06-17-2004 11:53 AM - edited 02-21-2020 01:12 PM
I have two branch offices with PIX 6.3.3 connected to our central VPN 3005. I want these branch offices to talk together. Is there any special configuration to make this work?
Tx
06-18-2004 06:16 AM
Many of my customers have a similar setup to what you describe and traffic can flow between the 2 branch sites.
You need to make sure the ACLs that define the traffic to be tunnelled include the remote branch sites on both of the Pixen.
Please let us know if you try this and do not have success. We can take a look at your config and provide further assistance.
thanks
peter
06-18-2004 06:59 AM
Are they using the EasyVPN feature on the PIX units? We have several remote PIXes dialing in using the EasyVPN configuration commands. The remote sites CANNOT communicate with each other, only the central site.
06-18-2004 07:19 AM
No they are connecting with a L2L VPN connection.
06-18-2004 06:20 AM
There is a document at
This is the basic way to do it. I have used it with multiple remote site PIXes to a VPN3000. The complicated bit is when you want the remote sites to be able to communicate with each other via the centre. On the Concentrator you need to specify the exact network lists for each tunnel, and on the PIX this is done using an access-list.
ip address inside 192.168.5.1 255.255.255.0
access-list 150 permit ip inside-network 255.255.255.0 192.168.1.0 255.255.255.0
access-list 150 permit ip inside-network 255.255.255.0 192.168.2.0 255.255.255.0
access-list 150 permit ip inside-network 255.255.255.0 192.168.4.0 255.255.255.0
access-list 150 permit ip inside-network 255.255.255.0 192.168.3.0 255.255.255.0
crypto ipsec transform-set glasgow esp-3des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 150
crypto map newmap 10 set peer aaa.bbb.ccc.ddd
crypto map newmap 10 set transform-set glasgow
crypto map newmap interface outside
The above allows one remote network 192.168.5.0 to connect to four other networks via the ipsec tunnel to the centre.
Cheers
Steve
06-18-2004 07:14 AM
Thank you for this quick answer. My settings are almost the same for my PIXes. Do you have any special settings for the VPN3000? The routing doesn't seem to work between the PIXes. How does the 3000 route the packets from one VPN tunnel to another one?
06-18-2004 08:46 AM
The way that I configured it was to ensure that the network list associated with each particular tunnel contains the correct list of subnets. I do not use network autodiscovery. If network 1 is down tunnel 1, then networks 0, 2 and 3 are listed as being available to network 1 back up tunnel 1.
I hope that this makes sense.
Cheers
Steve.
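The two rules Steve gives above (every spoke PIX's crypto ACL must list the hub subnet and every other spoke's inside subnet, and the Concentrator's per-tunnel network list must mirror what that PIX's ACL expects behind the hub) are easy to get wrong by hand once there are more than two branches. The script below is an added example and is not code from the thread or from Cisco: it parses PIX 6.3-style `access-list`, `ip address inside` and `crypto map ... match address` lines from constructed sample configs, reports which hub-side networks each spoke fails to tunnel, and derives the Local/Remote network list the VPN 3000 LAN-to-LAN entry for that spoke has to carry. The hostnames, the hub subnet 192.168.1.0/24, the peer address 203.0.113.1 and the second spoke's config are all assumptions; the thread's own sample uses the symbolic `inside-network`, here replaced by literal addresses.

```python
"""Consistency check for hub-and-spoke IPsec crypto ACLs (added example, not from the thread)."""
import ipaddress
import re

# Constructed sample configs (PIX 6.3 syntax, hypothetical names and addresses).
# pix-glasgow lists the hub and the other spoke; pix-edinburgh only lists the hub,
# so branch-to-branch traffic from Edinburgh will never be tunnelled.
SPOKE_CONFIGS = {
    "pix-glasgow": """
ip address inside 192.168.5.1 255.255.255.0
access-list 150 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 150 permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 150
crypto map newmap 10 set peer 203.0.113.1
""",
    "pix-edinburgh": """
ip address inside 192.168.2.1 255.255.255.0
access-list 120 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 120
crypto map newmap 10 set peer 203.0.113.1
""",
}
HUB_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed subnet behind the VPN 3000

ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$"
)
INSIDE_RE = re.compile(r"^ip address inside\s+(\S+)\s+(\S+)\s*$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)\s*$")


def _net(addr, mask):
    """Address + dotted mask -> network object (host bits are dropped)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_pix(config):
    """Return (inside network, [(src, dst), ...]) for the ACL(s) bound to a crypto map."""
    lines = [line.strip() for line in config.splitlines()]
    inside, acl_names = None, set()
    for line in lines:
        m = INSIDE_RE.match(line)
        if m:
            inside = _net(m.group(1), m.group(2))
        m = MATCH_RE.match(line)
        if m:
            acl_names.add(m.group(1))
    entries = []
    for line in lines:
        m = ACL_RE.match(line)
        if m and m.group(1) in acl_names:  # only the crypto ACL defines interesting traffic
            entries.append((_net(m.group(2), m.group(3)), _net(m.group(4), m.group(5))))
    return inside, entries


def missing_spoke_routes(spokes, hub_net):
    """For each spoke, the hub-side networks (hub + other spokes) its crypto ACL does not cover."""
    parsed = {name: parse_pix(cfg) for name, cfg in spokes.items()}
    result = {}
    for name, (inside, entries) in parsed.items():
        wanted = {hub_net} | {other_inside for other, (other_inside, _) in parsed.items()
                              if other != name}
        covered = {dst for src, dst in entries if src == inside}
        result[name] = [str(n) for n in sorted(wanted - covered)]
    return result


def concentrator_network_lists(spokes):
    """Per-tunnel network list the VPN 3000 must carry so its proxy IDs mirror the PIX ACL.

    'remote' is what the Concentrator sees behind the spoke; 'local' is everything the spoke
    expects to reach through the hub, including the other branches.
    """
    out = {}
    for name, cfg in spokes.items():
        inside, entries = parse_pix(cfg)
        out[name] = {
            "remote": [str(inside)],
            "local": [str(d) for d in sorted({dst for _, dst in entries})],
        }
    return out


if __name__ == "__main__":
    for spoke, gaps in missing_spoke_routes(SPOKE_CONFIGS, HUB_NET).items():
        print(f"{spoke}: missing {gaps or 'nothing'}")
    for spoke, lists in concentrator_network_lists(SPOKE_CONFIGS).items():
        print(f"{spoke}: concentrator local={lists['local']} remote={lists['remote']}")
```

Any subnet reported as missing on one spoke has to be added to that PIX's crypto ACL and to the Concentrator's network list for that tunnel on the same change; if only one side is updated, the phase 2 proxy identities no longer match and the SA for that pair of subnets will not come up.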
06-18-2004 09:00 AM
It does make sense.
Thank you for your help. The setting that was not working was the tunnel default gateway that I use for the VPN client. When the tunnel default gateway is set to 0.0.0.0, everything was working fine.