Re: [fw-wiz] PIX to Router IPSec

From: Brian Ford (brford_at_cisco.com)
Date: 06/09/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Wed, 09 Jun 2004 13:12:17 -0400

    Tony,

    The most important concept in IPSec VPN implementation is staying focused
    on creating a tunnel from interface to interface. If IP traffic can get
    from point A to point B for a variety of ports (a ping tool that allows IP
    port selection is a good thing); forget about the intermediate hops.

    Many PIX users stumble over one of two common issues.

    #1 - Your ACLs that define traffic selection and forwarding on either side
    of the VPN have to match. They can't be close. They have to match.

    #2 - don't try to re-use an ACL that you built for something else on the
    PIX in order to match VPN. Even if it is a near duplicate ACL; make sure
    that a VPN ACL is in there.

    CLI is great. PDM (PIX Device Manager - GUI) is good for configuring (via
    menus) and troubleshooting (it shows you recent Syslog) VPN connectivity.

    Hope this helps.

    Liberty for All,

    Brian

    At 07:33 AM 6/8/2004 -0400, firewall-wizards-request@honor.icsalabs.com wrote:
    >Date: Mon, 7 Jun 2004 16:17:41 -0700 (PDT)
    >From: ghideon@ghideon.com
    >To: firewall-wizards@honor.icsalabs.com
    >Subject: [fw-wiz] PIX to Router IPSec
    >
    >Need some advice on the following:
    >
    >I'm going to establish a PIX to Router IPSec tunnel between two locations.
    >The PIX has a public IP and a private IP, and the router has two public
    >IPs.
    >
    >I'm having trouble wrapping my mind around this. Since the router has
    >public IPs, I will need to pass the traffic to another PIX that sits
    >behind the router, since that second PIX has a public IP and a private IP.
    >Is this making any sense? Or is what I'm trying to do not possible? If
    >worse comes to worse, I can just go from PIX to PIX.
    >
    >Thanks
    >Tony

    Brian Ford
    Consulting Engineer, Security & Integrity Specialist
    Office of Strategic Technology Planning
    Cisco Systems Inc.
    http://www.cisco.com/go/safe/

    The opinions expressed in this message are those of the author and not
    necessarily those of Cisco Systems, Inc.

    This email address is transmitted from San Jose, California, U.S.A.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
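Brian's point #1 that the crypto ACLs on both peers have to match means, more precisely, that each side's entries must be the mirror image of the other's (source and destination swapped), which is easy to get wrong because the PIX writes subnet masks while an IOS extended ACL writes wildcard masks. As an added check that is not part of the original post, the script below normalizes both forms and lists entries that have no mirror on the far side; it assumes only `access-list NAME permit ip SRC MASK DST MASK` lines (no `host`/`any` keywords or port-specific entries) and uses constructed sample ACLs.

```python
import ipaddress

# Constructed sample configs (not from the post). The PIX side uses subnet
# masks, the IOS router side uses wildcard masks. One entry on each side is
# deliberately left without a mirror on the other peer.
PIX_ACL = """
access-list vpn permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list vpn permit ip 10.1.5.0 255.255.255.0 10.2.2.0 255.255.255.0
"""
IOS_ACL = """
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.6.0 0.0.0.255
"""


def _net(addr, mask, wildcard):
    """Build a network from an address plus a subnet mask (PIX) or a wildcard mask (IOS)."""
    if wildcard:
        # Wildcard mask is the bitwise inverse of the subnet mask.
        inverted = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))
        mask = str(ipaddress.IPv4Address(inverted))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_acl(text, wildcard):
    """Return the set of (src, dst) network pairs from 'access-list ... permit ip' lines."""
    pairs = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[0] == "access-list" and f[2:4] == ["permit", "ip"]:
            pairs.add((_net(f[4], f[5], wildcard), _net(f[6], f[7], wildcard)))
    return pairs


def unmirrored(local, remote):
    """Entries on each side whose mirror (src/dst swapped) is missing on the other side."""
    local_only = sorted((str(s), str(d)) for s, d in local if (d, s) not in remote)
    remote_only = sorted((str(s), str(d)) for s, d in remote if (d, s) not in local)
    return local_only, remote_only


def check_sample():
    """Compare the constructed PIX and IOS crypto ACLs; both lists should be empty on a good tunnel."""
    return unmirrored(parse_acl(PIX_ACL, wildcard=False), parse_acl(IOS_ACL, wildcard=True))


if __name__ == "__main__":
    pix_only, router_only = check_sample()
    print("PIX entries with no mirror on the router:", pix_only)
    print("Router entries with no mirror on the PIX:", router_only)
```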

