501 site to site vpn....PLEASE HELP!!!

rob
Level 1

Hi All,

I'm pulling my hair out trying to get a really basic VPN running between two PIX 501s on my workbench. The PIXs are connected by a crossover cable on their outside ports and I have followed the following protocol to get it up and running:

http://www.cisco.com/en/US/products/sw/netmgtsw/ps2032/products_configuration_example09186a0080094497.shtml#configs

Firstly, is a crossover cable OK between two 501s or should I shove a switch in?

Secondly, I believe the VPN becomes active once data starts flowing, is that right? So, a silly question I know, but is it enough just to have a pix on the other end, or should I have some other device such as a laptop on the inside of the remote network to connect to?

Thirdly, thanks for all your help on this as I've spent a week pulling hair out and not getting anywhere with a deadline looming fast! I'm on MSN at webstyleinternet@hotmail.com if anyone is feeling particularly charitable :-)

cheers

Rob

rob@webstyleinternet.com

10 Replies

Hi Rob,

Without seeing your configs it is difficult to comment, but if you are implementing the configs presented in your Cisco link, then a crossover will not work because the two outside interfaces are on different networks and require a router to communicate.

Have you verified basic connectivity before trying a VPN config?

Duhh, no I didn't! I see what you're saying about a router. If I changed the two outside interfaces to be, say, 192.168.0.1 and 192.168.0.2, then I guess that should allow me to verify connectivity and then have another go with the VPN config from the Cisco link?

Cheers again, from an absolute novice! (We all gotta start somewhere I guess ;-)

Rob

By the way, should a crossover cable work if the two outside interfaces are on the same network?

Nothing in principle prevents it, provided you adjust your configs. Although I don't think the Internet has been this small since it was called the ALOHA network in the late 60s :)

Hi,

Yes a crossover will work.

The addressing of the interface doesn't affect the need for certain types of cable; it's the physical make-up of the port that dictates what kind of cable you need.

The interface on a PIX is much the same as a PC. If you put a PIX back to back with another PIX, the send and receive pairs will be matched, i.e. the send wire on one PIX will meet the send wire on the other PIX, and the receive wire on one PIX will meet the receive wire on the other PIX, and thus data won't be able to flow, as one PIX should send and the other should receive.

This is why you need to use a crossover cable, which has the effect of moving the send/receive wires from one device to the receive/send wires of the other device.

So you will find that:

PC to PC requires a crossover cable

PC to switch is a straight-through cable

Switch to switch is a crossover cable

PIX to PIX requires a crossover cable

PIX to switch is a straight-through cable

etc.

HTH

Paddy

That's great guys, thanks very much for your help!

Will the VPN become active once data starts flowing? So, a silly question I know, but is it enough just to have a PIX on the other end, or should I have some other device, such as a laptop, on the inside of the remote network to connect to in order to enable the VPN connection?

Cheers again! :-)

Rob

Hi,

It depends how your VPN is structured.

I am not that familiar with PIX-to-PIX VPN, but on router-to-router you have crypto access-lists that specify which traffic is to be encrypted/decrypted; this must be the same on the PIX.

So, if you are specifying that traffic to and from your internal networks (inside interface of the PIX) at each site is to be encrypted/decrypted, then yes, you will need a device on the inside of your network to bring up the tunnel.

On a router you can do an extended ping that allows you to choose the source interface of your echo request, so in fact you can simulate a device on the inside of your network by sending echo requests from the internal interface. Unfortunately you can't do this on a PIX; you may be able to using PIX OS 7, but I'm not sure.

HTH

Paddy

The VPN tunnel will become active when data starts to flow. Attaching a PC to the private interface for testing is probably the best option. You need to have interesting traffic going through the PIX. See attachment.

You are an absolute life saver, nice one wsitu!

Just on another note, I noticed you have two routers in there on the diagram. I have two old 2500s; what's the best way to connect these? By serial cable or by Ethernet?

If I were to do it without the routers, would just having the outside interface of PIX 1 as 172.16.0.1 and the outside interface of PIX 2 as 172.16.0.2 do the trick?

Cheers very much!

Rob

You would connect the 2500's Ethernet interface to the PIX outside and its serial interface to the other 2500.

I suppose you can connect the PIXs back to back. The purpose of having two routers in the topology is to simulate the Internet, and I highly recommend it as it's more realistic for what you wanted to test.
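The two points made above, that the crypto access-lists define the "interesting" traffic that brings the tunnel up and that a back-to-back pair with outside addresses 172.16.0.1 and 172.16.0.2 can work if the configs line up, can be checked mechanically before touching the console. The following Python script is an added example, not code from the original thread or from Cisco: it embeds two constructed PIX 6.x-style configurations for the back-to-back lab (inside networks 10.1.1.0/24 and 10.2.2.0/24, ACL number 101, crypto map name mymap, and the 3DES/MD5 proposal from the documentation of that era, all assumed for the example; 3DES and MD5 are weak by today's standards), pulls out the outside address, the crypto peer and the crypto ACL from each, verifies that the peers point at each other and that the ACLs are mirror images, and then classifies test packets to show why a ping between the two outside addresses never triggers IKE while a packet from an inside host does.

```python
"""Added example (not from the thread): sanity-check two back-to-back PIX
configs for a site-to-site IPsec tunnel and classify interesting traffic."""
import ipaddress
import re

# Constructed PIX 6.x-style configs for the thread's lab. Addresses, ACL
# number, crypto map name and the 3des/md5 proposal are assumptions made
# for this example; the proposal is weak by modern standards.
PIX1 = """
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
ip address outside 172.16.0.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set peer 172.16.0.2
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 172.16.0.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
route outside 0.0.0.0 0.0.0.0 172.16.0.2 1
"""

# The far side: same structure, with source/destination and peer swapped.
PIX2 = (PIX1
        .replace("10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0",
                 "10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0")
        .replace("ip address outside 172.16.0.1", "ip address outside 172.16.0.2")
        .replace("ip address inside 10.1.1.1", "ip address inside 10.2.2.1")
        .replace("peer 172.16.0.2", "peer 172.16.0.1")
        .replace("address 172.16.0.2 netmask", "address 172.16.0.1 netmask")
        .replace("0.0.0.0 0.0.0.0 172.16.0.2", "0.0.0.0 0.0.0.0 172.16.0.1"))

# A deliberately broken far side: the crypto ACL no longer mirrors PIX1.
PIX2_BAD = PIX2.replace("10.1.1.0 255.255.255.0", "10.1.0.0 255.255.0.0")

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")


def _net(addr, mask):
    # PIX ACLs use dotted subnet masks (not wildcard masks as on IOS).
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_pix(config):
    """Extract outside address, crypto peer and the crypto ACL's (src, dst) pairs."""
    acls = {}
    info = {"outside": None, "peer": None, "match_acl": None}
    for line in config.strip().splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, sa, sm, da, dm = m.groups()
            acls.setdefault(name, []).append((_net(sa, sm), _net(da, dm)))
        elif m := re.match(r"^ip address outside (\S+) \S+$", line):
            info["outside"] = ipaddress.ip_address(m.group(1))
        elif m := re.match(r"^crypto map \S+ \d+ set peer (\S+)$", line):
            info["peer"] = ipaddress.ip_address(m.group(1))
        elif m := re.match(r"^crypto map \S+ \d+ match address (\S+)$", line):
            info["match_acl"] = m.group(1)
    # Only the ACL referenced by the crypto map defines interesting traffic.
    info["crypto_acl"] = acls.get(info["match_acl"], [])
    return info


def check_pair(a, b):
    """Return the problems that would stop a tunnel between two parsed PIXs."""
    problems = []
    if not a["crypto_acl"] or not b["crypto_acl"]:
        problems.append("crypto map does not reference a populated access-list")
    if a["peer"] != b["outside"] or b["peer"] != a["outside"]:
        problems.append("set peer does not point at the other PIX's outside address")
    # Each side's (src, dst) must appear as (dst, src) on the other side.
    if set(a["crypto_acl"]) != {(d, s) for s, d in b["crypto_acl"]}:
        problems.append("crypto access-lists are not mirror images")
    return problems


def is_interesting(pix, src_ip, dst_ip):
    """True if a src->dst packet matches the crypto ACL, i.e. would trigger IKE."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for s, d in pix["crypto_acl"])


if __name__ == "__main__":
    p1, p2 = parse_pix(PIX1), parse_pix(PIX2)
    print("good pair:", check_pair(p1, p2) or "no problems")      # no problems
    print("bad pair: ", check_pair(p1, parse_pix(PIX2_BAD)))      # ACL mismatch
    # An inside host reaching the far inside network is interesting traffic ...
    print(is_interesting(p1, "10.1.1.10", "10.2.2.10"))            # True
    # ... but a ping between the two outside addresses is not, so it
    # goes in the clear and never brings the tunnel up.
    print(is_interesting(p1, "172.16.0.1", "172.16.0.2"))          # False
```

Run it as-is to see the good pair pass and the broken pair report the ACL mismatch; swap in your own two `show run` captures for PIX1 and PIX2 to check a real lab. The outside-to-outside ping returning False is the point both posters made: it proves layer-3 connectivity over the crossover cable, but only traffic matching the crypto ACL (a PC behind the inside interface) negotiates the tunnel.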