in the original post: exempts hairpinned spoke-to-spoke traffic from NAT; only needed if nat-control is enabled (it is after an upgrade from 6.x)

crypto ipsec transform-set 3DES esp-3des esp-md5-hmac

crypto map mainVPN 10 ipsec-isakmp --> For branch 1
crypto map mainVPN 10 match address 101
crypto map mainVPN 10 set peer 2.2.2.2
crypto map mainVPN 10 set transform-set 3DES

crypto map mainVPN 20 ipsec-isakmp --> For branch 2
crypto map mainVPN 20 match address 102
crypto map mainVPN 20 set peer 3.3.3.3
crypto map mainVPN 20 set transform-set 3DES

crypto map mainVPN interface outside --> same map name as the entries above (the original read "mymap")

isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key test123

tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
 pre-shared-key test123


FOR BRANCH 1

access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0  ---> for branch1PIX to MainPIX
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0  ---> for branch1PIX to branch2PIX
access-list bypassnat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list bypassnat permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list bypassnat
sysopt connection permit-ipsec
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
crypto map branch1vpn 10 ipsec-isakmp
crypto map branch1vpn 10 match address 101
crypto map branch1vpn 10 set peer 1.1.1.1
crypto map branch1vpn 10 set transform-set 3DES  ---> transform-set name must match the one defined above
crypto map branch1vpn interface outside
isakmp enable outside
isakmp key test123 address 1.1.1.1 netmask 255.255.255.255  ---> same pre-shared key as the hub's tunnel-group
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400


FOR BRANCH 2

access-list 102 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0  ---> for branch2PIX to MainPIX
access-list 102 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0  ---> for branch2PIX to branch1PIX
access-list bypassnat permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list bypassnat permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list bypassnat
sysopt connection permit-ipsec
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
crypto map branch2vpn 20 ipsec-isakmp
crypto map branch2vpn 20 match address 102
crypto map branch2vpn 20 set peer 1.1.1.1
crypto map branch2vpn 20 set transform-set 3DES  ---> transform-set name must match the one defined above
crypto map branch2vpn interface outside
isakmp enable outside
isakmp key test123 address 1.1.1.1 netmask 255.255.255.255  ---> same pre-shared key as the hub's tunnel-group
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

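A consistency check for the hub-and-spoke layout in the comment above, added here as an example and not part of the thread or of any Cisco tool: it parses the interesting-traffic ACLs of the hub and one spoke, flags names referenced by `nat 0` or `crypto map` lines that are never defined in that config (the kind of mismatch that silently keeps a tunnel from forming), and lists hub ACL entries that have no src/dst-swapped twin on the spoke. HUB_CFG and SPOKE_CFG are constructed samples modelled on the posted config, deliberately carrying a few such mismatches.

```python
import ipaddress
import re

# Constructed samples modelled on the thread's configs; names as the post gave them.
HUB_CFG = """
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
crypto map mainVPN 10 match address 101
crypto map mymap interface outside
"""
# Spoke that forgot its branch-to-branch interesting-traffic entry and misnames the transform-set.
SPOKE_CFG = """
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
crypto map branch1vpn 10 match address 101
crypto map branch1vpn 10 set transform-set myset
crypto map branch1vpn interface outside
"""

def parse_acls(cfg):
    """Map ACL name -> set of (src_net, dst_net) taken from 'permit ip' entries (6.x or 7.x syntax)."""
    acls = {}
    for m in re.finditer(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)", cfg, re.M):
        name, s, sm, d, dm = m.groups()
        acls.setdefault(name, set()).add((ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
    return acls

def dangling_refs(cfg):
    """Names used by nat 0 / crypto map lines that are never defined in the same config."""
    acls = set(parse_acls(cfg))
    tsets = set(re.findall(r"^crypto ipsec transform-set (\S+)", cfg, re.M))
    maps = set(re.findall(r"^crypto map (\S+) \d+ ", cfg, re.M))
    checks = [(r"^nat \(\S+\) 0 access-list (\S+)", acls, "nat 0 ACL"),
              (r"^crypto map \S+ \d+ match address (\S+)", acls, "crypto ACL"),
              (r"^crypto map \S+ \d+ set transform-set (\S+)", tsets, "transform-set"),
              (r"^crypto map (\S+) interface \S+", maps, "crypto map")]
    out = []
    for pattern, defined, kind in checks:
        out += [f"undefined {kind} '{n}'" for n in re.findall(pattern, cfg, re.M) if n not in defined]
    return out

def unmirrored(hub_cfg, hub_acl, spoke_cfg, spoke_acl):
    """Hub entries for one spoke lacking a src/dst-swapped twin in that spoke's ACL, and vice versa."""
    hub = parse_acls(hub_cfg).get(hub_acl, set())
    spoke_rev = {(d, s) for s, d in parse_acls(spoke_cfg).get(spoke_acl, set())}
    return sorted(f"{s} -> {d}" for s, d in hub ^ spoke_rev)
```

Run `dangling_refs` against each box's config and `unmirrored` once per spoke with the hub's ACL for that spoke; an empty result from both is what a working mesh-through-hub setup should show.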
Author Comment

by: fulcherjl
ID: 16508031
Hey Stressedout,
Just wanted to thank you for all of your help.  The information that you sent was very, VERY helpful.

Thanks again and again,
Jonathan
