  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 294

PIX 515 VPN: central hub needs two remote locations to talk to each other

We have 2 remote sites connected into our central location using Cisco PIX 515E firewalls. Each location currently accesses the main location.
We recently installed a voice over IP system and need the 2 remote sites to "speak" to each other.

Central facility: 10.3.0.0 network
10.4.0.0 remote network
10.5.0.0 remote network

10.3 can reach both locations
10.4 currently can only access 10.3
10.5 can currently reach 10.3

We need 10.5 and 10.4 to talk to each other.
Site-to-site connections use IPsec. We do not have any routers routing traffic.
Asked by infrastructureadmin
1 Solution
pjcoole commented:
What routing protocols are running on the central 515E firewall? Try adding routes for the 2 remote networks. You will also have to add the routes on each remote firewall as well. Or you can create a second site-to-site VPN between the 2 remote sites; this can be configured the same way you have the VPN configured with the central office.

atyar commented:
I'd go with the 2nd site-to-site VPN between the 2 remote sites. There is no need for a router, as you will specify the specific traffic in the access-list you use in the VPN definition on the PIX.

In other words, you'd have something like:

1) At the 10.4 office:
Access lists:
access-list 100 permit ip 10.4.0.0 0.0.255.255 10.3.0.0 0.0.255.255 (if I recall correctly, you use inverse masks; if not, use 255.255.0.0)
access-list 110 permit ip 10.4.0.0 0.0.255.255 10.5.0.0 0.0.255.255
VPN definitions:
in the definition for the 10.4 to 10.3 link, use 'match address 100'
in the definition for the 10.4 to 10.5 link, use 'match address 110'

2) At the 10.5 office:
Access lists:
access-list 100 permit ip 10.5.0.0 0.0.255.255 10.3.0.0 0.0.255.255 (if I recall correctly, you use inverse masks; if not, use 255.255.0.0)
access-list 110 permit ip 10.5.0.0 0.0.255.255 10.4.0.0 0.0.255.255
VPN definitions:
in the definition for the 10.5 to 10.3 link, use 'match address 100'
in the definition for the 10.5 to 10.4 link, use 'match address 110'

The different 'match address' statements will identify the traffic going across that particular VPN tunnel. I used to have a setup just like this - called a 'full mesh' network, where each of our 4 offices could 'talk' to each of the other 4 offices.
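The answer above shows one instance of the pattern (three sites, hand-written access-lists and crypto map entries). The script below is an added example, not code from the thread or from Cisco: it generalizes the pattern to a full mesh of N sites, emits PIX-style configuration for each firewall, and then checks two things a practitioner wants verified before cutting over: that every ordered pair of sites is selected by the right crypto map entry on the sending side and mirrored on the receiving side (mismatched proxy IDs make phase 2 fail), and that a leftover catch-all hub entry at a lower sequence number does not silently swallow the new spoke-to-spoke traffic, because the PIX evaluates crypto map entries in sequence order and the first ACL hit wins. The access-lists are written with normal subnet masks, which is what PIX access-list syntax takes. The site table, the 203.0.113.x peer addresses, the transform-set name and the pre-shared-key placeholder are all constructed for the example; the only values taken from the thread are the three LAN prefixes.

```python
import ipaddress
from dataclasses import dataclass

# Constructed site table (not from the thread): LAN prefixes are the ones the
# asker lists; the outside/peer addresses are TEST-NET-3 placeholders.
SITES = {
    "central": ("10.3.0.0/16", "203.0.113.3"),
    "site4": ("10.4.0.0/16", "203.0.113.4"),
    "site5": ("10.5.0.0/16", "203.0.113.5"),
}


@dataclass
class CryptoEntry:
    """One crypto map entry: sequence number, peer, and the ACL that selects traffic."""
    seq: int
    peer: str
    acl_name: str
    acl: list  # list of (src_network, dst_network) pairs


def pix_addr(net):
    """PIX access-list syntax takes a network followed by a normal subnet mask."""
    return f"{net.network_address} {net.netmask}"


def build_full_mesh(local, sites, map_name="outside_map", transform="ESP-3DES-SHA"):
    """Generate PIX-style config for the firewall at `local`: one access-list,
    one crypto map entry and one NAT-exemption line per remote site."""
    local_net = ipaddress.ip_network(sites[local][0])
    lines, entries, seq = [], [], 10
    for name, (prefix, peer) in sorted(sites.items()):
        if name == local:
            continue
        remote = ipaddress.ip_network(prefix)
        acl = f"vpn_{local}_to_{name}"
        lines += [
            f"access-list {acl} permit ip {pix_addr(local_net)} {pix_addr(remote)}",
            f"access-list nonat permit ip {pix_addr(local_net)} {pix_addr(remote)}",
            f"crypto map {map_name} {seq} ipsec-isakmp",
            f"crypto map {map_name} {seq} match address {acl}",
            f"crypto map {map_name} {seq} set peer {peer}",
            f"crypto map {map_name} {seq} set transform-set {transform}",
            # placeholder key: a real deployment uses a distinct strong secret per peer
            f"isakmp key PRESHARED-KEY-PLACEHOLDER address {peer} netmask 255.255.255.255",
        ]
        entries.append(CryptoEntry(seq, peer, acl, [(local_net, remote)]))
        seq += 10
    lines += ["nat (inside) 0 access-list nonat", f"crypto map {map_name} interface outside"]
    return lines, entries


def classify(entries, src_ip, dst_ip):
    """Crypto map lookup as the PIX performs it: entries are tried in sequence order
    and the first ACL hit wins. Returns the selected peer, or None if the flow would
    leave the outside interface unencrypted."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for entry in sorted(entries, key=lambda e: e.seq):
        for src_net, dst_net in entry.acl:
            if src in src_net and dst in dst_net:
                return entry.peer
    return None


def verify_mesh(sites):
    """For every ordered pair of sites, the sender must pick the right peer and the
    receiver must hold the mirror-image entry; otherwise phase 2 proxy IDs mismatch."""
    maps = {name: build_full_mesh(name, sites)[1] for name in sites}
    problems = []
    for a, (net_a, peer_a) in sites.items():
        for b, (net_b, peer_b) in sites.items():
            if a == b:
                continue
            host_a = str(ipaddress.ip_network(net_a)[10])  # sample host in each LAN
            host_b = str(ipaddress.ip_network(net_b)[10])
            if classify(maps[a], host_a, host_b) != peer_b:
                problems.append(f"{a}: {host_a}->{host_b} not sent to {b}")
            if classify(maps[b], host_b, host_a) != peer_a:
                problems.append(f"{b}: no mirror entry for {host_b}->{host_a}")
    return problems


def broad_hub_entry_shadows(sites):
    """Failure mode: a leftover catch-all hub ACL (10.4.0.0/16 -> any) at a lower
    sequence number captures the 10.4->10.5 flow before the new spoke entry is reached,
    so the traffic is sent to the central peer, which has no matching proxy ID."""
    _, entries = build_full_mesh("site4", sites)
    any_net = ipaddress.ip_network("0.0.0.0/0")
    catch_all = CryptoEntry(5, sites["central"][1], "vpn_site4_to_any",
                            [(ipaddress.ip_network(sites["site4"][0]), any_net)])
    return classify([catch_all] + entries, "10.4.0.10", "10.5.0.10")


if __name__ == "__main__":
    for line in build_full_mesh("site4", SITES)[0]:
        print(line)
    print("mesh problems:", verify_mesh(SITES) or "none")
    print("with catch-all hub entry, 10.4->10.5 goes to:", broad_hub_entry_shadows(SITES))
```

Run it to print the generated config for the 10.4 firewall and the two checks. The `nonat` access-list matters as much as the crypto ACL: without the `nat (inside) 0` exemption the PIX translates the spoke-to-spoke packets before the crypto map sees them and they never match the tunnel selector.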
infrastructureadmin (Author) commented:
Great thank you!

atyar commented:
Glad it helped :)