-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Price, Jamie
Sent: Wednesday, August 23, 2000 3:36 PM
To: [EMAIL PROTECTED]
Subject: Pix VPN

Hi Guys,
Although the Pix is not on the R&S lab I am hoping someone can help me out.
I want to set up a Pix to Pix VPN (I admit this is a real lifer - I have a client that wants a VPN between Pixs to their client). I want traffic from all hosts on site A to be encrypted when destined for specific hosts at site B and vice versa, traffic from all hosts on site B to be encrypted when destined for specific hosts on site A. I'm having a bit of a blockage though when trying to prepare for the upcoming configs. I've looked all over CCO but can't seem to find the answer I'm looking for.
According to the docs, when you create the access-list used for determining traffic to be encrypted, it is formed as thus:
The source address range (or host if desired) is derived from the network attached to the inside interface of the local Pix.
The destination address range (or host) is derived from the network attached to the inside interface of the remote Pix.
This is the important question.
What if you don't want to reveal your internal range to the remote site (assume the other end is untrusted and you are limiting their inbound traffic to one port/one host via a conduit)? Can you specify the destination in your access-list as the external (statically translated) address that is configured within the Pix for that host?
Also, and this is not the case in this scenario but a spin-off question, what if both sites are running internal ranges that are non-routable and overlapping - i.e. they both are using 10.1.1.x internally (I realize there are some configuration steps for overlapping addresses within IOS NAT but can the same be applied to a Pix?). I guess I'm having problems comprehending how a packet can cross the Internet to a private non-routable address. Or am I on the wrong track - is maybe all traffic destined for that range actually sent to the peer address which is the external address of the Pix - but then wouldn't that cause a problem if both internal ranges were the same?
Hopefully someone can help out - but be warned, I'm keen to get a good grasp on this so the thread may drag out :) Reply to me personally if you like rather than to the group.
Thanks
Jamie
Hi. I am interested in helping you with your problem.

To address the point of revealing internal address ranges... well if the traffic is destined for the remote network then they already know the remote address range don't they? In order to do a VPN the address needs to be the inside address of the pix. Of course you could toss a router behind the pix and do NAT after the VPN address leaves the pix, but a good acl and security policy could be used to tighten down the access.

IPSEC encapsulates the packet before it leaves the outside interface of the pix, so for example, IF a packet from 10.101.0.2 is traveling over an IPSEC VPN to 10.102.0.4, the entire packet is encapsulated and sent outside of the public interface of the pix to the remote peer. At this point the packet is then decapsulated and forwarded out the clean interface of the pix to its destination. The problem you would run into if both networks are the same is if you have a device active on both sides of the network with the same IP address. You could however, set up a router to do NAT before the packets are encapsulated.

I hope this helps... if you have any questions go ahead and e-mail me.
--
Kevin Welch
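The two points Kevin makes (the whole inner packet is encapsulated and only the public peer addresses travel across the Internet, and overlapping inside ranges only work if one side is translated before encapsulation) can be traced through with a small model of the forwarding path. This is an added illustration, not code from the thread or from the PIX; the site names, the RFC 5737 documentation addresses, the network-to-network static translation and the crypto-ACL shape are all constructed for the example. Real ESP is replaced by carrying the inner packet inside the outer one, since the point here is addressing, not the cipher.

```python
"""Model of site-to-site IPsec tunnel-mode forwarding with static translation
applied before encapsulation. Constructed example; it is not PIX code."""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Packet:
    src: str
    dst: str
    payload: str


@dataclass
class Site:
    name: str
    inside_net: Net       # network on the inside interface
    translated_net: Net   # what the inside net is statically translated to
    public_addr: str      # outside interface address, i.e. the IPsec peer address
    crypto_acl: list      # (src_net, dst_net) pairs selecting traffic to encrypt

    def translate(self, addr: str) -> str:
        """Inside -> translated address, host part preserved (static NAT)."""
        return _map(addr, self.inside_net, self.translated_net)

    def untranslate(self, addr: str) -> str:
        """Translated -> inside address for traffic arriving from the tunnel."""
        return _map(addr, self.translated_net, self.inside_net)

    def acl_match(self, src: str, dst: str) -> bool:
        return any(IPv4(src) in s and IPv4(dst) in d for s, d in self.crypto_acl)


def _map(addr: str, from_net: Net, to_net: Net) -> str:
    if IPv4(addr) not in from_net:
        return addr
    offset = int(IPv4(addr)) - int(from_net.network_address)
    return str(IPv4(int(to_net.network_address) + offset))


def host_routing(site: Site, pkt: Packet) -> str:
    """A host only hands a packet to its gateway (the PIX) when the destination
    is off its own subnet; a same-subnet destination is resolved locally."""
    return "local" if IPv4(pkt.dst) in site.inside_net else "gateway"


def send(site: Site, peer: Site, pkt: Packet):
    """Inside -> outside: translate, evaluate the crypto ACL, encapsulate.
    Returns the outer packet, or None when nothing is sent through the tunnel."""
    if host_routing(site, pkt) == "local":
        return None  # never reaches the PIX at all
    inner = Packet(site.translate(pkt.src), pkt.dst, pkt.payload)
    if not site.acl_match(inner.src, inner.dst):
        return None  # not selected for encryption
    # Tunnel mode: the whole inner packet is the ESP payload; in transit only
    # the outer header with the two public peer addresses is visible.
    return {"src": site.public_addr, "dst": peer.public_addr,
            "proto": "ESP", "inner": inner}


def receive(site: Site, outer: dict):
    """Outside -> inside at the remote peer: decapsulate, check the mirror ACL
    (source and destination swapped), undo the static translation, forward."""
    inner = outer["inner"]
    if outer["dst"] != site.public_addr:
        return None
    if not site.acl_match(inner.dst, inner.src):
        return None
    return Packet(inner.src, site.untranslate(inner.dst), inner.payload)


# Both sites use 10.1.1.0/24 inside (the overlapping case from the question).
# Each is translated to a distinct range before encapsulation, and the crypto
# ACLs are written in terms of the translated addresses.
SITE_A = Site("A", Net("10.1.1.0/24"), Net("198.51.100.0/24"), "203.0.113.1",
              [(Net("198.51.100.0/24"), Net("192.0.2.10/32"))])
SITE_B = Site("B", Net("10.1.1.0/24"), Net("192.0.2.0/24"), "203.0.113.2",
              [(Net("192.0.2.10/32"), Net("198.51.100.0/24"))])


def demo() -> dict:
    """Walk one packet from a host at A to the selected host at B."""
    outer = send(SITE_A, SITE_B, Packet("10.1.1.20", "192.0.2.10", "hello"))
    delivered = receive(SITE_B, outer)
    return {"wire": (outer["src"], outer["dst"], outer["proto"]),
            "seen_by_B_host": (delivered.src, delivered.dst)}


if __name__ == "__main__":
    print(demo())
    # A host at A addressing B's real 10.1.1.10 never leaves its own subnet:
    print(send(SITE_A, SITE_B, Packet("10.1.1.20", "10.1.1.10", "x")))
```

Running `demo()` shows the packet on the wire as 203.0.113.1 to 203.0.113.2 ESP, and the host at B receiving it from 198.51.100.20, so B learns only A's translated range. The second call shows the overlap problem in its simplest form: a host at A sending to 10.1.1.10 treats it as a local neighbour and the packet never reaches the PIX, which is why the translation has to happen before encapsulation.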