Chapter 7 Site-to-Site VPN Configuration Examples
A site-to-site VPN protects the network resources on your protected networks from unauthorized use by users on an unprotected network, such as the public Internet. The basic configuration for this type of implementation has been covered in Chapter 6, “Configuring IPSec and Certification Authorities.” This chapter provides examples of the following site-to-site VPN configurations:
• Using Pre-Shared Keys
• Using PIX Firewall with a VeriSign CA
• Using PIX Firewall with an In-House CA
• Using an Encrypted Tunnel to Obtain Certificates
• Manual Configuration with NAT
Note
Throughout the examples in this chapter, the local PIX Firewall unit is identified as PIX Firewall 1 while the remote unit is identified as PIX Firewall 2. This designation makes it easier to clarify the configuration required for each.
Using Pre-Shared Keys
This section describes an example configuration for using pre-shared keys. It contains the following topics:
• Scenario Description
• Configuring PIX Firewall 1 with VPN Tunneling
• Configuring PIX Firewall 2 for VPN Tunneling
Scenario Description
In the example illustrated in Figure 7-1, the two intranets use unregistered (private) addresses and are connected over the public Internet by a site-to-site VPN. In this scenario, NAT is required for connections from either intranet to the public Internet. NAT is not required for traffic between the two intranets, because that traffic is carried inside the VPN tunnel across the public Internet and never appears on the Internet with its private source or destination addresses.
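The following PIX Firewall 1 configuration is an added example that is not taken from the guide or from Figure 7-1; it shows how the pieces described above fit together in PIX Firewall 6.x syntax: one access list both exempts intranet-to-intranet traffic from NAT (nat 0 access-list) and selects it for the IPsec tunnel (crypto map match address), while all other intranet traffic is translated for the public Internet. Every address, interface name, access-list name, crypto map name and the pre-shared key are assumed values chosen for illustration (the intranets are 10.1.1.0/24 behind PIX Firewall 1 and 10.2.2.0/24 behind PIX Firewall 2; the outside addresses are taken from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24).

```text
! Added example, not from the guide: PIX Firewall 1, PIX 6.x command syntax.
! All addresses, names and the pre-shared key below are assumed values.
! Intranet behind PIX 1: 10.1.1.0/24     Intranet behind PIX 2: 10.2.2.0/24
! PIX 1 outside: 192.0.2.1               PIX 2 outside (VPN peer): 198.51.100.1
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.254 1
!
! Intranet-to-intranet traffic. The same access list is used twice:
! nat 0 exempts it from NAT, and the crypto map sends it into the tunnel,
! so packets enter the tunnel carrying their real private addresses.
access-list vpn-traffic permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list vpn-traffic
!
! Everything else leaving the intranet is PATed to the outside interface
! address before it reaches the public Internet.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
!
! Phase 1 (ISAKMP). The pre-shared key is bound to the one peer address
! with a host netmask; do not use 0.0.0.0 0.0.0.0, which makes it a
! wildcard key accepted from any peer.
isakmp enable outside
isakmp key Kx9vQ2pwR7mZ4tB8 address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
! Phase 2 (IPsec): ESP with 3DES encryption and SHA-1 HMAC, applied to
! the outside interface through a crypto map.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map site2site 10 ipsec-isakmp
crypto map site2site 10 match address vpn-traffic
crypto map site2site 10 set peer 198.51.100.1
crypto map site2site 10 set transform-set strong
crypto map site2site interface outside
!
! Allow decrypted tunnel traffic to bypass interface access lists/conduits.
sysopt connection permit-ipsec
```

PIX Firewall 2 gets the mirror image of this configuration: the access list with source and destination swapped (10.2.2.0/24 to 10.1.1.0/24), its own outside address, the same pre-shared key and the same ISAKMP policy and transform set, and 192.0.2.1 as the peer. Two checks are worth making before calling the tunnel working: after sending traffic between the intranets, show crypto isakmp sa should list the peer with an established Phase 1 SA and show crypto ipsec sa should show the packet counters for the 10.1.1.0/24 to 10.2.2.0/24 selector increasing; and the nat 0 access list must cover exactly the same traffic as the crypto map access list, otherwise packets that match the crypto map but not the NAT exemption are translated first and never match the tunnel. Treat the pre-shared key as a shared secret: make it long and random, use a different key per peer, and remember that sysopt connection permit-ipsec exempts all decrypted traffic from interface access lists, so the crypto access list is the only thing limiting what the remote site can reach.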
Cisco PIX Firewall and VPN Configuration Guide 78-13943-01
Note
If you do not need VPN tunneling for intranet traffic, you can use this example without the access-list and nat 0 access-list commands. Together, these commands exempt traffic that matches the access list from NAT, so that packets entering the tunnel keep their original addresses. If you have a limited number of registered IP addresses and you cannot use PAT, you can