VPN With Pre-Shared Keys - Page 5

 By Cisco Press

First, access list 100 must allow hosts from the branch office through the PIX Firewall. This access list controls which branch office hosts are allowed through and which main office hosts they are allowed to see. For example, assume that everyone in the branch office except the branch manager is allowed to connect only to the hosts at,, and The branch manager, whose IP address is, is allowed to access all hosts on the main office network. In this case, your access list would be as follows:

 access-list 100 permit ip
 access-list 100 permit ip
 access-list 100 permit ip
 access-list 100 permit ip

Now take note of the use of the nat 0 command, which prevents NAT from being applied to this traffic. In some cases, however, you need to enable NAT because both sites are using the same nonroutable IP addresses; this is actually a common scenario. For example, without NAT enabled and both sites using the network, neither PIX Firewall will know which network to respond to when a packet is received.

Next, you set up the Phase 2 connection. Use the sysopt command with the permit-ipsec parameter to allow packets associated with this SA through the PIX Firewall. Set up the transform set for IPSec, assign a map to the access list, and set the interface for the crypto connection. You also use the crypto map command to set the peer for this connection. As always, the IP address of the peer should be the outside interface of the remote PIX Firewall.

As with any ISAKMP key exchange, you need to ensure that the interface chosen is appropriate, that the key is exactly the same on both peers, and that the encryption and hash types are identical between peers.

PIX-to-PIX with Identical Internal IP Addresses
One of the issues raised by using a nonroutable IP address is that another connected location may already be using the same address. This is a common issue when two companies connect to each other for the first time. Looking at Figure 4-13, notice that both the main and branch offices use the same internal IP address range. In this situation, you will need to translate the addresses of both internal networks.

Figure 4-13 PIX-to-PIX with Identical Internal Network Addresses

On the PIX at the main office, you use NAT to translate all data destined for the branch office to the network. The branch office translates all data destined for the main office to use addresses. Therefore, from the point of view of the main office, the branch office appears to use. From the point of view of the branch office, the main office appears to use as its internal IP addresses. Each PIX Firewall must be configured in the same way. Figure 4-14 shows how each office sees the other.

Figure 4-14 PIX-to-PIX with Each Side Using NAT
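Putting the pieces from this page together, here is an added example configuration for the main-office PIX in the Figure 4-14 scenario; it is not from the article or from Cisco, and it combines the per-host access-list restriction for the branch manager with the static translation used when both sides share the same internal network. All addresses, interface names, the map name and the shared secret are constructed placeholders, and the syntax is PIX 6.x.

```cisco
! Main-office PIX. Constructed addresses (not from the article):
!   both inside networks 10.1.1.0/24 (overlapping, as in Figure 4-13)
!   main office seen by the branch as 192.168.1.0/24
!   branch office seen by the main office as 192.168.2.0/24
!   main outside 203.0.113.1, branch outside 198.51.100.1
!   the three reachable main servers: 10.1.1.10, .11, .12
!   branch manager's host: 10.1.1.50 at the branch, seen here as 192.168.2.50
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0

! Translate the whole inside network to 192.168.1.0/24 before it enters
! the tunnel, so the two identical 10.1.1.0/24 networks never meet.
! (Without overlap you would instead exempt VPN traffic from NAT with
! "nat (inside) 0 access-list 100", as on the previous page.)
static (inside,outside) 192.168.1.0 10.1.1.0 netmask 255.255.255.0

! Crypto access list on translated addresses, from the main office's
! point of view (source = local, destination = remote). The branch
! manager may reach everything; every other branch host only the three
! servers. The branch PIX needs the mirror image of these four lines.
access-list 100 permit ip 192.168.1.0 255.255.255.0 host 192.168.2.50
access-list 100 permit ip host 192.168.1.10 192.168.2.0 255.255.255.0
access-list 100 permit ip host 192.168.1.11 192.168.2.0 255.255.255.0
access-list 100 permit ip host 192.168.1.12 192.168.2.0 255.255.255.0

! Phase 1: pre-shared key bound to the peer's outside address. The
! encryption, hash and group settings must match exactly on both peers.
isakmp enable outside
isakmp key PLACEHOLDER-SHARED-SECRET address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Phase 2: transform set, crypto map tied to the access list and the
! remote PIX's outside address, then applied to the outside interface.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map branchmap 10 ipsec-isakmp
crypto map branchmap 10 match address 100
crypto map branchmap 10 set peer 198.51.100.1
crypto map branchmap 10 set transform-set strong
crypto map branchmap interface outside

! Allow packets that arrive inside the IPSec SA through the firewall.
sysopt connection permit-ipsec
```

Because of the translation, main-office hosts must address branch hosts as 192.168.2.x (and the branch addresses main-office hosts as 192.168.1.x), so name resolution on each side has to hand out the translated addresses.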

This article was originally published on Oct 30, 2001