setting up site-2-site with PIX 506e VPN Wizard

Hi All: looking for an introduction on setting up a site-to-site vpn between 
two PIX 506e using the wizard.

Pix 1 has inside IF 192.168.0/24
Pix 2 has inside IF 192.168.1/24

I want to enable 192.168.0.10 to connect to 192.168.1.15

I tried to step through the wizard, but am stuck at what to configure for 
the remote IPSec Traffic Selector.

If I select the inside IF of PIX 2 and enter 192.168.1.15 as the termination 
point, I'm prompted to provide a static route. Am I setting it up correctly 
up to that point? If so, what IP/IF would I want to specify for the route?

TIA


cisco
2/16/2007 5:39:26 PM
comp.dcom.sys.cisco

cisco wrote:

> Hi All: looking for an introduction on setting up a site-to-site vpn between 
> two PIX 506e using the wizard.
> 
> Pix 1 has inside IF 192.168.0/24
> Pix 2 has inside IF 192.168.1/24
> 
> I want to enable 192.168.0.10 to connect to 192.168.1.15

I would suggest you set up a real LAN-to-LAN VPN based on IP traffic between 192.168.0.0/24 and 192.168.1.0/24.
Then you can manage which kind of traffic to allow on the tunnel using a traditional ACL applied on the incoming interface 
(usually "inside") of the originating device.

This way you don't have to rebuild the tunnel each time you need more traffic to pass through it; you just adjust the 
filtering ACL (not the one that defines the interesting traffic of the VPN, i.e. the encrypted traffic).

HTH Alex
AM
2/16/2007 6:40:31 PM
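The split Alex describes, as an added example (not configuration from the original thread): a crypto ACL that makes the whole 192.168.0.0/24 to 192.168.1.0/24 exchange "interesting" to IPsec, and a separate ACL on the inside interface that decides which of that traffic the firewall actually lets in. PIX 6.3 syntax is assumed, as are the public addresses (PIX 1 outside 203.0.113.1 with gateway 203.0.113.254, PIX 2 outside 198.51.100.1), the name of the crypto map and ACLs, and SQL Server on its default TCP port 1433. Lines starting with `!` are annotations, not commands. The 3DES/SHA-1/DH group 2 settings are what a 506E of that era offered and would not be chosen on current equipment.

```text
! ===== PIX 1 (inside 192.168.0.0/24, outside 203.0.113.1, assumed) =====
! Default route toward the ISP gateway (assumed address); the peer is reached via this.
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1

! Crypto ACL: the whole LAN-to-LAN pair is "interesting traffic". Widen once, never again.
access-list vpn_traffic permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

! Exempt the same pair from NAT so the real inside addresses go through the tunnel.
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat

! Phase 1 (IKE) with a pre-shared key bound to the remote PIX's public address.
isakmp enable outside
isakmp key ******** address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Phase 2 (IPsec): the peer is the remote PIX's OUTSIDE address, not its inside one.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn_traffic
crypto map vpnmap 10 set peer 198.51.100.1
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside

! Let decrypted IPsec traffic bypass the outside interface ACL.
sysopt connection permit-ipsec

! Filtering ACL on the inside interface: this is the knob Alex means.
! Today only SQL from 192.168.0.10 to 192.168.1.15 may enter the tunnel.
access-list inside_in permit tcp host 192.168.0.10 host 192.168.1.15 eq 1433
! Everything else bound for the remote LAN is dropped before it is encrypted.
access-list inside_in deny ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
! Ordinary Internet traffic from the LAN continues to work (implicit deny otherwise).
access-list inside_in permit ip 192.168.0.0 255.255.255.0 any
access-group inside_in in interface inside

! ===== PIX 2 (inside 192.168.1.0/24, outside 198.51.100.1, assumed) =====
! Mirror image: swap the networks, point the peer/key at 203.0.113.1.
access-list vpn_traffic permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat
isakmp enable outside
isakmp key ******** address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn_traffic
crypto map vpnmap 10 set peer 203.0.113.1
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside
sysopt connection permit-ipsec

! Verification, after sending one packet from 192.168.0.10 to 192.168.1.15:
!   show isakmp sa          -> one peer in state QM_IDLE
!   show crypto ipsec sa    -> pkts encaps/decaps counters climbing
```

Two practitioner caveats. First, the crypto ACLs on the two boxes must be exact mirror images; if they are not, Phase 2 fails with a proxy-identity mismatch and the wizard's "remote traffic selector" is precisely the mirrored half. Second, `sysopt connection permit-ipsec` means decrypted traffic is not checked against the outside interface ACL, so the inside ACL on the *originating* PIX is the only filter on the path; if the remote side also wants to restrict what arrives, it must either apply the same inside ACL there for its own outbound connections, or remove the sysopt and explicitly permit the allowed flows in its outside ACL.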
>> Hi All: looking for an introduction on setting up a site-to-site vpn 
>> between two PIX 506e using the wizard.
>>
>> Pix 1 has inside IF 192.168.0/24
>> Pix 2 has inside IF 192.168.1/24
>>
>> I want to enable 192.168.0.10 to connect to 192.168.1.15
>
> I could suggest you to set up a real LAN to LAN VPN based on IP traffic 
> between 192.168.0.0/24 and 192.168.1.0/24.
> Then you can manage which kind of traffic allow on the tunnel using 
> traditional ACL list applied on incoming interface (usually "inside") from 
> the starting device.
>
> This way you don't have to re-build the tunnel each time you need more 
> traffic to pass through it but just to adjust the filtering ACL (not that 
> defines the interesting traffic of the VPN or better the encrypted one)

Thanks, but I'm not sure I understand how a "LAN-to-LAN" VPN differs from 
what I'm doing. I barely grok the VPN Wizard as it is <g>.

I also don't understand "rebuilding the tunnel each time you need more 
traffic to pass through"... is the site-to-site VPN restricted in some way?

Allow me to clarify that this is to allow periodic connections between two 
SQL Servers, although the actual data being transferred is quite modest.

PIX 1 is on a 10-Mbit line, and PIX 2 is on a 3-Mbit static DSL connection.

Thanks again for your help! 


cisco
2/16/2007 11:19:02 PM
>> Hi All: looking for an introduction on setting up a site-to-site vpn 
>> between two PIX 506e using the wizard.
>>
>> Pix 1 has inside IF 192.168.0/24
>> Pix 2 has inside IF 192.168.1/24
>>
>> I want to enable 192.168.0.10 to connect to 192.168.1.15
>
> I could suggest you to set up a real LAN to LAN VPN based on IP traffic 
> between 192.168.0.0/24 and 192.168.1.0/24.
> Then you can manage which kind of traffic allow on the tunnel using 
> traditional ACL list applied on incoming interface (usually "inside") from 
> the starting device.
>
> This way you don't have to re-build the tunnel each time you need more 
> traffic to pass through it but just to adjust the filtering ACL (not that 
> defines the interesting traffic of the VPN or better the encrypted one)

I understand what you're saying, but I'm still not clear on the initial 
configuration of the remote site in the wizard.

I add 192.168.0.0/24 for the local site (PIX 1), but which IF and IP address 
do I specify for the remote site (PIX 2)?

    192.168.1.0/24 and the inside IF?
or
    the public IP and outside IF?


cisco
2/17/2007 3:30:17 PM