Configuring a Simple PIX-to-PIX VPN Tunnel Using IPSec

travis0
Level 1

Hello,

I have read document ID 6211, "Configuring a Simple PIX-to-PIX VPN Tunnel Using IPSec". I understand the commands used in the document, but I don't understand how the PIX-to-PIX VPN tunnel is made.

Which PIX does the connection initiation come from?

If a computer on the 10.1.1.x network wants to connect to a computer on the 172.16.1.x network, is this when the VPN tunnel is established? Or is this a permanent PIX-to-PIX tunnel?

thank you,

T.

4 Replies

abdel_n
Level 1

Hi,

Both PIXs can initiate traffic based on ACL 101 on Maui-PIX-01 and Maui-PIX-02; note that the traffic is mirrored on both access lists. So the IPSec tunnel is initiated when 10.1.1.x and 172.16.1.x try to communicate with each other.

The tunnel stays established for the IPSec lifetime (3600 sec or 4608000 kbytes), or until you clear the SAs using these commands:

clear crypto isakmp sa

clear crypto ipsec sa

I have tried to present the different steps of IPSec tunnel establishment, and the commands involved in each step, in another way; I hope this will help.

Hello,

First of all, thank you for the swf file.

Let's just say I have a computer A1 (on the LAN) behind MAUI-PIX-01 that initiates an FTP connection to the outside interface of MAUI-PIX-02 on port 21. All traffic on port 21 is statically mapped to computer B1 (on the LAN) behind MAUI-PIX-02. Can this be achieved?

I am going to have 2 FTP servers running behind MAUI-PIX-02 on 2 different computers. These FTP servers will use unique ports from each other. Can the PIX-to-PIX tunnel cater to more than 1 end-to-end session on different ports?

Travis.

If the LAN traffic is between, say, 10.1.x.x and 172.16.x.x, then you can have unlimited sessions between hosts on these subnets, and it all goes through the same tunnel.

You can also do NAT across the VPN as you wish, it just makes the config more complex.

NAT occurs before traffic hits the VPN ACL, so the VPN ACL would refer to the NATed traffic.

It is possible to achieve such a configuration; you just have to pay attention to the order of operations for outbound and inbound packets when both NAT and IPSec encryption are used.

The attached figure "PIX-order" shows the order of operations for incoming and outgoing traffic on the PIX.

Here are some points to pay attention to with the new configuration:

I)-Maui-PIX02 configuration:

-1- Define static commands for one-to-one address translation (port static; PIX syntax uses no space after the comma):

static (inside,outside) tcp 172.22.112.10 80 172.16.1.10 80 netmask 255.255.255.255

static (inside,outside) tcp 172.22.112.11 80 172.16.1.11 80 netmask 255.255.255.255

static (inside,outside) tcp 172.22.112.12 80 172.16.1.12 80 netmask 255.255.255.255

static (inside,outside) tcp 172.22.112.13 80 172.16.1.13 80 netmask 255.255.255.255

-2- Define an access list to enable inbound traffic to the FTP servers; this goes together with any static command (the command is access-list, and the port is given with eq; the list must also be bound to the outside interface with access-group):

access-list toftp permit tcp any host 172.22.112.10 eq 80

access-list toftp permit tcp any host 172.22.112.11 eq 80

access-list toftp permit tcp any host 172.22.112.12 eq 80

access-list toftp permit tcp any host 172.22.112.13 eq 80

access-group toftp in interface outside

-3- Define the interesting traffic that will trigger the encryption process. According to the order of operations on the PIX, and as grant.maynard mentioned, the address will be translated and then checked for encryption, so you have to use the FTP IP addresses after translation (inside global), 172.22.112.x.

Any session that matches this access list will be encrypted (protocol and eq keyword are required for a port match):

access-list 111 permit tcp host 172.22.112.10 eq 80 10.1.1.0 255.255.255.0

access-list 111 permit tcp host 172.22.112.11 eq 80 10.1.1.0 255.255.255.0

access-list 111 permit tcp host 172.22.112.12 eq 80 10.1.1.0 255.255.255.0

access-list 111 permit tcp host 172.22.112.13 eq 80 10.1.1.0 255.255.255.0

-4- The peer ip address for both ISAKMP and IPSec remain the same : 192.168.1.52

II)-Maui-PIX01 configuration:

-1- The access list on the other side will work with the outside global IP addresses 172.22.112.x (172.16.1.x are not visible to Maui-PIX01).

If you want to reserve the tunnel only for FTP access from 10.1.1.x (the mirror image of access list 111 on the other PIX; ip cannot carry a port, so tcp with eq is used):

access-list 101 permit tcp 10.1.1.0 255.255.255.0 host 172.22.112.10 eq 80

access-list 101 permit tcp 10.1.1.0 255.255.255.0 host 172.22.112.11 eq 80

access-list 101 permit tcp 10.1.1.0 255.255.255.0 host 172.22.112.12 eq 80

access-list 101 permit tcp 10.1.1.0 255.255.255.0 host 172.22.112.13 eq 80

access-list 101 permit tcp 10.1.1.0 255.255.255.0 host 172.22.112.14 eq 80
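The order-of-operations point in the reply above (outbound: static NAT first, then the crypto ACL decides whether to encrypt; inbound: interface ACL on the global address, then un-NAT) is easy to get wrong when the crypto ACL is written with the inside-local addresses. The following Python model is an added example, not part of the thread or of any Cisco code; the Packet/Static/Ace classes and the path functions are my own names, and the addresses and port 80 are the constructed values used in the reply. It shows that a crypto ACL written against 172.16.1.10 never matches the server's replies after translation, while the same ACL written against 172.22.112.10 does.

```python
"""Toy model of the PIX NAT / IPSec order of operations described in the
thread.  Constructed example, not Cisco code; class and function names are
assumptions made for illustration."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Static:
    """static (inside,outside) tcp <global_ip> <gport> <local_ip> <lport>"""
    global_ip: str
    global_port: int
    local_ip: str
    local_port: int


@dataclass(frozen=True)
class Ace:
    """One permit line: protocol, source net, dest net, optional ports."""
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("ip", p.proto):
            return False
        if ip_address(p.src) not in ip_network(self.src, strict=False):
            return False
        if ip_address(p.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        return self.dport is None or p.dport == self.dport


def acl_permits(acl: List[Ace], p: Packet) -> bool:
    return any(a.matches(p) for a in acl)


def nat_outbound(statics: List[Static], p: Packet) -> Packet:
    """Inside -> outside: rewrite the source to the inside-global address."""
    for s in statics:
        if p.src == s.local_ip and p.sport == s.local_port:
            return replace(p, src=s.global_ip, sport=s.global_port)
    return p


def nat_inbound(statics: List[Static], p: Packet) -> Packet:
    """Outside -> inside: rewrite the destination back to the inside-local."""
    for s in statics:
        if p.dst == s.global_ip and p.dport == s.global_port:
            return replace(p, dst=s.local_ip, dport=s.local_port)
    return p


def outbound_path(statics, crypto_acl, p: Packet):
    """NAT is applied first; the crypto ACL then sees the translated packet.
    Returns (packet as sent on the wire, encrypted?)."""
    translated = nat_outbound(statics, p)
    return translated, acl_permits(crypto_acl, translated)


def inbound_path(inbound_acl, statics, p: Packet) -> Optional[Packet]:
    """The interface ACL is checked on the global address, then the static
    un-translates.  Returns the packet delivered inside, or None if dropped."""
    if not acl_permits(inbound_acl, p):
        return None
    return nat_inbound(statics, p)


# Constructed values matching the reply: two of the port statics on Maui-PIX02.
STATICS = [
    Static("172.22.112.10", 80, "172.16.1.10", 80),
    Static("172.22.112.11", 80, "172.16.1.11", 80),
]
# Crypto ACL written with the inside-local address (wrong) ...
CRYPTO_LOCAL = [Ace("tcp", "172.16.1.10/32", "10.1.1.0/24", sport=80)]
# ... and with the inside-global address (what access-list 111 should use).
CRYPTO_GLOBAL = [Ace("tcp", "172.22.112.10/32", "10.1.1.0/24", sport=80)]
# Inbound interface ACL "toftp" for one server.
TOFTP = [Ace("tcp", "0.0.0.0/0", "172.22.112.10/32", dport=80)]


def demo():
    """Server reply from 172.16.1.10:80 to a 10.1.1.x client: is it encrypted?"""
    reply = Packet("tcp", "172.16.1.10", 80, "10.1.1.5", 40000)
    _, enc_local = outbound_path(STATICS, CRYPTO_LOCAL, reply)
    _, enc_global = outbound_path(STATICS, CRYPTO_GLOBAL, reply)
    return enc_local, enc_global


if __name__ == "__main__":
    print("crypto ACL on inside-local / inside-global encrypts:", demo())
```

Running the module prints (False, True): the reply leaves in the clear when the crypto ACL names 172.16.1.10, because by the time the ACL is consulted the source has already become 172.22.112.10.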