IPsec tunnel Router to Router

Shobith K
Level 1

I have a 10.0.0.0 network here which is connected to the internet through a PIX Firewall and a Cisco Router.

The other remote branch has a 172.168.0.0 network which connects to the internet through a Cisco Router.

Now I want to create an IPsec tunnel between the 2 offices. I want to create it between the 2 routers since both routers have the VPN 3DES software.

I don't want to use the PIX Firewall in my main office for the VPN.

I have got the config examples for creating an IPsec tunnel between 2 routers.

But I have to know whether the PIX on my main site will allow the traffic from the 10.x.x.x network to the 172.x.x.x network to reach the router for the tunnel creation.

And also I have to make sure that the traffic coming from the 172.x.x.x network comes inside my network through the firewall.

What are the necessary things to be taken care of while doing a setup like this?

Please check this link for the network diagram:

http://www.shobithk.id.au

5 Replies

Richard Burts
Hall of Fame

I am not clear from your message whether the PIX is on the outside and the router is between it and the 10.0.0.0 network, or whether the router is on the outside and the PIX is between it and the 10.0.0.0 network. The answer to how it would work would be different depending on the placement of the PIX.

If the PIX is on the outside then there are a couple of requirements for the IPsec VPN to work:

- the two routers must have IP connectivity between each other. The PIX must allow traffic sourced from one router to get to the destination of the other router.

- if the PIX is doing address translation it will need a static entry for translating the address of the router.

- the PIX must permit UDP port 500 traffic between the two routers for ISAKMP negotiation.

- the PIX must permit the encapsulated traffic, which will be IP protocol 50 for ESP or 51 for AH.

HTH

Rick

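The four requirements in the reply above (reachability, a static translation for the router, UDP 500 for ISAKMP, and IP protocol 50/51 for ESP/AH) map onto a short PIX 6.x configuration for the "PIX on the outside, VPN router behind it" placement. This is an added example, not configuration from the thread or from Cisco; all addresses are assumed placeholders (203.0.113.10 for the PIX outside address that the remote peer will talk to, 10.0.0.2 for the local VPN router, 198.51.100.20 for the remote branch router), and the `!` lines are annotations rather than PIX commands.

```cisco
! Added example: PIX 6.x, PIX is the edge device, IPsec router sits behind it.
! Assumed placeholder addresses:
!   203.0.113.10  = public address the remote peer will use for our router
!   10.0.0.2      = inside (real) address of our VPN router
!   198.51.100.20 = public address of the remote branch router

! 1. Static one-to-one translation so the remote peer can reach our router.
!    ESP and AH carry no port numbers, so only a static (not PAT) translation works.
static (inside,outside) 203.0.113.10 10.0.0.2 netmask 255.255.255.255

! 2. Permit ISAKMP (UDP 500) from the remote peer only, not from the whole internet.
access-list outside_in permit udp host 198.51.100.20 host 203.0.113.10 eq isakmp

! 3. Permit the encapsulated tunnel traffic: ESP is IP protocol 50, AH is IP protocol 51.
access-list outside_in permit esp host 198.51.100.20 host 203.0.113.10
access-list outside_in permit ah  host 198.51.100.20 host 203.0.113.10

! 4. If the routers negotiate NAT traversal, the tunnel moves to UDP 4500 instead of ESP;
!    permit it as well so the tunnel does not fail after the NAT detection phase.
access-list outside_in permit udp host 198.51.100.20 host 203.0.113.10 eq 4500

access-group outside_in in interface outside
```

Two checks worth doing after pasting this in: `show xlate` should show the static entry for 10.0.0.2, and `show access-list outside_in` hit counts should increment on the isakmp line when the remote router starts negotiating. Restricting every line to the single remote peer, rather than `any`, keeps the PIX from exposing the router's IKE service to the whole internet.
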
The scenario is that the router is on the outside and the PIX is between the router and the 10.x.x.x network. I am attaching the network diagram here.

In this case there is no interaction between the PIX and the IPSec tunnel. Configuration of the IPSec tunnel would be a normal configuration which is well described in the Cisco documentation and would not be impacted by the presence of the PIX.

The PIX will see 10.0.0.0 as its inside network and 202.1.1.0 as its outside network. It would see traffic from 182.168.1.0 as coming from some network beyond the public interface and will not be aware of the VPN at all.

HTH

Rick

So will I have to open the traffic in the PIX for the traffic coming from the 182.168.x.x network to the 10.x.x.x network?

And for not NATting the traffic from the 10.x.x.x network to the 186.x.x.x network, should I put nat 0?

Any routes to be given on the PIX saying that the 182.x.x.x network is on the outside?

I think you did not understand what you are going to do.

First let us be clear.

Are you going to make the tunnel between your edge router and the other router? If yes, then you do not need to worry about the PIX firewall. If you want to build the tunnel between the PIX and the router, then you will have to open the required ports like UDP 500 and TCP 50 or 51, whatever encapsulation you are using.
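For the placement the original poster confirmed (router on the outside terminating the tunnel, PIX between the router and the 10.x.x.x LAN), the tunnel itself does not touch the PIX, but the decrypted LAN-to-LAN traffic still crosses it in cleartext, which is exactly what the three follow-up questions (outside ACL, nat 0, routes) are about. The following PIX 6.x fragment is an added example, not configuration from the thread or from Cisco. It assumes the addressing Rick used (202.1.1.0 as the PIX outside network, 182.168.1.0/24 as the remote LAN), a /8 mask for 10.0.0.0, a PIX outside address of 202.1.1.2 and a router inside address of 202.1.1.1; the `!` lines are annotations rather than PIX commands.

```cisco
! Added example: PIX 6.x, edge router terminates the IPsec tunnel, PIX sits inside it.
! Assumed placeholder addressing:
!   10.0.0.0/8      = local LAN behind the PIX (mask assumed)
!   182.168.1.0/24  = remote branch LAN reached through the router's tunnel (mask assumed)
!   202.1.1.1       = router's inside address, PIX's default gateway
!   202.1.1.2       = PIX outside address

! 1. nat 0: exempt LAN-to-LAN traffic from translation so the remote site sees real
!    10.x addresses and the router's crypto ACL matches the untranslated source.
access-list nonat permit ip 10.0.0.0 255.0.0.0 182.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat

! 2. Outside ACL: the remote LAN arrives on the PIX outside interface in cleartext,
!    so it must be explicitly permitted inbound like any other outside source.
access-list outside_in permit ip 182.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-group outside_in in interface outside

! 3. Routes: no route specific to 182.168.1.0 is needed; the default route already
!    points at the router, and the router's crypto map decides what enters the tunnel.
route outside 0.0.0.0 0.0.0.0 202.1.1.1 1
```

One caveat a practitioner will want here: because the PIX only sees cleartext, it cannot distinguish packets the router decrypted from the tunnel from packets that arrived from the internet with a spoofed 182.168.1.0 source. That anti-spoofing check belongs on the router's outside interface (drop anything with a 182.168.1.0 source that did not come out of the IPsec tunnel), since the PIX outside ACL above will accept either.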