Route Based VPN with Cisco PIX

Sorry guys, I may have overlooked this completely. But is it possible to specify route based VPN on PIX. As in, i have a destination network i want to reach at one site, but i want all of this traffic to be routed through a specific VPN link.

Thanks,

Find more posts tagged with

Comments

dtlokee

That is accomplished based on the ACL you're using in the crypto map statements, when the PIX receives traffic from a permitted network in the ACL going to a permitted network in the ACL then it is encrypted and sent to the coresponding peer.

Pash

dtlokee wrote:

That is accomplished based on the ACL you're using in the crypto map statements, when the PIX receives traffic from a permitted network in the ACL going to a permitted network in the ACL then it is encrypted and sent to the coresponding peer.

Thanks dt, im checking the crypto maps now, our VPN termination is at our specified peer. But the destination network is at a different site completely, the end point for the VPN knows about the other network, so im working out how to make sure all traffic for this site go's through the VPN.

Ahriakin

All you need to do is route the traffic out the interface you have the correct Crypto map applied to, add ACE's for the destination subnet to it's Match Address list and that's it for the PIX. Any routing from the other side to the remote network has to be done on their devices (best practice forces routers not to accept explicitly routed packets (sorry can't remember the exact term, but where the packet tries to force itself along a certain route and not abide by the Router's own table)).

So if you were trying to reach 192.168.100.0/24 on a VPN that terminated on the outside interface which in turn has a default gateway of 100.100.100.1 it'd be something like
Internal route 192.168.100.0/24 to your PIX inside interface

Now route the traffic to the outside:
route outside 192.168.100.0 255.255.255.0 100.100.100.1

Create (or add to) an ACL to define intersting traffic:
access-list vpn-somewhereovertherainbow permit ip any 192.168.100.0 255.255.255.0

Create a crypto-map (if you are doing a new tunnel) with the interesting traffic applied:
crypto map vpn-outside 10 match address vpn-somewhereovertherainbow
(rest of crypto map)

If you are going to keep the IP addressing intact add 192.168.100.0/255.25.255.0 to your NAT 0 ACL

If you are working with multiple subnets allowed to and as the destinations on a tunnel I find it handy to work with object groups and use these inside the ACLs. One big advantage is that you can use one object-group in both your interesting traffic and NAT access lists without messing up PDM access (you can't use one access list for 2 functions and run the GUI...). Also handy if you have strict Egress rules so you can definite exactly which private subnets should be seen on the interfaces with just a few object groups rather than a big list. lastly when you change your object group you automatically change all associated access lists.

Pash

Ahriakin, huge thanks!

I love these forums, i found a good link as well from cisco white papers regarding configuring crypto maps, as well as the white papers from juniper, because this isnt pix to pix, this is pix to netscreen. I will paste the links when im at work later!

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/ipsecint.html

Thanks again mate.

Pash

isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config

The no-xauth and no-config tags were required on the phase1 config line here. I assume because its not turned on, on the netscreen side.

Seems to all work now.

Cheers again,

jassoerick

Pash wrote:

Sorry guys, I may have overlooked this completely. But is it possible to specify route based VPN on PIX. As in, i have a destination network i want to reach at one site, but i want all of this traffic to be routed through a specific VPN link.

Thanks,

Well I am also working on this too. I have started a new project on the same. When you get that how to route the traffic through a VPN link. Then please do let me know. I will very much thankful to you.
==============================
jasso
http://www.minutetraders.com