Site A to Site C, possible?

radwayscisco
Level 1

Hi there,

I am sure the answer to this is very easy for most of you but I am finding it hard to find a 100% definite answer on this.

We basically have around 8 remote sites that connect to [Head Office] using IPSec rules and security policies. These tunnels work fine and the VPN sessions stay up without too many problems.

For this problem, picture a simple scenario like this:

[Site A] ---- > [Head Office] < ---- [Site B]

[Site A] and [Site B] connect to the [Head Office] via their own VPN tunnel, this works fine.

Question: Is it possible to make [Site A] see all of the devices on [Site B]? For example, we have a network printer on [Site B] that we would like a user in [Site A] to see and use.

I have created all of the IPSec Rules and added the security policies but it is not working. I have a fear that you cannot route traffic on the Incoming device of the PIX to out to another device that is connected to the same interface, is this true?

If so, would it be possible by using some sort of bridge between the two or something?

The [Head Office] PIX is a 515E.

Thanks in advance, it's much appreciated.

Regards

Accepted Solution

Wilson Samuel
Level 7

Hi,

PIX 515E with up to 6.3 OS has a restriction which states that "Any packet that has entered from one interface WILL NEVER come out from the very same interface", hence you have some options as below:

1. Add one more port to the PIX 515E and then terminate Site A and Site B to different interfaces and enable the routing (ONLY static Routes) in between.

2. Update the PIX OS 6.x to 7.x and enable the DMVPN and it would work (Static Route ONLY)

3. Update the PIX OS 6.x to 7.x and enable IPSec in GRE Tunnel and enable DMVPN and it would work smoothly.

Also, if you can shift the Tunnels to an IPSec Router, with IPSEC GRE Tunnels, it should work fine.

Regards,

Wilson Samuel


4 Replies

Sureshdank
Level 1

What you can do is use another system in your head office and enable routing on that. OK.

Packets will flow in the fashion below:

SiteB --- > HO-PIX --->>> Routing Enabled Machine --->> HO-PIX ---->> SiteA.

You need to write ACLs in such a way that they allow SiteA in your VPN. Then try to forward those packets with source IPs of SiteA by writing a route in the PIX to the routing-enabled machine.

Then from there try to forward the received packets to the PIX. In the PIX write ACLs for allowing SiteB to SiteA.

Hope you understand.

Regards,

Suresh Jain

In traditional PIX code there is a restriction that prevents the PIX from forwarding traffic out the same interface it was received on. And the traditional solution is the one that Suresh has pointed out to have some device inside the head end network receive the traffic and forward it back.

In release version 7 of PIX code Cisco has provided an enhancement that does allow the PIX to forward back out the same interface. So if you upgrade the code in your PIX to version 7 you should be able to accomplish site A to site B without needing the extra machine inside the PIX.

HTH

Rick

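
The PIX 7.x behaviour Rick describes is enabled with `same-security-traffic permit intra-interface` (hairpinning), and the hub's crypto ACLs must also list the spoke-to-spoke subnets. Below is an added hub-side configuration fragment, not from this thread or from Cisco's documentation; the subnets, peer addresses, ACL names, and the transform set `ESP-AES-SHA` are assumed for illustration.

```cisco
! Hub PIX 515E on 7.x (added example; all addresses and names are assumed)
! Head Office LAN 10.0.0.0/24, Site A LAN 192.168.10.0/24 (peer 203.0.113.10),
! Site B LAN 192.168.20.0/24 (peer 203.0.113.20)

! Let traffic that was received on 'outside' be sent back out 'outside'
same-security-traffic permit intra-interface

! Crypto ACL for the Site A tunnel: HO <-> Site A, plus Site B <-> Site A
access-list SITEA_CRYPTO extended permit ip 10.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list SITEA_CRYPTO extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0

! Crypto ACL for the Site B tunnel: HO <-> Site B, plus Site A <-> Site B
access-list SITEB_CRYPTO extended permit ip 10.0.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list SITEB_CRYPTO extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

! NAT exemption for the hairpinned flows, which enter and leave on 'outside';
! only needed if a NAT rule or nat-control would otherwise apply to them
access-list OUTSIDE_NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list OUTSIDE_NONAT extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (outside) 0 access-list OUTSIDE_NONAT

! Bind the ACLs to the two peers (transform set ESP-AES-SHA assumed to exist)
crypto map HQMAP 10 match address SITEA_CRYPTO
crypto map HQMAP 10 set peer 203.0.113.10
crypto map HQMAP 10 set transform-set ESP-AES-SHA
crypto map HQMAP 20 match address SITEB_CRYPTO
crypto map HQMAP 20 set peer 203.0.113.20
crypto map HQMAP 20 set transform-set ESP-AES-SHA
crypto map HQMAP interface outside
```

Each spoke's crypto ACL must mirror the hub's entry for it (Site A's ACL needs 192.168.10.0/24 to 192.168.20.0/24 as well as to the Head Office LAN), otherwise the spoke will not send the printer traffic into its tunnel.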

Thanks for the replies, I shall look into DMVPN now.

Much appreciated.
