02-25-2005 04:58 PM - edited 02-20-2020 11:58 PM
Hi
Layout1:
companyA-VPN PEER-- Internet -- PIX1--Router1-Network1
All users from network1 are able to connect to companya through the VPN tunnel; however, I have several other offices inside that I need to go through the tunnel.
Layout2:
^Internet^
...Router1-MPLSVPN-router2-pix2^ ^--network2
How do I get users from network2 to bring up the tunnel in network1, pix1, companya?
I've tried routing on router1 and router2 with static routes, but they only get to the firewall...
ACL on the firewall and NAT are set up.
Any help will be appreciated.
I thank you in advance...
A
02-25-2005 07:50 PM
Is the PIX1 or the Router1 device acting as the other vpn gateway for your network?
In Layout 2, is the Router1 device the same device that is in Layout1, or are they different?
If they are different and the pix is your org's vpn gateway, then the main issue lies with the fact that the pix will not allow traffic received on an interface to be sent back out that same interface without sending it inside.
If they are the same, then the existing crypto map or nat entries may need to be adjusted to allow network2 to connect to the remote net over the IPSec tunnel.
Let me know what you find.
02-26-2005 10:01 AM
Thank you for the quick response...
Pix1 is the peer to companyA, it's the VPN gateway.
Router1 connects through MPLS to Router2, Pix2 network2.
Router2 also has a bunch of T-1's for remote sites.
Layout1 and layout 2 are the same... just added more components for the internal networks.
The NAT entries: access list has all the needed networks
Crypto map?