Re: [fw-wiz] PIX to Router IPSec

From: Brian Ford (brford_at_cisco.com)
Date: 06/09/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Wed, 09 Jun 2004 13:12:17 -0400
    
    

    Tony,

    The most important concept in IPSec VPN implementation is staying focused
    on creating a tunnel from interface to interface. If IP traffic can get
    from point A to point B for a variety of ports (a ping tool that allows IP
    port selection is a good thing), forget about the intermediate hops.

    Many PIX users stumble over one of two common issues.

    #1 - Your ACLs that define traffic selection and forwarding on either side
    on the VPN have to match. They can't be close. They have to match.

    #2 - Don't try to re-use an ACL that you built for something else on the
    PIX in order to match VPN. Even if it is a near duplicate ACL, make sure
    that a VPN ACL is in there.

    CLI is great. PDM (PIX Device Manager - GUI) is good for configuring (via
    menus) and troubleshooting (it shows you recent Syslog) VPN connectivity.

    Hope this helps.

    Liberty for All,

    Brian

    At 07:33 AM 6/8/2004 -0400, firewall-wizards-request@honor.icsalabs.com wrote:
    >Date: Mon, 7 Jun 2004 16:17:41 -0700 (PDT)
    >From: ghideon@ghideon.com
    >To: firewall-wizards@honor.icsalabs.com
    >Subject: [fw-wiz] PIX to Router IPSec
    >
    >Need some advice on the following:
    >
    >I'm going to establish a PIX to Router IPSec tunnel between two locations.
    > The PIX has a public IP and a private IP, and the router has two public
    >IPs.
    >
    >I'm having trouble wrapping my mind around this. Since the router has
    >public IPs, I will need to pass the traffic to another PIX that sits
    >behind the router, since that second PIX has a public IP and a private IP.
    > Is this making any sense? Or is what I'm trying to do not possible? If
    >worse comes to worse, I can just go from PIX to PIX.
    >
    >Thanks
    >Tony

    Brian Ford
    Consulting Engineer, Security & Integrity Specialist
    Office of Strategic Technology Planning
    Cisco Systems Inc.
    http://www.cisco.com/go/safe/

    The opinions expressed in this message are those of the author and not
    necessarily those of Cisco Systems, Inc.

    This email address is transmitted from San Jose, California, U.S.A.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
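Brian's point #1 (the crypto ACLs on both ends have to be exact mirror images, not merely close) and point #2 (use a dedicated VPN ACL, selected by name) can be checked mechanically before a tunnel is ever brought up. The following script is an added example and is not part of the original list post or of any Cisco tool. It assumes PIX 6.x-style `access-list NAME permit ip ...` lines with subnet masks on the PIX side and IOS extended `access-list NUMBER permit ip ...` lines with wildcard masks on the router side; the two configuration snippets, the ACL names `VPN_TO_ROUTER`, `NONAT` and `110`, and every address in them are constructed for the example.

```python
"""Check that the crypto ACLs on a PIX and a router are exact mirror images.

Added example, not from the mailing-list post. Assumptions: PIX 6.x ACL
syntax (subnet masks) on one side, IOS extended ACL syntax (wildcard masks)
on the other. Both are normalised into (source network, destination network)
pairs so they can be compared exactly.
"""
import ipaddress

# --- constructed sample configurations (not from any real device) ---------
PIX_CONFIG = """\
access-list VPN_TO_ROUTER permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list VPN_TO_ROUTER permit ip host 192.168.1.50 host 10.20.0.5
access-list NONAT permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
"""

# The router side is "close": the second line covers a whole /24 instead of
# mirroring the PIX's host-to-host entry.
ROUTER_CONFIG = """\
access-list 110 permit ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 10.20.0.0 0.0.0.255 192.168.1.0 0.0.0.255
"""


def _endpoint(tokens, i, wildcard):
    """Parse one ACL endpoint starting at tokens[i]: 'any', 'host X' or 'X MASK'.

    Returns (network, index of the next unread token). IOS wildcard masks are
    inverted explicitly: ipaddress would read a wildcard of 0.0.0.0 as a valid
    *netmask* (/0) instead of a single host, so the library's own hostmask
    support cannot be relied on for this.
    """
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    mask = tokens[i + 1]
    if wildcard:
        inverted = (~int(ipaddress.IPv4Address(mask))) & 0xFFFFFFFF
        mask = str(ipaddress.IPv4Address(inverted))
    return ipaddress.ip_network(f"{t}/{mask}", strict=False), i + 2


def parse_crypto_acl(config, name, wildcard):
    """Return the set of (src_net, dst_net) 'permit ip' entries of ACL `name`.

    Filtering by name is the point-#2 check: only the dedicated VPN ACL is
    read, never a NAT-exemption or other ACL that happens to look similar.
    """
    entries = set()
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[1] != name:
            continue
        if tokens[2] != "permit" or tokens[3] != "ip":
            continue  # deny lines / non-IP protocols are ignored here
        src, i = _endpoint(tokens, 4, wildcard)
        dst, _ = _endpoint(tokens, i, wildcard)
        entries.add((src, dst))
    return entries


def mirror_mismatches(local, remote):
    """Point-#1 check: every local (src, dst) must appear remotely as (dst, src).

    Returns (missing_on_remote, extra_on_remote); both empty means the two
    ACLs match exactly.
    """
    expected_remote = {(dst, src) for (src, dst) in local}
    return expected_remote - remote, remote - expected_remote


def check_sample():
    """Run the comparison on the constructed sample and return the findings."""
    pix = parse_crypto_acl(PIX_CONFIG, "VPN_TO_ROUTER", wildcard=False)
    router = parse_crypto_acl(ROUTER_CONFIG, "110", wildcard=True)
    missing, extra = mirror_mismatches(pix, router)
    return (
        sorted((str(s), str(d)) for s, d in missing),
        sorted((str(s), str(d)) for s, d in extra),
    )


if __name__ == "__main__":
    missing, extra = check_sample()
    for src, dst in missing:
        print(f"router ACL lacks mirror entry: permit ip {src} -> {dst}")
    for src, dst in extra:
        print(f"router ACL has entry with no PIX counterpart: {src} -> {dst}")
    if not missing and not extra:
        print("crypto ACLs are exact mirror images")
```

Run it and the second router line is flagged twice: once as an entry that has no counterpart on the PIX, and once because the PIX's host-to-host entry has no mirror on the router. Proxy identities for that flow would never match during IKE phase 2, which is exactly the "close but not matching" failure the post warns about. Parsing by ACL name also means a NAT-exemption ACL such as the sample `NONAT` is never mistaken for the crypto ACL.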

