site-to-site VPN with multiple subnets on one side

augnevenok
Level 1

Hi,

Two Pix firewalls connected with a site-to-site VPN. PIX A has several subnets behind - A1, A2, A3.

Pix B has only one inside subnet. I need to access all subnets at Site A from Site B.

1. Do I need to include all Site A subnets into a crypto map on Pix B?

So it would be something like this:

access-list outside_20_cryptomap extended permit ip NetworkB NetworkA1

access-list outside_20_cryptomap extended permit ip NetworkB NetworkA2

access-list outside_20_cryptomap extended permit ip NetworkB NetworkA3

2. Do I have to add routes to A1, A2, A3 on Pix B?

route outside networkA1 Router_Behind_Pix_A

3. Will a separate IPSec SA be coming up for traffic from B to subnets A1, A2, A3 ?

4. What mode of IPSec would it be - transport or tunnel?

Thank you very much.

Regards,

Alex

2 Replies

augnevenok
Level 1

3. I think it should be a separate SA per ACL

4. it must be tunnel mode for site-to-site VPN

Jon Marshall
Hall of Fame

Alex

1) Yes you do. You include all subnets that you need to access.

2) No you don't. The crypto map access-list will match the traffic and know it has to be sent down the VPN tunnel. As long as traffic for site A subnets from site B ends up at Site B's pix, you don't need to add routes on site B's pix.

3) Each line in your crypto map access-list will create a separate SA.

4) Tunnel mode.

HTH
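For reference, here is what the two answers above look like as a complete pair of PIX 7.x configurations. This is an added example, not configuration from either poster; all addresses are constructed (Pix B outside 198.51.100.2 with inside 10.2.0.0/24, Pix A outside 203.0.113.1 with A1 = 10.1.1.0/24, A2 = 10.1.2.0/24, A3 = 10.1.3.0/24, and an internal router at 10.1.1.254 behind Pix A), the peer/ACL/map names and the pre-shared key are placeholders, and the proposal (AES-256/SHA, DH group 2) is just a sane choice, not something the thread specifies. Note the three points the configs illustrate: the crypto ACLs on the two peers are exact mirror images of each other, Pix B carries only a default route (no routes for A1/A2/A3), and the transform set is left in its default tunnel mode.

```cisco
! ===== PIX B (single inside subnet 10.2.0.0/24; outside 198.51.100.2) =====
! One crypto ACL line per remote subnet; each line yields its own IPSec SA pair
access-list outside_20_cryptomap extended permit ip 10.2.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.2.0.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.2.0.0 255.255.255.0 10.1.3.0 255.255.255.0
! NAT exemption so traffic to site A keeps its private source address
access-list inside_nat0_outbound extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
! Default route only: no per-subnet routes to A1/A2/A3 are needed, the crypto map
! diverts matching traffic into the tunnel once it reaches the outside interface
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
! Phase 2 proposal; mode is tunnel unless "mode transport" is added explicitly
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 203.0.113.1
crypto map outside_map 20 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside
! Phase 1 (ISAKMP) policy and LAN-to-LAN tunnel group keyed on the peer address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <PRE-SHARED-KEY-PLACEHOLDER>

! ===== PIX A (subnets A1/A2/A3; outside 203.0.113.1) =====
! Mirror image of Pix B's crypto ACL: source and destination swapped on every line
access-list outside_20_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.1.2.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.1.3.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
! A2 and A3 live behind an internal router (assumed 10.1.1.254), so THIS pix
! needs routes to them; A1 is assumed directly connected on the inside interface
route inside 10.1.2.0 255.255.255.0 10.1.1.254 1
route inside 10.1.3.0 255.255.255.0 10.1.1.254 1
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 198.51.100.2
crypto map outside_map 20 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key <PRE-SHARED-KEY-PLACEHOLDER>
```

After generating traffic from 10.2.0.0/24 to each of the three site A subnets, `show crypto ipsec sa` on either pix should list three separate entries, each with its own `local ident`/`remote ident` pair matching one ACL line, which is the per-line SA behaviour described in answer 3. If an SA comes up for A1 but not A2 or A3, the usual culprit is the ACLs not being exact mirror images or the nat 0 exemption not covering that subnet.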
