Re: [fw-wiz] PIX to Router IPSec

From: Brian Ford (
Date: 06/09/04

  • Next message: Vin McLellan: "[fw-wiz] Re: Home/SOHO "Firewall" Routers"
    Date: Wed, 09 Jun 2004 13:12:17 -0400


    The most important concept in IPSec VPN implementation is staying focused
    on creating a tunnel from interface to interface. If IP traffic can get
    from point A to point B for a variety of ports (a ping tool that allows IP
    port selection is a good thing), forget about the intermediate hops.

    Many PIX users stumble over one of two common issues.

    #1 - Your ACLs that define traffic selection and forwarding on either side
    of the VPN have to match. They can't be close. They have to match.

    #2 - Don't try to re-use an ACL that you built for something else on the
    PIX in order to match VPN traffic. Even if it is a near duplicate ACL, make
    sure that a VPN ACL is in there.

    CLI is great. PDM (PIX Device Manager - GUI) is good for configuring (via
    menus) and troubleshooting (it shows you recent Syslog) VPN connectivity.

    Hope this helps.

    Liberty for All,


    At 07:33 AM 6/8/2004 -0400, wrote:
    >Date: Mon, 7 Jun 2004 16:17:41 -0700 (PDT)
    >Subject: [fw-wiz] PIX to Router IPSec
    >Need some advice on the following:
    >I'm going to establish a PIX to Router IPSec tunnel between two locations.
    > The PIX has a public IP and a private IP, and the router has two public
    >I'm having trouble wrapping my mind around this. Since the router has
    >public IPs, I will need to pass the traffic to another PIX that sits
    >behind the router, since that second PIX has a public IP and a private IP.
    > Is this making any sense? Or is what I'm trying to do not possible? If
    >worse comes to worse, I can just go from PIX to PIX.

    Brian Ford
    Consulting Engineer, Security & Integrity Specialist
    Office of Strategic Technology Planning
    Cisco Systems Inc.

    The opinions expressed in this message are those of the author and not
    necessarily those of Cisco Systems, Inc.

    This email address is transmitted from San Jose, California, U.S.A.

    firewall-wizards mailing list
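Brian's two points (the crypto ACLs on the two sides must be exact mirror images, and the ACL should be dedicated to selecting VPN traffic) can be checked mechanically before the tunnel is brought up. The script below is an added example, not code from the original post or from Cisco: it reads the "permit ip" entries of a named PIX ACL (subnet masks) and a numbered IOS ACL (wildcard masks), and reports every entry that has no partner on the other side with source and destination swapped. The ACL names, addresses and configuration lines are constructed for illustration; the "as posted" router ACL is deliberately close-but-wrong (a /24 where the PIX lists a single host) and the "corrected" one is an exact mirror.

```python
"""Check that the IPsec crypto ACLs on a PIX and an IOS router mirror each other.

Added example, not code from the original post or from Cisco.  The PIX side
uses subnet masks, the IOS side uses wildcard masks, and every 'permit ip'
entry on one side must appear on the other with source and destination
swapped.  Entries without a mirrored partner are reported.
"""
import ipaddress

# Constructed sample configs (hypothetical ACL names and addresses).
PIX_CONFIG = """
access-list vpn-to-branch permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list vpn-to-branch permit ip 10.1.0.0 255.255.0.0 host 10.2.50.5
crypto map outside_map 10 match address vpn-to-branch
"""

# Router ACL that is "close" to the PIX one: the second entry covers a /24
# instead of the single host, so the two sides will not agree.
ROUTER_CONFIG = """
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 101 permit ip 10.2.50.0 0.0.0.255 10.1.0.0 0.0.255.255
crypto map branch-map 10 ipsec-isakmp
 match address 101
"""

# Corrected router ACL: an exact mirror of the PIX ACL.
ROUTER_CONFIG_FIXED = """
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 101 permit ip host 10.2.50.5 10.1.0.0 0.0.255.255
"""


def _wildcard_to_netmask(wildcard):
    """Invert an IOS wildcard mask (0 bits significant) into a subnet mask."""
    bits = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ bits))


def _parse_address(tokens, wildcard):
    """Consume one address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, mask = tokens[0], tokens[1]
    if wildcard:
        mask = _wildcard_to_netmask(mask)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_crypto_acl(config_text, acl_name, wildcard):
    """Return the (src, dst) network pairs of one ACL's 'permit ip' entries.

    wildcard=False reads PIX subnet masks, wildcard=True reads IOS wildcard
    masks.  Anything other than a plain 'permit ip' entry is rejected: a
    crypto ACL should be dedicated to selecting VPN traffic, not borrowed
    from a filtering ACL with deny lines or port matches.
    """
    entries = []
    for raw in config_text.splitlines():
        tokens = raw.split()
        if len(tokens) < 3 or tokens[0] != "access-list" or tokens[1] != acl_name:
            continue
        if tokens[2] == "remark":
            continue
        if len(tokens) < 6 or tokens[2:4] != ["permit", "ip"]:
            raise ValueError("not a plain crypto ACL entry: " + raw.strip())
        src, rest = _parse_address(tokens[4:], wildcard)
        dst, rest = _parse_address(rest, wildcard)
        if rest:
            raise ValueError("unexpected trailing keywords: " + raw.strip())
        entries.append((src, dst))
    return entries


def mirror_mismatches(pix_entries, router_entries):
    """Return (PIX entries with no mirror on the router, router entries with no mirror on the PIX)."""
    pix_set, router_set = set(pix_entries), set(router_entries)
    missing_on_router = [(s, d) for s, d in pix_entries if (d, s) not in router_set]
    missing_on_pix = [(s, d) for s, d in router_entries if (d, s) not in pix_set]
    return missing_on_router, missing_on_pix


def check(pix_config, router_config, pix_acl, router_acl):
    """Parse both crypto ACLs and report the entries that do not mirror."""
    pix_entries = parse_crypto_acl(pix_config, pix_acl, wildcard=False)
    router_entries = parse_crypto_acl(router_config, router_acl, wildcard=True)
    return mirror_mismatches(pix_entries, router_entries)


if __name__ == "__main__":
    for label, cfg in (("as posted", ROUTER_CONFIG), ("corrected", ROUTER_CONFIG_FIXED)):
        on_router, on_pix = check(PIX_CONFIG, cfg, "vpn-to-branch", "101")
        print(f"router ACL {label}:")
        for s, d in on_router:
            print(f"  PIX entry {s} -> {d} has no mirror on the router")
        for s, d in on_pix:
            print(f"  router entry {s} -> {d} has no mirror on the PIX")
        if not on_router and not on_pix:
            print("  ACLs mirror exactly")
```

The check compares networks, not text, so the PIX netmask form and the IOS wildcard form of the same prefix compare equal; what it will not forgive is a wider or narrower prefix on one side, which is exactly the "close but not matching" case. It only looks at address selection; it does not verify that the crypto map on each side actually references the ACL being compared.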
