I was trying to implement a PIX-to-PIX LAN-to-LAN tunnel over the weekend. I found traffic in one direction was encrypting/decrypting OK, but the reply packets were not getting encrypted. Hoping to avoid labbing this out by asking a question here. Does the inside interface of the PIX need to be included in the encryption domain of the tunnel to be established? For example, on PIX B the encryption domain is defined as, say:
access-list 110 permit ip 18.104.22.168 255.255.252.0 10.0.0.0 255.0.0.0
But the inside interface of this PIX had an address of 10.50.1.2, and the 22.214.171.124/22 hosts were one hop away, separated by another PIX.
Normally when I have set up the PIX LAN-to-LAN tunnels it has been a remote office with just one VLAN, whereby the inside interface of the PIX is part of the VLAN/subnet.
Thanks for the example. That example is of the more common situation where the interface belongs to the subnet of the defined encryption domain, and that I've implemented fine dozens of times. If you look at the graphic (the Maui router 01, say) you would have a subnet, say 192.168.100.0/24, behind a router with one interface on the 10.1.1.x network and the other on the 192.168.100.x. Then there would be a mirror situation on the other site, say 192.168.101.x behind the 172.16.1.x network. The encryption domain would say "encrypt all traffic from 192.168.100.x to 192.168.101.x".
I'll get around to labbing this out one of these days. For our production I punted and changed the topology to include the interface in the encryption domain and that got the traffic encrypting.
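An added example (not code from the thread) that models the crypto ACL quoted above and checks which flows it selects for encryption in each direction. It parses the poster's PIX B entry, derives the mirror-image entry the peer PIX needs, and shows why traffic sourced from the 10.50.1.2 inside interface (from the post) falls outside the encryption domain; the host addresses 18.104.21.10 and 10.1.1.5 are constructed for the demonstration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed example, not from the original thread. PIX access-lists use
# real subnet masks (not IOS wildcard masks), so "255.255.252.0" is a /22.
ACL_RE = re.compile(
    r"access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)


@dataclass(frozen=True)
class CryptoAce:
    name: str
    local: ipaddress.IPv4Network   # source side, as traffic leaves this PIX
    remote: ipaddress.IPv4Network  # destination side, across the tunnel

    @classmethod
    def parse(cls, line: str) -> "CryptoAce":
        m = ACL_RE.match(line.strip())
        if not m:
            raise ValueError(f"not a 'permit ip' entry: {line!r}")
        name, src, smask, dst, dmask = m.groups()
        # strict=False tolerates a host address written where a network
        # address belongs: 18.104.22.168/22 normalises to 18.104.20.0/22.
        return cls(name,
                   ipaddress.IPv4Network((src, smask), strict=False),
                   ipaddress.IPv4Network((dst, dmask), strict=False))

    def selects(self, src: str, dst: str) -> bool:
        """True if a packet src->dst leaving this PIX would be encrypted."""
        return (ipaddress.IPv4Address(src) in self.local
                and ipaddress.IPv4Address(dst) in self.remote)

    def mirror(self) -> "CryptoAce":
        """The mirror-image entry the peer PIX needs for its replies."""
        return CryptoAce(self.name, self.remote, self.local)


def check_flow(ace: CryptoAce, src: str, dst: str) -> dict:
    """Evaluate the request on this PIX and the reply on the peer PIX."""
    return {
        "request_encrypted": ace.selects(src, dst),
        "reply_encrypted": ace.mirror().selects(dst, src),
    }


# The crypto ACL quoted in the post for PIX B.
PIX_B_ACE = CryptoAce.parse(
    "access-list 110 permit ip 18.104.22.168 255.255.252.0 10.0.0.0 255.0.0.0")

if __name__ == "__main__":
    print(check_flow(PIX_B_ACE, "18.104.21.10", "10.1.1.5"))  # both True
    print(check_flow(PIX_B_ACE, "10.50.1.2", "10.1.1.5"))     # both False
```

Running the same check against the peer's own ACL (rather than the computed mirror) is the quickest way to spot a non-mirrored encryption domain, which shows up exactly as one-way encryption.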