Cisco PIX to PIX VPN in a Windows NT 4.0 environment

Jun 21st, 2002
Hello All,

I am working on a project plan that will enable a site-to-site VPN connection with our "sister" company. I believe that I understand the concept of interesting traffic between the peer sites, but I am still wondering how a user on the remote site will access a file or a folder on my network. I have an NT domain and my sister site does as well. Is some sort of trust needed here? Do some of my remote users need to exist in my SAM database? Is there a WINS issue? Etc., etc.



yusuff (Cisco Employee) Fri, 06/21/2002 - 22:29

From a LAN perspective, you have to fulfill all the requirements as you would set up in a traditional way without the VPN.

Only when the packet has to traverse the PIX will it be encrypted (IPSec) and then forwarded. The rest of the picture remains the same, with or without IPSec.



matthew.malone Fri, 06/28/2002 - 07:21

Thanks for the information. So, in recap, both ends of the VPN connection have to have WINS/DNS set up and configured properly for the "seamless" desktops that I desire between the two sites. Are there any hidden gotchas or any other special PIX commands that I would need to allow this scenario to happen? I.e., some special static or conduit permit statements, etc., for any NT server on either end?

paqiu Sat, 06/29/2002 - 18:00

You do not need any special commands to open any special services for NT stuff.

"sysopt connection permit-ipsec" will open necessary ports for IPSEC.

If you are using a PIX-to-PIX LAN-to-LAN VPN tunnel, the match address access-list "access-list 101 permit ip x.x.x.x y.y.y.y" defines that all IP traffic between the two LANs will be passed through.

WINS, DNS, PDC trusting/trusted relationships and all the other NT stuff belong to IP traffic.

So it will work fine for sure without doing anything special in the PIX.

matthew.malone Sun, 07/28/2002 - 13:29

Hello all again,

I have just completed phase 2 of my project, which consisted of setting up the PIX-to-PIX tunnel between my PIX firewall and my sister site's PIX 515E. I am successful in picking up "interesting" traffic on my side (Dallas, Texas) and at the sister site (Tulsa, OK), both ways: ping, telnet, mapping a network drive and so forth. Seems to be pretty sweet. However, I have effectively "killed" the "once working" client dial-up remote VPN ability that I had on my Dallas PIX. I have looked at the configurations on the PIX and have made changes to no avail. I must be missing something. PPTP works but IPSEC does not. Help! There must be a way to have both site-to-site and remote dial-up access as well.


Matthew B. Malone

matthew.malone Sun, 08/04/2002 - 19:08

Hello all,

I figured out what the problem was on the Dallas PIX firewall not being able to make the dial-up portion of the VPN work. I had to make my crypto map names the same for everything (site-to-site and dial-up), since you can only map/bind one crypto map to the outside interface of the PIX firewall. It is pretty sweet. However, when I tried to use the same configuration syntax on the Tulsa PIX that I used on the Dallas PIX, no good. I have used various dial-up clients to no avail. When I dial up, I get the message that I have a "secured connection" and I notice the little lock and key in my system tray; however, I cannot ping or telnet across the tunnel. Again, I must be missing something here.



matthew.malone Thu, 08/15/2002 - 07:30

Hello all again,

My TAC engineer assisted me in the resolution of this issue. Simply put, my "ip local pool" for my inside clients had a subnet range that conflicted with another internal subnet, i.e., I made the necessary changes in the client pool and the isakmp settings. After that, Shazam, it worked. Now my question is this: what is actually encrypted? The data, the source/destination addresses, etc.?
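The two lessons of this thread (a single crypto map on the outside interface carrying both the LAN-to-LAN entry and the dynamic remote-client entry, and a client pool that does not collide with any inside subnet) are easiest to see in one configuration. The fragment below is an added illustration, not from the thread or from Cisco documentation; it uses PIX 6.x syntax and every address, name and key in it is made up for the example (Dallas inside 10.1.0.0/16, Tulsa inside 10.2.0.0/16, peer 192.0.2.1, client pool 172.16.50.0/24, crypto map "outside_map", group "remoteusers").

```cisco
! Added example (not from the thread): PIX 6.x, one crypto map bound to the
! outside interface, with a static site-to-site entry and a dynamic entry for
! remote clients. All addresses, names and keys are constructed placeholders.
!
! Dallas inside LAN: 10.1.0.0/16   Tulsa inside LAN: 10.2.0.0/16
! Client pool 172.16.50.0/24 overlaps neither LAN; a pool that collides with
! an internal subnet is the failure described above (clients connect but
! cannot reach anything, because return traffic is routed to the wrong place)
ip local pool vpnpool 172.16.50.1-172.16.50.254

! Interesting traffic for the LAN-to-LAN tunnel (PIX ACLs use netmasks)
access-list 101 permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! Exempt tunnel traffic (to the other site and to dial-up clients) from NAT
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list nonat permit ip 10.1.0.0 255.255.0.0 172.16.50.0 255.255.255.0
nat (inside) 0 access-list nonat

! Let decrypted IPsec traffic bypass the interface ACL/conduit checks,
! so no per-service static/conduit entries are needed for NT traffic
sysopt connection permit-ipsec

! Phase 2 proposal shared by both tunnel types (period PIX 6.x algorithms)
crypto ipsec transform-set strong esp-3des esp-md5-hmac

! Dynamic map for remote clients whose source address is not known in advance
crypto dynamic-map dynmap 10 set transform-set strong

! One crypto map, two entries: the static site-to-site entry takes the lower
! sequence number, the dynamic entry the higher one (evaluated last)
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address 101
crypto map outside_map 10 set peer 192.0.2.1
crypto map outside_map 10 set transform-set strong
crypto map outside_map 20 ipsec-isakmp dynamic dynmap
crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond
! Only one crypto map can be bound to an interface, hence the shared name
crypto map outside_map interface outside

! Phase 1 (ISAKMP) settings
isakmp enable outside
isakmp identity address
isakmp key PLACEHOLDER_L2L_KEY address 192.0.2.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Remote-client group: pushes the pool plus internal WINS/DNS servers so
! NetBIOS/domain name resolution works for dial-up users as it does over
! the LAN-to-LAN tunnel
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers dns-server 10.1.1.10
vpngroup remoteusers wins-server 10.1.1.10
vpngroup remoteusers default-domain example.com
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password PLACEHOLDER_GROUP_KEY
```

Two checks are worth making on a PIX configured this way: confirm with "show ip local pool" and the inside routing table that the client pool is not also used or routed internally, and confirm that "nat (inside) 0 access-list nonat" covers both the remote LAN and the client pool, since a missing exemption produces the same symptom (tunnel up, nothing reachable) as an overlapping pool. The 3DES/MD5 proposal reflects what PIX 6.x of that era offered; where the platform supports stronger algorithms, prefer them.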


