Cisco Support Community

New Member

VPN/IPSec L2L - Question?!

Hi!

I was recently doing some troubleshooting on a VPN/IPSec Lan-to-Lan connection between a Cisco PIX515E and a Linux firewall. My question is regarding the configuration and not the problem itself.

The interesting traffic (traffic to be encrypted) defined and configured is the local PIX LAN (inside) and the remote public IP?! Which means that the IKE peer and the remote interesting IP/LAN are the same... and it works!!!

Any ideas?

Thanks,

JP

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: VPN/IPSec L2L - Question?!

As long as you source the packet from the PIX LAN to the remote public IP, the tunnel will work fine, and it is working :-)

So, if you really look at the flow of traffic, you are sourcing the traffic from the PIX LAN destined to the remote public IP, which matches the access-list defined. So, the PIX knows that it has to encrypt the traffic and now looks for the crypto endpoints (PIX outside IP to remote public IP) and sends the encrypted packets. So, this setup will work fine.

In fact, the PIX will not allow telnet to its outside interface unless the traffic comes through an IPsec tunnel, and this was one of the setups that gave telnet access to the outside interface of the PIX, that is, LAN to public IP of the PIX across an IPsec tunnel.

Regards,

Arul

** Please rate all helpful posts **
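The setup described in the thread, as an added PIX 6.x configuration example (not posted by either participant): the crypto ACL destination is the Linux peer's own public address, and that same address is the `set peer` of the crypto map, so the "remote interesting traffic" and the IKE peer coincide. The networks 192.168.1.0/24 (PIX inside) and 203.0.113.10 (Linux firewall public IP) are constructed placeholders.

```cisco
! Constructed example: inside LAN 192.168.1.0/24, remote peer 203.0.113.10
! Interesting traffic: PIX LAN -> the peer's public IP itself (host entry)
access-list l2l-crypto permit ip 192.168.1.0 255.255.255.0 host 203.0.113.10

! Exempt the same flow from NAT so the real inside addresses enter the tunnel
nat (inside) 0 access-list l2l-crypto

! Phase 2: what is matched and how it is protected
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address l2l-crypto
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

! Phase 1: the IKE peer is the same 203.0.113.10 that appears in the ACL
isakmp enable outside
isakmp key <pre-shared-key-placeholder> address 203.0.113.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Let decrypted tunnel traffic bypass the outside interface ACL check
sysopt connection permit-ipsec
```

After bringing the tunnel up from an inside host, `show crypto ipsec sa` should list the local ident as 192.168.1.0/255.255.255.0 and the remote ident as 203.0.113.10/255.255.255.255, confirming that the SA was negotiated for the LAN-to-peer-address selector rather than a LAN-to-LAN one.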

