Routing between VPNs on Concentrator platform

hancorp
Level 1

We have a 3030 Series concentrator with a site-to-site VPN to a PIX firewall and another site-to-site VPN to a Checkpoint firewall.

Is it possible to get one site to talk to the other via the concentrator?

If so, how do I go about getting this to work?

Will the concentrator just route between the two remote sites if I had the correct routes at each end?


gfullage
Cisco Employee

It will route between them, but you'll also need to add the appropriate local/remote networks into the individual L2L tunnel configuration section for each tunnel. Without this the concentrator won't know that you want traffic destined for these subnets to go over the specific L2L tunnel.

For example, let's say the network behind the VPN concentrator is 1.0.0.0, the network behind the PIX is 2.0.0.0 and the network behind the CP is 3.0.0.0.

In the L2L config section on the concentrator for the PIX tunnel you would have defined a Local NW of 1.0.0.0 and a Remote NW of 2.0.0.0. You need to add another Local NW in here of 3.0.0.0 so that traffic sourced from 3.0.0.0 (behind the CP) will be routed over to the PIX.

Similarly in the L2L config section on the concentrator for the CP tunnel you would have defined a Local NW of 1.0.0.0 and a Remote NW of 3.0.0.0. You need to add another Local NW in here of 2.0.0.0.

To add more than one NW you need to create a Network List under Config - Policy Mgmt - Traffic Mgmt - NW List, then use those lists in the specific L2L config section for each tunnel.

You also need to modify the access-list on the PIX to include traffic FROM 2.0.0.0 TO 3.0.0.0 as IPsec traffic, and do a similar thing on the CP.
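The following is an added example, not part of the reply above and not the concentrator's own code: a simplified Python model of the L2L local/remote network-list match, using the three example networks from the reply (with /8 masks assumed, since the post gives none). It shows why a hairpinned flow from 3.0.0.0 to 2.0.0.0 matches no tunnel until the other peer's network is added to each tunnel's Local NW list.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: the tunnels as the reply says they were originally
# defined. Each L2L tunnel carries a list of local and remote networks, as in
# the concentrator's L2L config section (network lists).
TUNNELS_BEFORE = {
    "pix": {"local": ["1.0.0.0/8"], "remote": ["2.0.0.0/8"]},
    "cp":  {"local": ["1.0.0.0/8"], "remote": ["3.0.0.0/8"]},
}

# After the fix described in the reply: each tunnel's Local NW list also
# carries the network behind the *other* peer.
TUNNELS_AFTER = {
    "pix": {"local": ["1.0.0.0/8", "3.0.0.0/8"], "remote": ["2.0.0.0/8"]},
    "cp":  {"local": ["1.0.0.0/8", "2.0.0.0/8"], "remote": ["3.0.0.0/8"]},
}


def _in_any(addr, nets):
    """True if addr falls inside any network in nets."""
    a = ip_address(addr)
    return any(a in ip_network(n) for n in nets)


def select_tunnel(tunnels, src, dst):
    """Return the name of the tunnel whose local/remote networks match the
    flow (src in Local NW, dst in Remote NW), or None if no tunnel claims it.
    This is a simplified model of the L2L network-list match, not Cisco code."""
    for name, t in tunnels.items():
        if _in_any(src, t["local"]) and _in_any(dst, t["remote"]):
            return name
    return None


def hairpin_path(tunnels, src, dst):
    """Model a packet arriving from one L2L peer and leaving towards the other:
    it enters via the tunnel whose Remote NW contains src, then must be
    claimed by a tunnel for (src, dst). Returns (ingress, egress); egress is
    None when the concentrator has no tunnel to send the flow over."""
    ingress = next(
        (n for n, t in tunnels.items() if _in_any(src, t["remote"])), None
    )
    return ingress, select_tunnel(tunnels, src, dst)
```

With TUNNELS_BEFORE, a packet from 3.0.0.7 to 2.0.0.9 comes in over the CP tunnel but is claimed by no tunnel on the way out; with TUNNELS_AFTER it leaves over the PIX tunnel, which is exactly the extra Local NW entry the reply describes.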