PIX - Communication between two site-to-site VPNs

I currently have two site-to-site VPNs terminating at a central site and want to know whether it is possible for the two remote sites to talk to each other directly via the main site.

To elaborate, say you have a main site called SiteA to which two other sites, SiteB and SiteC, terminate a VPN, and everyone is happily talking to SiteA. Is it possible for SiteB to talk to SiteC without setting up another VPN connection between those two sites?

Thanks for your help
Asked by: SELSupport
1 Solution
 
Keith Alabaster commented:
This is the configuration that you are likely using. It does not support site B and site C talking to each other (as is) as there is no routing on the central PIX. For all sites to talk directly, it needs to be fully meshed.

http://www.cisco.com/warp/public/110/pixhubspoke.html

 
stressedout2004 commented:
Possible. But only if you have a PIX capable of running version 7.x. On PIX version 7.x, you can enable the command
"same-security-traffic permit intra-interface", which allows a U-turn of IPsec traffic, allowing spokes to communicate with one another via the VPN connection on the main site.

PIX/ASA 7.x Enhanced Spoke-to-Spoke VPN Configuration Example
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml
 
SELSupport (Author) commented:
Excellent, stressedout2004!
That's the job! I've enabled it on the central PIX, but I'm still experiencing a weird thing. If I do a ping from one site to the other to test this it doesn't work, but if I try it the other way it does, and then the other pings from the first site also work.
It's as if the initialisation between spokes is only one way. Any ideas?

Phil
 
SELSupport (Author) commented:
One other thing I should mention, but I don't think it's an issue: the first site is running a 501, the other site is running an 837, with the central PIX running a 515E v7.0 with 160MB RAM.
 
stressedout2004 commented:
For spoke-to-spoke communication to take place, with the PIX acting as a hub, you need the following:

1) The command "same-security-traffic permit intra-interface" on the PIX acting as a hub.
2) You need to modify the interesting traffic of all the sites, not just on the hub but on all the spokes as well.

It doesn't matter what type of devices you have on the spokes as long as they are configured correctly.
Will you be able to post a sanitized configuration of the hub and spokes? We need to double-check it.
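As an added illustration of the two requirements above (constructed for this thread, not posted by anyone here and not taken from Cisco's example document), here is a minimal hub-and-spoke layout matching the devices mentioned in the thread. All subnets, peer addresses, ACL and crypto-map names are assumptions: SiteA 10.1.0.0/24 behind 203.0.113.1, SiteB 10.2.0.0/24 behind 203.0.113.2, SiteC 10.3.0.0/24 behind 203.0.113.3. ISAKMP policies and pre-shared keys are omitted.

```text
! ===== Hub (SiteA): PIX 515E running 7.x =====
! 1) Let traffic that arrives on "outside" leave via "outside" again (the U-turn).
same-security-traffic permit intra-interface
! 2) Interesting traffic for the SiteB tunnel: hub->B AND SiteC->B.
!    The second line is what makes spoke-to-spoke work; without it the hub
!    drops C->B traffic because it matches no proxy identity of the B tunnel.
access-list crypto_SiteB extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list crypto_SiteB extended permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0
! Interesting traffic for the SiteC tunnel: hub->C AND SiteB->C (mirror of the above).
access-list crypto_SiteC extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
access-list crypto_SiteC extended permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 match address crypto_SiteB
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address crypto_SiteC
crypto map outside_map 20 set peer 203.0.113.3
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
! NAT exemption (nat 0 access-list) for these subnets is assumed to exist and is not shown.
! After editing a crypto ACL, clear the existing SAs so they renegotiate with the
! new proxy identities; otherwise the first ping in one direction fails until the
! other side brings up a fresh SA, which is the one-way symptom described above.
!   clear crypto ipsec sa

! ===== Spoke SiteB: PIX 501 (6.x syntax) =====
! Interesting traffic must name SiteC's subnet too, with the hub as the only peer.
access-list crypto_hub permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list crypto_hub permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map spoke_map 10 ipsec-isakmp
crypto map spoke_map 10 match address crypto_hub
crypto map spoke_map 10 set peer 203.0.113.1
crypto map spoke_map 10 set transform-set ESP-3DES-SHA
crypto map spoke_map interface outside

! ===== Spoke SiteC: Cisco 837 (IOS, wildcard masks) =====
access-list 110 permit ip 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 110 permit ip 10.3.0.0 0.0.0.255 10.2.0.0 0.0.0.255
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map spoke_map 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set ESP-3DES-SHA
 match address 110
! ...then apply "crypto map spoke_map" under the 837's WAN interface.
```

The hub's crypto ACL for each spoke must list every source that may reach that spoke, and each spoke's ACL must list every destination it may reach; the two sets have to mirror each other or the proxy identities will not match at negotiation.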
 
Keith Alabaster commented:
Nice. I'll have to get myself up to speed with the new services available in version 7.
 
SELSupport (Author) commented:
Yea, seems to be working fine now. Must have just been a case of re-establishing the IPsec SAs.

Thanks, much appreciated!

Phil