Cisco Support Community

New Member

Pix interface need to be in encryption domain?

I was trying to implement a Pix-to-Pix LAN-to-LAN tunnel over the weekend. I found traffic in one direction was encrypting/decrypting OK, but the reply packets were not getting encrypted. Hoping to avoid labbing this out by asking a question here. Does the inside interface of the Pix need to be included in the encryption domain for the tunnel to be established? For example, on Pix B the encryption domain is defined as, say:

access-list 110 permit ip

But the inside interface of this Pix had an address of and the hosts were one hop away separated by another Pix.

Normally when I have set up the Pix LAN-to-LAN tunnels it has been a remote office with just one VLAN, whereby the inside interface of the Pix is part of the VLAN/subnet.

Thanks for any thoughts on this.


Re: Pix interface need to be in encryption domain?

New Member

Re: Pix interface need to be in encryption domain?

Thanks for the example. That example is of the more common situation where the interface belongs to the subnet of the defined encryption domain, and that I've implemented fine dozens of times. If you look at the graphic - the Maui router 01, say - you would have a subnet, say, behind a router with one interface on the 10.1.1.x network and the other on the 192.168.100.x. Then there would be a mirror situation on the other site - say 192.168.101.x behind the 172.16.1.x network. The encryption domain would say "encrypt all traffic from 192.168.100.x to 192.168.101.x".

I'll get around to labbing this out one of these days. For our production I punted and changed the topology to include the interface in the encryption domain and that got the traffic encrypting.
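Added example (not from this thread or from Cisco): a small Python model of the "encryption domain" as a crypto ACL, checking that a flow and its reply both match on their respective Pixes and that the two ACLs are mirror images. All addresses are constructed sample values based on the ranges quoted in the reply above; the mismatch case is one constructed way the "one direction only" symptom can arise, not a claim about the poster's actual config.

```python
import ipaddress
from typing import Dict, List, Tuple

# A crypto ACL ("encryption domain") modelled as a list of permit entries,
# each (source network, destination network). All addresses below are
# constructed sample values based on the ranges quoted in the thread.
CryptoAcl = List[Tuple[str, str]]


def matches(acl: CryptoAcl, src: str, dst: str) -> bool:
    """True if a packet src->dst is selected for IPsec by this crypto ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn)
               for sn, dn in acl)


def mirror(acl: CryptoAcl) -> CryptoAcl:
    """The peer's crypto ACL should be the mirror image: swap src and dst."""
    return [(dn, sn) for sn, dn in acl]


def is_mirror_pair(acl_a: CryptoAcl, acl_b: CryptoAcl) -> bool:
    """Check that the two Pixes' encryption domains are exact mirror images."""
    return sorted(mirror(acl_a)) == sorted(acl_b)


def flow_protection(acl_a: CryptoAcl, acl_b: CryptoAcl,
                    src: str, dst: str) -> Dict[str, bool]:
    """Report whether the forward packet (leaving Pix A) and its reply
    (leaving Pix B) each match the local crypto ACL. A flow is only fully
    protected when both are True; a False reply is the 'encrypted in one
    direction only' symptom described in the question."""
    return {
        "forward_encrypted": matches(acl_a, src, dst),
        "reply_encrypted": matches(acl_b, dst, src),
        "acls_mirrored": is_mirror_pair(acl_a, acl_b),
    }


# Working case: both host subnets are inside the encryption domain.
PIX_A_ACL: CryptoAcl = [("192.168.100.0/24", "192.168.101.0/24")]
PIX_B_ACL: CryptoAcl = mirror(PIX_A_ACL)

# Constructed mismatch: Pix B's ACL names its own transit subnet (172.16.1.x,
# the network its inside interface sits on) instead of the host subnet one
# hop behind it, so replies from 192.168.101.x hosts never match the ACL.
PIX_B_BAD_ACL: CryptoAcl = [("172.16.1.0/24", "192.168.100.0/24")]

if __name__ == "__main__":
    print(flow_protection(PIX_A_ACL, PIX_B_ACL, "192.168.100.10", "192.168.101.20"))
    print(flow_protection(PIX_A_ACL, PIX_B_BAD_ACL, "192.168.100.10", "192.168.101.20"))
```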
