581 Views · 0 Helpful · 5 Replies

Site-to-Site VPN

jacquesd
Level 1

Hi all,

I need to set up a site-to-site vpn over the internet with private addresses on both ends and pix 515 7.0. We do not want to use NAT.

Phase 1 and 2 completes, using the private addresses at both ends in the crypto maps.

According to some docs, the only config I need to do now is 'nat 0 access-list'.

My question now is, how does the routing work? I read in another post that I should have an explicit static route for the remote private network which points to my perimeter router. Is this correct? Will the perimeter router see a destination of the remote peer or the remote private network?

Thanks!

Jacques

5 Replies

jsawa
Level 1

If you are using NAT on the PIX then you will need to exclude those networks in your nat 0 access-list. As for the routing, if your perimeter routers are sending all traffic to the PIX then you will not need a static route, as the PIX will see the destination and route it over the tunnel because it was included in the encryption domain.

Hope this helps. -John

Basically you need two configurations (other than the IPSec parameters) to make this work. First you need to tell the PIX which traffic it should consider as 'interesting' and consequently encrypt. You do that by creating an access-list, something like this:

access-list 100 permit ip <local-net> <local-mask> <remote-net> <remote-mask>

Then you bind this access-list to the crypto map.

The second configuration you have to do is to tell the PIX not to NAT the site-to-site traffic. You can do this via:

nat (inside) 0 access-list 100

where 100 is the number of the access-list that identifies the traffic between two sites. Note that you can use the same access-list for both the crypto-map and the no nat configurations.

Please go through the following link for further explanation and configuration examples.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

And to answer your question on whether the perimeter routers need to be aware of any routes to the private subnets: no, it is not required as long as the VPN tunnel is between the two PIXes.
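The two pieces of configuration Atif describes (the crypto access-list bound to the crypto map, and the same list reused for the nat 0 exemption), together with the routing point John makes, shown as one PIX 7.0 configuration fragment. This is an added example, not configuration posted in the thread; the interface names, the 10.1.1.0/24 and 10.2.2.0/24 private networks, the public addresses 203.0.113.2 and 198.51.100.2, the perimeter-router next hop 203.0.113.1 and the policy names are constructed values, and the isakmp/transform-set lines are placeholders for the Phase 1 and Phase 2 parameters the question says are already negotiating.

```cisco
! --- Constructed example: local PIX 515 (7.0), local LAN 10.1.1.0/24,
! --- remote LAN 10.2.2.0/24 behind peer PIX 198.51.100.2.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0

! 1. Interesting traffic: private-to-private, no NAT on either end.
!    PIX ACLs use normal subnet masks, not wildcard masks.
access-list 100 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! 2. NAT exemption with the same list, so the inside source address is
!    carried unchanged into the tunnel. Only needed if a nat/global pair
!    (such as the PAT below for ordinary Internet traffic) exists.
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Routing: no static route for 10.2.2.0/24 is needed. A packet for
! 10.2.2.x matches the default route, is sent out "outside", and is
! caught there by the crypto map because it matches access-list 100.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Phase 1 placeholders (already working per the question).
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key <replace-with-strong-shared-secret>

! Phase 2 placeholders: the crypto map binds ACL 100 to the peer.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address 100
crypto map OUTSIDE_MAP 10 set peer 198.51.100.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! Let decrypted tunnel traffic bypass the outside interface ACL
! (7.0 keyword; renamed permit-vpn in later releases).
sysopt connection permit-ipsec
```

After the tunnel is up, `show crypto ipsec sa` on the PIX should show the encaps and decaps counters increasing for the 10.1.1.0/24 to 10.2.2.0/24 pair. The perimeter router only ever sees the outer header of the encrypted packets, source 203.0.113.2 and destination 198.51.100.2 (ESP, plus UDP/500 for ISAKMP), so it needs no route to either private network, which is why John and Atif say the static route is unnecessary; conversely, a packet for 10.2.2.x that does not match ACL 100 would leave the PIX unencrypted with a private destination, so keeping the crypto ACL and the nat 0 ACL identical is what prevents that leak.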

Hi Atif,

The VPN setup works fine, I was just a bit unsure about how the pix will know how to route to the destination private network (the ones I have done so far all used NAT). I see that the crypto maps identify how to reach the destination.

Thanks for your help!

Jacques

Yes, the crypto map defines the interesting traffic to be encapsulated, and the tunnel takes care of the delivery. Glad to hear that your VPN is working for you.

Atif

Hi John,

I was hoping the crypto map would identify how to reach the destination private networks. I tried it and it works fine.

Thanks for your help!

Jacques