Remote Pix 501 connections through 1 Pix 515

We are setting up multiple branch office VPN tunnels with one Pix 501 in each branch office - connecting to our main office Pix 515e.

Our main network with the 515e is 192.168.0.0/24

The networks for the remote offices are as follows.

192.168.8.0/21

192.168.16.0/21

192.168.0.24/21

etc, etc

Currently, our main office can connect to each branch office - and the branch offices can connect with the main office with no problem.

We would like to add routes into the Pix's so that the branch offices can communicate with each other through the VPN tunnels to the main office.  Is this possible?
I am not 100% familiar with how and where to make the changes to put routing like this into place.

Any and all help is greatly appreciated,
Jonathan
fulcherjlAsked:

stressedout2004Commented:
If your PIX on the main office is running version 6.3, then this will not work even if you put routes because PIX does not do redirection.

If the PIX 515e which is acting as the hub is running version 7.x, then this is possible using the command "same-security-traffic permit intra-interface" and some modification on the interesting traffic of each branch.

I can provide you with a sample configuration if it would help you. But you **definitely** need a PIX version 7.x

fulcherjlAuthor Commented:


Ok, I would LOVE a sample config - yes that would help greatly.

Currently the 515e is running 6.2(2) - but I have been thinking about the 7.x upgrade for some time now, and will probably try and do that this weekend.  But this is a feature that we would like to put in place.

Look forward to seeing the config,
the points are yours,

Jonathan

stressedout2004Commented:
The following configuration, which allows hub-and-spoke with communication between spokes, is based on the following assumptions:

Main PIX
external IP: 1.1.1.1
internal network: 192.168.1.0/24
Version: 7.x

Branch1 PIX:
external IP: 2.2.2.2
internal network: 192.168.2.0/24
Version: 6.x

Branch2 PIX:
external IP: 3.3.3.3
internal network: 192.168.3.0/24
Version 6.x

Let me know if you have any questions on the configuration provided. This only shows 2 branch offices; if you have more, then just follow the pattern. Good luck.

#############################################################################

FOR MAIN PIX

same-security-traffic permit intra-interface

access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 --> For Branch 1
access-list 101 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0


access-list 102 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 --> For Branch 2
access-list 102 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0


access-list bypassnat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list bypassnat extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

nat (inside) 0 access-list bypassnat

crypto ipsec transform-set 3DES esp-3des esp-md5-hmac

crypto map mainVPN 10 match address 101 --> For branch 1
crypto map mainVPN 10 set peer 2.2.2.2
crypto map mainVPN 10 set transform-set 3DES

crypto map mainVPN 20 match address 102 --> For branch 2
crypto map mainVPN 20 set peer 3.3.3.3
crypto map mainVPN 20 set transform-set 3DES

crypto map mainVPN interface outside

isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key test123

tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
 pre-shared-key test123


FOR BRANCH 1

access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0  ---> for branch1PIX to MainPIX
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0  ---> for branch1PIX to branch2PIX
access-list bypassnat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list bypassnat permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list bypassnat
sysopt connection permit-ipsec
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
crypto map branch1vpn 10 ipsec-isakmp
crypto map branch1vpn 10 match address 101
crypto map branch1vpn 10 set peer 1.1.1.1
crypto map branch1vpn 10 set transform-set 3DES
crypto map branch1vpn interface outside
isakmp enable outside
isakmp key test123 address 1.1.1.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400


FOR BRANCH 2

access-list 102 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0  ---> for branch2PIX to MainPIX
access-list 102 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0  ---> for branch2PIX to branch1PIX
access-list bypassnat permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list bypassnat permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list bypassnat
sysopt connection permit-ipsec
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
crypto map branch2vpn 20 ipsec-isakmp
crypto map branch2vpn 20 match address 102
crypto map branch2vpn 20 set peer 1.1.1.1
crypto map branch2vpn 20 set transform-set 3DES
crypto map branch2vpn interface outside
isakmp enable outside
isakmp key test123 address 1.1.1.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

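The answer above says "if you have more, then just follow the pattern". The script below is an added example, not part of the original thread or of the poster's configuration: it generates the crypto ACLs, NAT-exemption ACLs and crypto-map entries for a hub and any number of spokes from the same addressing plan, and then checks the property that makes spoke-to-spoke work, namely that each spoke's crypto ACL is the exact mirror image of the hub's crypto ACL for that spoke (hub LAN plus every other spoke LAN). It reuses the answer's hub and branch networks and peer addresses and adds a hypothetical third branch (192.168.4.0/24, peer 4.4.4.4) to show the pattern extending; ACL numbers, crypto-map names and the transform-set name follow the answer, and the overlap check refuses a plan in which any two LANs overlap, since a crypto ACL cannot select such traffic unambiguously.

```python
from ipaddress import IPv4Network

# Constructed topology: the answer's addressing plan plus a hypothetical
# third branch so the generator shows the N-spoke pattern.
HUB = IPv4Network("192.168.1.0/24")
HUB_PEER = "1.1.1.1"
SPOKES = [IPv4Network("192.168.2.0/24"),
          IPv4Network("192.168.3.0/24"),
          IPv4Network("192.168.4.0/24")]
SPOKE_PEERS = ["2.2.2.2", "3.3.3.3", "4.4.4.4"]


def acl_line(name, src, dst, extended=False):
    """One PIX access-list entry; PIX 7.x syntax carries the 'extended' keyword."""
    verb = "extended permit" if extended else "permit"
    return (f"access-list {name} {verb} ip "
            f"{src.network_address} {src.netmask} "
            f"{dst.network_address} {dst.netmask}")


def overlapping(hub, spokes):
    """Pairs of LANs that overlap; such a plan can never be matched cleanly."""
    nets = [hub, *spokes]
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:]
            if a.overlaps(b)]


def hub_crypto_entries(hub, spokes, i):
    """(src, dst) pairs the hub encrypts toward spoke i: hub -> spoke_i plus
    every other spoke -> spoke_i. The second group is what hairpins
    spoke-to-spoke traffic back out of the hub's outside interface."""
    target = spokes[i]
    return [(hub, target)] + [(other, target)
                              for j, other in enumerate(spokes) if j != i]


def spoke_crypto_entries(hub, spokes, i):
    """(src, dst) pairs spoke i sends to its single peer, the hub: its own LAN
    to the hub LAN and to every other spoke LAN."""
    me = spokes[i]
    return [(me, hub)] + [(me, other) for j, other in enumerate(spokes) if j != i]


def mirrors(hub_entries, spoke_entries):
    """True when the spoke ACL is the exact mirror image of the hub ACL for it.
    A missing mirror line is the classic reason hub traffic works while
    spoke-to-spoke packets are silently dropped."""
    return {(dst, src) for src, dst in hub_entries} == set(spoke_entries)


def render_hub(hub, spokes, peers):
    """Hub-side (PIX 7.x) fragment: one crypto ACL and crypto-map entry per
    spoke, plus NAT exemption for hub LAN -> every spoke LAN."""
    if overlapping(hub, spokes):
        raise ValueError(f"overlapping networks: {overlapping(hub, spokes)}")
    lines = ["same-security-traffic permit intra-interface"]
    for i, peer in enumerate(peers):
        acl, seq = f"{101 + i}", 10 * (i + 1)
        for src, dst in hub_crypto_entries(hub, spokes, i):
            lines.append(acl_line(acl, src, dst, extended=True))
        lines += [f"crypto map mainVPN {seq} match address {acl}",
                  f"crypto map mainVPN {seq} set peer {peer}",
                  f"crypto map mainVPN {seq} set transform-set 3DES"]
    for spoke in spokes:
        lines.append(acl_line("bypassnat", hub, spoke, extended=True))
    lines.append("nat (inside) 0 access-list bypassnat")
    return lines


def render_spoke(hub, spokes, i, hub_peer):
    """Spoke-side (PIX 6.x) fragment: crypto ACL and NAT exemption covering the
    hub LAN and every other spoke LAN, with the hub as the only peer."""
    acl, name = f"{101 + i}", f"branch{i + 1}vpn"
    lines = []
    for src, dst in spoke_crypto_entries(hub, spokes, i):
        lines.append(acl_line(acl, src, dst))
        lines.append(acl_line("bypassnat", src, dst))
    lines += ["nat (inside) 0 access-list bypassnat",
              f"crypto map {name} 10 ipsec-isakmp",
              f"crypto map {name} 10 match address {acl}",
              f"crypto map {name} 10 set peer {hub_peer}",
              f"crypto map {name} 10 set transform-set 3DES"]
    return lines


def verify_plan(hub, spokes):
    """True when every spoke's crypto ACL mirrors the hub's entry for it."""
    return all(mirrors(hub_crypto_entries(hub, spokes, i),
                       spoke_crypto_entries(hub, spokes, i))
               for i in range(len(spokes)))


if __name__ == "__main__":
    print("\n".join(render_hub(HUB, SPOKES, SPOKE_PEERS)))
    for i in range(len(SPOKES)):
        print(f"\nFOR BRANCH {i + 1}")
        print("\n".join(render_spoke(HUB, SPOKES, i, HUB_PEER)))
    print("\nmirror check:", verify_plan(HUB, SPOKES))
```

Only the interesting-traffic, NAT-exemption and crypto-map lines are generated; the ISAKMP policy, pre-shared keys and transform-set definition are the same on every box and are left as in the answer. Run it after adding a branch and compare the output against what is actually on each PIX: any hub entry without its mirror on the spoke is exactly the line that will stop that pair of branches talking.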
fulcherjlAuthor Commented:
Hey Stressedout,
Just wanted to thank you for all of your help.  The information that you sent was very, VERY helpful.

Thanks again and again,
Jonathan
