Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
240
Views
0
Helpful
1
Replies

Can 2 LAN 2 LAN Remotes Sites Communicate Hub and Spoke Through a PIX

bbeal
Level 1
Level 1

‎01-03-2005 02:26 PM - edited ‎02-20-2020 11:50 PM

We are moving a customer from PPTP to LAN 2 LAN VPN with all PIX’s. This was a recommendation based on a security audit. So, the problem is that most of the remote sites have dynamic addresses (DSL with DHCP). I can’t build a full mesh of LAN 2 LAN VPN tunnels. They have some remote sites(L2L) that want to have access to other LAN to LAN sites. Do you know if that is possible? I cannot find an example of a PIX config that addresses this problem. I know how to do this with all fixed address (full mesh) and I believe you can do this with a router (not a PIX). Any help would be appreciated.

0 Helpful
1 Reply 1

gfullage
Cisco Employee
Cisco Employee

‎01-03-2005 02:47 PM

The PIX won't route traffic back out the same interface it came in on, this includes IPSec traffic coming in from one tunnel and being routed back out another. This will work with a router as your hub, but not a PIX.

Note that in the upcoming v7 release (currently in beta), this restriction will be lifted and you'll be able to use the PIX as a VPN hub.

For spokes with dynamic addresses just define a dynamic crypto map as usual. The spoke's crypto ACL should include all traffic to the hub and to other spokes, this way the hub PIX will create the inverse of this for it's own crypto ACL and the traffic from spoke to spoke should be sent correctly (only in v7 though).

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card