01-18-2007 03:16 AM - edited 02-21-2020 02:49 PM
Hi,
Two Pix firewalls connected with a site-to-site VPN. PIX A has several subnets behind - A1, A2, A3.
Pix B has only one inside subnet. I need to access all subnets at Site A from Site B.
1. Do I need to include all Site A subnets into a crypto map on Pix B?
So it would be something like this:
access-list outside_20_cryptomap extended permit ip NetworkB NetworkA1
access-list outside_20_cryptomap extended permit ip NetworkB NetworkA2
access-list outside_20_cryptomap extended permit ip NetworkB NetworkA3
2. Do I have to add routes to A1, A2, A3 on Pix B?
route outside networkA1 Router_Behind_Pix_A
3. Will a separate IPSec SA be coming up for traffic from B to subnets A1, A2, A3?
4. What mode of IPSec would it be - transport or tunnel?
Thank you very much.
Regards,
Alex
01-18-2007 04:31 AM
3. I think it should be a separate SA per ACL
4. it must be tunnel mode for site-to-site VPN
01-19-2007 04:43 AM
Alex
1) Yes you do. You include all subnets that you need to access.
2) No you don't. The crypto map access-list will match the traffic and know it has to be sent down the VPN tunnel. As long as traffic for Site A subnets from Site B ends up at Site B's pix, you don't need to add routes on Site B's pix.
3) Each line in your crypto map access-list will create a separate SA.
4) Tunnel mode.
HTH
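Putting the four answers above into one Site B configuration (PIX 7.x syntax), as an added illustration that is not part of the original thread: every address, object name and the pre-shared-key placeholder is made up, with 10.2.0.0/24 standing in for Site B, 10.1.1.0/24 to 10.1.3.0/24 for A1 to A3, and 203.0.113.1 for Pix A's outside address.

```cisco
! Site B PIX (7.x syntax) - hypothetical addresses, added example, not from the thread
! Site B inside: 10.2.0.0/24   Site A subnets: A1 10.1.1.0/24, A2 10.1.2.0/24, A3 10.1.3.0/24
! Pix A outside: 203.0.113.1   Pix B default gateway: 203.0.113.254

! Answer 1: one ACE per remote subnet you need to reach
! Answer 3: each ACE negotiates its own IPsec SA pair
access-list outside_20_cryptomap extended permit ip 10.2.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.2.0.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.2.0.0 255.255.255.0 10.1.3.0 255.255.255.0

! Exempt the same flows from NAT so they enter the tunnel with their real addresses
! (10.1.0.0/16 covers A1, A2 and A3 in this made-up addressing)
access-list inside_nat0_outbound extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound

! Answer 2: no per-subnet routes. The default route delivers A1-A3 traffic to the
! outside interface, where the crypto map matches it and sends it down the tunnel.
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1

! Phase 1 (IKE) towards Pix A's outside address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <shared-secret-placeholder>

! Answer 4: the transform set defaults to tunnel mode, which is what a
! site-to-site (LAN-to-LAN) VPN uses
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 203.0.113.1
crypto map outside_map 20 set transform-set ESP-AES-SHA
crypto map outside_map interface outside

! Pix A must carry the mirror image: three ACEs with source 10.1.x.0/24 and
! destination 10.2.0.0/24, otherwise the per-subnet SAs will not negotiate
```

Once traffic has flowed to each of the three subnets, `show crypto ipsec sa` on Pix B should list one SA pair per ACE, which is the direct check for answer 3 (and `show crypto isakmp sa` confirms the single phase 1 SA they all share).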