Pix cannot be the midpoint of a hub-spoke arrangement vpn (in other words, if you have this sort of arrangement:
Pix A --(vpn)-- Pix B --(vpn)-- Pix C
Then Pix A can communicate with Pix B, and Pix B can communicate with Pix C, but Pix A *cannot* communicate with Pix C. You would need to create a separate vpn between Pix A and C; you can't "pass through" Pix B (you could do if you replaced Pix B with a concentrator, for example).
So you'll have to set the pix up so each has a separate vpn to each other, i.e., a fully meshed vpn topology.
Why do the sites all have to be on the same subnet? If that's the case, then that's going to be a problem, as the Pix cannot properly NAT traffic and then pass it through a vpn, not without causing you problems with your internet access (I have an open issue with TAC at the moment about this very issue; if I get a resolution I'll post more details, but it seems that it cannot be done without a separate NAT device).
Chico
CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP
