Cisco VPN concentrator

brasslan
I'm currently running a PIX 501 at our office and I have 4 point-to-point VPNs set up there.  The problem is now 2 of the points not only want to talk to my office, now they want to talk to each other.

I've always been told that the PIX 501 will not allow VPN traffic from one office to come in and leave for another office.  Is that true?  Is there a way around it?  Maybe with a router on the inside?

What is the least expensive Cisco device that will allow VPN traffic to do what I want?

Thanks!
brasslan
Istvan Kalmar, Head of IT Security Division
Top Expert 2010
Commented:
Hi,

I think the better way is to make an L2L VPN between them rather than route the traffic through the office!
If the endpoints are routers, I recommend that you configure DMVPN hub and spoke, and change the PIX to a router!

Best regards,
Istvan

Author

Commented:
I also forgot to mention that I only have control of the hardware at my office.  No control over office B and office C, I don't even know what hardware they are running.  Here is what needs to happen.  Office B and office C want to talk to each other, but they refuse to build a VPN tunnel between themselves (because of political bull).  There currently exists a VPN tunnel between our office and office B and another tunnel between us and office C.  So they want me to route the traffic between the two VPN tunnels.

Can this be done with any Cisco router?  Do I need to look for one with VPN capabilities?
I've never heard of DMVPN, but from the 2 pages that I just read, it sounds like all endpoints would have to be set up for the DMVPN and I don't know if the other 2 locations are capable (or willing) to do this.

Right now, the PIX is the head end for our network.  Should I put the Cisco router outside the firewall and move the VPN responsibilities to the new device?  Or should the router sit inside the firewall?
Sr. Systems Engineer
Top Expert 2008
Commented:
Just for my own curiosity....
>Office B and office C want to talk to each other, but they refuse to build a VPN tunnel between themselves (because of political bull).
So.... you are willing to take on additional risks and spend additional money yourself, just to make them happy?
If you have no control over their end and cannot make changes to them, and they are not willing to do it themselves, then no matter what you do on your end, it won't happen. The configs for the VPN tunnels between you and each of the other offices have to be modified at the remote site. B has to have your subnet as well as C's subnet listed for the interesting traffic for the VPN tunnel, and nat-bypass as well, and so C has to also have B's subnet as well as yours listed.
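The requirement in the comment above, worked through as an added example that is not part of the original thread: it computes which interesting-traffic (local, remote) pairs each end of each hub tunnel needs for B and C to reach each other through office A, and lists what a plain point-to-point setup is still missing. The subnets, site names and the `CONFIGURED` table are constructed assumptions, since the thread gives no addressing.

```python
from ipaddress import ip_network

# Constructed addressing: the thread gives no subnets. A is the hub office.
SITES = {"A": "10.1.0.0/24", "B": "10.2.0.0/24", "C": "10.3.0.0/24"}
HUB = "A"

# Constructed "before" state: two plain point-to-point tunnels, A-B and A-C.
# Key = (device, tunnel peer); value = (local, remote) interesting-traffic pairs.
CONFIGURED = {
    ("A", "B"): [("10.1.0.0/24", "10.2.0.0/24")],
    ("B", "A"): [("10.2.0.0/24", "10.1.0.0/24")],
    ("A", "C"): [("10.1.0.0/24", "10.3.0.0/24")],
    ("C", "A"): [("10.3.0.0/24", "10.1.0.0/24")],
}

def required_selectors(sites, hub):
    """Selectors each end of each hub tunnel needs for spoke-to-spoke relay."""
    nets = {name: ip_network(cidr) for name, cidr in sites.items()}
    need = {}
    for spoke, spoke_net in nets.items():
        if spoke == hub:
            continue
        # From the spoke's side, every other site is reached through the hub.
        others = [net for name, net in nets.items() if name != spoke]
        need[(spoke, hub)] = {(spoke_net, o) for o in others}
        # The hub end must mirror the spoke end exactly.
        need[(hub, spoke)] = {(o, spoke_net) for o in others}
    return need

def audit(configured, sites, hub):
    """Return sorted (device, peer, local, remote) entries still missing."""
    missing = []
    for (dev, peer), pairs in required_selectors(sites, hub).items():
        have = {(ip_network(l), ip_network(r))
                for l, r in configured.get((dev, peer), [])}
        for local, remote in pairs - have:
            missing.append((dev, peer, str(local), str(remote)))
    return sorted(missing)

if __name__ == "__main__":
    for dev, peer, local, remote in audit(CONFIGURED, SITES, HUB):
        print(f"site {dev}, tunnel to {peer}: add {local} -> {remote}")
```

Two of the four missing entries sit on the remote devices at B and C, which is the point the comment makes; the same pairs also need the nat-bypass treatment it mentions.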

Author

Commented:
Can this be done with any Cisco router?  Does every Cisco router have VPN capabilities?

And yes, the stupid guys at Office B and C will adjust their current access lists to allow the new traffic, but won't build a tunnel between themselves :-(

Author

Commented:
The question wasn't really answered.  But I do appreciate the responses, they were very helpful.
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
Yes, it is possible, the Cisco routers have VPN capabilities.
