List: firewall-wizards
Subject: Re: [fw-wiz] PIX to Router IPSec
From: Brian Ford <brford () cisco ! com>
Date: 2004-06-09 17:12:17
Message-ID: 4.3.2.7.2.20040609130553.02ae39f0 () sj-email ! cisco ! com
Tony,
The most important concept in IPSec VPN implementation is staying focused
on creating a tunnel from interface to interface. If IP traffic can get
from point A to point B for a variety of ports (a ping tool that allows IP
port selection is a good thing), forget about the intermediate hops.
Many PIX users stumble over one of two common issues.
#1 - Your ACLs that define traffic selection and forwarding on either side
of the VPN have to match. They can't be close. They have to match.
#2 - Don't try to re-use an ACL that you built for something else on the
PIX in order to match VPN. Even if it is a near duplicate ACL, make sure
that a VPN ACL is in there.
CLI is great. PDM (PIX Device Manager - GUI) is good for configuring (via
menus) and troubleshooting (it shows you recent Syslog) VPN connectivity.
Hope this helps.
Liberty for All,
Brian
At 07:33 AM 6/8/2004 -0400, firewall-wizards-request@honor.icsalabs.com wrote:
>Date: Mon, 7 Jun 2004 16:17:41 -0700 (PDT)
>From: ghideon@ghideon.com
>To: firewall-wizards@honor.icsalabs.com
>Subject: [fw-wiz] PIX to Router IPSec
>
>Need some advice on the following:
>
>I'm going to establish a PIX to Router IPSec tunnel between two locations.
> The PIX has a public IP and a private IP, and the router has two public
>IPs.
>
>I'm having trouble wrapping my mind around this. Since the router has
>public IPs, I will need to pass the traffic to another PIX that sits
>behind the router, since that second PIX has a public IP and a private IP.
> Is this making any sense? Or is what I'm trying to do not possible? If
>worse comes to worse, I can just go from PIX to PIX.
>
>Thanks
>Tony
Brian Ford
Consulting Engineer, Security & Integrity Specialist
Office of Strategic Technology Planning
Cisco Systems Inc.
http://www.cisco.com/go/safe/
The opinions expressed in this message are those of the author and not
necessarily those of Cisco Systems, Inc.
This email address is transmitted from San Jose, California, U.S.A.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
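The "they have to match" rule in point #1 above is mechanically checkable: the crypto ACL on the router has to be the exact mirror image of the one on the PIX (source and destination swapped), with nothing extra on either side, which is also why the reused ACL in point #2 bites. The following is an added example, not code from the post or from Cisco. It is a small Python checker that parses PIX-style entries (address plus netmask) and IOS-style entries (address plus wildcard mask), normalizes both to CIDR networks and reports every entry that has no mirror on the other side. The ACL names, numbers and addresses are constructed for the example; it only handles `permit ip` entries whose operands are a network, `host` or `any`.

```python
"""Check that two IPSec crypto ACLs are exact mirror images of each other.

Added example (not from the mailing-list post). "Match" here means: every
permit entry on side A (src -> dst) appears on side B as (dst -> src), and
neither side has anything the other lacks. PIX 6.x ACLs carry netmasks
(255.255.255.0); IOS extended ACLs carry wildcard masks (0.0.0.255). Both
are normalized to IPv4Network objects before comparison.
"""
import ipaddress
from typing import List, Set, Tuple

Flow = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]

# Constructed sample configs (not from the post).
PIX_ACL = """
access-list vpn permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list vpn permit ip 192.168.11.0 255.255.255.0 192.168.20.0 255.255.255.0
"""

# Router side, correctly mirrored.
ROUTER_ACL_GOOD = """
access-list 110 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 permit ip 192.168.20.0 0.0.0.255 192.168.11.0 0.0.0.255
"""

# Router side that is "close": one extra subnet, the kind of thing a reused ACL drags in.
ROUTER_ACL_CLOSE = """
access-list 110 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 permit ip 192.168.20.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 110 permit ip 192.168.20.0 0.0.0.255 192.168.12.0 0.0.0.255
"""


def _to_network(addr: str, mask: str, wildcard: bool) -> ipaddress.IPv4Network:
    """Build a network from address + netmask (PIX) or address + wildcard (IOS).

    The inversion is done explicitly rather than letting ipaddress guess,
    because a wildcard of 0.0.0.0 (a single host) is also a valid netmask (/0)
    and would otherwise be misread.
    """
    if wildcard:
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _parse_operand(tokens: List[str], i: int, wildcard: bool) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one source/destination operand starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return _to_network(tokens[i], tokens[i + 1], wildcard), i + 2


def parse_crypto_acl(config: str, wildcard_masks: bool) -> Set[Flow]:
    """Extract (src, dst) networks from every 'permit ip' line of an ACL."""
    flows: Set[Flow] = set()
    for line in config.splitlines():
        tokens = line.split()
        if "permit" not in tokens:
            continue  # blank lines, remarks, deny entries
        i = tokens.index("permit")
        if len(tokens) < i + 2 or tokens[i + 1] != "ip":
            raise ValueError(f"only 'permit ip' entries are handled: {line.strip()}")
        src, i = _parse_operand(tokens, i + 2, wildcard_masks)
        dst, i = _parse_operand(tokens, i, wildcard_masks)
        flows.add((src, dst))
    return flows


def mirror_mismatches(side_a: Set[Flow], side_b: Set[Flow]) -> Tuple[Set[Flow], Set[Flow]]:
    """Return (A entries with no mirror on B, B entries with no mirror on A)."""
    only_a = side_a - {(dst, src) for src, dst in side_b}
    only_b = side_b - {(dst, src) for src, dst in side_a}
    return only_a, only_b


def acls_match(pix_config: str, ios_config: str) -> bool:
    """True only when the PIX and IOS crypto ACLs are exact mirrors."""
    only_a, only_b = mirror_mismatches(
        parse_crypto_acl(pix_config, wildcard_masks=False),
        parse_crypto_acl(ios_config, wildcard_masks=True),
    )
    return not only_a and not only_b


if __name__ == "__main__":
    for name, router in (("good", ROUTER_ACL_GOOD), ("close", ROUTER_ACL_CLOSE)):
        a = parse_crypto_acl(PIX_ACL, wildcard_masks=False)
        b = parse_crypto_acl(router, wildcard_masks=True)
        only_a, only_b = mirror_mismatches(a, b)
        print(f"{name}: match={acls_match(PIX_ACL, router)}")
        for src, dst in sorted(only_a, key=str):
            print(f"  PIX entry {src} -> {dst} has no mirror on the router")
        for src, dst in sorted(only_b, key=str):
            print(f"  router entry {src} -> {dst} has no mirror on the PIX")
```

Run it against the two saved configs before bringing the tunnel up; a non-empty mismatch list is exactly the "close but not matching" condition the post warns about, and the extra entry it reports is the one to remove or to add on the other side.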