Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
356
Views
5
Helpful
5
Replies

site to site vpn

Go to solution
tonny_ecmyy
Level 1
Level 1

‎01-09-2005 11:17 PM - edited ‎02-21-2020 01:32 PM

Hi there,

Can I establish site to site vpn tunnel using only 1 fixed public IP? For Example:

My HQ Has 1 fixed public IP 218.xxx.xxx.161 (outside firewall address)

My other branch using Dynamic Public IP.

Can I do this with pix firewall and i have no idea to configure it...need your expertise to guide...

Thanks for helping beginner

Tonny

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions
5 Replies 5

Go to solution
tonny_ecmyy
Level 1
Level 1
In response to nkhawaja

‎01-10-2005 11:37 PM

Hello There...

I just purchased one pix 501 yesterday and configure it using the documentation link above which is configuring pix to pix dynamic to static IPSec with NAT, but...still unable to establish the site to site vpn.

at the moment, I have 8 branches now using vpn client to dial up to pix 506e vpn at HQ which have Fixed IP, now I want to use site to site vpn..still testing it...but unsuccessful...

Here I attach my config for 506e and 501, Many mistakes I guess...please correct me...

thanks

your help is highly appreciated...

Tonny

Preview file
3 KB
0 Helpful

Go to solution
tonny_ecmyy
Level 1
Level 1
In response to tonny_ecmyy

‎01-11-2005 12:08 AM

and this is show crypto sa

interface: outside

Crypto map tag: mymap, local addr. 10.0.0.194

local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

current_peer: 218.xxx.xxx.161:0

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 60, #recv errors 0

local crypto endpt.: 10.0.0.194, remote crypto endpt.: 218.xxx.xxx.161

path mtu 1500, ipsec overhead 0, media mtu 1500

current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

Thanks

Tonny

0 Helpful

Go to solution
tonny_ecmyy
Level 1
Level 1
In response to tonny_ecmyy

‎01-12-2005 10:37 PM

At last...my headache is over. The problem is solve. I want to ask final question on this topic,

What is the differences between:

access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

and

access-list 100 permit ip host 192.168.1.0 192.168.2.0 255.255.255.0

because when i entered access-list permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

the PDM says PDM has encoutered a firewall configuration statement that PDM does not support.

Anyway thanks,

Tonny

0 Helpful

Go to solution
sachinraja
Level 9
Level 9
In response to tonny_ecmyy

‎01-12-2005 10:53 PM

Hi tonny,

when you give the source IP as a network like 192.168.1.0 255.255.255.0, any IP on that particular network can go through the firewall. When you want to restrict to a particular host, you give the "host" parameter, which is equivalent to a 255.255.255.255 subnet mask.

access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

any host on the 192.168.1.0/24 network can access 192.168.2.0/24 subnet

access-list 100 permit ip host 192.168.1.1 192.168.2.0 255.255.255.0

access to 192.168.2.0/24 network is given only to the host 192.168.1.1

hope this helps.. all the best..

Raj

Customers Also Viewed These Support Documents