PIX 515 VPN: central hub needs the two remote locations to talk to each other

We have 2 remote sites connected into our central location using Cisco 515E firewalls. Each location currently accesses the main location.
We recently installed a voice over IP system and need the 2 remote sites to "speak" to each other.

Central facility:
10.3.0.0 network
10.4.0.0 remote network
10.5.0.0 remote network

10.3 can reach both locations
10.4 currently can only access 10.3
10.5 can currently reach 10.3

We need 10.5 and 10.4 to talk to each other.
Site to site connections use IPSEC.  We do not have any routers routing traffic.
infrastructureadmin asked:
pjcoole commented:
What routing protocols are running on the central 515E firewall? Try adding routes for the 2 remote networks. You will also have to add the routes on each remote firewall as well. Or you can create a second site-to-site VPN between the 2 remote sites; this can be configured the same way you have the VPN configured with the central office.
atyar commented:
I'd go with the 2nd site-to-site vpn between the 2 remote sites.  There is no need for a router, as you will specify the specific traffic in the access-list you use in the vpn definition on the pix.

In other words, you'd have something like:
1) At the 10.4 office:
Access lists:
access-list 100 permit ip 10.4.0.0 0.0.255.255 10.3.0.0 0.0.255.255 (if I recall correctly, you use inverse masks. If not, use 255.255.0.0)
access-list 110 permit ip 10.4.0.0 0.0.255.255 10.5.0.0 0.0.255.255
VPN definitions:
in the definition for the 10.4 to 10.3 link, use 'match address 100'
in the definition for the 10.4 to 10.5 link, use 'match address 110'

2) At the 10.5 office:
Access lists:
access-list 100 permit ip 10.5.0.0 0.0.255.255 10.3.0.0 0.0.255.255 (if I recall correctly, you use inverse masks. If not, use 255.255.0.0)
access-list 110 permit ip 10.5.0.0 0.0.255.255 10.4.0.0 0.0.255.255
VPN definitions:
in the definition for the 10.5 to 10.3 link, use 'match address 100'
in the definition for the 10.5 to 10.4 link, use 'match address 110'

the different 'match address' statements will identify the traffic going across that particular vpn tunnel.  I used to have a setup just like this - called a 'full mesh' network, where each of our 4 offices could 'talk' to each of the other 4 offices.
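Added example, not from the thread or from either poster: a PIX 6.3 configuration for the 10.4 office implementing the second tunnel described above, with one crypto map carrying both peers. The peer addresses and pre-shared keys are placeholders (assumed), the `!` lines are explanatory comments, and PIX access-lists take ordinary subnet masks (255.255.0.0), not IOS-style inverse masks; the `nat 0` exemption is included because traffic that gets translated on the way out no longer matches the crypto access-list and the tunnel never carries it.

```cisco
! --- 10.4 office PIX: traffic selectors for each tunnel ---
access-list to_central permit ip 10.4.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list to_site5   permit ip 10.4.0.0 255.255.0.0 10.5.0.0 255.255.0.0

! --- exempt site-to-site traffic from NAT so it matches the selectors above ---
access-list nonat permit ip 10.4.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list nonat permit ip 10.4.0.0 255.255.0.0 10.5.0.0 255.255.0.0
nat (inside) 0 access-list nonat

! --- let decrypted IPsec traffic bypass the outside interface ACL ---
sysopt connection permit-ipsec

! --- IKE phase 1 (pre-shared keys; peer IPs and keys are placeholders) ---
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key CENTRAL_PSK_PLACEHOLDER address 198.51.100.1 netmask 255.255.255.255
isakmp key SITE5_PSK_PLACEHOLDER   address 203.0.113.1  netmask 255.255.255.255

! --- IPsec phase 2: one crypto map, one entry per peer ---
crypto ipsec transform-set STRONG esp-aes esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address to_central
crypto map VPN 10 set peer 198.51.100.1
crypto map VPN 10 set transform-set STRONG
crypto map VPN 20 ipsec-isakmp
crypto map VPN 20 match address to_site5
crypto map VPN 20 set peer 203.0.113.1
crypto map VPN 20 set transform-set STRONG
crypto map VPN interface outside
```

The 10.5 office needs the mirror image (its selectors reversed, peer set to the 10.4 firewall's outside address), while the central PIX is unchanged because 10.4-to-10.5 traffic no longer passes through it; `show crypto ipsec sa` on either remote PIX confirms the new SA once traffic flows.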

infrastructureadmin (author) commented:
Great thank you!
atyar commented:
Glad it helped :)
Question has a verified solution.