Cisco ASA 5520 Adaptive Security Appliance Information Guide
PIX/ASA 7.x and later: Dynamic IPsec Between a Statically Addressed PIX and a Dynamically Addressed IOS Router with NAT Configuration Example
Document ID: 81883
Contents
Introduction
Prerequisites
Requirements
Components Used
Related Products
Conventions
Background Information
Configure
Network Diagram
Configurations
Clear Security Associations (SAs)
Verify
PIX Security Appliance − show Commands
Remote IOS Router − show Commands
Troubleshoot
PIX Security Appliance − debug Outputs
Remote IOS Router − debug Outputs
Related Information
Introduction
This document provides a sample configuration that enables the PIX/ASA Security Appliance to accept
dynamic IPsec connections from an IOS® router. The remote router performs Network Address Translation
(NAT) when the private network 10.1.1.x accesses the Internet, but traffic from 10.1.1.x to the private
network 10.2.2.x behind the PIX Security Appliance is excluded from the NAT process, so it reaches the
tunnel with its private source address intact. Because the PIX does not know the router's address in
advance, the IPsec tunnel is established only when traffic from 10.1.1.x initiates the connection from the
router to the PIX Security Appliance that protects the remote network 10.2.2.x. The router can initiate
connections to the PIX, but the PIX cannot initiate connections to the router.
This configuration enables the PIX Security Appliance to create a dynamic IPsec LAN-to-LAN (L2L) tunnel
with a remote VPN router. This router dynamically receives its outside public IP address from its Internet
service provider. Dynamic Host Configuration Protocol (DHCP) is the mechanism the provider uses to allocate
IP addresses dynamically, which allows addresses to be reused when hosts no longer need them.
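The two points above (NAT exemption on the router, and a PIX that must accept a peer whose address it cannot know in advance) are illustrated by the following fragment of both ends. It is added here as an example and is not the configuration in this document; the interface names, access-list numbers, the PIX outside address 192.0.2.1 and the pre-shared key are assumptions.

```cisco
! ----- Remote IOS router: outside address assigned by the ISP via DHCP -----
interface Ethernet0
 ip address dhcp
 ip nat outside
 crypto map vpn
!
! NAT for Internet access. The deny line excludes 10.1.1.x -> 10.2.2.x so that
! traffic for the PIX side keeps its private source address and matches the
! crypto ACL below; everything else from 10.1.1.x is overloaded on Ethernet0.
access-list 101 deny   ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
ip nat inside source list 101 interface Ethernet0 overload
!
! Interesting traffic for the tunnel (the same flow the NAT deny excludes)
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
! The router knows the PIX address, so it can initiate; bind the key to that peer
crypto isakmp key cisco123 address 192.0.2.1
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set myset
 match address 110

! ----- PIX/ASA 7.x: static outside address 192.0.2.1 -----
! NAT exemption for the return direction, so 10.2.2.x is not translated
! when it answers hosts in 10.1.1.x
access-list nonat extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
!
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto isakmp enable outside
crypto ipsec transform-set myset esp-3des esp-sha-hmac
! Dynamic crypto map: no "set peer", because the router's address is not known.
! It is placed at the highest sequence number so static L2L entries match first.
crypto dynamic-map dynmap 10 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
! Peers that match no specific tunnel-group land in DefaultL2LGroup; the key
! here must equal the one the router uses for 192.0.2.1
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key cisco123
```

Two consequences follow from the PIX side having no peer address. First, the PIX can only respond, never initiate, which is the one-way behaviour the introduction describes. Second, any device that holds the DefaultL2LGroup pre-shared key and can reach 192.0.2.1 over UDP 500 is accepted as a valid peer, since the key is the only identity the dynamic map checks; treat that key accordingly, and remember that the crypto ACL on the PIX side is derived from the router's proposal rather than configured statically.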
Refer to Configuring PIX−to−Router Dynamic−to−Static IPSec With NAT for more information on the
scenario where the PIX 6.x accepts dynamic IPsec connections from the router.
Refer to Router−to−PIX Dynamic−to−Static IPsec with NAT Configuration Example for more information on
a scenario where the router accepts dynamic IPsec connections from a PIX Firewall that runs 6.x.