Configuring a VPN Between HQ and Remote Sites
The two remote sites communicate with the Reston location (HQ-PIX) using VPN
connections that traverse the Internet. To enable these VPNs, you must define the VPN
characteristics at the headquarters location, as well as at the remote sites. Configuring the
VPN connections between HQ-PIX and the two remote sites (MN-PIX and HOU-PIX)
involves the following tasks:
• Configuring the central PIX Firewall, HQ-PIX, for VPN tunneling
• Configuring the Houston PIX Firewall, HOU-PIX, for VPN tunneling
• Configuring the Minneapolis PIX Firewall, MN-PIX, for VPN tunneling
Configuring the Central PIX Firewall, HQ-PIX, for VPN Tunneling
Both remote sites connect to the Reston location using VPN tunneling. The VPN protects the
traffic coming from the remote sites. The following steps define the VPN characteristics on
HQ-PIX:
Step 1 Configure an Internet Security Association and Key Management
Protocol (ISAKMP) policy:
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
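The following audit script is an added example and is not part of the book or of any Cisco tool. It parses `isakmp policy <n> <attribute> <value>` lines as they appear in the HQ-PIX configuration above, groups them by policy number, and reports parameters that a present-day reviewer would flag (single DES, MD5, Diffie-Hellman groups 1 and 2). The embedded sample configuration repeats policy 10 from the text and adds a constructed policy 20 for contrast; the weakness ratings in WEAK_VALUES are the script's own assumptions, not statements from the page.

```python
import re
from typing import Dict, List

# Constructed sample: policy 10 is the HQ-PIX policy from the text;
# policy 20 is a hypothetical stronger policy added only for contrast.
SAMPLE_CONFIG = """\
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
"""

POLICY_RE = re.compile(r"^isakmp policy (\d+) (\S+) (\S+)$")
ENABLE_RE = re.compile(r"^isakmp enable (\S+)$")

# Values the auditor treats as weak (assumption: these are the script's own
# ratings, chosen from current cryptographic guidance, not from the book).
WEAK_VALUES = {
    "encryption": {
        "des": "56-bit single DES is brute-forceable",
        "3des": "3DES is legacy; prefer AES",
    },
    "hash": {"md5": "MD5 is no longer collision resistant"},
    "group": {
        "1": "DH group 1 (768-bit MODP) is too small",
        "2": "DH group 2 (1024-bit MODP) is considered weak",
    },
}

# Phase 1 lifetimes longer than one day are flagged as unusually long.
MAX_LIFETIME_SECONDS = 86400


def parse_isakmp_policies(config: str) -> Dict[int, Dict[str, str]]:
    """Group 'isakmp policy <n> <attr> <value>' lines by policy number."""
    policies: Dict[int, Dict[str, str]] = {}
    for raw in config.splitlines():
        m = POLICY_RE.match(raw.strip())
        if m:
            num, attr, value = int(m.group(1)), m.group(2), m.group(3)
            policies.setdefault(num, {})[attr] = value
    return policies


def isakmp_enabled_interfaces(config: str) -> List[str]:
    """Return the interface names on which ISAKMP negotiation is enabled."""
    return [
        m.group(1)
        for raw in config.splitlines()
        if (m := ENABLE_RE.match(raw.strip()))
    ]


def audit_policy(policy: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one policy; empty list means clean."""
    findings: List[str] = []
    for attr, value in policy.items():
        reason = WEAK_VALUES.get(attr, {}).get(value)
        if reason:
            findings.append(f"{attr} {value}: {reason}")
    lifetime = policy.get("lifetime")
    if lifetime is not None and int(lifetime) > MAX_LIFETIME_SECONDS:
        findings.append(f"lifetime {lifetime}: exceeds {MAX_LIFETIME_SECONDS} s")
    # Attributes not set explicitly fall back to the platform default, which a
    # reviewer should confirm rather than assume.
    for attr in ("authentication", "encryption", "hash", "group"):
        if attr not in policy:
            findings.append(f"{attr}: not set explicitly, platform default applies")
    return findings


def audit_config(config: str) -> Dict[int, List[str]]:
    """Audit every ISAKMP policy in a config, keyed by policy number."""
    return {num: audit_policy(pol) for num, pol in parse_isakmp_policies(config).items()}


if __name__ == "__main__":
    print("ISAKMP enabled on:", ", ".join(isakmp_enabled_interfaces(SAMPLE_CONFIG)))
    for num, findings in audit_config(SAMPLE_CONFIG).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"policy {num}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Run against the sample, policy 10 produces three findings (DES, MD5, group 1) while the constructed policy 20 produces none; the same functions can be pointed at a full `show running-config` capture from any of the three firewalls.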
NOTE Sending logging information from Houston and Minneapolis to the actual logging
server IP address (172.16.31.7) prevents the logging traffic from traversing the Internet in
the clear. Sending the logging traffic through the VPN tunnel prevents the logging
information from being observed on the Internet, but the real IP address (172.16.31.7) is
reachable only when the VPN tunnel is active.
NOTE The VPN tunnels shown in this example enable the two remote sites (Houston
and Minneapolis) to communicate with the main location at Reston. If the two remote sites
also must be able to communicate with each other, you would also need to establish a VPN
tunnel from HOU-PIX to MN-PIX. This example assumes that the two remote sites need
to communicate only with the main location and not with each other.