Hi Guys,
Although the Pix is not on the R&S lab i am hoping someone can help me out.
I want to set up a Pix to Pix VPN (I admit this is a real lifer - I have a client that wants a VPN between Pixs to their client). I want traffic from all hosts on site A to be encrypted when destined for specific hosts at site B and vice versa, traffic from all hosts on site B to be encrypted when destined for specific hosts on site A. I'm having a bit of a blockage though when trying to prepare for the upcoming configs. I've looked all over CCO but can't seem to find the answer I'm looking for.
According to the docs, when you create tha access-list used for determing traffic to be encrypted, it is formed as thus:
The source address range (or host if desired) is derived from the network attached to the inside interface of the local Pix.
The destination address range (or host) is derived from the network attached to the inside interface of the remote Pix.
This is the important question.
What if you don't want to reveal your internal range to the remote site (assume the other end is untrusted and you are limiting their inbound traffic to one port/one host via a conduit). Can you specify the destination in your access-list as the external (statically translated) address that is configured within the Pix for that host??
Also, and this is not the case in this scenario but a spin off question, what if both sites are running the same internal ranges are non-routable and overlapping - i.e. they both are using 10.1.1.x internally (I realize there are some configuration steps for overlapping addresses within IOS NAT but can the same be applied to a Pix??). I guess I'm having problems comprehending how a packet can cross the Internet to a private nonroutable address. Or am I on the wrong track - is maybe all traffic destined for that range actually sent to the peer address which is the external address of the Pix - but then wouldn't that cause a problem if both internal ranges were the same?
Hopefully someone can help out - but be warned, I'm keen to get a good grasp on this so the thread may drag out :) Reply to me personally if you like rather than to the group.
Thanks
Jamie
