Question : Problem: Configure Site to site vpn to communicate within remote sites

Hello ALL

I have a site-to-site VPN tunnel from corporate to 3 remote sites; all sites have PIX 501E firewalls. I need to allow direct access from one remote site to another and vice versa. Right now I can't do it. I read a couple of articles about this; they said I need to make a spoke tunnel for this. I am new to this VPN stuff. Can anyone help me implement this?

Thanks in advance

Suresh

Answer : Problem: Configure Site to site vpn to communicate within remote sites

Since you are using PIX 501s at all of the sites (I'm assuming you have a total of 4 PIX 501s: one at corporate and the other 3 at the remote sites), you will not be able to implement a hub and spoke configuration, since this is a limitation of the 6.x code that runs on the PIX 501. They have implemented this ability in the new 7.x code, but that only runs on ASAs or a PIX 515 or higher with 64MB of RAM or higher. See the following text from this URL:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093bd3.shtml

"This configuration allows a central Cisco Secure PIX Firewall to communicate with networks behind two other PIX Firewall boxes through VPN tunnels over the Internet or any public network using IPsec. The two outlying networks have no need to communicate with each other, but there is connectivity to the central network. The two outlying networks are not able to communicate with each other by going through the central PIX because the PIX does not route traffic received on one interface back out the same interface. If there is a need for the outlying networks to communicate with each other, you need a fully meshed configuration, instead of the hub and spoke configuration shown in this document."

Having said that, to implement a fully meshed configuration, you will need to make sure of the following things:

1) No overlapping networks exist at any of the sites
2) All of the sites have public static IP addresses for their Internet-facing interfaces

You will have to create tunnels between all sites for this to work, meaning you will have a total of 6 VPN tunnels. If the sites are labeled A, B, C, and D, then here is the tunnel list:

A <---> B
A <---> C
A <---> D
B <---> C
B <---> D
C <---> D

You will then need to follow the instructions in the following URL for setting up a simple IPsec tunnel between the sites (you should be able to follow this example for all 6 tunnels):

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

You may run into some performance issues on the 501 with each one having 3 site-to-site VPN tunnels up all the time, but it all depends on how much traffic you'll be passing through them to the sites.

I would stick with 3DES-SHA for the Phase I ISAKMP negotiation and the Phase II transform set (the example uses DES-MD5, but those are less secure than 3DES-SHA).

You can always use the PDM VPN wizard to set up the VPN tunnels. See the link below for this:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008052d450.shtml

Don't let the word "redundant" in the title of the document fool you. The procedure looks the same. I would make sure you have the latest PDM version, 3.04, installed on the PIX 501s before you use the PDM for the VPN tunnel creation.

Hopefully this will give you a place to start...
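The answer above lists two prerequisites for the full mesh (no overlapping LANs, static public outside addresses), the 6-tunnel pairing for 4 sites, and the 3DES-SHA recommendation. The following Python script is an added example, not part of the original answer or of Cisco's documentation: it checks both prerequisites over a constructed inventory of four sites, derives the n(n-1)/2 tunnel list and the per-PIX tunnel count, and renders a PIX 6.x-style crypto map for one site. The site names, addresses, ACL names (`vpn_A_B`, `nonat`), the crypto map name `vpnmap` and the transform-set name `strong` are all assumptions; the rendered command lines follow the pattern of the linked Cisco site-to-site example and must be checked against it before being applied to a real firewall.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory (not from the original post): each site has a
# public static address on its outside interface and one inside LAN.
SITES = {
    "A": {"outside": "198.51.100.1", "inside": "10.1.0.0/24"},  # corporate
    "B": {"outside": "198.51.100.2", "inside": "10.2.0.0/24"},
    "C": {"outside": "198.51.100.3", "inside": "10.3.0.0/24"},
    "D": {"outside": "198.51.100.4", "inside": "10.4.0.0/24"},
}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def overlapping_lans(sites):
    """Prerequisite 1: every pair of sites whose inside networks overlap.
    Overlapping LANs make the crypto ACLs ambiguous, so the mesh cannot be built."""
    nets = {name: ipaddress.ip_network(cfg["inside"]) for name, cfg in sites.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def sites_behind_nat(sites):
    """Prerequisite 2: sites whose outside address is RFC 1918, i.e. the PIX sits
    behind NAT and the other sites cannot point a static IKE peer at it."""
    return [name for name, cfg in sites.items()
            if any(ipaddress.ip_address(cfg["outside"]) in net for net in RFC1918)]


def full_mesh(sites):
    """Every unordered pair of sites: n*(n-1)/2 tunnels (6 for 4 sites)."""
    return list(combinations(sorted(sites), 2))


def tunnels_per_site(sites):
    """Tunnels each PIX must keep up concurrently (n-1 in a full mesh)."""
    counts = {name: 0 for name in sites}
    for a, b in full_mesh(sites):
        counts[a] += 1
        counts[b] += 1
    return counts


def pix_crypto_config(sites, local, psk="<pre-shared-key>"):
    """Render hypothetical PIX 6.x-style crypto configuration for the tunnels that
    terminate at `local`. Modelled on the Cisco site-to-site example; verify each
    line against that document before using it on a real PIX."""
    problems = overlapping_lans(sites) + sites_behind_nat(sites)
    if problems:
        raise ValueError(f"mesh prerequisites not met: {problems}")
    my_net = ipaddress.ip_network(sites[local]["inside"])
    lines = [
        # 3DES/SHA for both phases, in place of the example's DES/MD5
        "isakmp enable outside",
        "isakmp policy 10 authentication pre-share",
        "isakmp policy 10 encryption 3des",
        "isakmp policy 10 hash sha",
        "isakmp policy 10 group 2",
        "crypto ipsec transform-set strong esp-3des esp-sha-hmac",
        "sysopt connection permit-ipsec",
    ]
    nonat = []
    seq = 10
    for a, b in full_mesh(sites):
        if local not in (a, b):
            continue  # this tunnel terminates at two other sites
        peer = b if a == local else a
        peer_net = ipaddress.ip_network(sites[peer]["inside"])
        peer_ip = sites[peer]["outside"]
        acl = f"vpn_{local}_{peer}"
        match = (f"{my_net.network_address} {my_net.netmask} "
                 f"{peer_net.network_address} {peer_net.netmask}")
        nonat.append(f"access-list nonat permit ip {match}")
        lines += [
            f"access-list {acl} permit ip {match}",
            f"crypto map vpnmap {seq} ipsec-isakmp",
            f"crypto map vpnmap {seq} match address {acl}",
            f"crypto map vpnmap {seq} set peer {peer_ip}",
            f"crypto map vpnmap {seq} set transform-set strong",
            f"isakmp key {psk} address {peer_ip} netmask 255.255.255.255",
        ]
        seq += 10
    # One NAT-exemption ACL covering every peer LAN, bound a single time.
    lines += nonat + ["nat (inside) 0 access-list nonat",
                      "crypto map vpnmap interface outside"]
    return "\n".join(lines)


if __name__ == "__main__":
    print("tunnels:", full_mesh(SITES))
    print("per site:", tunnels_per_site(SITES))
    print(pix_crypto_config(SITES, "A"))
```

Run it once per site (changing the `local` argument) to get the four configurations; the per-site count of 3 is what the answer warns may strain a PIX 501, and a prerequisite failure raises before any configuration is rendered.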