Re: [fw-wiz] PIX to Router IPSec
From: Brian Ford (brford_at_cisco.com)
To: email@example.com
Date: Wed, 09 Jun 2004 13:12:17 -0400
The most important concept in IPSec VPN implementation is staying focused
on creating a tunnel from interface to interface. If IP traffic can get
from point A to point B for a variety of ports (a ping tool that allows IP
port selection is a good thing); forget about the intermediate hops.
Many PIX users stumble over one of two common issues.
#1 - Your ACLs that define traffic selection and forwarding on either side
of the VPN have to match. They can't be close. They have to match.
#2 - don't try to re-use an ACL that you built for something else on the
PIX in order to match VPN. Even if it is a near duplicate ACL; make sure
that a VPN ACL is in there.
CLI is great. PDM (PIX Device Manager - GUI) is good for configuring (via
menus) and troubleshooting (it shows you recent Syslog) VPN connectivity.
Hope this helps.
Liberty for All,
At 07:33 AM 6/8/2004 -0400, firstname.lastname@example.org wrote:
>Date: Mon, 7 Jun 2004 16:17:41 -0700 (PDT)
>Subject: [fw-wiz] PIX to Router IPSec
>Need some advice on the following:
>I'm going to establish a PIX to Router IPSec tunnel between two locations.
> The PIX has a public IP and a private IP, and the router has two public
>I'm having trouble wrapping my mind around this. Since the router has
>public IPs, I will need to pass the traffic to another PIX that sits
>behind the router, since that second PIX has a public IP and a private IP.
> Is this making any sense? Or is what I'm trying to do not possible? If
>worse comes to worse, I can just go from PIX to PIX.
Consulting Engineer, Security & Integrity Specialist
Office of Strategic Technology Planning
Cisco Systems Inc.
The opinions expressed in this message are those of the author and not
necessarily those of Cisco Systems, Inc.
This email address is transmitted from San Jose, California, U.S.A.
firewall-wizards mailing list
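
Added example (not part of the original message, and not Cisco tooling): a small Python check for issue #1 above. It normalizes a PIX crypto ACL (subnet masks) and an IOS router crypto ACL (wildcard masks) and reports entries that lack an exact mirror on the other side. The configs, the ACL names "VPN" and "110", and the function names are constructed for illustration; only entries without port operators are handled.

```python
import ipaddress

# Constructed sample configs (not from the original post).
PIX_CFG = """\
access-list VPN permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN permit ip 10.1.1.0 255.255.255.0 10.2.3.0 255.255.255.0
"""
IOS_CFG = """\
access-list 110 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 permit ip 10.2.0.0 0.0.255.255 10.1.1.0 0.0.0.255
"""

def _take_addr(tokens, wildcard):
    """Consume one address spec (any | host A | A MASK) and return a network."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    bits = int(ipaddress.IPv4Address(tokens.pop(0)))
    if wildcard:                      # IOS wildcard mask: invert to a netmask
        bits ^= 0xFFFFFFFF
    prefix = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous mask")
    return ipaddress.ip_network(f"{first}/{prefix}", strict=False)

def parse_acl(config, name, wildcard):
    """Return the set of (action, proto, src, dst) entries of ACL `name`."""
    entries = set()
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[:2] != ["access-list", name]:
            continue
        rest = t[4:]
        src, dst = _take_addr(rest, wildcard), _take_addr(rest, wildcard)
        if rest:
            raise ValueError(f"unsupported trailing tokens: {line!r}")
        entries.add((t[2], t[3], src, dst))
    return entries

def mirror_mismatches(pix_cfg, pix_acl, ios_cfg, ios_acl):
    """Entries on the PIX with no exact mirror on the router, and vice versa."""
    pix = parse_acl(pix_cfg, pix_acl, wildcard=False)
    # Swap src/dst so router entries are expressed from the PIX's side.
    ios = {(a, p, d, s) for a, p, s, d in parse_acl(ios_cfg, ios_acl, True)}
    fmt = lambda e: f"{e[0]} {e[1]} {e[2]} -> {e[3]}"
    return sorted(map(fmt, pix - ios)), sorted(map(fmt, ios - pix))

if __name__ == "__main__":
    print(mirror_mismatches(PIX_CFG, "VPN", IOS_CFG, "110"))
```

In the sample, the second router entry covers 10.2.0.0/16 where the PIX has 10.2.3.0/24: close, but not a match, so both lines are reported.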