Ken,

I don't know of a CCO document off hand (other than a PIX manual) but had a
decent conversation with a TAC engineer a few weeks ago about NAT, VPN, PIX,
a 3015 VPN Concentrator and the way the two devices treat traffic that may
help you some as it did me.

The catalyst for the conversation was the reasoning behind why you need to
exclude inside addresses from being NAT-ted after defining what is
interesting traffic via an access list applied to your crypto map. In my
mind there should have been no reason to exclude the traffic from NAT since
it was destined for a tunnel.

The answer I was given is that a PIX's point of reference vs. a VPN
concentrator's point of reference are different. A PIX basically assumes
that everything is going to the Internet whereas a 3000 Series Concentrator
assumes everything will be tunneled. Consequently a PIX will want to NAT
before deciding whether a packet should be sent thru a tunnel and a 3000
Series Concentrator will look to see if the traffic is tunnel bound before
deciding to NAT.

That doesn't really answer your question but it has helped me to
conceptualize the way a PIX treats VPNs and has helped me troubleshoot one
problem already.

To answer your question more directly (and I may be wrong so the true gurus
can please feel free to correct me): IPSec Phase 1 authentication will come
to the PIX unencrypted but not pass to the inside network (since it only
sets up the tunnel there is no reason to send it inside). Once the tunnel is
set up (IKE Phase I authentication completes successfully), all traffic thru
the tunnel will pass encrypted thru the outside interface of the PIX, be
unencrypted, and sent into the inside network as normal packets.

I hope that at least helps some.

David Armstrong


"Ken Diliberto" wrote in message news:[EMAIL PROTECTED]...
> Does anyone happen to know a good CCO document describing the way the
> VPN option on the PIX integrates with the firewall?  I'm wondering if
> the VPN traffic passes the firewall encrypted or if it is unencrypted
> before the firewall.
>
> Now if only the PIX would transparent bridge...
>
> Thanks.
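A PIX 6.x configuration illustrating the NAT-exemption point above, added here as an example and not taken from either post. The inside network 10.1.1.0/24, the remote network 10.2.2.0/24, the peer address 203.0.113.2, the pre-shared key placeholder and the ACL/map names are all constructed; the `!` lines are annotations, not configuration.

```text
! Traffic definition used twice: once to exempt it from NAT, once to select it for the tunnel
access-list NONAT   permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN_ACL permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! The PIX translates before it consults the crypto map. Without the nat 0 exemption the
! crypto-map ACL would be compared against the translated (public) source address, never
! match, and the traffic would be sent to the Internet in the clear instead of the tunnel.
nat (inside) 0 access-list NONAT
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface

! Decrypted tunnel traffic bypasses the outside interface access-list; without this line
! the decrypted packets are still checked against the outside ACL like any other inbound traffic
sysopt connection permit-ipsec

! Phase 1 (ISAKMP/IKE): negotiated in the clear between the peers and terminated on the PIX,
! nothing from this exchange is forwarded to the inside network
isakmp enable outside
isakmp key <PRESHARED-KEY-PLACEHOLDER> address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2

! Phase 2 (IPSec): encrypted packets enter and leave on outside, decrypted packets are
! forwarded to the inside interface as ordinary traffic
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address VPN_ACL
crypto map VPNMAP 10 set peer 203.0.113.2
crypto map VPNMAP 10 set transform-set STRONG
crypto map VPNMAP interface outside
```

The NONAT and VPN_ACL entries must describe the same traffic: a mismatch between them is the usual cause of a tunnel that comes up (Phase 1 and 2 complete) while the inside hosts still cannot reach the remote network.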




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=52757&t=52729
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]