Pix-to-Pix (501's) VPN - PLEASE HELP!

Hey Experts -

I am having trouble figuring out how to set up a simple Pix-to-Pix VPN (both 501's with 6.3 and 3DES). I have a co-lo with one PIX, and my office with the other. Each PIX has its own LAN address.

Co-Lo: 10.1.1.x (fixed external IP)
Office: 10.1.0.x (dynamic external IP)

Each PIX acts as a gateway for its own LAN and can connect its respective LAN to the web without any trouble at all.

What I would REALLY like to do is build a 3DES VPN tunnel between these PIXes, and be able to transparently ping hosts on the peer's LAN as if they were all local. In other words, I would like to be able to ping 10.1.1.10 from the office LAN and get responses back as if it was all on the local LAN, ya know?

Obviously, ICMP is not the only thing I need, but you get the idea - the routing has to just WORK. Simultaneously, each PIX should route traffic NOT destined for its peer's LAN directly to the Internet.

Is this possible? If so, is anybody willing to give me a 5 minute lesson on how to set it up? Please note that the office PIX has a DYNAMIC routable address. Also, you should know that the co-lo PIX already has a PPTP VPN set up on it that works perfectly for SOHO users of our network. Man, it would be great if I could use the PDM to configure it all.

Thanks in advance for your help!

Reply to
mleppink

Oh I forgot, one more warning: I am pretty much a newbie, and only know about enough to get myself into trouble. I DO, however, understand the basics of TCP/IP and routing.

Reply to
Morgan L

In article , wrote:
:I am having trouble figuring out how to set up a simple Pix-to-Pix VPN
:(both 501's with 6.3 and 3DES). I have a co-lo with one PIX, and my
:office with the other. Each PIX has its own LAN address.
:Co-Lo: 10.1.1.x (fixed external IP)
:Office: 10.1.0.x (dynamic external IP)

:What I would REALLY like to do is build a 3DES VPN tunnel between these :PIXes, and be able to transparently ping hosts on the peer's LAN as if :they were all local.

:Is this possible?

No.

When one of the PIXes has a dynamic IP address, then you have to configure that PIX with a standard VPN tunnel definition, but the other end (which then *must* have a static IP) would have to be configured with a crypto dynamic map.

When the configuration is set up, then the side that has the dynamic IP can always get to the other side (barring configuration errors or network interruptions or ISP port filtering), but the side that has the fixed IP address can only reach the dynamic-addressed side if there is -already- a connection between the two.

For emphasis: the side with the dynamic IP *must* build the connection, and it is not possible for the side with the static IP to build the connection to the side with the dynamic IP (PIX will not do DNS lookup either.)

If you compare this to what you are asking for, the difference is that, though from your office to your co-lo would be transparent like you want, from your co-lo to your office would *not* be transparent if the link happened to be down.

If that situation is acceptable, then follow the instructions in the Cisco PIX reference documentation, user guide, or FAQs.

It is certainly possible to do it through PDM, but it's kind of boring to type in a bunch of "click there", "put in this number", "use the third menu item down" instructions.

Reply to
Walter Roberson

Donald -

Thanks for the assurance; what you propose is fine. The co-lo will serve as my "head office" and will not ever need to really access the other LAN anyway. The office can always establish the connection.

I have tried every possible combination for setting up the VPN using the PDM, and I guess I just don't get it. I have used the VPN Wizard on the co-lo side, setting it up as a "remote access VPN" since I don't have a fixed peer address, and THEN use the VPN Wizard at the office PIX to set up a "site-to-site" VPN, specifying the external fixed IP of the co-lo as the "peer." But the PIX establishes a tunnel, maintains it for a little less than a minute, drops the tunnel, and then re-establishes the tunnel immediately and keeps repeating this process. I suppose this is the effect of not having any traffic flowing. BUT, while the tunnel is established, I am unable to ping or access anything at the co-lo, AND my office PIX does not route anything to the Internet at all for me. The only way to get the Internet back, or any traffic at all, is to remove the VPN config from the office PIX.

Am I missing an ACL or something? I suspect this is it, but I don't know where to start to make it work right.

I know this sounds lazy, but can you point me to an example config on the Cisco site that will help get me started solving this problem, even if I have to do it all by hand?

Thanks again.

Reply to
Morgan L
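As an illustration of the arrangement Walter describes above (a normal static crypto map on the dynamic-address side, a crypto dynamic map on the static-address side) and of the ACL pieces Morgan asks about, here is a PIX 6.3 CLI configuration added to this thread; it is not from any poster and not from Cisco's documentation. It assumes both LANs are /24, uses constructed names (l2l-nonat, l2l-traffic, l2l-3des, l2l-dyn, l2l-map), placeholders for the pre-shared key and the co-lo's static outside address, and pairs 3DES with SHA-1 HMAC. Each half is entered in configuration mode on the matching PIX:

```text
!--- Co-lo PIX (static outside IP). Added example, not from the thread
!--- or from Cisco; names, key and address placeholders are assumed.
!--- Traffic between the two LANs must not be NATed: exempt it.
access-list l2l-nonat permit ip 10.1.1.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list l2l-nonat
!--- Let decrypted tunnel traffic bypass the outside interface ACL.
sysopt connection permit-ipsec
crypto ipsec transform-set l2l-3des esp-3des esp-sha-hmac
!--- Dynamic map: no peer address, the office will initiate.
crypto dynamic-map l2l-dyn 10 set transform-set l2l-3des
!--- Dynamic entries go last (highest sequence number).
crypto map l2l-map 65535 ipsec-isakmp dynamic l2l-dyn
crypto map l2l-map interface outside
isakmp enable outside
isakmp identity address
!--- Wildcard pre-shared key, because the office address is unknown.
isakmp key PRE-SHARED-KEY-PLACEHOLDER address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!--- Office PIX (dynamic outside IP): an ordinary site-to-site map
!--- aimed at the co-lo. Only this side can bring the tunnel up.
access-list l2l-nonat permit ip 10.1.0.0 255.255.255.0 10.1.1.0 255.255.255.0
!--- Crypto ACL: ONLY office-LAN to co-lo-LAN traffic goes into the
!--- tunnel; everything else is NATed out to the Internet as before.
access-list l2l-traffic permit ip 10.1.0.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list l2l-nonat
sysopt connection permit-ipsec
crypto ipsec transform-set l2l-3des esp-3des esp-sha-hmac
crypto map l2l-map 10 ipsec-isakmp
crypto map l2l-map 10 match address l2l-traffic
crypto map l2l-map 10 set peer COLO-STATIC-IP-PLACEHOLDER
crypto map l2l-map 10 set transform-set l2l-3des
crypto map l2l-map interface outside
isakmp enable outside
isakmp identity address
isakmp key PRE-SHARED-KEY-PLACEHOLDER address COLO-STATIC-IP-PLACEHOLDER netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Two details matter for the symptoms of a tunnel that comes up but carries nothing and takes Internet access with it: the crypto ACL on the office side must match only the two LANs (a `permit ip any any` there pushes every packet into the tunnel), and the `nat (inside) 0 access-list` exemption must exist on both sides so the 10.1.x.x addresses survive the trip. Once the office has sent some interesting traffic, `show crypto isakmp sa` and `show crypto ipsec sa` on either PIX show the phase 1 and phase 2 state and the encrypt/decrypt counters. The wildcard key on the co-lo side will accept any peer that knows it, so treat it as a secret of the same weight as the PPTP credentials already on that box.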

LOL, sorry, I meant WALTER, your quote threw me!

Reply to
Morgan L

Don't set one up as "remote access." These are both "site to site", just one is dynamic.

Reply to
Brian

Problem is, the VPN wizard does not allow me to set up a "site-to-site" VPN without a specific peer IP address. Since the remote site (the office) is a dynamic IP, I can't really do that.

Reply to
Morgan L

In article , Morgan L wrote:
:I know this sounds lazy, but can you point me to an example config on
:the Cisco site that will help get me started solving this problem, even
:if I have to do it all by hand?

formatting link

Reply to
Walter Roberson

Walter, you're my hero! Works great with that example (modified slightly, of course).

Thanks for your unselfish help.

Reply to
Morgan L
