Newbie Pix to Pix hardware VPN

Unanswered Question

I have just finished the initial install of three new Pix 506E's at three different offices. I want to create a site to site VPN between the office(s), but I am having some problems. I have worked with Cisco products for years, but never had to deal with VPN's. I setup the a VPN with the PDN using the VPN Wizard, but it seems like it is missing something. DO I just need to setup the VPN, then add a static route to the internal network of the other PIX?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jon Marshall Thu, 06/28/2007 - 23:21

Hi John

You don't need a static route on your pix for the VPN to work.

When you create the VPN you create crypto access-lists which define which traffic on the pix needs to be encrypted so in your example

Pix A

access-list vpntraffic permit ip 192.168.0.x 255.255.255.0 10.10.0.x 255.255.255.0

Pix B

access-list vpntraffic permit ip 10.10.0.x 255.255.255.0 192.168.0.x 255.255.255.0

These access-lists tell the pix which traffic is to be encrypted. When a packet that matches this access-list is received the pix encrypts it and then sends it to the remote peer IP address. In other words

Pix A knows the remote address of Pix B's outside interface.

Pix A receives a packet destined for 10.10.0.x and sees that it needs to be encrypted. It encrypts it and then sends the packet to Pix B's outside interface.

Pix B decrypts the packet and forwards it on to the 10.10.0.x host.

If you cannot get your VPN working could you post the pix configs minus any sensitive information.

HTH

Jon

Actions

This Discussion