Cisco Support Community
Community Member

806 to pix 506 VPN

I have two sites both with 806 routers needing to connect back to a central office pix 506. I would like to set up a VPN from the sites to the central office using IPSEC 3des. The devices and pix are already upgraded to handle 3des. The remote sites (806) are connected to cable modems using DHCP for their WAN addresses. The central office and both remote sites have different internal private address schemes. I would like to have all non-VPN traffic flow to the internet bypassing the IPSEC tunnel. Both remote sites need full access to the central office's internal network. I'm not sure whether to use NAT or not for the VPN. Can someone assist? Possibly a sample config? I would also like to know if it's possible to route all remote traffic through the central office (including Internet traffic) for management. Thank you.

1 REPLY
Cisco Employee

Re: 806 to pix 506 VPN

If the 806's don't have a static IP address, then you can simply set the 506 up as though it's receiving connections from VPN clients. The access-list on the 806 will decide the traffic to be encrypted, so just add lines in the ACL for the particular traffic and everything else will go straight out onto the Internet unencrypted.

With a PIX at the head-end it is not possible to have traffic from one 806 site rerouted to the other 806 via the PIX. The PIX won't route a packet back out the same interface it came in on.

A sample config (sort of what you want to do) is here:

http://www.cisco.com/warp/public/110/dynamicpix.html

Your PIX will be configured like "Lion", although don't worry about the vpngroup stuff, that's for the VPN clients coming in which you don't need. The 806 routers will be configured just like a standard LAN-to-LAN tunnel, and the PIX will simply accept the connection and encrypt whatever the 806 tells it to. Note in this configuration (and any config where the IP address of the device may change), traffic will have to be initiated from behind the 806's for the tunnel to come up.
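
The layout described in the reply above, as an added configuration sketch that is not part of the original thread or of the linked Cisco document: one 806 with a crypto ACL that encrypts only site-to-central traffic, and a PIX that accepts the tunnel through a dynamic crypto map. All subnets, the peer address, the map and ACL names, the WAN interface name, the PIX 6.x syntax level and the NAT lines are assumptions; the key is a placeholder.

```cisco
!--- Constructed values: 10.1.1.0/24 = central LAN, 10.2.2.0/24 = one remote LAN,
!--- 192.0.2.1 = PIX outside address, <PRESHARED-KEY> = placeholder.
!
!--- ===== Remote 806 (IOS): standard LAN-to-LAN tunnel =====
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <PRESHARED-KEY> address 192.0.2.1
crypto ipsec transform-set VPNSET esp-3des esp-sha-hmac
crypto map TO-PIX 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set VPNSET
 match address 110
!--- WAN interface name is an assumption; the address comes from the cable modem.
interface Ethernet1
 ip address dhcp
 crypto map TO-PIX
!--- Crypto ACL: only remote LAN -> central LAN is encrypted.
!--- Anything not matched here leaves the WAN interface unencrypted.
access-list 110 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!--- Assumed NAT setup: translate Internet-bound traffic, exempt tunnel traffic.
access-list 120 deny   ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 120 permit ip 10.2.2.0 0.0.0.255 any
ip nat inside source list 120 interface Ethernet1 overload
!
!--- ===== Central PIX 506 (PIX OS 6.x syntax): accepts peers with unknown addresses =====
!--- No NAT for central LAN -> remote LAN (add one line per remote subnet).
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set VPNSET esp-3des esp-sha-hmac
!--- Dynamic map has no peer and no match address: the PIX takes
!--- the traffic selectors proposed by the 806.
crypto dynamic-map DYNMAP 10 set transform-set VPNSET
crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
crypto map VPNMAP interface outside
isakmp enable outside
!--- Wildcard key, because the 806 WAN addresses are assigned by DHCP.
isakmp key <PRESHARED-KEY> address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
```

The wildcard pre-shared key is accepted from any source address, so it should be long and random, and the ISAKMP policy and transform set must match on both ends.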
