02-25-2001 05:42 PM - edited 02-21-2020 11:17 AM
I'm designing a hub and spoke VPN network. I have a headquarters with a PIX 515 and 5 remote offices with 1720's running IPSec and IOS firewall. My question is: can Remote 1 talk to Remote 2, 3, 4, and 5 by going through its tunnel to the PIX, or does Remote 1 need to have a direct tunnel to Remote 2, 3, etc...? I realize that the PIX for the most part does not route, but can the remote networks talk to each other through the PIX? Any ideas or references to configs would be very much appreciated. Thanks in advance.
03-01-2001 10:30 AM
You need to have direct tunnels between each site. Refer to http://www.cisco.com/warp/public/707/ios_hub-spoke.html
The easiest way to fully mesh IOS devices is to use Tunnel Endpoint Discovery (TED) - see http://www.cisco.com/warp/public/707/tedpreshare.html - as this minimises the amount of configuration needed.
I'm not sure if the PIX supports TED, so you may need to define a normal crypto map to get to the traffic behind the PIX, and then use dynamic crypto maps with the discovery keyword for all your remote sites.
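The spoke-side layout this reply describes (a static crypto map entry for the PIX hub, plus a TED dynamic entry for the other spokes), as an added illustrative IOS configuration that is not from the original post. The map and transform-set names, pre-shared key, ACL numbers, interface and all addresses are constructed placeholders, and TED's wildcard pre-shared key and ACL behaviour should be checked against the linked Cisco document for the IOS version in use.

```cisco
! --- constructed example for one spoke router (Remote 1) ---
! IKE policy: pre-shared keys, since TED learns peers dynamically
crypto isakmp policy 10
 authentication pre-share
! Specific key for the known PIX hub (address assumed)
crypto isakmp key HUB-KEY-PLACEHOLDER address 192.0.2.1
! Wildcard key so IKE can complete with spokes discovered by TED
crypto isakmp key SPOKE-KEY-PLACEHOLDER address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
! Dynamic template used for spoke-to-spoke tunnels found via TED
crypto dynamic-map DYN-SPOKES 10
 set transform-set TS
 match address 120
!
! Entry 10: ordinary static tunnel to the PIX hub for HQ traffic
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS
 match address 110
! Entry 20: TED discovery for traffic destined to the other spokes
crypto map VPN 20 ipsec-isakmp dynamic DYN-SPOKES discover
!
interface Serial0
 crypto map VPN
!
! 110: this spoke's LAN to the HQ LAN (addresses constructed)
access-list 110 permit ip 10.1.0.0 0.0.255.255 10.0.0.0 0.0.255.255
! 120: this spoke's LAN to any other spoke LAN; TED probes use the
! real destination address, which is why NAT'd spokes break it
access-list 120 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 120 permit ip 10.1.0.0 0.0.255.255 10.3.0.0 0.0.255.255
```

The PIX side keeps a plain static peer entry for each 1720; only the spoke-to-spoke leg relies on discovery.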
03-05-2001 08:23 AM
He is right about the solution. The only problem with tunnel endpoint discovery is it doesn't work with NAT. You have to have a legal IP on each desktop since TED uses the destination IP address to discover the tunnel endpoint.
Sam Munzani
CCIE # 6479
03-01-2001 10:33 AM
The PIX acting as the hub will not route traffic between spokes. All spokes will require their own tunnels configured to allow communications to a peer spoke.
03-01-2001 01:13 PM
I think this link will help you out:
http://www.cisco.com/cpropart/salestools/cc/so/neso/sqso/eqso/iptoc_dg.htm
Bill
03-01-2001 07:17 PM
Hi,
A one-to-one tunnel is required to establish the VPN between remote routers. It's like meshed tunnels.
Thanks & Regards,
Selva