01-16-2005 12:39 PM - edited 02-20-2020 11:52 PM
We have a main site with a PIX 506 and a fixed IP; 3 branch offices are connected over the Internet to that PIX with IPsec, using an 837 router in each branch office.
Each branch office is on a different subnet and is working like a charm; everybody can reach the servers on the main site.
Now we want to connect hosts between subnets; as the IPsec is terminated on the same PIX interface, it is impossible.
Is there a way to add a router (an 831, for example) to connect the different subnets and to correct the behaviour of the PIX?
The main site is 192.68.0.0/254
each branch office is 10.10.11.0
10.10.12.0
10.10.12.0
Waiting for any idea (we don't want a VPN concentrator, we prefer to buy a generic router).
regards
Loïc
01-17-2005 03:44 PM
The easiest way would be to just replace the hub PIX with an 837, as it will re-route traffic between the spoke sites. You can purchase the IOS FW feature set for the 837 and turn it into a firewall as well, for the security of your main site.
The crypto ACL on each spoke site would then just be:
access-list 100 permit ip 10.10.11.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.10.11.0 0.0.0.255 192.168.0.0 0.0.255.255
and on the main hub 837 you'd have something like the following:
crypto map mymap 10 ipsec-isakmp
set peer spokeA
match address 100
...
crypto map mymap 20 ipsec-isakmp
set peer spokeB
match address 101
...
crypto map mymap 30 ipsec-isakmp
set peer spokeC
match address 102
...
access-list 100 permit ip 10.0.0.0 0.255.255.255 10.10.11.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.255.255 10.10.11.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 10.10.12.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.255.255 10.10.12.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.255.255.255 10.10.13.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.255.255 10.10.13.0 0.0.0.255
In other words, set up each spoke to encrypt traffic from its local network to the entire 10.0.0.0/8 net and to the 192.168.0.0 net. This way each spoke will route traffic for any other spoke (provided it is a 10.0.0.0 subnet) to the hub, and the hub will re-route it back out based on its other ACLs.
Also, if these 3 hub sites are generating a large amount of traffic, then you might want to look at something beefier than an 837 for the hub; but then again, if a 506 is currently handling the load OK, an 837 should have no problem. Keep in mind that it is going to be decrypting/encrypting spoke-to-spoke traffic twice, so it will have more load than the 506 currently has.
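As an added illustration of the hub-side behaviour described in the reply above (this is not code from the thread or from Cisco), the script below models how IOS picks the crypto map entry for an outbound packet: it walks the `crypto map` entries in sequence order and takes the first whose `match address` ACL permits the packet. The networks are the thread's; `spokeA`/`spokeB`/`spokeC` are the reply's placeholder peer names, and `HUB_ACLS_TYPO` is a constructed variant in which the 192.168 entries for spokes B and C are numbered 100 instead of 101/102. It shows two things a practitioner wants to check before deploying: a mis-numbered ACL makes hub-to-spoke-B traffic match sequence 10 and go to the wrong peer, and a spoke-A-to-spoke-C packet really does take two legs through the hub (decrypted under spoke A's SA, re-encrypted under spoke C's). The ingress check is a simplification: real IOS checks the decrypted packet against the SA's negotiated proxy identities, which here are derived from the same ACL.

```python
"""Hub crypto-map selection, modelled for the hub-and-spoke IPsec design above.

Added example (not from the thread). Parses the two IOS line forms the reply
uses: 'access-list N permit ip SRC WC DST WC' and 'crypto map NAME SEQ ipsec-isakmp'
stanzas with 'set peer' / 'match address'.
"""
import ipaddress
import re
from collections import namedtuple

Ace = namedtuple("Ace", "acl src dst")
MapEntry = namedtuple("MapEntry", "seq peer acl")

ACE_RE = re.compile(r"access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
MAP_RE = re.compile(r"crypto map\s+\S+\s+(\d+)\s+ipsec-isakmp")


def network_from_wildcard(addr, wildcard):
    """IOS wildcard mask -> IPv4Network (a 0.0.0.0 wildcard is a single host)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    netmask = str(ipaddress.IPv4Address(~wc & 0xFFFFFFFF))
    return ipaddress.IPv4Network((addr, netmask), strict=False)


def parse_acls(text):
    """Parse numbered 'permit ip' ACEs; anything else is rejected rather than guessed at."""
    aces = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError("unsupported ACE: " + line)
        num, s, sw, d, dw = m.groups()
        aces.append(Ace(int(num), network_from_wildcard(s, sw), network_from_wildcard(d, dw)))
    return aces


def parse_crypto_map(text):
    """Collect (seq, peer, acl) per crypto map stanza, ordered by sequence number."""
    entries, cur = [], None
    for line in text.strip().splitlines():
        line = line.strip()
        m = MAP_RE.match(line)
        if m:
            cur = {"seq": int(m.group(1)), "peer": None, "acl": None}
            entries.append(cur)
        elif cur and line.startswith("set peer "):
            cur["peer"] = line.split()[2]
        elif cur and line.startswith("match address "):
            cur["acl"] = int(line.split()[2])
    return sorted(MapEntry(**e) for e in entries)


def permits(aces, acl, src, dst):
    return any(a.acl == acl and src in a.src and dst in a.dst for a in aces)


def egress_peer(cmap, aces, src, dst):
    """Peer the hub encrypts src->dst to: first entry by seq whose ACL permits it; None = clear text."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in cmap:
        if permits(aces, e.acl, src, dst):
            return e.peer
    return None


def ingress_accepted(cmap, aces, peer, src, dst):
    """A packet decrypted from `peer` is accepted if the mirror (dst->src) of that peer's ACL permits it."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(e.peer == peer and permits(aces, e.acl, dst, src) for e in cmap)


def spoke_to_spoke_path(cmap, aces, from_peer, src, dst):
    """Two legs through the hub: (accepted on ingress from from_peer, peer chosen on egress)."""
    return ingress_accepted(cmap, aces, from_peer, src, dst), egress_peer(cmap, aces, src, dst)


HUB_MAP = """
crypto map mymap 10 ipsec-isakmp
 set peer spokeA
 match address 100
crypto map mymap 20 ipsec-isakmp
 set peer spokeB
 match address 101
crypto map mymap 30 ipsec-isakmp
 set peer spokeC
 match address 102
"""

# Hub ACLs as intended in the reply, one pair of entries per spoke.
HUB_ACLS_OK = """
access-list 100 permit ip 10.0.0.0 0.255.255.255 10.10.11.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.255.255 10.10.11.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 10.10.12.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.255.255 10.10.12.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.255.255.255 10.10.13.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.255.255 10.10.13.0 0.0.0.255
"""

# Constructed variant: the 192.168 entries for spokes B and C mistyped as ACL 100.
HUB_ACLS_TYPO = (HUB_ACLS_OK
                 .replace("access-list 101 permit ip 192.168", "access-list 100 permit ip 192.168")
                 .replace("access-list 102 permit ip 192.168", "access-list 100 permit ip 192.168"))

if __name__ == "__main__":
    cmap = parse_crypto_map(HUB_MAP)
    ok, typo = parse_acls(HUB_ACLS_OK), parse_acls(HUB_ACLS_TYPO)
    # Hub LAN -> spoke B LAN: seq 20 (spokeB) when the ACLs are right, seq 10 (spokeA) with the typo.
    print(egress_peer(cmap, ok, "192.168.0.10", "10.10.12.5"))    # spokeB
    print(egress_peer(cmap, typo, "192.168.0.10", "10.10.12.5"))  # spokeA
    # Spoke A host -> spoke C host: in under spokeA's ACL 100 (10/8 entry), out via seq 30 to spokeC.
    print(spoke_to_spoke_path(cmap, ok, "spokeA", "10.10.11.5", "10.10.13.5"))  # (True, 'spokeC')
```

Note that with the mistyped ACLs the packet is not dropped on the hub; it is encrypted to spokeA, whose own crypto ACL (10.10.11.0/24 as source) will never match the reply, so the failure shows up only as a silent one-way loss at the far end. That is why it is worth checking every hub entry against its intended peer before the spokes are brought up.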
01-17-2005 11:45 PM
Thanks,
I have just ordered a 1712 for that purpose from our volume reseller. As it is equipped with VPN hardware, I think it will be enough and may be more appropriate than an 837. For a little while I had looked at a 2611, but our branch offices have 2/3 people per site, so I compromised with the model 1712.
I had anticipated your response a bit by crawling through Google; I found some indications about hub-and-spoke configs, and so I already know that I have to give up my 506.
Thanks for your config; I was a bit in trouble. I will test when I receive my 1712 and will give you the results.
best regards
Loïc
02-17-2005 11:46 AM
The spokes are not communicating with each other.
I suppose that I have missed something.
Here is the hub 1710 config:
sh conf
Using 2844 out of 29688 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router1700
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
!
!
!
!
no ip domain lookup
ip domain name yourdomain.com
ip cef
ip ids po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key xxxx address 0.x.x.x.x.0.0
crypto isakmp keepalive 10 5
!
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto dynamic-map rtpmap 10
set transform-set rtpset
match address 115
crypto dynamic-map rtpmap 20
set transform-set rtpset
match address 116
!
!
crypto map rtptrans 10 ipsec-isakmp dynamic rtpmap
!
!
!
interface Vif1
no ip address
!
interface BRI0
no ip address
shutdown
no cdp enable
!
interface FastEthernet0
ip address 100.100.100.205 255.255.255.248
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
no cdp enable
crypto map rtptrans
!
interface FastEthernet1
no ip address
no cdp enable
!
interface FastEthernet2
no ip address
no cdp enable
!
interface FastEthernet3
no ip address
no cdp enable
!
interface FastEthernet4
no ip address
no cdp enable
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.0.11 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 x.x.x.x.100.100.201
ip route 10.10.11.0 255.255.255.0 10.10.11.1
ip route 10.10.12.0 255.255.255.0 10.10.12.1
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map nonat interface FastEthernet0 overload
!
!
!
access-list 115 permit ip 192.168.0.0 0.0.0.255 10.10.11.0 0.0.0.255
access-list 115 permit ip 10.0.0.0 0.255.255.255 10.10.11.0 0.0.0.255
access-list 116 permit ip 192.168.0.0 0.0.0.255 10.10.12.0 0.0.0.255
access-list 116 permit ip 10.0.0.0 0.255.255.255 10.10.12.0 0.0.0.255
access-list 120 deny ip 192.168.0.0 0.0.0.255 10.10.12.0 0.0.0.255
access-list 120 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
no cdp run
!
route-map nonat permit 10
match ip address 120
!
!
control-plane
!
banner login ^Config du 18/01/2005
^C
!
line con 0
login local
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
end
router1700#