332 Views | 0 Helpful | 2 Replies

Does the PIX interface need to be in the encryption domain?

mmedwid
Level 3

I was trying to implement a PIX-to-PIX LAN-to-LAN tunnel over the weekend. I found traffic in one direction was encrypting/decrypting ok. But the reply packets were not getting encrypted. Hoping to avoid labbing this out by asking a question here. Does the inside interface of the PIX need to be included in the encryption domain of the tunnel to be established? For example, on PIX B the encryption domain is defined as, say:

access-list 110 permit ip 210.1.108.0 255.255.252.0 10.0.0.0 255.0.0.0

But the inside interface of this PIX had an address of 10.50.1.2, and the 210.1.108.0/22 hosts were one hop away, separated by another PIX.

Normally when I have set up PIX LAN-to-LAN tunnels it has been a remote office with just one VLAN, whereby the inside interface of the PIX is part of the VLAN/subnet.

Thanks for any thoughts on this.

2 Replies

Thanks for the example. That example is of the more common situation where the interface belongs to the subnet of the defined encryption domain. And that I've implemented fine dozens of times. If you look at the graphic - the Maui router 01, say - you would have a subnet, say 192.168.100.0/24, behind a router with one interface on the 10.1.1.x network and the other on the 192.168.100.x. Then there would be a mirror situation on the other site - say 192.168.101.x behind the 172.16.1.x network. The encryption domain would say "encrypt all traffic from 192.168.100.x to 192.168.101.x".

I'll get around to labbing this out one of these days. For our production I punted and changed the topology to include the interface in the encryption domain and that got the traffic encrypting.
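The question in the original post and the "mirror situation" in the follow-up both come down to how a PIX crypto ACL classifies a flow: the ACL names local source networks and remote destination networks with subnet masks, the peer must carry the mirror image, and a reply is only interesting traffic if it matches the peer's ACL in the reverse direction. The following Python is an added example written for this thread, not code from the poster or from Cisco; it parses the access-list line quoted above, checks forward and reply flows against the ACL and its mirror, and also reports any local interface address that falls inside a remote (destination) network of the ACL. The peer's ACL, the sample host addresses, and the flagging rule are assumptions constructed for the demonstration; the check reports overlap only, it does not claim to diagnose the poster's outage.

```python
import ipaddress

# Crypto ACL from the original post (PIX syntax: subnet masks, not wildcard masks).
PIX_B_ACL_TEXT = """
access-list 110 permit ip 210.1.108.0 255.255.252.0 10.0.0.0 255.0.0.0
"""

# Inside interface address of PIX B, as stated in the post.
PIX_B_INSIDE_IF = "10.50.1.2"


def _take_addr(tok):
    """Consume one PIX address specifier (any | host A | A MASK) from a token list."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # PIX writes a dotted subnet mask, which ipaddress accepts directly.
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]


def parse_pix_acl(text):
    """Return [(action, protocol, src_network, dst_network), ...] in listed order."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        src, rest = _take_addr(tok[4:])
        dst, _ = _take_addr(rest)
        entries.append((action, proto, src, dst))
    return entries


def is_interesting(acl, src_ip, dst_ip):
    """First-match evaluation: True if the flow would be selected for encryption."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, _proto, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False  # implicit deny: traffic stays in the clear


def mirror_acl(acl):
    """The ACL the peer must carry: source and destination swapped."""
    return [(a, p, dst, src) for a, p, src, dst in acl]


def overlapping_interfaces(acl, interface_ips):
    """Local interface addresses that sit inside a remote (destination) network of a permit entry."""
    flagged = []
    for ip in interface_ips:
        addr = ipaddress.ip_address(ip)
        if any(a == "permit" and addr in dst for a, _p, _s, dst in acl):
            flagged.append(ip)
    return flagged


if __name__ == "__main__":
    pix_b = parse_pix_acl(PIX_B_ACL_TEXT)
    pix_a = mirror_acl(pix_b)  # assumed peer configuration, constructed here
    fwd = ("210.1.108.10", "10.1.2.3")  # constructed sample hosts
    rev = (fwd[1], fwd[0])
    print("PIX B, forward flow interesting:", is_interesting(pix_b, *fwd))
    print("PIX A (mirror), reply flow interesting:", is_interesting(pix_a, *rev))
    print("PIX B, reply flow as seen outbound:", is_interesting(pix_b, *rev))
    print("interfaces inside a remote network:", overlapping_interfaces(pix_b, [PIX_B_INSIDE_IF]))
```

Run as a script it shows that the forward flow matches on PIX B, that the reply only matches on the peer once the peer's ACL is the exact mirror, and that 10.50.1.2 lies inside 10.0.0.0/8, the remote side of PIX B's own ACL. When the two ACLs are not mirror images, is_interesting() returning False for the reply on the peer is what "reply packets not getting encrypted" looks like in this model.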
