Firewall Wizards mailing list archives
Re: PIX to Router IPSec
From: Brian Ford <brford () cisco com>
Date: Wed, 09 Jun 2004 13:12:17 -0400
Tony,

The most important concept in IPSec VPN implementation is staying focused on creating a tunnel from interface to interface. If IP traffic can get from point A to point B for a variety of ports (a ping tool that allows IP port selection is a good thing), forget about the intermediate hops.
Many PIX users stumble over one of two common issues.

#1 - Your ACLs that define traffic selection and forwarding on either side of the VPN have to match. They can't be close. They have to match.

#2 - Don't try to re-use an ACL that you built for something else on the PIX in order to match VPN. Even if it is a near duplicate ACL, make sure that a VPN ACL is in there.
CLI is great. PDM (PIX Device Manager - GUI) is good for configuring (via menus) and troubleshooting (it shows you recent Syslog) VPN connectivity.
Hope this helps.

Liberty for All,

Brian

At 07:33 AM 6/8/2004 -0400, firewall-wizards-request () honor icsalabs com wrote:
Date: Mon, 7 Jun 2004 16:17:41 -0700 (PDT)
From: ghideon () ghideon com
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] PIX to Router IPSec

Need some advice on the following: I'm going to establish a PIX to Router IPSec tunnel between two locations. The PIX has a public IP and a private IP, and the router has two public IPs. I'm having trouble wrapping my mind around this. Since the router has public IPs, I will need to pass the traffic to another PIX that sits behind the router, since that second PIX has a public IP and a private IP. Is this making any sense? Or is what I'm trying to do not possible? If worse comes to worse, I can just go from PIX to PIX.

Thanks
Tony
Brian Ford
Consulting Engineer, Security & Integrity Specialist
Office of Strategic Technology Planning
Cisco Systems Inc.
http://www.cisco.com/go/safe/

The opinions expressed in this message are those of the author and not necessarily those of Cisco Systems, Inc.
This email address is transmitted from San Jose, California, U.S.A.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
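Added example (editor's illustration, not part of Brian's message or any Cisco document): what his points #1 and #2 look like in configuration, with a PIX 6.x-style configuration on one end and an IOS router on the other. All addresses, network ranges, ACL names, map names and the pre-shared key placeholder are made up. The traffic-selection ACLs are exact mirrors of each other (source and destination swapped), and the PIX gets a dedicated crypto ACL rather than borrowing the `nonat` ACL even though the two select the same traffic. One detail that trips people up when eyeballing "matching" ACLs: PIX ACLs take subnet masks while IOS extended ACLs take wildcard masks, so the mirrored entries are written differently but select the same hosts.

```text
! ---- PIX (outside 198.51.100.1, inside network 10.1.0.0/16) ----
! Dedicated crypto ACL (point #2): PIX syntax uses subnet masks
access-list vpn-to-branch permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
! Separate ACL for NAT exemption, even though the entry is identical
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list nonat
! Let decrypted traffic bypass interface ACLs on the outside interface
sysopt connection permit-ipsec
isakmp enable outside
isakmp key EXAMPLE-PSK address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map to-branch 10 ipsec-isakmp
crypto map to-branch 10 match address vpn-to-branch
crypto map to-branch 10 set peer 203.0.113.2
crypto map to-branch 10 set transform-set strong
crypto map to-branch interface outside

! ---- IOS router (outside 203.0.113.2, inside network 10.2.0.0/16) ----
! Mirror of the PIX crypto ACL (point #1): src/dst swapped, wildcard masks
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key EXAMPLE-PSK address 198.51.100.1
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map to-hq 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set strong
 match address 101
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 crypto map to-hq
```

To confirm the two ends agree, bring the tunnel up with interesting traffic (a ping from a 10.1.x host to a 10.2.x host) and compare `show crypto isakmp sa` and `show crypto ipsec sa` on both boxes: the local/remote identity (proxy) entries on each side must be the exact inverse of the other's, and a phase 2 failure with phase 1 up is the classic symptom of ACLs that are "close" but not mirrored. The 3DES/SHA-1/group 2 choices above reflect what was typical when this thread was written; on current platforms use AES and a stronger Diffie-Hellman group.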
Current thread:
- PIX to Router IPSec ghideon (Jun 08)
- <Possible follow-ups>
- RE: PIX to Router IPSec Shirley, David (Jun 09)
- Re: PIX to Router IPSec Brian Ford (Jun 09)