01-21-2004 03:39 AM
I have 3 sites. All sites have PIX 501. Central Site has static IP, 2 remote sites has dynamic IP.
I have no problem with the remote sites connecting to the central site using their dynamic IP in a hub and spoke connection.
Is it possible for the 2 remote sites to communicate? There is some data that needs to be transferred between the remote sites. I've read somewhere on the Cisco web site that it's possible via full-mesh on demand.
Does anybody have a sample config for a site-to-site VPN where the central site has a static IP and the remote sites have dynamic IPs? The remote sites would learn the dynamic IP of the other remote sites from the central server.
Thanks.
01-21-2004 05:10 PM
If these were IOS routers you could use DMVPN, but this is not supported on a PIX (this is the "full-mesh on demand" you mention I believe).
Similarly with IOS and VPN3000's, you could route the spoke-to-spoke traffic via the hub and everything would work, but the PIX won't route a packet back out the same interface it came in on, which includes IPSec traffic from one spoke going back out to another.
In short, I don't see any way to do this with a PIX as your hub. Sorry.
01-21-2004 06:10 PM
If I replace the hub (PIX) with an IOS router, will this work? Will the PIXes that are spokes be able to learn info about the other spokes and initiate an on-demand tunnel?
Or the only solution is to have a static IP on 2 sites and only 1 site with dynamic?
01-21-2004 07:48 PM
If you replace the hub with a router then you'll be able to get spoke-to-spoke communication, but it will still go via the hub. There is no way for one spoke PIX to learn the IP address of the other spoke.
01-21-2004 11:51 PM
Does it also apply to IOS? I mean the spoke can't learn the IP address of other spoke?
At one of the Cisco University courses I attended, we had a lab exercise where we created EZVPN. The 3600 router was configured as the server, with 1760s as the spokes. We were told that the 1760 learned the IP of the other 1760 from the EZVPN server and created an on-demand VPN tunnel. It was tested by calling the IP phone on the other router running CME.
Was this possible? I can't seem to remember much; it was almost a year ago.
Is it possible to have a full-mesh even with dynamic IPs on some of the PIX? IOS-based?
Thanks.
01-22-2004 03:21 PM
With IOS as your hub and spokes then yes, the spokes can dynamically learn the address of other spokes using NHRP. This type of setup is called Dynamic Multipoint VPN (DMVPN), you can read everything you ever wanted to know about it here:
http://www.cisco.com/warp/public/105/dmvpn.html
Even with EzVPN (not DMVPN) the spokes won't learn the address of other spokes, all communication is still via the hub. Calling another spoke would work, but as I said, the packets will go spoke-hub-spoke.
01-22-2004 06:15 PM
Thanks.
I guess I'll be getting an 806 router to replace one of the PIX 501s.