Newbie Pix to Pix hardware VPN

Unanswered Question

I have just finished the initial install of three new Pix 506E's at three different offices. I want to create a site to site VPN between the office(s), but I am having some problems. I have worked with Cisco products for years, but never had to deal with VPN's. I setup the a VPN with the PDN using the VPN Wizard, but it seems like it is missing something. DO I just need to setup the VPN, then add a static route to the internal network of the other PIX?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jon Marshall Thu, 06/28/2007 - 23:21
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Hi John


You don't need a static route on your pix for the VPN to work.


When you create the VPN you create crypto access-lists which define which traffic on the pix needs to be encrypted so in your example


Pix A


access-list vpntraffic permit ip 192.168.0.x 255.255.255.0 10.10.0.x 255.255.255.0


Pix B


access-list vpntraffic permit ip 10.10.0.x 255.255.255.0 192.168.0.x 255.255.255.0


These access-lists tell the pix which traffic is to be encrypted. When a packet that matches this access-list is received the pix encrypts it and then sends it to the remote peer IP address. In other words


Pix A knows the remote address of Pix B's outside interface.


Pix A receives a packet destined for 10.10.0.x and sees that it needs to be encrypted. It encrypts it and then sends the packet to Pix B's outside interface.


Pix B decrypts the packet and forwards it on to the 10.10.0.x host.


If you cannot get your VPN working could you post the pix configs minus any sensitive information.


HTH


Jon

Actions

This Discussion