I have just finished the initial install of three new Pix 506E's at three different offices. I want to create a site to site VPN between the office(s), but I am having some problems. I have worked with Cisco products for years, but never had to deal with VPN's. I setup the a VPN with the PDN using the VPN Wizard, but it seems like it is missing something. DO I just need to setup the VPN, then add a static route to the internal network of the other PIX?
I wasn't sure about the static route. What I don't understand is how the PIX will know how route the traffic from one network to the other (192.168.0.x to 10..10.0.x) over the VPN since PIX A will not know the internal IP address of PIX B.
You don't need a static route on your pix for the VPN to work.
When you create the VPN you create crypto access-lists which define which traffic on the pix needs to be encrypted so in your example
access-list vpntraffic permit ip 192.168.0.x 255.255.255.0 10.10.0.x 255.255.255.0
access-list vpntraffic permit ip 10.10.0.x 255.255.255.0 192.168.0.x 255.255.255.0
These access-lists tell the pix which traffic is to be encrypted. When a packet that matches this access-list is received the pix encrypts it and then sends it to the remote peer IP address. In other words
Pix A knows the remote address of Pix B's outside interface.
Pix A receives a packet destined for 10.10.0.x and sees that it needs to be encrypted. It encrypts it and then sends the packet to Pix B's outside interface.
Pix B decrypts the packet and forwards it on to the 10.10.0.x host.
If you cannot get your VPN working could you post the pix configs minus any sensitive information.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...