Solved

Cisco PIX VPN Routing Problems

Posted on 2010-01-01
307 Views
Last Modified: 2012-05-08
I have several sites successfully connecting via VPN to a central site at a data center (hub and spoke). Two of these sites need to access all of the other sites using the VPN connections. Most of the remote sites are using Linksys VPN routers; the data center and downtown sites are using PIX firewalls.

I'm trying to get the downtown site to route to another site across the central site. I believe I have the downtown PIX configured correctly because I'm seeing traffic hit the ACL for both the nat 0 and the crypto map on that PIX. However, I don't see any of the traffic going into the data center PIX. I've attached the key parts of the configuration for both sites. Can someone tell me what I've configured wrong? Thanks.

Downtown    10.10.128.0 /24
Data Center   10.10.17.0 /24
Remote site (Mike)  10.20.1.0/24
PIX-Cleaned.txt
Question by:SueBeeFuqua
10 Comments
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 26158655
I don't know PIX VPN configs but is there a reason you don't just create a new tunnel between downtown and the remote vs complicating it with an extra VPN/Router in the middle?
0
 

Author Comment

by:SueBeeFuqua
ID: 26158688
I've considered that solution, but there are several sites (10) that need to be connected, which takes quite a bit of time to configure and can't be centrally managed.
0
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 26158747
In that case you need to have the core site be able to route back out to go site to site but I don't know how to set that up on your platform.
0
 
LVL 25

Accepted Solution

by:Cyclops3590 (earned 1000 total points)
ID: 26160627
Looking at the config, it appears that you have a pre-7.x PIX OS installed. What version of PIX OS is on the data center PIX? Also, what is the model of your PIX?

The reason I ask is that what you want to do wasn't possible until 7.x; it's called hair-pinning. If you have a PIX that is capable of upgrading to 7.x, then the following is the command to enable hair-pinning:

same-security-traffic permit intra-interface
0
 
LVL 32

Assisted Solution

by:rsivanandan (earned 1000 total points)
ID: 26160631
PIX doesn't support the U-turn of VPN traffic; it is one of the major functionalities introduced with the ASA series of firewalls.

PIX 7.0 and above, I believe, support this, but not all boxes can be upgraded to 7.0. You need to check if your model supports it.

Cheers,
rsivanandan
0
 

Author Comment

by:SueBeeFuqua
ID: 26162116
Both PIXes are 515Es running 6.3(5). Can the downtown PIX (spoke) stay at 6.3, or does it also have to be upgraded to 7.0?
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 26162146
With 6.3(5), it won't be possible. You need to be on 7.x. Only the hub matters; the spoke can remain at the current version.

Cheers,
rsivanandan
0
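An added illustration, not from the original thread, the attached PIX-Cleaned.txt, or Cisco documentation, of what the hub and spoke configurations would need to contain for the hair-pinned path Cyclops3590 and rsivanandan describe: the data center PIX at 7.x with same-security-traffic permit intra-interface, the downtown PIX staying on 6.3(5). The subnets are the three listed in the question; the peer addresses (192.0.2.x), ACL names, crypto map name and transform-set name are placeholders. Because the question says the hub-to-spoke tunnels already work, ISAKMP policies, pre-shared keys and transform-set definitions are left out, and only the lines that decide whether spoke-to-spoke traffic is selected and exempted from NAT are shown. The outside-interface NAT exemption on the hub is an assumption that depends on how the rest of the hub's NAT is configured.

```cisco
! ---- Hub: data center PIX 515E after the upgrade to 7.x (added example, not the poster's config)
! Hair-pinning: allow traffic that arrives on the outside interface to leave on the same interface.
same-security-traffic permit intra-interface
!
! Crypto ACLs: each spoke tunnel must also carry the OTHER spokes' subnets as interesting traffic,
! otherwise the hub never selects downtown <-> Mike packets for encryption.
! Downtown tunnel: data center <-> downtown plus Mike <-> downtown
access-list VPN-DOWNTOWN extended permit ip 10.10.17.0 255.255.255.0 10.10.128.0 255.255.255.0
access-list VPN-DOWNTOWN extended permit ip 10.20.1.0 255.255.255.0 10.10.128.0 255.255.255.0
! Mike tunnel: data center <-> Mike plus downtown <-> Mike
access-list VPN-MIKE extended permit ip 10.10.17.0 255.255.255.0 10.20.1.0 255.255.255.0
access-list VPN-MIKE extended permit ip 10.10.128.0 255.255.255.0 10.20.1.0 255.255.255.0
!
! NAT exemption for data center <-> spoke traffic entering on the inside interface.
access-list NONAT-INSIDE extended permit ip 10.10.17.0 255.255.255.0 10.10.128.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 10.10.17.0 255.255.255.0 10.20.1.0 255.255.255.0
nat (inside) 0 access-list NONAT-INSIDE
! Assumption: spoke-to-spoke traffic never touches the inside interface, so if the hub applies
! NAT on outside, the same exemption is needed there too.
access-list NONAT-OUTSIDE extended permit ip 10.10.128.0 255.255.255.0 10.20.1.0 255.255.255.0
nat (outside) 0 access-list NONAT-OUTSIDE
!
! Crypto map entries (peer IPs and transform-set name are placeholders).
crypto map OUTSIDE-MAP 10 match address VPN-DOWNTOWN
crypto map OUTSIDE-MAP 10 set peer 192.0.2.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 20 match address VPN-MIKE
crypto map OUTSIDE-MAP 20 set peer 192.0.2.20
crypto map OUTSIDE-MAP 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! ---- Spoke: downtown PIX 515E staying on 6.3(5); note the 6.3 syntax has no "extended" keyword.
! Interesting traffic: downtown <-> data center and downtown <-> Mike, both sent to the hub peer.
access-list VPN-HUB permit ip 10.10.128.0 255.255.255.0 10.10.17.0 255.255.255.0
access-list VPN-HUB permit ip 10.10.128.0 255.255.255.0 10.20.1.0 255.255.255.0
access-list NONAT permit ip 10.10.128.0 255.255.255.0 10.10.17.0 255.255.255.0
access-list NONAT permit ip 10.10.128.0 255.255.255.0 10.20.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto map OUTSIDE-MAP 10 ipsec-isakmp
crypto map OUTSIDE-MAP 10 match address VPN-HUB
crypto map OUTSIDE-MAP 10 set peer 192.0.2.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
```

The remote Linksys at Mike's site has to list 10.10.128.0/24 as a remote network on its tunnel to the hub as well, or it will not accept the hair-pinned packets; after that, show crypto ipsec sa on the hub should show an SA whose proxy identities are 10.10.128.0/24 and 10.20.1.0/24 on each of the two tunnels. One caveat worth keeping in mind: once intra-interface traffic is permitted, any decrypted traffic selected by the crypto ACLs can turn around towards any other spoke, so keep those ACLs limited to the subnet pairs that actually need to talk rather than widening them to any.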
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 26162463
The 515E is upgradeable to 7.x if you meet the memory requirements; I think it's 256 MB. However, you'd need an active SmartNet to get it. I would call your vendor about the SmartNet if you don't already have one, as I don't believe you can just do a one-time purchase to get the 7.x or 8.x code. Rajesh can correct me if I'm wrong on that one.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 26164713
I guess yes, you need to have a smartnet.

Cheers,
rsivanandan
0
 

Author Comment

by:SueBeeFuqua
ID: 26165942
Thanks for the info, I'll be looking into a SmartNet contract.
0
