Security and Firewall Error! Security and firewall Related Queries and support
reverse site to site vpn
#1
Fixed Error!
Same thing with vpn clients that connect to 1st network, is there a configuration that allows them to find hosts on the 2nd or 3rd vpn networks? Note I know I can site to site from 2nd to 3rd network.

Also what do these lines mean, and are they necessary?

    access-list acl_out permit icmp any any echo-reply
    access-list acl_out permit icmp any any time-exceeded
    access-list acl_out permit icmp any any unreachable
#2
Fixed Error!
However in the 7.x code and ASA IOS you can enable

    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface

which will allow you to go in and out on multiple vpn tunnels and also to talk to other same level security interfaces. However, to do this you will also have to add networks 2 and 3 etc. to each of the ACLs for the IPsec policy, i.e.

    crypto map xyz 10 match address 102
    access-list 102 permit ip site1 net 255.255.255.0 site 2 255.255.255.0
    access-list 102 permit ip site 3 net 255.255.255.0 site 2 255.255.255.0

and so on. BUT on the 506 you cannot mesh the network since they can't run 7.x code.

As for your other question: that access list permits ping responses, TTL exceeded and unreachable messages to be returned and passed across the interface it's applied to.
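
Added example, not part of the thread or either poster's configuration: the reply above says networks 2 and 3 have to be added to each IPsec crypto ACL, so this Python script generates those entries for a hub-and-spoke layout and reports any entry that has no mirror image on the peer, since crypto ACLs on the two ends of a tunnel are expected to mirror each other. The addresses, site names and function names are constructed for illustration, and site 1 is assumed to be the hub.

```python
from ipaddress import ip_network

# Constructed sample addressing (not from the thread); site1 is assumed to be the hub.
SITES = {"site1": "10.1.1.0/24", "site2": "10.2.2.0/24", "site3": "10.3.3.0/24"}
HUB = "site1"

def ace(acl, src, dst):
    """Render one crypto ACL entry in the thread's 'access-list N permit ip' form."""
    s, d = ip_network(src), ip_network(dst)
    return (f"access-list {acl} permit ip {s.network_address} {s.netmask} "
            f"{d.network_address} {d.netmask}")

def hub_acls(sites, hub):
    """Hub side: one crypto ACL per spoke tunnel, every other site -> that spoke."""
    return {spoke: [(sites[src], sites[spoke]) for src in sites if src != spoke]
            for spoke in sites if spoke != hub}

def spoke_acl(sites, spoke):
    """Spoke side: its single tunnel to the hub carries spoke -> every other site."""
    return [(sites[spoke], sites[dst]) for dst in sites if dst != spoke]

def mismatches(hub_entries, spoke_entries):
    """Return (src, dst) pairs, in hub orientation, that lack a mirror on the peer."""
    mirrored = {(dst, src) for src, dst in spoke_entries}
    return sorted(set(hub_entries) ^ mirrored)

if __name__ == "__main__":
    for n, (spoke, entries) in enumerate(hub_acls(SITES, HUB).items()):
        acl = 102 + n  # ACL numbers are arbitrary; 102 follows the thread's example
        print(f"! hub ({HUB}) tunnel to {spoke}")
        for src, dst in entries:
            print(ace(acl, src, dst))
        print(f"! {spoke} tunnel to hub")
        for src, dst in spoke_acl(SITES, spoke):
            print(ace(acl, src, dst))
        print("! unmirrored:", mismatches(entries, spoke_acl(SITES, spoke)) or "none")
```
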