«

Hi All!

I've got 4 site-to-site VPN tunnels to PIX 515E in my central office
(A). From this office I can ping branch offices B, C and D. From
offices B, C and D I can also ping my central office A. However, my
problem is that I can't ping office C from office B or office D from
office C so on.

He is the question: is there a way to configure vpn routing for
packets to travel from office B to office C via central office A? I
know I can configure a vpn link between B and C but it's not an ideal
scenario for me.

On 26 Feb, 13:13, "inventica" <vfedose...@f2s.com> wrote:
> Hi All!
>
> I've got 4 site-to-site VPN tunnels to PIX 515E in my central office
> (A). From this office I can ping branch offices B, C and D. From
> offices B, C and D I can also ping my central office A. However, my
> problem is that I can't ping office C from office B or office D from
> office C so on.
>
> He is the question: is there a way to configure vpn routing for
> packets to travel from office B to office C via central office A? I
> know I can configure a vpn link between B and C but it's not an ideal
> scenario for me.

I do not think this is possible without a B to C VPN. The problem is
in the fundamentals of VPNs. Your VPN is setup so that traffic from
Site B (say 2.2.2.0/24) goes through the IPSec tunnel to Site A (say
1.1.1.0). Let's say you have the same thing setup between Site C (say
3.3.3.0/24) and Site A. For starters, anything from 2.2.2.0 does not
know to take the 'A' Tunnel unless it is configured as a default
route. Second, when it arrives, it is automatically pushed onto the
local subnet of 'A', which even if there was another router there,
would not send traffic back into the same interface to route to 'B'.

You have to remember that VPNs are setup as tunnels from LAN to LAN,
and therefore traffic doesn't 'come out' of the tunnel until you are
on the local subnet. In short, I'm fairly certain you need to setup a
VPN directly from B to C. It might work if the VPNs were on different
routers at the HQ, but I'd need to think about that some more......

In article < .com>,
inventica <> wrote:
>I've got 4 site-to-site VPN tunnels to PIX 515E in my central office
>(A). From this office I can ping branch offices B, C and D. From
>offices B, C and D I can also ping my central office A. However, my
>problem is that I can't ping office C from office B or office D from
>office C so on.

>He is the question: is there a way to configure vpn routing for
>packets to travel from office B to office C via central office A? I
>know I can configure a vpn link between B and C but it's not an ideal
>scenario for me.

You need PIX 7.x for this;

http://www.cisco.com/en/US/products/...805734ae.shtml

On 26 Feb, 14:50, rober...@hushmail.com (Walter Roberson) wrote:
> In article <1172513635.767863.250...@p10g2000cwp.googlegroups .com>,
>
> inventica <vfedose...@f2s.com> wrote:
> >I've got 4 site-to-site VPN tunnels to PIX 515E in my central office
> >(A). From this office I can ping branch offices B, C and D. From
> >offices B, C and D I can also ping my central office A. However, my
> >problem is that I can't ping office C from office B or office D from
> >office C so on.
> >He is the question: is there a way to configure vpn routing for
> >packets to travel from office B to office C via central office A? I
> >know I can configure a vpn link between B and C but it's not an ideal
> >scenario for me.
>
> You need PIX 7.x for this;
>
> http://www.cisco.com/en/US/products/...roducts_config...

Very cool Walther. I'm more on the network side as opposed to vpn/
security, so I appreciate the link as well.

"Note: In PIX version 7.2 and later, the intra-interface keyword
allows all traffic to enter and exit the same interface, and not just
IPsec traffic."

Do previous versions allow IPsec traffic to do this, as it kind of
suggests that 'other traffic' is the addition in this version?

On 26 Feb, 14:50, rober...@hushmail.com (Walter Roberson) wrote:
> In article <1172513635.767863.250...@p10g2000cwp.googlegroups .com>,
>
> inventica <vfedose...@f2s.com> wrote:
> >I've got 4 site-to-site VPN tunnels to PIX 515E in my central office
> >(A). From this office I can ping branch offices B, C and D. From
> >offices B, C and D I can also ping my central office A. However, my
> >problem is that I can't ping office C from office B or office D from
> >office C so on.
> >He is the question: is there a way to configure vpn routing for
> >packets to travel from office B to office C via central office A? I
> >know I can configure a vpn link between B and C but it's not an ideal
> >scenario for me.
>
> You need PIX 7.x for this;
>
> http://www.cisco.com/en/US/products/...roducts_config...

Very cool Walter. I'm more on the network side as opposed to vpn/
security, so I appreciate the link as well.

"Note: In PIX version 7.2 and later, the intra-interface keyword
allows all traffic to enter and exit the same interface, and not just
IPsec traffic."

Do previous versions allow IPsec traffic to do this, as it kind of
suggests that 'other traffic' is the addition in this version?

In article <. com>,
Trendkill <> wrote:

>"Note: In PIX version 7.2 and later, the intra-interface keyword
>allows all traffic to enter and exit the same interface, and not just
>IPsec traffic."

>Do previous versions allow IPsec traffic to do this, as it kind of
>suggests that 'other traffic' is the addition in this version?

7.0 introduced the intra-interface facility. 6.x and below do NOT
allow traffic to go back out the same [logical] interface, even if
ipsec is involved.

Trendkill wrote:

>"Note: In PIX version 7.2 and later, the intra-interface keyword
>allows all traffic to enter and exit the same interface, and not just
>IPsec traffic."

Could this also solve my routing problem? Would PIX 7 be able to accept a
packet on the inside interface and build a VPN tunnel from the same interface?

Regards

fw

In article <>,
Frank Winkler <frank-> wrote:
>Trendkill wrote:

> >"Note: In PIX version 7.2 and later, the intra-interface keyword
> >allows all traffic to enter and exit the same interface, and not just
> >IPsec traffic."

>Could this also solve my routing problem? Would PIX 7 be able to accept a
>packet on the inside interface and build a VPN tunnel from the same interface?

That's an unusual requirement -- usually people want to be
able to accept a packet on an -outside- interface and have it go
through a VPN tunnel out that same interface (to a client host
or network.) But what can be done on one interface can -usually- be
done on another (not *always* though.)

PIX 7 is not supported on your PIX 501. It is supported on your PIX 515
but officially requires a memory upgrade beyond the memory that the
515 series shipped with. Some people have reported success in using
PIX 7.0 on a PIX 515 with relatively small configurations (e.g.,
don't use turbo ACLs.)

Walter Roberson wrote:

>> Could this also solve my routing problem? Would PIX 7 be able to accept a
>> packet on the inside interface and build a VPN tunnel from the same
interface?
>
>That's an unusual requirement -- usually people want to be
>able to accept a packet on an -outside- interface and have it go
>through a VPN tunnel out that same interface (to a client host

Yep - but in my setup, the PIX doesn't have the WAN link so I have to find
some workaround. All attempts failed so far.

>or network.) But what can be done on one interface can -usually- be
>done on another (not *always* though.)

I agree.

> PIX 7 is not supported on your PIX 501. It is supported on your PIX 515

I know. I was just wondering if it's worth getting an ASA 5505 for that
job. Is it?

Regards

fw