Site-to-Site VPN Configuration Examples
A site-to-site VPN protects the network resources on your protected networks from unauthorized use by users on an unprotected network, such as the public Internet. The basic configuration for this type of implementation has been covered in Chapter 6, "Configuring IPSec and Certification Authorities." This chapter provides examples of the following site-to-site VPN configurations:

- Using Pre-Shared Keys
- Using PIX Firewall with a VeriSign CA
- Using PIX Firewall with an In-House CA
- Using an Encrypted Tunnel to Obtain Certificates
- Manual Configuration with NAT

Note: Throughout the examples in this chapter, the local PIX Firewall unit is identified as PIX Firewall 1, while the remote unit is identified as PIX Firewall 2. This designation makes it easier to clarify the configuration required for each.

Using Pre-Shared Keys

This section describes an example configuration for using pre-shared keys. It contains the following topics:

- Scenario Description
- Configuring PIX Firewall 1 with VPN Tunneling
- Configuring PIX Firewall 2 for VPN Tunneling

Scenario Description

In the example illustrated in Figure 7-1, the intranets use unregistered addresses and are connected over the public Internet by a site-to-site VPN. In this scenario, NAT is required for connections to the public Internet. However, NAT is not required for traffic between the two intranets, which can be transmitted using a VPN tunnel over the public Internet.
Cisco PIX Firewall and VPN Configuration Guide, 78-13943-01, page 7-1

Note: If you do not need to do VPN tunneling for intranet traffic, you can use this example without the access-list or the nat 0 access-list commands. These commands disable NAT for traffic that matches the access list criteria. If you have a limited number of registered IP addresses and you cannot use PAT, you can configure PIX Firewall to use NAT for connections to the public Internet but avoid