Spoke to Spoke Communication through PIX

bfpnetworking
Level 1

I need two branch routers, 192.168.48.x and 192.168.49.x, to be able to pass traffic to each other without a dedicated VPN tunnel between the two branches.


HQ LAN is 172.16.x.x and 172.17.x.x

Branch Routers use 192.168.x.x


***PIX***

access-list nonat permit ip 172.16.0.0 255.255.0.0 192.168.48.0 255.255.255.0
access-list nonat permit ip 172.17.0.0 255.255.0.0 192.168.48.0 255.255.255.0

access-list mtl01rt01ec permit ip 172.16.0.0 255.255.0.0 192.168.48.0 255.255.255.0
access-list mtl01rt01ec permit ip 172.17.0.0 255.255.0.0 192.168.48.0 255.255.255.0

route outside 192.168.48.0 255.255.255.0 "Internet Router"


**************************************************************************

***Spoke router 1***

crypto map nolan 18 ipsec-isakmp
set peer "HUB PIX"
set transform-set sharks
match address 121


access-list 110 deny   ip 192.168.48.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 110 deny   ip 192.168.48.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 110 permit ip 192.168.48.0 0.0.0.255 any
access-list 121 permit ip 192.168.48.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 121 permit ip 192.168.48.0 0.0.0.255 172.17.0.0 0.0.255.255
!
route-map nonat permit 10
match ip address 110


ip nat inside source route-map nonat interface Ethernet0 overload
**************************************************************************

***Spoke router 2***


crypto map nolan 18 ipsec-isakmp
set peer "HUB PIX"
set transform-set sharks
match address 121


access-list 110 deny   ip 192.168.49.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 110 deny   ip 192.168.49.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 110 permit ip 192.168.49.0 0.0.0.255 any
access-list 121 permit ip 192.168.49.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 121 permit ip 192.168.49.0 0.0.0.255 172.17.0.0 0.0.255.255
!
route-map nonat permit 10
match ip address 110


ip nat inside source route-map nonat interface Ethernet0 overload

1 Reply

Jennifer Halim
Cisco Employee

What version is your PIX? If it's 7.x and above, you can make it work as follows:

PIX:

same-security-traffic permit intra-interface

access-list mtl01rt01ec permit ip 192.168.49.0 255.255.255.0 192.168.48.0 255.255.255.0

access-list permit ip 192.168.48.0 255.255.255.0 192.168.49.0 255.255.255.0

Spoke 1:

access-list 121 permit ip 192.168.48.0 0.0.0.255 192.168.49.0 0.0.0.255

ip access-list extended 110
  1 deny ip 192.168.48.0 0.0.0.255 192.168.49.0 0.0.0.255

Spoke 2:

access-list 121 permit ip 192.168.49.0 0.0.0.255 192.168.48.0 0.0.0.255

ip access-list extended 110
  1 deny ip 192.168.49.0 0.0.0.255 192.168.48.0 0.0.0.255
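The reply above hinges on two things that are easy to get subtly wrong when hairpinning spoke-to-spoke traffic through the hub: each new crypto ACL entry on a spoke must be mirrored (source and destination swapped) in the hub's crypto ACL for that spoke, or the proxy identities will not match and the SA for that flow never comes up; and the NAT exemption deny must be evaluated before the `permit ip ... any` line, which is why the reply inserts it with sequence number 1. The following checker is an added example, not code from the thread or from Cisco: it parses IOS-style (wildcard-mask) spoke ACLs and PIX-style (netmask) hub ACLs, models IOS sequence-number ordering, and reports unmirrored crypto entries and crypto flows that would still be NATed. The sample ACL lines are constructed from spoke 1 and the PIX `mtl01rt01ec` ACL in the thread, plus a deliberately mis-ordered variant where the deny was appended without the sequence number; the function names are my own.

```python
"""Cross-check hub/spoke IPsec proxy identities and NAT exemption ordering.

Added example (not from the original thread). Parses spoke ACLs written with
IOS wildcard masks and hub ACLs written with PIX netmasks, then reports:
  1. spoke crypto entries with no mirrored (dst, src) permit on the hub;
  2. crypto flows whose first matching route-map ACL entry is a permit,
     meaning the packet is NATed before the crypto map ever sees it.
"""
import ipaddress


def _to_network(addr, mask, mask_style):
    """Build an IPv4Network from 'addr mask' in wildcard (IOS) or netmask (PIX) form."""
    if mask_style == "wildcard":
        # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0.
        # Inverted explicitly because ipaddress treats an all-zero mask as /0.
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _take_prefix(tokens, mask_style):
    """Consume one src/dst specifier ('any', 'host A', or 'A MASK') and return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return _to_network(tokens[0], tokens[1], mask_style), tokens[2:]


def parse_acls(lines, mask_style):
    """Return {acl_name: [(seq, action, src, dst), ...]} sorted by sequence number.

    Accepts both 'access-list N ...' one-liners and indented entries under
    'ip access-list extended N'. An explicit leading sequence number is honoured,
    so '1 deny ...' sorts before the auto-numbered 10/20/30 entries, as on IOS.
    """
    acls, current = {}, None
    for raw in lines:
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current = tokens[3]
            acls.setdefault(current, [])
            continue
        if tokens[0] == "access-list":
            name, rest = tokens[1], tokens[2:]
        elif current is not None and raw[0].isspace():
            name, rest = current, tokens
        else:
            current = None  # any other unindented line ends the named-ACL block
            continue
        entries = acls.setdefault(name, [])
        if rest and rest[0].isdigit():
            seq = int(rest.pop(0))
        else:
            seq = max((e[0] for e in entries), default=0) + 10
        if len(rest) < 4 or rest[0] not in ("permit", "deny") or rest[1] != "ip":
            continue  # only 'permit/deny ip' entries are modelled here
        action = rest[0]
        src, rest = _take_prefix(rest[2:], mask_style)
        dst, _ = _take_prefix(rest, mask_style)
        entries.append((seq, action, src, dst))
    for entries in acls.values():
        entries.sort(key=lambda e: e[0])
    return acls


def missing_mirrors(spoke_crypto, hub_crypto):
    """Spoke crypto permits whose swapped (dst, src) permit is absent on the hub."""
    hub_pairs = {(src, dst) for _, act, src, dst in hub_crypto if act == "permit"}
    return [(str(src), str(dst)) for _, act, src, dst in spoke_crypto
            if act == "permit" and (dst, src) not in hub_pairs]


def nat_leaks(crypto, nonat):
    """Crypto flows that hit a permit in the route-map ACL first and so get NATed.

    A deny, or no match at all (the implicit deny), keeps the route-map from
    firing, so the packet keeps its real source and still matches the crypto ACL.
    """
    leaks = []
    for _, act, src, dst in crypto:
        if act != "permit":
            continue
        for _, nact, nsrc, ndst in nonat:  # first-match semantics
            if src.overlaps(nsrc) and dst.overlaps(ndst):
                if nact == "permit":
                    leaks.append((str(src), str(dst)))
                break
    return leaks


# Constructed sample data, taken from spoke 1 and the PIX crypto ACL in the thread.
HUB_BEFORE = """
access-list mtl01rt01ec permit ip 172.16.0.0 255.255.0.0 192.168.48.0 255.255.255.0
access-list mtl01rt01ec permit ip 172.17.0.0 255.255.0.0 192.168.48.0 255.255.255.0
""".splitlines()
HUB_AFTER = HUB_BEFORE + [
    "access-list mtl01rt01ec permit ip 192.168.49.0 255.255.255.0 192.168.48.0 255.255.255.0"]
SPOKE1_BEFORE = """
access-list 110 deny   ip 192.168.48.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 110 deny   ip 192.168.48.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 110 permit ip 192.168.48.0 0.0.0.255 any
access-list 121 permit ip 192.168.48.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 121 permit ip 192.168.48.0 0.0.0.255 172.17.0.0 0.0.255.255
""".splitlines()
SPOKE1_AFTER = SPOKE1_BEFORE + [
    "access-list 121 permit ip 192.168.48.0 0.0.0.255 192.168.49.0 0.0.0.255",
    "ip access-list extended 110",
    "  1 deny ip 192.168.48.0 0.0.0.255 192.168.49.0 0.0.0.255",
]
# Constructed mistake: the same deny appended without the sequence number 1.
SPOKE1_WRONG_ORDER = SPOKE1_BEFORE + [
    "access-list 121 permit ip 192.168.48.0 0.0.0.255 192.168.49.0 0.0.0.255",
    "access-list 110 deny ip 192.168.48.0 0.0.0.255 192.168.49.0 0.0.0.255",
]


def audit(spoke_lines, hub_lines):
    """Run both checks for spoke 1 (crypto ACL 121, NAT route-map ACL 110) against the hub."""
    spoke = parse_acls(spoke_lines, "wildcard")
    hub = parse_acls(hub_lines, "netmask")
    return {"unmirrored": missing_mirrors(spoke["121"], hub["mtl01rt01ec"]),
            "nat_leaks": nat_leaks(spoke["121"], spoke["110"])}


if __name__ == "__main__":
    for label, s, h in [("original", SPOKE1_BEFORE, HUB_BEFORE),
                        ("spoke fixed, hub not", SPOKE1_AFTER, HUB_BEFORE),
                        ("deny appended without seq 1", SPOKE1_WRONG_ORDER, HUB_AFTER),
                        ("both fixed", SPOKE1_AFTER, HUB_AFTER)]:
        print(f"{label}: {audit(s, h)}")
```

Run as a script it walks through the four states: the original config is internally consistent (it just has no spoke-to-spoke entry), fixing only the spoke reports the unmirrored 192.168.48.0/24 to 192.168.49.0/24 entry, appending the deny without the leading `1` reports that flow as a NAT leak because `permit ip ... any` matches first, and the complete fix from the reply reports nothing. The same parser can be pointed at spoke 2 and its hub ACL once that ACL's name is known.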