I have implemented a site-to-site IPSec VPN for a client using two Pix 506E firewalls. IP traffic works fine, except for one detail. The "remote" side has a device which uses Bootp to obtain an IP and boot code from a host using TFTP. I have set DHCP relay on both 506E's, but it has not allowed the device to obtain an IP address and TFTP. I need the 506's to either pass Bootp, or locate a Bootp server that allows you to specify another host than the address issuer.
Only set the dhcp relay on the remote PIX, to forward the request from the remote client to the central PIX. Now, when the remote PIX forwards the DHCP packet, it is going to forward it from its outside interface address, so if you want this to be encrypted and go over the tunnel, you need to add this to the encryption ACL.
For example, let's say you have the following:
10.1.1.0/24 188.8.131.52 --- Internet --- 184.108.40.206 10.2.2.0/24
So your encryption ACL currently is specifying traffic from/to the 10.1.1.0 and the 10.2.2.0 networks. When a host on the 10.2.2.0 network sends a DHCP request, the Remote PIX will grab it and forward it on to the DHCP server on the 10.1.1.0 network, it will do this from the outside IP address of 220.127.116.11 though. So, if your current ACL looks like this:
access-list encrypt permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map mymap 10 match address encrypt
then you need to add the following:
access-list encrypt permit ip host 18.104.22.168 10.1.1.0 255.255.255.0
access-list nonat permit ip host 22.214.171.124 10.1.1.0 255.255.255.0
and then add the opposite on the HQ PIX and you should be good to go.
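As an added illustration (not part of the original thread), the following Python check models why the extra ACL line is needed: it parses PIX-style access-list entries and tests whether the relayed DHCP packet, sourced from the remote PIX outside address quoted above, is selected by the encrypt ACL before and after the fix. The DHCP server address 10.1.1.10 and the config strings are constructed for the example.

```python
import ipaddress


def _parse_addr(tokens, i):
    """Parse one PIX address spec at tokens[i]; return (network, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX access-lists use a subnet mask (not an IOS-style wildcard mask)
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(config_text):
    """Return {acl_name: [(action, src_net, dst_net), ...]} from access-list lines."""
    acls = {}
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[3] != "ip":
            continue  # only 'access-list NAME permit|deny ip SRC DST' is handled
        name, action = t[1], t[2]
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        acls.setdefault(name, []).append((action, src, dst))
    return acls


def acl_matches(entries, src_ip, dst_ip):
    """First-match semantics: True only if a permit entry selects the flow."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action == "permit"
    return False  # implicit deny: the flow is not selected for encryption


# Constructed config: the original ACLs from the post, then the added line
BASE = (
    "access-list encrypt permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0\n"
    "access-list nonat permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0\n"
)
FIX = (
    "access-list encrypt permit ip host 220.127.116.11 10.1.1.0 255.255.255.0\n"
    "access-list nonat permit ip host 220.127.116.11 10.1.1.0 255.255.255.0\n"
)
REMOTE_PIX_OUTSIDE = "220.127.116.11"  # outside address named in the answer
DHCP_SERVER = "10.1.1.10"              # constructed: a server on the HQ LAN


def relay_is_encrypted(config_text):
    """Does the encrypt ACL select the relayed DHCP packet (PIX outside -> server)?"""
    acls = parse_acl(config_text)
    return acl_matches(acls.get("encrypt", []), REMOTE_PIX_OUTSIDE, DHCP_SERVER)
```

Running `relay_is_encrypted(BASE)` returns False (the relayed request bypasses the tunnel), while `relay_is_encrypted(BASE + FIX)` returns True.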