Le Infidel
Posts: 1838
Location: Other International

Hey guys, my knowledge of Cisco VPN spec is pretty weak, so I was hoping someone could say a yes or no or give tips on how to get some routing working if possible.

Both of the sites are connected by IPSec tunnels. The devices on 10.32.x.x and 10.0.x.x are PIX 500 series on 7.x software.

As in the below image, if I am on 10.32.x.x, is there a way for me to access resources on 10.80.x.x? The way the guys at 10.0.x.x access 10.80.x.x resources is that they get assigned a 10.0.200.x IP address and work with no issues. But if I try to do the same on my end and add a persistent route into 10.80.x.x, it just doesn't work.

The feeling I get is that I may not be able to travel from 10.32.x.x to 10.80.x.x because I am going over two VPN tunnels; could that be a reason?

Have also set up a VPN gateway on 10.32.0.0 for testing, which gives me a 10.0.200.x address, and done a "route -p add 10.80.0.0 mask 255.255.0.0 10.0.0.1", which is the device that would route me to the 10.80.x.x subnet, but that wouldn't work either.

http://img245.imageshack.us/img245/2684/image001rs6.jpg

#0 03:27am 17/04/08
Le Infidel
Posts: 1839
Location: Other International

Oh yeah, this is what's going through my head right now.

#1 02:52am 17/04/08
Jim
Posts: 7676
Location: Brisbane, Queensland

> The feeling I get is that I may not be able to travel from 10.32.x.x to 10.80.x.x because I am going over two VPN tunnels could that be a reason?

Nope, it's entirely possible to do what you want to do. Aside from that, I can't get enough info from your post to see what's going wrong, other than to make wild guesses.

#2 07:26am 17/04/08
stinky
Posts: 2510
Location: Brisbane, Queensland

That's absolutely possible, you just need to make sure the routing etc. is all good. Most of the Cisco VPN devices I've worked with use ACLs to label traffic to go through a VPN.

It would look something like this on a Cisco 5510:

    access-list NONAT extended permit ip 10.32.0.0 255.255.0.0 10.88.0.0 255.255.0.0
    access-list VPN_32_to_88 extended permit ip 10.32.0.0 255.255.0.0 10.88.0.0 255.255.0.0
    nat (inside) 0 access-list NONAT
    crypto ipsec transform-set TRANSFORM_SET_AAA esp-aes-256 esp-sha-hmac
    crypto map IPSEC_MAP_VGH 50 match address VPN_32_to_88
    crypto map IPSEC_MAP_VGH 50 set peer x.x.x.x
    crypto map IPSEC_MAP_VGH 50 set transform-set TRANSFORM_SET_AAA ESP-3DES-SHA

You may also need a route to let it know which interface to dump it out of:

    route outside 10.88.0.0 255.255.0.0 ext.ip.addr.ess 100

#3 08:11am 17/04/08
CaPt0
Posts: 5953
Location: Brisbane, Queensland

Edit - I just read you are using version 7.x, so the below is irrelevant.

-------------------------------

What model of Cisco PIX are you using? What version of the IOS are you using? If you are using 6.x PIX IOS and both VPNs are terminating on the same interface, you cannot do what you are trying to do. Cisco PIX 6.x IOS has a problem where you cannot route between 2 VPNs terminating on the same interface. We have the same problem with one of our customers that has international offices all terminating their VPNs on the outside interface of the PIX. The offices cannot route between each other. We got around this by creating a loop, so we have 3 VPNs:

Head office to overseas 1
Head office to overseas 2
Overseas 1 to overseas 2

You can fix this problem by using an ASA or PIX 7.x.

---------------------------------

Alternatively, make sure that your cryptos match the correct traffic and your routes to the other networks are set correctly via the interface the VPN terminates on. Also make sure your cryptos are identical at both ends of the VPN. Check for the sysopt permit or no sysopt permit to determine whether you need ACLs on the terminating interface or not.

last edited by CaPt0 at 09:23:28 17/Apr/08

#4 09:23am 17/04/08
huntz
Posts: 29
Location: Sydney, New South Wales

Assuming that all VPNs are terminating on the same interface at 10.0.0.0, you need to add the command same-security-traffic permit intra-interface, which allows VPN traffic to enter and exit the same interface. This command is only available on 7.x software.

If it's over 2 different interfaces, then you just need to make sure that your network is part of the interesting traffic marked for encryption between 10.0.0.0 and 10.80.0.0 and that all NAT0 rules are set up properly.

last edited by huntz at 09:29:09 17/Apr/08

#5 09:29am 17/04/08
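Putting stinky's crypto ACL / NAT0 pattern and huntz's intra-interface command together for the thread's own subnets, here is an added example (not posted by anyone in the thread) of what the hub PIX/ASA 7.x at the 10.0/16 site needs so that 10.32/16 can reach 10.80/16 through it. It assumes both tunnels terminate on an interface named "outside", that the ISAKMP policy and tunnel-group pre-shared keys for the two existing tunnels are already configured, and uses PEER_A_PUBLIC_IP and PEER_C_PUBLIC_IP as placeholders for the spoke gateways' public addresses.

```cisco
! Added example for the hub (10.0.0.0/16) PIX/ASA 7.x; not from the thread.
! Assumes both tunnels terminate on "outside" and that ISAKMP policy and
! tunnel-group keys already exist. PEER_*_PUBLIC_IP are placeholders.
!
! Let traffic that arrived on "outside" leave via "outside" again (hairpin).
same-security-traffic permit intra-interface
!
! Interesting traffic for the tunnel to spoke A (10.32/16):
! A must reach the hub LAN *and* spoke C's LAN.
access-list VPN_TO_A extended permit ip 10.0.0.0 255.255.0.0 10.32.0.0 255.255.0.0
access-list VPN_TO_A extended permit ip 10.80.0.0 255.255.0.0 10.32.0.0 255.255.0.0
!
! Interesting traffic for the tunnel to spoke C (10.80/16): the mirror image.
access-list VPN_TO_C extended permit ip 10.0.0.0 255.255.0.0 10.80.0.0 255.255.0.0
access-list VPN_TO_C extended permit ip 10.32.0.0 255.255.0.0 10.80.0.0 255.255.0.0
!
! NAT exemption. Hub-LAN <-> spoke traffic enters on "inside";
! spoke <-> spoke traffic enters and leaves on "outside", so it needs its own nat 0.
access-list NONAT_INSIDE extended permit ip 10.0.0.0 255.255.0.0 10.32.0.0 255.255.0.0
access-list NONAT_INSIDE extended permit ip 10.0.0.0 255.255.0.0 10.80.0.0 255.255.0.0
nat (inside) 0 access-list NONAT_INSIDE
access-list NONAT_OUTSIDE extended permit ip 10.32.0.0 255.255.0.0 10.80.0.0 255.255.0.0
access-list NONAT_OUTSIDE extended permit ip 10.80.0.0 255.255.0.0 10.32.0.0 255.255.0.0
nat (outside) 0 access-list NONAT_OUTSIDE
!
! One crypto map, one entry per spoke, bound to "outside".
crypto ipsec transform-set TS_AES256_SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_A
crypto map OUTSIDE_MAP 10 set peer PEER_A_PUBLIC_IP
crypto map OUTSIDE_MAP 10 set transform-set TS_AES256_SHA
crypto map OUTSIDE_MAP 20 match address VPN_TO_C
crypto map OUTSIDE_MAP 20 set peer PEER_C_PUBLIC_IP
crypto map OUTSIDE_MAP 20 set transform-set TS_AES256_SHA
crypto map OUTSIDE_MAP interface outside
```

Each spoke's crypto ACL and NAT exemption must mirror the new entries (on the 10.32/16 PIX: 10.32.0.0/16 to 10.80.0.0/16), or phase 2 fails on a proxy identity mismatch. After a test ping, show crypto ipsec sa on the hub should list a separate SA pair with identities 10.80.0.0/16 and 10.32.0.0/16 under the A tunnel; if it never appears, the spoke's ACL is the first thing to check.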
CaPt0
Posts: 5954
Location: Brisbane, Queensland

Further to my reply, are you trying to do VPN hairpinning, VPN U-turning or VPN hub-and-spoke? They are all the correct terminologies for routing between VPNs that terminate on the same interface. If you have the Cisco PIX/ASA 7.x manual, it is in section 24-20.

#6 09:33am 17/04/08
TicMan
Posts: 3252
Location: Brisbane, Queensland

Obvious question time: why not create another VPN to go between the two sites? Would stop you routing through another office and wasting their bandwidth.

#7 10:00am 17/04/08
Opec
Posts: 5090
Location: Brisbane, Queensland

Exactly, was going to ask the same thing. Seems a bit silly to have to get from A to C via B if you can just connect to C directly. Unless of course it's a setup issue.

#8 10:44am 17/04/08
gimpy
Posts: 2011
Location: Brisbane, Queensland

#9 11:53am 17/04/08
Le Infidel
Posts: 1840
Location: Other International

That was the first thing I wanted to do, since there already are bandwidth issues in the middle peer, but it was going to take a very long time to set up a VPN between 10.32.x.x and 10.80.x.x directly, like months.

Anyway, cheers for the pointers guys, really appreciate it. I thought the routing on 10.0.x.x was good enough, but it seems I have missed a lot of stuff on my side. The thing confusing me was that if I was physically at 10.0.x.x I could get to both sites without worries, but if I had a remote VPN session into 10.0.x.x I couldn't get to either. I guess it's the specific routing commands I need to add in, like in stinky's example.

#10 03:34pm 17/04/08
TicMan
Posts: 3257
Location: Brisbane, Queensland

I'm scared to ask... but why does creating a VPN take months, or are the VPNs under someone else's control?

#11 03:37pm 17/04/08
Le Infidel
Posts: 1841
Location: Other International

The guys at 10.80.x.x are a different company and have slow IT processes.

#12 03:44pm 17/04/08
gimpy
Posts: 2012
Location: Brisbane, Queensland

They sound like cool dudes, slow IT processes FTW :)
SLOW RIDE *air guitar* TAKE IT EEEASY

#13 07:17pm 17/04/08
Habib
Posts: 134
Location: Brisbane, Queensland

For simplicity, below I'll refer to the gateways for the 10.32/16, 10.0/16 and 10.80/16 networks as A, B and C respectively...

I'm not really a network guy, but neither is anyone else at my work and somehow I end up doing all the network admin. Anyhow, I've tried to do something similar to you twice, except in my cases I had a Cisco router on the 10.0/16 gateway and Linux routers at the 10.32/16 and 10.80/16 gateways. I too kept getting stuck at this stage:

> But if I try to do the same on my end and add a persistent route into 10.80.x.x it just doesn't work.

The route wouldn't go in because the gateway IP wasn't physically accessible; and using the accessible public IP of course meant it wouldn't go through the IPsec tunnel. Tried a few SNAT/DNAT/address mapping tricks but didn't get anywhere. In one case I was able to take the easy option and just make another tunnel directly between 10.0/16 and 10.80/16 over the internet between A and C, which you can't do in your case (at least not quickly).

The other solution, which I needed to use the other time and which should help you and be very easy to set up, is to set up a second tunnel between A and B with the left hand side net being 10.0/16 and the right hand side net being 10.80/16. That is, two tunnels on the A<->B link and one on the B<->C link:

VPN1: LHS=A, RHS=B, LHS_Net=10.0/16, RHS_Net=10.32/16
VPN2: LHS=A, RHS=B, LHS_Net=10.0/16, RHS_Net=10.80/16
VPN3: LHS=B, RHS=C, LHS_Net=10.32/16, RHS_Net=10.80/16

Works on a little Cisco 800 SHDSL router, so I imagine it works on the thing you're using?

#14 09:12pm 17/04/08
Le Infidel
Posts: 1842
Location: Other International

Habib, thanks for that! I think that will be the best for my situation till I can 'un-noob' myself about Cisco routing!

#15 10:34pm 17/04/08