07-11-2012 02:40 PM
I need two branch routers 192.168.48.x and 192.168.49.x to be able to pass traffic to each other without a dedicated vpn tunnel between the two branches.
HQ LAN is 172.16.x.x and 172.17.x.x
Branch Routers use 192.168.x.x
***PIX***
access-list nonat permit ip 172.16.0.0 255.255.0.0 192.168.48.0 255.255.255.0
access-list nonat permit ip 172.17.0.0 255.255.0.0 192.168.48.0 255.255.255.0
access-list mtl01rt01ec permit ip 172.16.0.0 255.255.0.0 192.168.48.0 255.255.255.0
access-list mtl01rt01ec permit ip 172.17.0.0 255.255.0.0 192.168.48.0 255.255.255.0
route outside 192.168.48.0 255.255.255.0 "Internet Router"
**************************************************************************
***Spoke router 1***
crypto map nolan 18 ipsec-isakmp
set peer "HUB PIX"
set transform-set sharks
match address 121
access-list 110 deny ip 192.168.48.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 110 deny ip 192.168.48.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 110 permit ip 192.168.48.0 0.0.0.255 any
access-list 121 permit ip 192.168.48.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 121 permit ip 192.168.48.0 0.0.0.255 172.17.0.0 0.0.255.255
!
route-map nonat permit 10
match ip address 110
ip nat inside source route-map nonat interface Ethernet0 overload
**************************************************************************
***Spoke router 2***
crypto map nolan 18 ipsec-isakmp
set peer "HUB PIX"
set transform-set sharks
match address 121
access-list 110 deny ip 192.168.49.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 110 deny ip 192.168.49.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 110 permit ip 192.168.49.0 0.0.0.255 any
access-list 121 permit ip 192.168.49.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 121 permit ip 192.168.49.0 0.0.0.255 172.17.0.0 0.0.255.255
!
route-map nonat permit 10
match ip address 110
ip nat inside source route-map nonat interface Ethernet0 overload
07-11-2012 11:07 PM
What version is your PIX? If it's 7.x and above, you can make it work as follows:
PIX:
same-security-traffic permit intra-interface
access-list mtl01rt01ec permit ip 192.168.49.0 255.255.255.0 192.168.48.0 255.255.255.0
access-list
Spoke 1:
access-list 121 permit ip 192.168.48.0 0.0.0.255 192.168.49.0 0.0.0.255
ip access-list extended 110
1 deny ip 192.168.48.0 0.0.0.255 192.168.49.0 0.0.0.255
Spoke 2:
access-list 121 permit ip 192.168.49.0 0.0.0.255 192.168.48.0 0.0.0.255
ip access-list extended 110
1 deny ip 192.168.49.0 0.0.0.255 192.168.48.0 0.0.0.255
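Added example (not part of either post above): a small Python model of what spoke 1 does with a packet bound for the other branch, run against the ACLs quoted in the question and then with the lines the answer adds, plus a mirror-image check of the hub's crypto ACL. It assumes IOS applies inside-to-outside NAT before the crypto map check, so anything ACL 110 lets the route-map PAT onto Ethernet0 leaves the router outside the tunnel. The hub ACL name mtl01rt01ec and every ACL line come from the thread; the sample hosts 192.168.48.10, 192.168.49.10 and 172.16.5.5 are constructed.

```python
"""Model of a spoke's NAT route-map (ACL 110) and crypto map match ACL (121).

Assumption (IOS order of operations): inside-to-outside NAT runs before the
crypto map check, so a PAT'ed packet no longer matches the crypto ACL.
"""
import ipaddress
import re
from dataclasses import dataclass

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass
class Ace:
    seq: int
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks are inverted netmasks: 0.0.0.255 -> /24."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _endpoint(tokens: list, wildcard: bool) -> ipaddress.IPv4Network:
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    if wildcard:                      # IOS syntax
        return wildcard_to_network(tok, mask)
    return ipaddress.IPv4Network(f"{tok}/{mask}", strict=False)   # PIX uses netmasks


def parse_acls(config: str, wildcard: bool = True) -> dict:
    """Parse 'access-list N ...' lines and 'ip access-list extended N' blocks
    (whose entries carry an explicit sequence number) into ordered ACE lists."""
    acls: dict = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.fullmatch(r"ip access-list extended (\S+)", line):
            current = m.group(1)
            acls.setdefault(current, [])
            continue
        if m := re.fullmatch(r"access-list (\S+) (permit|deny) ip (.+)", line):
            name, action, rest = m.groups()
            entries = acls.setdefault(name, [])
            seq = 10 * (len(entries) + 1)        # IOS auto-numbers 10, 20, 30 ...
        elif (m := re.fullmatch(r"(\d+) (permit|deny) ip (.+)", line)) and current:
            seq, action, rest = int(m.group(1)), m.group(2), m.group(3)
            entries = acls[current]
        else:
            raise ValueError(f"unrecognised line: {line}")
        tokens = rest.split()
        src = _endpoint(tokens, wildcard)
        dst = _endpoint(tokens, wildcard)
        entries.append(Ace(seq, action, src, dst))
        entries.sort(key=lambda a: a.seq)        # sequence number decides match order
    return acls


def first_match(acl: list, src_ip: str, dst_ip: str) -> str:
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"                                # implicit deny at the end


def spoke_fate(acls: dict, src_ip: str, dst_ip: str) -> str:
    """'tunnel', 'cleartext-nat' (PAT'ed to the Internet) or 'cleartext-unnatted'."""
    if first_match(acls["110"], src_ip, dst_ip) == "permit":
        return "cleartext-nat"        # NAT happens first, so ACL 121 never sees it
    if first_match(acls["121"], src_ip, dst_ip) == "permit":
        return "tunnel"
    return "cleartext-unnatted"       # routed as-is, outside the tunnel


def missing_mirrors(spoke_crypto: list, hub_crypto: list) -> list:
    """Crypto ACLs must be mirror images; return spoke ACEs the hub does not mirror."""
    hub_pairs = {(a.src, a.dst) for a in hub_crypto if a.action == "permit"}
    return [a for a in spoke_crypto if a.action == "permit" and (a.dst, a.src) not in hub_pairs]


# Spoke 1 exactly as posted in the question.
SPOKE1_BEFORE = """
access-list 110 deny ip 192.168.48.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 110 deny ip 192.168.48.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 110 permit ip 192.168.48.0 0.0.0.255 any
access-list 121 permit ip 192.168.48.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 121 permit ip 192.168.48.0 0.0.0.255 172.17.0.0 0.0.255.255
"""
# Same, plus the two spoke-1 lines from the answer (sequence 1 lands ahead of 'permit ... any').
SPOKE1_AFTER = SPOKE1_BEFORE + """
access-list 121 permit ip 192.168.48.0 0.0.0.255 192.168.49.0 0.0.0.255
ip access-list extended 110
 1 deny ip 192.168.48.0 0.0.0.255 192.168.49.0 0.0.0.255
"""
HUB_BEFORE = """
access-list mtl01rt01ec permit ip 172.16.0.0 255.255.0.0 192.168.48.0 255.255.255.0
access-list mtl01rt01ec permit ip 172.17.0.0 255.255.0.0 192.168.48.0 255.255.255.0
"""
HUB_AFTER = HUB_BEFORE + "access-list mtl01rt01ec permit ip 192.168.49.0 255.255.255.0 192.168.48.0 255.255.255.0\n"


def check(spoke_cfg: str, hub_cfg: str, src_ip: str = "192.168.48.10", dst_ip: str = "192.168.49.10") -> dict:
    spoke = parse_acls(spoke_cfg, wildcard=True)
    hub = parse_acls(hub_cfg, wildcard=False)
    return {"fate": spoke_fate(spoke, src_ip, dst_ip),
            "unmirrored": len(missing_mirrors(spoke["121"], hub["mtl01rt01ec"]))}


if __name__ == "__main__":
    for label, s, h in (("before", SPOKE1_BEFORE, HUB_BEFORE), ("after", SPOKE1_AFTER, HUB_AFTER)):
        print(label, check(s, h))
```

With the question's configs the branch-to-branch packet comes out as cleartext-nat: ACL 110 has no deny for 192.168.49.0/24, so the route-map PATs it onto Ethernet0 and it is routed to the Internet rather than encrypted. With the answer's additions it comes out as tunnel, and the hub's new mtl01rt01ec entry is the exact mirror of the spoke's new 121 entry. The ordering point is why the answer inserts the deny at sequence 1 with ip access-list extended 110: simply appending another access-list 110 deny line would put it after permit ip 192.168.48.0 0.0.0.255 any, where it never matches.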