PIX and ASA Site-to-Site Connections

In this chapter I'll discuss how to configure IPsec LAN-to-LAN (L2L) sessions on the PIX and ASA security appliances. The first part of the chapter focuses on the components you'll need to configure the management connection, much of which applies to remote access sessions, and the second part will focus on configuring the components of the data connections. At the end of the chapter I'll illustrate an example of an L2L session between PIXs/ASAs.

In April 2005, Cisco introduced a new version of the Finesse Operating System (FOS) for the PIX security appliances, called 7.0. Currently this is supported only on the 515/515E PIXs and higher. Likewise, in May 2005, Cisco introduced the new Adapter Security Appliance (ASA) devices, which support PIX, VPN concentrator, router, and IDS features all in one box. Fortunately, much of the code and commands found in the 7.0 PIX security appliances are the same as those found in the ASA devices. However, the 501 and 506/506E PIXs only support the FOS 6.3 software. Because the 7.0 software is new, and the 6.x software is still in wide use, I'll point out differences in the configurations of both operating systems throughout the chapter where appropriate.


In version 7.0, the PIX/ASA supports VPN only in single mode, commonly called routed mode. VPNs are not supported when your PIX/ASA is configured for multiple security contexts (multi-mode) or in an Active/Active stateful failover configuration. In FOS 6.3 and earlier, the stateful failover feature of the PIXs did not provide stateful failover for VPN sessions; in FOS 7.0, this enhancement has been added. The configuration of failover and stateful failover on the PIX/ASA, however, is beyond the scope of this book. Topics such as tunnel groups, which were added in FOS 7.0, I'll address in Chapter 22, "PIX and ASA Remote Access Connections," where it is more appropriate.

Part I: VPNs

Overview of VPNs

VPN Technologies




Part II: Concentrators

Concentrator Product Information

Concentrator Remote Access Connections with IPsec

Concentrator Remote Access Connections with PPTP, L2TP, and WebVPN

Concentrator Site-to-Site Connections

Concentrator Management

Verifying and Troubleshooting Concentrator Connections

Part III: Clients

Cisco VPN Software Client

Windows Software Client

3002 Hardware Client

Part IV: IOS Routers

Router Product Information

Router ISAKMP/IKE Phase 1 Connectivity

Router Site-to-Site Connections

Router Remote Access Connections

Troubleshooting Router Connections

Part V: PIX Firewalls

PIX and ASA Product Information

PIX and ASA Site-to-Site Connections

PIX and ASA Remote Access Connections

Troubleshooting PIX and ASA Connections

Part VI: Case Study

Case Study


The Complete Cisco VPN Configuration Guide
The Complete Cisco VPN Configuration Guide
ISBN: 1587052040
EAN: 2147483647
Year: 2006
Pages: 178
Authors: Richard Deal

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net