cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
724
Views
0
Helpful
7
Replies

Routing between Branch office VPN

rcrevier
Level 1
Level 1

I have two branch office with PIX 6.3.3 connected to our central VPN 3005. I want these branch office to talk togheter. Is there any special configuration to make this work ?

Tx

7 Replies 7

pcomeaux
Cisco Employee
Cisco Employee

Many of my customers have a similar setup to what you describe and traffic can flow between the 2 branch sites.

You need to make sure the ACLs that define the traffic to be tunnelled includes the remote branch sites on both of the Pixen.

Please let us know if you try this and do not have success. We can take a look at your config and provide further assistance.

thanks

peter

Are they using the EasyVPN feature on the PIX units? We have several remote PIXes dialing in using the EasyVPN configuration commands. The remote sites CANNOT communicate with each other, only the central site.

No they are connecting with a L2L VPN connection.

steven.wilson
Level 1
Level 1

there is a document at

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml

This is the basic way to do it. I have used it with muliple remote site PIX to VPN3000. The complicated bit is when you want the remote sites to be able to communicate with each other via the centre. On the Concentrator you need to specify the exact network lists for each tunnel and on the PIX this is done using an access-list.

ip address inside 192.168.5.1 255.255.255.0

access-list 150 permit ip inside-network 255.255.255.0 192.168.1.0 255.255.255.0

access-list 150 permit ip inside-network 255.255.255.0 192.168.2.0 255.255.255.0

access-list 150 permit ip inside-network 255.255.255.0 192.168.4.0 255.255.255.0

access-list 150 permit ip inside-network 255.255.255.0 192.168.3.0 255.255.255.0

crypto ipsec transform-set glasgow esp-3des esp-md5-hmac

crypto map newmap 10 ipsec-isakmp

crypto map newmap 10 match address 150

crypto map newmap 10 set peer aaa.bbb.ccc.ddd

crypto map newmap 10 set transform-set glasgow

crypto map newmap interface outside

The above allows one remote network 192.168.5.0 to connect to four other networks via the ipsec tunnel to the centre.

Cheers

Steve

Thank you for this quick answer. My settings is almost the same for my PIX's. Do you have a special settings for the VPN3000 ? The routing don't seem to work between the PIX. How the 3000 route the packets from one VPN tunnel to another one ?

The way that I configured it was to ensure that the network list associated with each particular tunnel contains the correct list of subnets. I do not use network autodiscovery. If network 1 is down tunnel 1 then network 0,2,3 are listed as being available to network 1 back up tunnel 1.

I hope that this makes sense.

Cheers

Steve.

It Does make sense.

Thank you for your help. My settings that was not working was the tunnel default gateway that i use for for the VPN client. When the tunnel default is set to 0.0.0.0 everything was working fine.