01-09-2005 11:17 PM - edited 02-21-2020 01:32 PM
Hi there,
Can I establish a site-to-site VPN tunnel using only 1 fixed public IP? For example:
My HQ has 1 fixed public IP 218.xxx.xxx.161 (outside firewall address)
My other branch is using a dynamic public IP.
Can I do this with a PIX firewall? I have no idea how to configure it... need your expertise to guide me...
Thanks for helping a beginner
Tonny
Solved! Go to Solution.
01-09-2005 11:28 PM
Hi,
Check these links out
thanks
Nadeem
01-10-2005 11:37 PM
Hello There...
I just purchased one PIX 501 yesterday and configured it using the documentation link above, which is configuring PIX to PIX dynamic-to-static IPsec with NAT, but... still unable to establish the site-to-site VPN.
At the moment I have 8 branches using the VPN client to dial up to the PIX 506E VPN at HQ, which has a fixed IP; now I want to use site-to-site VPN... still testing it... but unsuccessful...
Here I attach my config for the 506E and 501. Many mistakes I guess... please correct me...
thanks
your help is highly appreciated...
Tonny
01-11-2005 12:08 AM
and this is the show crypto sa output:
interface: outside
Crypto map tag: mymap, local addr. 10.0.0.194
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 218.xxx.xxx.161:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 60, #recv errors 0
local crypto endpt.: 10.0.0.194, remote crypto endpt.: 218.xxx.xxx.161
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Thanks
Tonny
01-12-2005 10:37 PM
At last... my headache is over. The problem is solved. I want to ask a final question on this topic:
What is the difference between:
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
and
access-list 100 permit ip host 192.168.1.0 192.168.2.0 255.255.255.0
because when I entered access-list permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
the PDM says "PDM has encountered a firewall configuration statement that PDM does not support."
Anyway thanks,
Tonny
01-12-2005 10:53 PM
Hi Tonny,
When you give the source IP as a network like 192.168.1.0 255.255.255.0, any IP on that particular network can go through the firewall. When you want to restrict it to a particular host, you give the "host" parameter, which is equivalent to a 255.255.255.255 subnet mask.
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
any host on the 192.168.1.0/24 network can access 192.168.2.0/24 subnet
access-list 100 permit ip host 192.168.1.1 192.168.2.0 255.255.255.0
access to 192.168.2.0/24 network is given only to the host 192.168.1.1
Hope this helps. All the best.
Raj
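To make the network-versus-host distinction in Raj's answer concrete, here is a small evaluator for PIX-style access-list lines. It is an added example written for this page, not code from the thread or from Cisco. It parses the two address forms discussed ('A.B.C.D M.M.M.M' with a real subnet mask, and 'host A.B.C.D' as shorthand for a 255.255.255.255 mask), evaluates packets top-down with first match and the implicit deny PIX applies when nothing matches, and rejects an IOS-style wildcard mask such as 0.0.0.255, which PIX does not accept. The sample ACL lines and packet addresses are constructed; only protocol 'ip' (no port clauses) is handled, which is all the crypto ACL in the thread uses. A check worth keeping in mind: "host 192.168.1.0" as typed in the question is a single /32 on the network address, so no real host on that LAN matches it, and a crypto map using that ACL would encrypt nothing.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network   # source match, as a prefix
    dst: ipaddress.IPv4Network   # destination match, as a prefix


def _is_netmask(mask):
    """True for a contiguous subnet mask like 255.255.255.0; False for an
    IOS-style wildcard such as 0.0.0.255, which PIX does not use."""
    bits = int(ipaddress.IPv4Address(mask))
    return "0" not in bin(bits)[2:].zfill(32).rstrip("0")


def _parse_addr(tokens, i):
    """Consume one PIX address spec starting at tokens[i] and return
    (network, next_index). Forms: 'any', 'host A.B.C.D', 'A.B.C.D M.M.M.M'.
    'host' is shorthand for a 255.255.255.255 mask."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    mask = tokens[i + 1]
    if not _is_netmask(mask):
        raise ValueError("PIX expects a subnet mask, not a wildcard: " + mask)
    # strict=True rejects host bits set under the mask (e.g. 192.168.1.1
    # 255.255.255.0), which is nearly always a typo in a crypto ACL.
    return ipaddress.IPv4Network(tok + "/" + mask, strict=True), i + 2


def parse_acl_line(line):
    """Parse 'access-list <id> <permit|deny> ip <src> <dst>'.
    Only protocol 'ip' is handled (no port clauses)."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    acl_id, action, proto = t[1], t[2], t[3]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError("unsupported action/protocol: " + line)
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    if i != len(t):
        raise ValueError("unparsed tokens: " + " ".join(t[i:]))
    return acl_id, AclEntry(action, src, dst)


def evaluate(acl_lines, src_ip, dst_ip):
    """Top-down, first-match evaluation with the implicit deny PIX applies
    when no entry matches. Returns (action, matching line or None)."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for line in acl_lines:
        _, e = parse_acl_line(line)
        if s in e.src and d in e.dst:
            return e.action, line
    return "deny", None


# Constructed sample ACLs: the two forms compared in the thread.
NETWORK_ACL = ["access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0"]
HOST_ACL = ["access-list 100 permit ip host 192.168.1.1 192.168.2.0 255.255.255.0"]

if __name__ == "__main__":
    for name, acl in (("network", NETWORK_ACL), ("host", HOST_ACL)):
        for src in ("192.168.1.1", "192.168.1.7"):
            print(name, src, "->", evaluate(acl, src, "192.168.2.20")[0])
    # 'host 192.168.1.0' as typed in the question is a single /32: the
    # network address itself, so no real host on the LAN matches it.
    typo = "access-list 100 permit ip host 192.168.1.0 192.168.2.0 255.255.255.0"
    print(parse_acl_line(typo)[1].src)
```

When the same ACL is referenced by a crypto map (match address), it also defines which traffic is encrypted, so an entry that matches only one host, or only the network address, leaves the rest of the LAN in the clear or unable to reach the far side at all; the peer's ACL should be the mirror image of this one.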