New Member

Newbie Pix to Pix hardware VPN

I have just finished the initial install of three new PIX 506Es at three different offices. I want to create a site-to-site VPN between the office(s), but I am having some problems. I have worked with Cisco products for years, but never had to deal with VPNs. I set up a VPN with the PDN using the VPN Wizard, but it seems like it is missing something. Do I just need to set up the VPN, then add a static route to the internal network of the other PIX?

3 REPLIES
New Member

Re: Newbie Pix to Pix hardware VPN

You may need to also add the access-lists to enable the traffic between remote networks.

I don't think you need to add the static route, however my experience is primarily with the ASA devices.

New Member

Re: Newbie Pix to Pix hardware VPN

I wasn't sure about the static route. What I don't understand is how the PIX will know how to route the traffic from one network to the other (192.168.0.x to 10.10.0.x) over the VPN, since PIX A will not know the internal IP address of PIX B.

Hall of Fame Super Blue

Re: Newbie Pix to Pix hardware VPN

Hi John

You don't need a static route on your pix for the VPN to work.

When you create the VPN, you create crypto access-lists which define which traffic on the pix needs to be encrypted. So, in your example:

Pix A

access-list vpntraffic permit ip 192.168.0.0 255.255.255.0 10.10.0.0 255.255.255.0

Pix B

access-list vpntraffic permit ip 10.10.0.0 255.255.255.0 192.168.0.0 255.255.255.0

These access-lists tell the pix which traffic is to be encrypted. When a packet that matches this access-list is received, the pix encrypts it and then sends it to the remote peer IP address. In other words:

Pix A knows the remote address of Pix B's outside interface.

Pix A receives a packet destined for 10.10.0.x and sees that it needs to be encrypted. It encrypts it and then sends the packet to Pix B's outside interface.

Pix B decrypts the packet and forwards it on to the 10.10.0.x host.

If you cannot get your VPN working, could you post the pix configs minus any sensitive information?

HTH

Jon
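Jon's answer covers the crypto access-list; a working tunnel on PIX OS 6.x needs a few more lines around it, and the two that most often get left out after the wizard are the NAT exemption (so tunnel traffic is not PAT-translated before it is compared against the crypto ACL) and sysopt connection permit-ipsec (so decrypted traffic is not dropped by the outside interface ACL, which is the access-list issue the first reply mentions). The following is an added example configuration for Pix A; it is not Jon's configuration and is not taken from this thread. The peer address 203.0.113.2, the names vpnmap and strong, and the pre-shared-key placeholder are assumptions, and the AES settings assume PIX OS 6.3 or later (use 3des on older releases).

```cisco
! Added example for Pix A (inside 192.168.0.0/24), assumed peer Pix B outside 203.0.113.2
! Interesting traffic: what gets encrypted. Must be the exact mirror of Pix B's list.
access-list vpntraffic permit ip 192.168.0.0 255.255.255.0 10.10.0.0 255.255.255.0

! NAT exemption: tunnel traffic keeps its real source address so it still matches the crypto ACL
nat (inside) 0 access-list vpntraffic

! Let decrypted IPsec traffic bypass the outside interface access-list
sysopt connection permit-ipsec

! Phase 2 (IPsec) proposal
crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac

! Crypto map: ties the interesting-traffic ACL, the peer and the proposal together
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpntraffic
crypto map vpnmap 10 set peer 203.0.113.2
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside

! Phase 1 (ISAKMP/IKE) with a pre-shared key; replace the placeholder before use
isakmp enable outside
isakmp key PRESHARED-KEY-PLACEHOLDER address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Pix B gets the same block with the two networks swapped in the access-list and Pix A's outside address as the peer and key address. No static route for 10.10.0.0/24 is needed: the packet follows the default route towards the outside interface, the crypto map on that interface matches it against vpntraffic and encapsulates it to the peer. To confirm the tunnel, generate traffic between the two inside networks and check show crypto isakmp sa (phase 1 should be QM_IDLE) and show crypto ipsec sa (the pkts encaps/decaps counters should increase on both sides); a phase 1 that never forms usually means mismatched keys or policies, and a phase 2 that forms but passes nothing usually means the two crypto ACLs are not mirrors or the NAT exemption is missing.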
