06-06-2005 03:45 AM - edited 02-21-2020 01:48 PM
Hi All,
I'm pulling my hair out trying to get a really basic VPN running between 2 PIX 501s on my work-bench. The PIXes are connected by a cross-over cable on their outside ports and I have followed the following protocol to get it up and running:
Firstly, is a cross-over cable ok between 2 501's or should I shove a switch in?
Secondly, I believe the VPN becomes active once data starts flowing, is that right? So, a silly question I know, but is it enough just to have a pix on the other end, or should I have some other device such as a laptop on the inside of the remote network to connect to?
Thirdly, thanks for all your help on this as I've spent a week pulling hair out and not getting anywhere with a deadline looming fast! I'm on MSN at webstyleinternet@hotmail.com if anyone is feeling particularly charitable :-)
cheers
Rob
06-06-2005 05:48 AM
Hi Rob,
without seeing your configs, it is difficult to comment, but if you are implementing the configs presented in your cisco link, then a crossover will not work because the two outside interfaces are on different networks and require a router to communicate.
Have you verified basic connectivity before trying a VPN config?
06-06-2005 06:26 AM
Duhh, no I didn't! See what you're saying about a router. If I changed the two outside interfaces to be say 192.168.0.1 and 192.168.0.2 then I guess that should allow me to verify connectivity and then have another go with the vpn config from the cisco link?
cheers again, from an absolute novice! (we all gotta start somewhere I guess ;-)
Rob
06-06-2005 06:28 AM
By the way, should a crossover cable work if the two outside interfaces are on the same network?
06-06-2005 06:49 AM
Nothing in principle, provided you adjust your configs - although I don't think the Internet has been this small since it was called the ALOHA network in the late 60s :)
06-06-2005 06:56 AM
Hi,
Yes a crossover will work.
The addressing of the interface doesn't affect the need for certain types of cable; it's the physical make-up of the port that dictates what kind of cable you need.
The interface on a PIX is much the same as a PC. If you put a PIX back to back with another PIX, the send and receive pairs will be matched, i.e. the send wire on the PIX will meet the send wire on the other PIX, and the receive wire on the PIX will meet the receive wire on the other PIX, and thus data won't be able to flow, as one PIX should send and the other should receive.
This is why you need to use a crossover cable, which has the effect of moving the send/receive wires from one device to the receive/send wires of the other device.
So you will find that:
PC to PC requires a crossover cable
PC to switch is straight through cable
switch to switch is a crossover cable
PIX to PIX requires a crossover cable
PIX to switch is straight through cable
etc.
HTH
Paddy
06-06-2005 07:16 AM
That's great guys, thanks very much for your help!
Will the VPN become active once data starts flowing? So, a silly question I know, but is it enough just to have a PIX on the other end, or should I have some other device such as a laptop on the inside of the remote network to connect to, to enable the VPN connection?
cheers again! :-)
Rob
06-06-2005 07:29 AM
Hi,
It depends how your VPN is structured.
I am not that familiar with PIX to PIX VPN, but on router to router you have crypto access-lists that specify which traffic is to be encrypted/decrypted; this must be the same on the PIX.
So, if you are specifying that traffic to and from your internal networks (inside interface of the PIX) at each site is to be encrypted/decrypted, then yes, you will need a device on the inside of your network to bring up the tunnel.
On a router you can do an extended ping that allows you to choose the source interface of your echo request, so in fact you can simulate a device on the inside of your network by sending echo requests from the internal interface. Unfortunately you can't do this on a PIX; you may be able to using PIX OS 7, but I'm not sure.
HTH
Paddy
06-06-2005 11:19 AM
06-07-2005 12:03 AM
You are an absolute life saver, nice one wsitu!
Just on another note, I noticed you have 2 routers in there on the diagram. I have 2 old 2500s, what's the best way to connect these? By serial cable or by ethernet?
If I were to do it without the routers, would just having the outside interface of PIX 1 as 172.16.0.1 and the outside interface of PIX 2 as 172.16.0.2 do the trick?
cheers very much!
Rob
06-07-2005 10:10 AM
You would connect the 2500 ethernet interface to the PIX outside and the serial int to the other 2500.
I suppose you can connect the PIX back to back. The purpose of having two routers in the topology is to simulate the internet, and I highly recommend it as it's more realistic of what you wanted to test.
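As an added example (not posted by anyone in this thread, and not from the Cisco document Rob linked), here is a PIX 6.3-style site-to-site configuration for PIX 1 of the back-to-back lab, using the outside addresses Rob proposed (172.16.0.1 and 172.16.0.2) and constructed inside networks 10.1.1.0/24 and 10.2.2.0/24; the pre-shared key is a placeholder, PIX 2 gets the mirror image, and the `!` lines are annotations rather than config.

```cisco
! Interface addressing: outside is the crossover link to PIX 2, inside is the LAN
ip address outside 172.16.0.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
! Crypto access-list: this is the "interesting traffic" Paddy described.
! Only inside-to-inside traffic matches, so only a host (or laptop) on the
! inside network can bring the tunnel up; pinging outside-to-outside will not.
access-list vpn permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
! Keep the tunnel traffic out of NAT so the inside addresses survive encryption
nat (inside) 0 access-list vpn
! Let IPsec-decrypted traffic bypass the interface access-lists
sysopt connection permit-ipsec
! Phase 2 (IPsec) proposal
crypto ipsec transform-set lab-ts esp-aes esp-sha-hmac
crypto map lab-map 10 ipsec-isakmp
crypto map lab-map 10 match address vpn
crypto map lab-map 10 set peer 172.16.0.2
crypto map lab-map 10 set transform-set lab-ts
crypto map lab-map interface outside
! Phase 1 (ISAKMP) policy with a pre-shared key; replace the placeholder
isakmp enable outside
isakmp key REPLACE-WITH-SHARED-SECRET address 172.16.0.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

After a ping from a host on 10.1.1.0/24 to a host on 10.2.2.0/24, `show crypto isakmp sa` and `show crypto ipsec sa` on either PIX show whether Phase 1 and Phase 2 came up; if the ISAKMP SA never appears, fix basic outside-to-outside connectivity first, as suggested earlier in the thread.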