CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
I need to set up a VPN between our CP site in London and a Cisco PIX site in the USA.

1st Scenario: USA (Ua and Ub) need to access 2 servers (a and b) in London.
2nd Scenario: London servers (a and b) need to access 2 other servers (U1 and U2) in the USA.

I have created 6 nodes and put nodes a and b into group ab, nodes Ua and Ub into group Uab, and nodes U1 and U2 into group U12. The following rule base has been set up:

source <> dest
Uab <> ab <> xvpn <> svc <> accept
ab <> U12 <> xvpn <> svc <> accept

In creating the Interoperable Device for the USA FW, I put the groups Uab and U12 into yet another group (USAgrp) and placed this as the VPN domain.

Question 1: Is this allowed and is it correct? This is because I need the FW to work for both sets of USA groups.

Question 2: As of now, with the above configured with just one group in the VPN domain, the VPN is not being formed at all. I have enabled ping and I can see pings from ab getting to U12 but being dropped. What am I doing wrong?

Encryption being used:
IKE - 3DES, MD5
IPSEC - AES128, MD5
IPSEC (Phase 2) - use PFS, Group 2, 1024 bits

Thanks for your help.

Last edited by 1q2w3e; 2006-02-22 at 01:54.
Answer to Question 1: Yes, that is good.

Answer to Question 2: Need more information. Is the tunnel being formed, or do you see SA errors? Are the pings being encrypted? What is the drop message exactly?
Do you use the Cisco samples from http://www.cisco.com/en/US/tech/tk58...800ef796.shtml ? That one is straightforward.
Thanks. The tunnel is not being formed at all. We are NOT using traditional mode, so on the Checkpoint NG FW-1/VPN-1 AI there is nowhere for me to specify that I am connecting to a PIX FW. I am using a site-to-site Star configuration. The ping drop is from a default deny-all in the last rule. Thanks.
I advise you to use subnet-to-subnet encryption rules instead of host-to-host. These types of rules are easy to maintain and troubleshoot. Use access lists (on the PIX) and the rule base on CP to restrict communication to host-to-host. PIX to CP VPN definitely works; a lot of people have already done it (simplified or traditional mode). Use a demo stand to test it. It is not hard to find a $500 PIX 501. What version of PIX are you using?
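Added example, not from the thread or from Check Point or Cisco: a small Python model of why the subnet-to-subnet advice above matters for Phase 2. A Check Point VPN domain built from host objects proposes one host-pair selector per flow, while a PIX crypto ACL written subnet-to-subnet only matches the subnet pair; the model assumes the peer accepts only a selector identical to one of its ACL lines (the usual IKEv1 quick-mode behaviour), and all addresses are constructed placeholders.

```python
import ipaddress
from itertools import product

Net = ipaddress.IPv4Network

# Constructed sample addressing (placeholders, not from the thread).
LONDON_AB = {Net("10.1.1.10/32"), Net("10.1.1.11/32")}      # servers a and b
LONDON_NET = Net("10.1.1.0/24")                             # subnet holding a and b
USA_U12 = {Net("192.168.6.30/32"), Net("192.168.6.31/32")}  # servers U1 and U2
USA_NET = Net("192.168.6.0/24")                             # subnet holding U1 and U2


def host_pair_selectors(local_hosts, remote_hosts):
    """Phase 2 selectors a gateway whose VPN domain is built from host
    objects proposes: one (local, remote) pair per host combination."""
    return set(product(local_hosts, remote_hosts))


def mirrored_acl(pix_acl):
    """A PIX crypto ACL is written from the PIX side as (pix_local, pix_remote);
    flip each line so it can be compared with what the Check Point side sends."""
    return {(remote, local) for local, remote in pix_acl}


def phase2_outcome(cp_selectors, pix_acl):
    """Split Check Point's proposals into those the PIX accepts and those it rejects.
    Assumption: the peer accepts only a selector identical to one of its crypto
    ACL lines (no narrowing to a smaller range), the usual IKEv1 quick-mode rule."""
    accepted = cp_selectors & mirrored_acl(pix_acl)
    return accepted, cp_selectors - accepted


def ike_params_agree(cp, pix):
    """Names of IKE/IPsec parameters whose values differ between the two peers."""
    return sorted(k for k in cp if cp[k] != pix.get(k))


# Scenario 2 from the thread: London a/b reaching USA U1/U2, written two ways on the PIX.
PIX_ACL_SUBNET = [(USA_NET, LONDON_NET)]
PIX_ACL_HOSTS = [(u, l) for u in USA_U12 for l in LONDON_AB]

if __name__ == "__main__":
    cp_hosts = host_pair_selectors(LONDON_AB, USA_U12)
    ok, bad = phase2_outcome(cp_hosts, PIX_ACL_SUBNET)
    print(f"host objects vs subnet ACL  : {len(ok)} accepted, {len(bad)} rejected")
    ok, bad = phase2_outcome({(LONDON_NET, USA_NET)}, PIX_ACL_SUBNET)
    print(f"subnet objects vs subnet ACL: {len(ok)} accepted, {len(bad)} rejected")
    # Phase 1 values from the thread on the CP side against a hypothetical PIX policy.
    print(ike_params_agree({"enc": "3des", "hash": "md5", "group": 2},
                           {"enc": "3des", "hash": "sha", "group": 2}))
```

When the host-object domain meets a subnet ACL every proposal is rejected, which shows up as a tunnel that never forms rather than a rule-base drop.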