PIX -> VPN3000 -> PIX


Morrack (Vendor), May 13, 2004
OK, this one is driving me nuts. Can I not use a VPN concentrator as the hub in a hub-and-spoke network with PIXes as the spokes? I've had no problem getting the PIXes to forward traffic bound for another PIX to the concentrator, but the concentrator refuses to forward the packet because "no policy defined for source:x dest:x".

I've created a filter that should allow such packets, and applied it to the groups in question. Where else should I be looking to define a policy to allow this traffic?

Any help on this is greatly appreciated.




Peter Sherwood

Morrack Consulting
 
Solved my own problem again :)

The answer was to include the remote subnets in the list of local networks, on a per VPN basis. For example:

VPN to site A

Remote network: site A's subnet

Local network: instead of just local subnet, include local subnet and all remote subnets EXCEPT site A's subnet.

VPN to site B

Remote network: remote network subnet

Local network: instead of just local subnet, include local subnet and all remote subnets EXCEPT site B's subnet.



And so on and so forth. Of course this means creating lots of network lists if you have a lot of sites. If anyone knows an easier way, I'm certainly open to hearing it :)




Peter Sherwood

Morrack Consulting
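The fix above comes down to the concentrator's per-tunnel proxy identities: a decrypted packet from spoke A bound for spoke B has to match the tunnel-A policy on the way in (source in A's "remote" list, destination in A's "local" list) and the tunnel-B policy on the way out (source in B's "local" list, destination in B's "remote" list). The following is an added example, not code from the original thread or from Cisco, that models those network lists in Python and checks every spoke pair both with the original "local subnet only" lists and with the post's fix. The hub and spoke subnets are constructed sample values.

```python
"""
Hub-and-spoke LAN-to-LAN proxy-identity check for a VPN concentrator.

Added example (not from the original post).  Each tunnel is modelled as a
(local_networks, remote_networks) pair, which is what the concentrator
consults when it reports "no policy defined for source:x dest:x".
"""
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Dict, List, Optional, Tuple

# Constructed sample topology: hub LAN behind the concentrator plus three spokes.
HUB_LAN: IPv4Network = ip_network("10.0.0.0/24")
SPOKES: Dict[str, IPv4Network] = {
    "siteA": ip_network("10.1.0.0/24"),
    "siteB": ip_network("10.2.0.0/24"),
    "siteC": ip_network("10.3.0.0/24"),
}

# (local network list, remote network list) as configured on the hub for one tunnel
Tunnel = Tuple[List[IPv4Network], List[IPv4Network]]


def build_tunnels(hub_lan: IPv4Network, spokes: Dict[str, IPv4Network],
                  include_other_spokes: bool) -> Dict[str, Tunnel]:
    """Build the hub's per-tunnel network lists.

    include_other_spokes=False is the original setup: local list = hub LAN only.
    include_other_spokes=True is the fix from the post: the local list for the
    tunnel to site X also carries every spoke subnet except X's own.
    """
    tunnels: Dict[str, Tunnel] = {}
    for name, subnet in spokes.items():
        local = [hub_lan]
        if include_other_spokes:
            local += [s for n, s in spokes.items() if n != name]
        tunnels[name] = (local, [subnet])
    return tunnels


def ingress_tunnel(tunnels: Dict[str, Tunnel], src: str, dst: str) -> Optional[str]:
    """Tunnel whose policy accepts a decrypted packet src->dst:
    src in the tunnel's remote list and dst in its local list.  None = no policy."""
    s, d = ip_address(src), ip_address(dst)
    for name, (local, remote) in tunnels.items():
        if any(s in n for n in remote) and any(d in n for n in local):
            return name
    return None


def egress_tunnel(tunnels: Dict[str, Tunnel], src: str, dst: str) -> Optional[str]:
    """Tunnel whose policy will encrypt an outbound packet src->dst:
    src in the tunnel's local list and dst in its remote list.  None = no policy."""
    s, d = ip_address(src), ip_address(dst)
    for name, (local, remote) in tunnels.items():
        if any(s in n for n in local) and any(d in n for n in remote):
            return name
    return None


def spoke_to_spoke_path(tunnels: Dict[str, Tunnel], src: str, dst: str
                        ) -> Tuple[Optional[str], Optional[str]]:
    """(tunnel the packet is accepted on, tunnel it is forwarded down)."""
    return ingress_tunnel(tunnels, src, dst), egress_tunnel(tunnels, src, dst)


def check_full_mesh(tunnels: Dict[str, Tunnel],
                    spokes: Dict[str, IPv4Network]) -> List[Tuple[str, str]]:
    """Spoke pairs (a, b) where a host in a cannot reach a host in b via the hub."""
    missing = []
    for a, net_a in spokes.items():
        for b, net_b in spokes.items():
            if a == b:
                continue
            src = str(net_a.network_address + 10)   # arbitrary host in a
            dst = str(net_b.network_address + 10)   # arbitrary host in b
            if spoke_to_spoke_path(tunnels, src, dst) != (a, b):
                missing.append((a, b))
    return missing


def distinct_local_lists(tunnels: Dict[str, Tunnel]) -> int:
    """How many different local network lists the hub needs (the 'lots of
    network lists' cost the post mentions: one per spoke once fixed)."""
    return len({tuple(str(n) for n in local) for local, _ in tunnels.values()})


if __name__ == "__main__":
    for fixed in (False, True):
        t = build_tunnels(HUB_LAN, SPOKES, fixed)
        print("fixed" if fixed else "original",
              "unreachable pairs:", check_full_mesh(t, SPOKES),
              "local lists:", distinct_local_lists(t))
```

With the original lists every spoke-to-spoke pair fails on both the ingress and the egress check; with the fix each pair is accepted on the source site's tunnel and forwarded down the destination site's tunnel, at the cost of one distinct local list per spoke.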
 