Solved

Site to Site VPN between two Cisco Pix 506E and ASA5510

Posted on 2011-10-10
Last Modified: 2012-05-12
I have a new customer who has a PIX 506E.  They have 6 site-to-site VPNs configured on this PIX.   I have a Cisco ASA5510.  I am creating a site-to-site VPN from my ASA to their PIX tomorrow.  I also need VPN access to the other 6 locations that the PIX has site-to-site VPNs to as well.   Will I need to create 6 more site-to-site VPNs on my ASA to have access to those from my network?  Would I be able to somehow get to those other six networks just from the single VPN I will be creating tomorrow?  Thanks.
Question by:denver218
13 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36944452
Depends on what OS version is running on the PIX. If >6 then it should support hairpinning.
0
 
LVL 2

Expert Comment

by:dslam24
ID: 36944568
You do not have to create new tunnels from your ASA.  You will have to put the remote subnets in your ACLs for NoNAT and interesting traffic; the interesting traffic ACL has to match at both ends of your tunnel.
You will probably need to add this command as well to the PIX "same-security-traffic permit intra-interface".  This will allow your VPN traffic to go in and out of the same interface, in this case the outside interface as it goes from your tunnel to the other.
0
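As an added example (not part of the thread): a small Python check that every interesting-traffic (crypto ACL) entry on one end of a tunnel has a mirrored entry on the other end, which is the condition under which traffic to the extra remote subnets is actually encrypted. The ACL names `TO-PIX` and `TO-ASA` and all addresses are constructed for illustration, and only plain `permit ip <net> <mask> <net> <mask>` entries are handled.

```python
import ipaddress
import re

# Constructed sample configs; subnets and ACL names are hypothetical.
ASA_CRYPTO_ACL = """\
access-list TO-PIX extended permit ip 10.10.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list TO-PIX extended permit ip 10.10.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list TO-PIX extended permit ip 10.10.0.0 255.255.255.0 192.168.3.0 255.255.255.0
"""
HUB_CRYPTO_ACL = """\
access-list TO-ASA extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list TO-ASA extended permit ip 192.168.2.0 255.255.255.0 10.10.0.0 255.255.255.0
"""

# Matches "access-list NAME [extended] permit ip SRC MASK DST MASK" only;
# "host", "any" and object-groups are deliberately out of scope here.
ACE = re.compile(
    r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$"
)

def parse_aces(config, acl_name):
    """Return the set of (source, destination) networks in the named ACL."""
    pairs = set()
    for line in config.splitlines():
        m = ACE.match(line.strip())
        if m and m.group(1) == acl_name:
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}")
            pairs.add((src, dst))
    return pairs

def unmirrored(local, remote):
    """Entries in `local` that have no (dst, src) counterpart in `remote`."""
    return sorted(p for p in local if (p[1], p[0]) not in remote)

def check_tunnel(local_cfg, local_acl, remote_cfg, remote_acl):
    """Compare both ends of one tunnel and report entries lacking a mirror."""
    local = parse_aces(local_cfg, local_acl)
    remote = parse_aces(remote_cfg, remote_acl)
    return {"missing_on_remote": unmirrored(local, remote),
            "missing_on_local": unmirrored(remote, local)}

if __name__ == "__main__":
    report = check_tunnel(ASA_CRYPTO_ACL, "TO-PIX", HUB_CRYPTO_ACL, "TO-ASA")
    for side, entries in report.items():
        for src, dst in entries:
            print(f"{side}: {src} -> {dst}")
```

In the constructed sample, the third remote subnet was added on the ASA side only, so the check reports it as missing on the remote end.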
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36944581
@dslam24: As I said, it depends on the version of the pix.........
0
 
LVL 4

Author Comment

by:denver218
ID: 36944854
I am using Pix version 6.3(5)
0
 
LVL 2

Expert Comment

by:dslam24
ID: 36944865
@erniebeek: Yep, give yourself a pat on the back.  My guess is that they are not running 7-year-old code.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36944886
@dslam24: Look up.

Pat, pat, pat, pat.
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 2000 total points
ID: 36944960
@denver218: Sorry about that, some people..........

So I assume you meant them (the PIX on the other side).
In this case I am afraid you need to create all 7 tunnels :-~ Unless you can convince them to upgrade their software or, even better, get an ASA as well ;)
0
 
LVL 4

Author Comment

by:denver218
ID: 36945619
Yes, when I say them, I mean the PIX on the other side.  So unless I upgrade the PIX software I will have to create all 7 tunnels on the ASA?  What version would the PIX need to be upgraded to?  It's no big deal, but I would rather configure one VPN rather than 7 :)
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36948215
Got that :)

Well, at least 7.x to get the functionality you want (of course take the most recent version), or even better: go to 8.x. Keep in mind though that from 8.3 a lot of things changed, especially in NAT.
And do check first if the hardware of the PIX supports the newer versions: http://www.cisco.com/en/US/docs/security/asa/asa70/pix_upgrade/upgrade/guide/pixupgrd.html
0
 
LVL 4

Author Comment

by:denver218
ID: 36948263
Thanks.  Version 7 is not supported on the PIX 506E.  I am going to try and see if they are willing to purchase an ASA; hopefully they will.  So if they got an ASA, I would only have to create 1 VPN, and I would have access to all 7 remote networks, right?  I would just have to specify the interesting traffic for all networks, correct?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36948285
0
 
LVL 4

Author Closing Comment

by:denver218
ID: 36961531
Thanks.  I will be upgrading them to an ASA5510.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36961595
Good luck! And if any issues arise, you know where to find us ;)
Thx for the points.
0


Question has a verified solution.
