
Newbie Pix to Pix hardware VPN

johns
Level 1

I have just finished the initial install of three new PIX 506Es at three different offices. I want to create a site-to-site VPN between the offices, but I am having some problems. I have worked with Cisco products for years, but never had to deal with VPNs. I set up a VPN with the PDN using the VPN Wizard, but it seems like it is missing something. Do I just need to set up the VPN, then add a static route to the internal network of the other PIX?

3 Replies

weales
Level 1

You may need to also add the access-lists to enable the traffic between remote networks.

I don't think you need to add the static route, however my experience is primarily with the ASA devices.

I wasn't sure about the static route. What I don't understand is how the PIX will know how to route the traffic from one network to the other (192.168.0.x to 10.10.0.x) over the VPN, since PIX A will not know the internal IP address of PIX B.

Hi John

You don't need a static route on your pix for the VPN to work.

When you create the VPN you create crypto access-lists which define which traffic on the pix needs to be encrypted, so in your example:

Pix A

access-list vpntraffic permit ip 192.168.0.0 255.255.255.0 10.10.0.0 255.255.255.0

Pix B

access-list vpntraffic permit ip 10.10.0.0 255.255.255.0 192.168.0.0 255.255.255.0

These access-lists tell the pix which traffic is to be encrypted. When a packet that matches this access-list is received, the pix encrypts it and then sends it to the remote peer IP address. In other words:

Pix A knows the remote address of Pix B's outside interface.

Pix A receives a packet destined for 10.10.0.x and sees that it needs to be encrypted. It encrypts it and then sends the packet to Pix B's outside interface.

Pix B decrypts the packet and forwards it on to the 10.10.0.x host.

If you cannot get your VPN working could you post the pix configs minus any sensitive information.

HTH

Jon
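To make the decision Jon describes concrete, here is an added example (not from the thread or from Cisco) that models how a PIX crypto access-list classifies a packet as "encrypt to the peer" or "route in the clear", and checks that the two peers' crypto ACLs mirror each other, which is a requirement for the tunnel's proxy identities to match. The ACL lines and the 198.51.100.9 address are constructed sample input.

```python
# Added example: models PIX 6.x crypto ACL matching and the mirror-image
# check between two site-to-site peers. Not code from the PIX or the thread.
from ipaddress import ip_address, ip_network


def parse_acl_line(line):
    """Parse 'access-list NAME permit ip SRC SMASK DST DMASK' (PIX 6.x style)."""
    f = line.split()
    if len(f) != 8 or f[0] != "access-list" or f[2] != "permit" or f[3] != "ip":
        raise ValueError(f"unsupported crypto ACL line: {line!r}")
    # PIX uses a netmask after each address; ip_network accepts 'net/mask'.
    src = ip_network(f"{f[4]}/{f[5]}", strict=True)
    dst = ip_network(f"{f[6]}/{f[7]}", strict=True)
    return src, dst


def classify(acl, src_ip, dst_ip):
    """'encrypt' if the packet matches an entry of the crypto ACL, else 'clear'.

    Matching traffic is handed to the crypto map and sent to the peer's
    outside address; everything else follows the ordinary routing table."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    return "encrypt" if any(s in src and d in dst for src, dst in acl) else "clear"


def acls_mirror(acl_a, acl_b):
    """True when every (src, dst) on peer A appears as (dst, src) on peer B
    and vice versa; asymmetric ACLs are a common cause of a tunnel that
    never comes up or only passes traffic in one direction."""
    return {(s, d) for s, d in acl_a} == {(d, s) for s, d in acl_b}


# Constructed sample: the two crypto ACLs from the reply, one per PIX.
PIX_A_ACL = [parse_acl_line(
    "access-list vpntraffic permit ip 192.168.0.0 255.255.255.0 10.10.0.0 255.255.255.0")]
PIX_B_ACL = [parse_acl_line(
    "access-list vpntraffic permit ip 10.10.0.0 255.255.255.0 192.168.0.0 255.255.255.0")]

if __name__ == "__main__":
    # Host on Pix A's LAN talking to Pix B's LAN: tunnelled, no static route needed.
    print(classify(PIX_A_ACL, "192.168.0.25", "10.10.0.7"))     # encrypt
    # Same host going to an Internet address: routed in the clear as usual.
    print(classify(PIX_A_ACL, "192.168.0.25", "198.51.100.9"))  # clear
    print(acls_mirror(PIX_A_ACL, PIX_B_ACL))                    # True
```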