Site to Site VPN between two Cisco Pix 506E and ASA5510

denver218
I have a new customer who has a pix 506E.  They have 6 site-to-site VPN's configured on this pix.   I have a Cisco ASA5510.  I am creating a site-to-site VPN from my ASA to their Pix tomorrow.  I also need VPN access to the other 6 locations that the PIX has site to site VPN's to as well.   Will I need to create 6 more site-to-site VPN's on my ASA to have access to those from my network?  Would I be able to somehow get to those other six networks just from the single VPN I will be creating tomorrow?  Thanks.
Ernie Beek, Expert
Top Expert 2012

Commented:
Depends on what OS version is running on the PIX. If >6 then it should support hairpinning.

Commented:
You do not have to create new tunnels from your ASA.  You will have to put the remote subnets in your ACLs for NoNAT and interesting traffic; the interesting traffic ACL has to match at both ends of your tunnel.
You will probably need to add this command as well to the PIX: "same-security-traffic permit intra-interface".  This will allow your VPN traffic to go in and out of the same interface, in this case the outside interface, as it goes from your tunnel to the other.
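The two requirements above (mirrored interesting-traffic ACLs at both ends, and intra-interface hairpinning on the hub) are easy to get wrong across seven remote subnets. The following is an added example, not code from this thread: a small Python checker that parses PIX 6.3 and ASA 7.x+ style crypto ACL lines, reports which entries the far end still lacks as a mirror, and checks whether the hub config enables hairpinning. All ACL names and addresses in the sample configs are constructed.

```python
import ipaddress
import re

# Accepts both PIX 6.3 ("access-list NAME permit ip ...") and ASA 7.x+
# ("access-list NAME extended permit ip ...") crypto ACL lines.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+"
                    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_crypto_acls(config: str) -> dict[str, set[tuple[str, str]]]:
    """Return {acl_name: {(src_cidr, dst_cidr), ...}} for every permit-ip entry."""
    acls: dict[str, set[tuple[str, str]]] = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            pair = (str(ipaddress.ip_network(f"{src}/{smask}", strict=False)),
                    str(ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
            acls.setdefault(name, set()).add(pair)
    return acls


def missing_mirrors(local: set, remote: set) -> list[tuple[str, str]]:
    """Local (src, dst) entries that the far end does not carry as (dst, src)."""
    return sorted(p for p in local if (p[1], p[0]) not in remote)


def hairpin_enabled(config: str) -> bool:
    """Hub must allow traffic in and out of the same (outside) interface."""
    return any(l.strip() == "same-security-traffic permit intra-interface"
               for l in config.splitlines())


# Constructed sample: the new ASA's crypto ACL for its tunnel to the hub,
# listing the hub LAN plus two spoke networks (all addresses made up).
ASA_CFG = """
access-list TO_HUB extended permit ip 10.50.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list TO_HUB extended permit ip 10.50.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list TO_HUB extended permit ip 10.50.0.0 255.255.255.0 192.168.3.0 255.255.255.0
"""
# Constructed hub side: the 192.168.3.0 spoke was forgotten and hairpinning is off.
HUB_CFG = """
access-list TO_DENVER permit ip 192.168.1.0 255.255.255.0 10.50.0.0 255.255.255.0
access-list TO_DENVER permit ip 192.168.2.0 255.255.255.0 10.50.0.0 255.255.255.0
"""


def check_tunnel(local_cfg, local_acl, remote_cfg, remote_acl) -> dict:
    """Report what the far end must add before every subnet can use the tunnel."""
    local = parse_crypto_acls(local_cfg).get(local_acl, set())
    remote = parse_crypto_acls(remote_cfg).get(remote_acl, set())
    return {"missing_on_remote": missing_mirrors(local, remote),
            "remote_hairpin": hairpin_enabled(remote_cfg)}
```

Run `check_tunnel(ASA_CFG, "TO_HUB", HUB_CFG, "TO_DENVER")` to see the unmirrored 192.168.3.0/24 entry and the missing hairpin setting on the hub.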
Ernie Beek, Expert
Top Expert 2012

Commented:
@dslam24: As I said, it depends on the version of the pix.........

Author

Commented:
I am using Pix version 6.3(5)

Commented:
@erniebeek: Yep, give yourself a pat on the back.  My guess is that they are not running 7-year-old code.
Ernie Beek, Expert
Top Expert 2012

Commented:
@dslam24: Look up.

Pat, pat, pat, pat.
Expert
Top Expert 2012
Commented:
@denver218: Sorry about that, some people..........

So I assume you meant them (the PIX on the other side).
In this case I am afraid you need to create all 7 tunnels :-~ Unless you can convince them to upgrade their software or, even better, get an ASA as well ;)

Author

Commented:
Yes, when I say them, I mean the Pix on the other side.  So unless I upgrade the Pix software I will have to create all 7 tunnels on the ASA?  What version would the Pix need to be upgraded to?  It's no big deal, but I would rather configure one VPN than 7 :)
Ernie Beek, Expert
Top Expert 2012

Commented:
Got that :)

Well, at least 7.x to get the functionality you want (of course take the most recent version), or even better: go to 8.x. Keep in mind though that from 8.3 a lot of things changed, especially in NAT.
And do check first if the hardware of the PIX supports the newer versions: http://www.cisco.com/en/US/docs/security/asa/asa70/pix_upgrade/upgrade/guide/pixupgrd.html

Author

Commented:
Thanks.  Version 7 is not supported on the Pix 506E.  I am going to try and see if they are willing to purchase an ASA; hopefully they will.  So if they got an ASA, I would only have to create 1 VPN, and I would have access to all 7 remote networks, right?  I would just have to specify the interesting traffic for all networks, correct?
Ernie Beek, Expert
Top Expert 2012

Commented:

Author

Commented:
Thanks.  I will be upgrading them to an ASA5510.
Ernie Beek, Expert
Top Expert 2012

Commented:
Good luck! And if any issues arise, you know where to find us ;)
Thx for the points.
