I have the following questions before I apply the IPSec configuration to both PIXes:
1. The ACL for VPN Remote access traffic is:
access-list 102 permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
nat (inside) 0 access-list 102
The ACL for IPSec traffic is:
access-list 101 permit ip 192.168.100.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list 101
Should I use the same ACL number or a different ACL number on "nat (inside) 0" for both kinds of traffic?
2. Do I have to open any ports on both routers to let IPSec traffic through? And how?
3. What is the procedure to configure IPSec on both PIXes? Can I configure PIX1 first and then do IPSec on PIX2? Or do I have to finish the ISAKMP part on both PIXes first and then do the crypto part on both PIXes later?
4. Am I missing any important point when configuring the PIX for Site-to-Site VPN and Remote Access VPN?
Re: Configure PIX for Site-to-Site VPN and Remote Access VPN
1. You can have multiple nat (0) statements without issue.
2. "sysopt connection permit-ipsec" will magically allow all IPsec-related traffic to pass the ASA setup.
3. It really doesn't matter - just think about how you are doing it, though: how are you connecting to the 2 pixen? I recommend using SSH from a 3rd-party host that is not going to be included in the tunnel (meaning, won't be in a crypto ACL, etc.). This way, if you do something stupid (like writing your crypto ACL backwards, not that I could *possibly* speak from first-time experience ;-) ), you limit how much havoc you can cause and avoid cutting off your communication methods.
4. I can't think of anything in particular here. Maybe someone else can think of something.
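To tie the four answers together, here is a PIX 6.x-style configuration for PIX1 that puts both kinds of VPN traffic into a single NAT-exemption ACL, keeps the site-to-site crypto ACL separate, and relies on sysopt connection permit-ipsec instead of per-protocol holes in the outside ACL. This is an added example, not configuration from the thread or from the poster; the inside, pool and remote-site addresses come from the question, while the peer address 203.0.113.2, the ACL and map names (nonat, l2l, outside_map, dynmap), the transform-set, the vpngroup name and the pre-shared keys are assumptions or placeholders.

```cisco
! PIX1 (site A), PIX 6.x command syntax.  Added example, not from the thread.
! From the question: inside 192.168.100.0/24, remote-access pool 192.168.101.0/24,
! remote site 172.16.0.0/16.  Peer address and keys below are placeholders.

! --- NAT exemption: one ACL, one nat (inside) 0 statement, covering both
!     the remote-access pool and the site-to-site remote network.
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list nonat

! --- Crypto ACL for the site-to-site tunnel only.  Order matters:
!     local network as source, remote network as destination.
!     PIX2 needs the mirror image:
!       access-list l2l permit ip 172.16.0.0 255.255.0.0 192.168.100.0 255.255.255.0
access-list l2l permit ip 192.168.100.0 255.255.255.0 172.16.0.0 255.255.0.0

! --- Decrypted IPsec traffic bypasses the outside interface ACL, so no separate
!     permits for UDP/500, UDP/4500 or ESP are needed for the tunnels themselves.
sysopt connection permit-ipsec

! --- Phase 1 (ISAKMP).  3DES/SHA/group 2 are the strongest options this
!     platform generation offers; they are legacy by today's standards.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! The peer key carries no-xauth no-config-mode so the site-to-site peer is
! not prompted for Xauth or mode-config, which only the remote-access
! clients below should receive.  203.0.113.2 is a placeholder for PIX2's outside address.
isakmp key <PIX2-PRESHARED-KEY-PLACEHOLDER> address 203.0.113.2 netmask 255.255.255.255 no-xauth no-config-mode

! --- Phase 2 (IPsec), static entry for the site-to-site peer.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address l2l
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set strong

! --- Remote-access clients: address pool, group policy, dynamic map last in the
!     same crypto map so static site-to-site entries are matched first.
ip local pool vpnpool 192.168.101.1-192.168.101.254
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers password <GROUP-PRESHARED-KEY-PLACEHOLDER>
crypto dynamic-map dynmap 10 set transform-set strong
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map client configuration address respond
crypto map outside_map client authentication LOCAL

! --- Apply the map to the outside interface (do this last, from a management
!     host that is not inside any crypto ACL).
crypto map outside_map interface outside
```

The ordering question (point 3) matters less than the verification: once PIX2 carries the mirrored l2l ACL and the matching isakmp policy, transform-set and key, generate traffic between the two inside networks and confirm with show crypto isakmp sa (Phase 1 state) and show crypto ipsec sa (packet counters climbing in both directions). If the ISAKMP SA comes up but no IPsec SA forms, compare the two crypto ACLs first; a swapped source/destination is the usual cause. show access-list nonat confirms that the exempted traffic is actually hitting the NAT-exemption entries rather than being translated.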