Newbie Pix to Pix hardware VPN

Unanswered Question

I have just finished the initial install of three new PIX 506Es at three different offices. I want to create a site-to-site VPN between the offices, but I am having some problems. I have worked with Cisco products for years, but never had to deal with VPNs. I set up a VPN with the PDN using the VPN Wizard, but it seems like it is missing something. Do I just need to set up the VPN, then add a static route to the internal network of the other PIX?

Jon Marshall Thu, 06/28/2007 - 23:21

Hi John

You don't need a static route on your pix for the VPN to work.

When you create the VPN you create crypto access-lists, which define which traffic on the pix needs to be encrypted. So in your example:

Pix A

access-list vpntraffic permit ip 192.168.0.x 10.10.0.x

Pix B

access-list vpntraffic permit ip 10.10.0.x 192.168.0.x

These access-lists tell the pix which traffic is to be encrypted. When a packet that matches this access-list is received, the pix encrypts it and then sends it to the remote peer IP address. In other words:

Pix A knows the remote address of Pix B's outside interface.

Pix A receives a packet destined for 10.10.0.x and sees that it needs to be encrypted. It encrypts it and then sends the packet to Pix B's outside interface.

Pix B decrypts the packet and forwards it on to the 10.10.0.x host.

If you cannot get your VPN working, could you post the pix configs minus any sensitive information?
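The answer above makes two points that are easy to get wrong in practice: the crypto access-lists on the two peers must be exact mirrors of each other, and only packets matching the list are encrypted and sent to the peer. The following Python script is an added example written for this page (it is not from the thread or from Cisco) that parses PIX 6.x-style `access-list <name> permit ip <src> <mask> <dst> <mask>` lines from two constructed sample configs, reports entries that have no mirror on the other side, and simulates the encrypt/no-encrypt decision for a given packet. The ACL name `vpntraffic` is taken from the answer; the /24 and /16 masks and the host addresses are constructed for the illustration.

```python
"""Check that two PIX crypto access-lists mirror each other and simulate
the encrypt/no-encrypt decision a PIX makes for a packet.

Constructed example: the access-list lines below are sample input written
for this illustration, not configs taken from the thread. PIX 6.x
access-list syntax uses network/netmask pairs (not wildcard masks).
"""
import ipaddress
import re

# Matches: access-list <name> permit ip <src> <srcmask> <dst> <dstmask>
ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$"
)


def parse_crypto_acl(config_text, acl_name):
    """Return a list of (src_net, dst_net) tuples for entries of acl_name."""
    entries = []
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group(1) != acl_name:
            continue
        _, src, smask, dst, dmask = m.groups()
        # ipaddress accepts "network/netmask"; strict=False tolerates host bits.
        src_net = ipaddress.ip_network(f"{src}/{smask}", strict=False)
        dst_net = ipaddress.ip_network(f"{dst}/{dmask}", strict=False)
        entries.append((src_net, dst_net))
    return entries


def mirror_mismatches(acl_a, acl_b):
    """Entries on either side whose exact mirror (dst<->src swapped) is
    missing on the other side. An empty list means the ACLs mirror."""
    set_a, set_b = set(acl_a), set(acl_b)
    missing_in_b = [e for e in set_a if (e[1], e[0]) not in set_b]
    missing_in_a = [e for e in set_b if (e[1], e[0]) not in set_a]
    return missing_in_b + missing_in_a


def needs_encryption(acl, src_ip, dst_ip):
    """True if the packet matches the crypto ACL and goes to the peer encrypted."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src_net and d in dst_net for src_net, dst_net in acl)


def check_pair(config_a, config_b, acl_name="vpntraffic"):
    """Parse both configs and return the list of mirror mismatches."""
    return mirror_mismatches(parse_crypto_acl(config_a, acl_name),
                             parse_crypto_acl(config_b, acl_name))


# Constructed sample: Pix A protects 192.168.0.0/24, Pix B protects 10.10.0.0/24.
PIX_A_CONFIG = """
access-list vpntraffic permit ip 192.168.0.0 255.255.255.0 10.10.0.0 255.255.255.0
"""
PIX_B_CONFIG = """
access-list vpntraffic permit ip 10.10.0.0 255.255.255.0 192.168.0.0 255.255.255.0
"""
# Constructed sample of a common mistake: Pix B summarises the remote side
# to /16, so the two peers no longer agree on the protected networks.
PIX_B_BAD_CONFIG = """
access-list vpntraffic permit ip 10.10.0.0 255.255.255.0 192.168.0.0 255.255.0.0
"""

if __name__ == "__main__":
    acl_a = parse_crypto_acl(PIX_A_CONFIG, "vpntraffic")
    print("A/B mirrored:", not check_pair(PIX_A_CONFIG, PIX_B_CONFIG))
    print("A/B(bad) mismatches:", check_pair(PIX_A_CONFIG, PIX_B_BAD_CONFIG))
    print("192.168.0.5 -> 10.10.0.7 encrypted:",
          needs_encryption(acl_a, "192.168.0.5", "10.10.0.7"))
    print("192.168.0.5 -> 203.0.113.9 encrypted:",
          needs_encryption(acl_a, "192.168.0.5", "203.0.113.9"))
```

Run it against the sanitised `show access-list` output of both peers (with real masks substituted) before comparing phase 2 proposals: a non-empty mismatch list is the usual reason a tunnel negotiates but traffic for one subnet never arrives, and `needs_encryption` returning False for a host pair shows the packet is being routed in the clear rather than to the peer.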