11-26-2007 01:55 PM - edited 03-11-2019 04:35 AM
Okay guys, here's the situation:
I have three sites (sites A, B, and C). There is a site-to-site IPsec tunnel between PIXs from an internal LAN on site A (172.30.10.0 /24) to an internal LAN on site B (192.168.20.0 /24), and another tunnel from site B to site C (172.30.20.0). How can I route traffic from site A to C across the existing tunnels without creating another tunnel between sites A and C? Many thanks in advance.
-Ryan
11-26-2007 02:02 PM
Hi Ryan,
What you want to do is called hairpinning or u-turn VPN.
Here's a technical tip on cisco.com that goes over the configuration details:
PIX/ASA 7.x Enhanced Spoke-to-Spoke VPN Configuration Example
The key command is "same-security-traffic permit intra-interface" on the PIX on site B.
Hope this helps.
Eloy.-
11-26-2007 03:35 PM
I don't think hairpinning will solve the problem. Perhaps some simple static routes to get from A->C, and C->A. Also, update your crypto ACLs at each point to allow the traffic to get from A->C, and C->A, as well as normal ACLs.
11-26-2007 05:37 PM
Agreed with srue.
11-27-2007 02:53 PM
Actually the setup requires hairpinning/u-turn VPN. I didn't make this up.
You are right in that routing needs to be taken care of, i.e. the PIX in site A needs to know that to get to site C it needs to send traffic out the outside interface, and the crypto ACLs need to be taken care of as you describe.
What I meant by "the same-security-traffic permit intra-interface command is key" is that this command is necessary so the PIX in site B can send traffic out on the same interface it was originally received (traffic from site A arrives on the outside interface and needs to be sent out the same interface so it can reach site C). Without this command in the PIX on site B u-turn VPN won't work, even if routing and the crypto ACLs are taken care of.
I didn't go into details when I first replied to Ryan because I thought that all the details, including routing, crypto ACLs, and the same-security-traffic command, are well presented in the tech tip I mentioned in that original reply yesterday.
Ryan got it to work so everything is good, though :-)
Cheers,
Eloy.-
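The three pieces Eloy lists (the hub's intra-interface permit, crypto ACLs that cover the spoke-to-spoke pair on every peer, and a route on the spokes that points the far LAN at the outside interface) look like this in PIX/ASA 7.x syntax. This is an added example written for this thread, not Ryan's configuration or the text of the Cisco tech tip. Public peer addresses (198.51.100.1, 203.0.113.1, 203.0.113.254), the /24 mask on site C's 172.30.20.0, the pre-shared key, object names and the 3DES/SHA transform set are assumptions; only the three LAN prefixes come from the thread.

```cisco
! ===== Site B (hub) PIX/ASA 7.x =====
! Let decrypted traffic that arrived on "outside" be sent back out "outside".
! Without this, the hub drops the A->C packets even if everything else is right.
same-security-traffic permit intra-interface

! Crypto ACL for the tunnel to site A: include C's LAN, not just B's own LAN.
access-list CRYPTO_TO_A extended permit ip 192.168.20.0 255.255.255.0 172.30.10.0 255.255.255.0
access-list CRYPTO_TO_A extended permit ip 172.30.20.0 255.255.255.0 172.30.10.0 255.255.255.0

! Crypto ACL for the tunnel to site C: include A's LAN as well.
access-list CRYPTO_TO_C extended permit ip 192.168.20.0 255.255.255.0 172.30.20.0 255.255.255.0
access-list CRYPTO_TO_C extended permit ip 172.30.10.0 255.255.255.0 172.30.20.0 255.255.255.0

! NAT exemption for the hub's own LAN. Hairpinned A<->C traffic never crosses the
! inside interface, so it needs no inside NAT exemption; if you have nat (outside)
! rules, exempt the A<->C pair there too.
access-list NONAT extended permit ip 192.168.20.0 255.255.255.0 172.30.10.0 255.255.255.0
access-list NONAT extended permit ip 192.168.20.0 255.255.255.0 172.30.20.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Phase 1 / Phase 2 (assumed parameters)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key ExamplePskSiteA
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key ExamplePskSiteC
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address CRYPTO_TO_A
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP 20 match address CRYPTO_TO_C
crypto map OUTSIDE_MAP 20 set peer 203.0.113.1
crypto map OUTSIDE_MAP 20 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP interface outside
! Bypass the outside interface ACL for decrypted VPN traffic (7.x keyword)
sysopt connection permit-vpn

! ===== Site A (spoke) PIX/ASA 7.x =====
! One tunnel to B only; its crypto ACL must be the mirror image of CRYPTO_TO_A on B,
! i.e. it lists both B's LAN and C's LAN as destinations.
access-list CRYPTO_TO_B extended permit ip 172.30.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list CRYPTO_TO_B extended permit ip 172.30.10.0 255.255.255.0 172.30.20.0 255.255.255.0
access-list NONAT extended permit ip 172.30.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list NONAT extended permit ip 172.30.10.0 255.255.255.0 172.30.20.0 255.255.255.0
nat (inside) 0 access-list NONAT
tunnel-group 203.0.113.254 type ipsec-l2l
tunnel-group 203.0.113.254 ipsec-attributes
 pre-shared-key ExamplePskSiteA
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address CRYPTO_TO_B
crypto map OUTSIDE_MAP 10 set peer 203.0.113.254
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP interface outside
sysopt connection permit-vpn
! Routing: 172.30.20.0/24 must leave via "outside" so the crypto map sees it.
! A default route to the ISP already does that; a static route is only needed
! if some more specific route would otherwise pull the traffic elsewhere.
route outside 0.0.0.0 0.0.0.0 198.51.100.254 1
route outside 172.30.20.0 255.255.255.0 198.51.100.254 1

! Site C mirrors site A with the roles of 172.30.10.0/24 and 172.30.20.0/24 swapped.
```

Two checks worth doing after applying this. First, every crypto ACL line must have an exact mirror on the far peer (source and destination swapped), otherwise Phase 2 negotiation for the A<->C proxy pair fails while the B<->A and B<->C pairs keep working, which looks like a routing problem but is not; `show crypto ipsec sa` on the hub should show a separate SA per local/remote proxy pair, including 172.30.10.0/24 <-> 172.30.20.0/24. Second, note what `same-security-traffic permit intra-interface` plus `sysopt connection permit-vpn` mean for policy: decrypted A<->C traffic is forwarded by the hub without ever hitting the outside interface ACL, so the crypto ACLs (or a `vpn-filter` in the spokes' group policies) are the only thing limiting which hosts at A can reach which hosts at C. Keep them as narrow as the requirement allows rather than opening the whole /24s if only a few hosts need to talk.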
11-27-2007 02:36 PM
Eloy,
The hairpinning worked like a charm! Many, many thanks for your help.
-Ryan
11-27-2007 02:46 PM
Awesome! Glad it worked Ryan. Very cool.
Cheers,
Eloy.-