Hey guys, I've never run into this before so I thought I'd ask before wrapping up the config. I've got 2 firewalls (PIX 501) that are going to be purely point-to-point VPN devices. I want them to pass no traffic that isn't encrypted and destined for the subnets at the end of the tunnel. (no NAT for inside hosts or anything else, just the encrypted traffic)
My question is: do I need to define NAT and then put an ACL on the interfaces to block all other traffic, or will the firewalls pass the encrypted traffic through the tunnel without any NAT statements?
You don't have an access-list allowing the traffic on your outside interface, so once the traffic is decrypted it will be dropped, because you need an ACL to go from a lower to a higher security interface.
You have 2 options, a bit like last time :-)
1) add an access-list to the outside interface of each PIX allowing the traffic
2) add this command to each PIX: "sysopt connection permit-ipsec"
It is important to understand what this command does. It allows IPsec traffic to bypass any ACLs configured on your interfaces.
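To make the two options concrete, here is an added example of what one side of such a tunnel-only PIX 501 could look like in PIX OS 6.3 syntax. It is not configuration from the thread or from either poster; the interface addresses, subnets, ACL and crypto map names, and the pre-shared key are all made up (RFC 5737 documentation ranges), and the other PIX gets the mirror image. Lines starting with ":" are comments, which PIX 6.x ignores. The `nat (inside) 0 access-list` line is the standard PIX identity-NAT exemption; it is included because PIX 6.x otherwise drops inside-to-outside traffic with "no translation group found", and it is an assumption on my part that the poster has nothing else covering that.

```cisco
: --- interfaces (hypothetical addressing) ---
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 198.51.100.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1

: --- only the tunnel subnets are interesting traffic ---
: (used both to exempt the hosts from NAT and to select traffic for the crypto map)
access-list tunnel permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

: no NAT for inside hosts: identity-NAT exemption for the tunnel traffic only.
: anything else from inside has no translation and is dropped by the PIX.
nat (inside) 0 access-list tunnel

: optional belt-and-braces: an inside ACL so that only tunnel-bound cleartext
: is even accepted from the LAN (implicit deny drops the rest)
access-list inside_in permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-group inside_in in interface inside

: --- IKE / IPsec (hypothetical peer 203.0.113.2 and key) ---
isakmp enable outside
isakmp identity address
isakmp key MakeThisLongAndRandom address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address tunnel
crypto map vpnmap 10 set peer 203.0.113.2
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside

: --- Option 1: explicit ACL on the outside interface ---
: after decryption the traffic is checked against this ACL; the implicit
: deny at the end also blocks every unencrypted packet arriving from outside
access-list outside_in permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group outside_in in interface outside

: --- Option 2 (instead of the outside_in lines above) ---
: decrypted IPsec traffic bypasses the interface ACLs entirely, so you would
: still want an outside ACL (even an all-deny one) to drop cleartext traffic
: sysopt connection permit-ipsec
```

With option 1 the outside ACL is the single place that decides what enters the PIX, and its implicit deny gives the "pass nothing that is not tunnel traffic" behaviour the question asks for. With option 2 the decrypted traffic is not subject to any interface ACL at all, so the only thing limiting it is the crypto ACL (`tunnel`) that selects what the peer is allowed to send through the SA; the interface ACLs then only ever see unencrypted packets. Either way, `show crypto ipsec sa` and `show access-list` (hit counts) are the quick checks that traffic is actually taking the tunnel rather than being dropped or bypassing it.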