09-22-2004 04:53 AM - edited 02-21-2020 01:21 PM
I have a 10.0.0.0 network over here which is connected to the internet through a PIX Firewall and a Cisco Router.
The other remote branch has a 172.168.0.0 network which connects to the internet through a Cisco Router.
Now I want to create an IPSec tunnel between the 2 offices. I want to create it between the 2 routers since both routers have VPN 3DES software.
I don't want to use the PIX Firewall in my main office for VPN.
I have got the config examples for creating an IPSec tunnel between 2 routers.
But I have to know whether the PIX on my main site will allow the traffic from the 10.x.x.x network to the 172.x.x.x network to reach the router for the tunnel creation.
And also I have to make sure that the traffic coming from the 172.x.x.x network comes inside my network through the firewall.
What are the necessary things to be taken care of while doing a setup like this?
Please check this link for the network diagram.
09-22-2004 05:32 AM
I am not clear from your message whether the PIX is on the outside and the router is between it and the 10.0.0.0 network or whether the router is on the outside and the PIX is between it and the 10.0.0.0 network. The answer of how it would work would be different depending on the placement of the PIX.
If the PIX is on the outside then there are a couple of requirements for the IPSec VPN to work:
- the two routers must have IP connectivity between each other. The PIX must allow traffic sourced from one router to get to the destination of the other router.
- If the PIX is doing address translation it will need a static entry for translating the address of the router.
- the PIX must permit UDP port 500 traffic between the two routers for ISAKMP negotiation.
- the PIX must permit the encapsulated traffic which will be IP protocol 50 for ESP or 51 for AH.
HTH
Rick
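The PIX-on-the-outside requirements above, written out as a PIX 6.x configuration fragment; this is an added example, not from Rick's post or from Cisco documentation, and the addresses are placeholders assumed here: the local tunnel router at 10.0.0.1 behind the PIX, a static public address 203.0.113.10 for it on the PIX outside interface, and the remote branch router at public address 198.51.100.1.

```text
! Added example (placeholder addresses), not from the thread.
! Case: PIX on the outside, tunnel router 10.0.0.1 sits between it and 10.0.0.0.

! 1. IP connectivity + translation: a one-to-one static so the local router
!    is always reachable at the same public address. ESP carries no ports,
!    so it cannot be shared through PAT; a static is the safe choice.
static (inside,outside) 203.0.113.10 10.0.0.1 netmask 255.255.255.255

! 2. Inbound on the outside interface: only the remote peer, and only
!    IKE (UDP 500, port literal "isakmp") and the IPSec encapsulation.
!    Traffic from 172.168.0.0 to 10.0.0.0 rides inside ESP, so the PIX
!    never needs a rule for those private networks.
access-list outside_in permit udp host 198.51.100.1 host 203.0.113.10 eq isakmp
access-list outside_in permit esp host 198.51.100.1 host 203.0.113.10
! AH (IP protocol 51) only if the transform set actually uses it:
! access-list outside_in permit ah host 198.51.100.1 host 203.0.113.10
access-group outside_in in interface outside

! 3. Outbound: with the static in place, the local router can initiate to
!    198.51.100.1 under the PIX's default inside-to-outside policy.
```

Hit counts from `show access-list outside_in` show whether IKE and ESP from the peer are actually arriving, and `show xlate` confirms the static translation is active.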
09-22-2004 09:31 PM
09-23-2004 06:08 AM
In this case there is no interaction between the PIX and the IPSec tunnel. Configuration of the IPSec tunnel would be a normal configuration which is well described in the Cisco documentation and would not be impacted by the presence of the PIX.
The PIX will see 10.0.0.0 as its inside network and 202.1.1.0 as its outside network. It would see traffic from 182.168.1.0 as coming from some network beyond the public interface and will not be aware of the VPN at all.
HTH
Rick
09-23-2004 09:41 PM
So will I have to open the traffic in the PIX for the traffic coming from the 182.168.x.x network to the 10.x.x.x network?
And for not NATting the traffic from the 10.x.x.x network to the 186.x.x.x network, should I put nat 0?
Any routes to be given on the PIX saying that the 182.x.x.x network is on the outside?
09-28-2004 02:39 AM
I think you did not understand what you are going to do.
First, let us be clear:
Are you going to make a tunnel between your edge router and the other router? If yes, then you do not need to worry about the PIX firewall. If you want to build a tunnel between the PIX and the router, then you will have to open the required ports like UDP 500 and tcp 50 or 51, whatever encapsulation you are using.