How do I securely set up a PIX 501 site-to-site VPN for client network management

Hello Experts,

I have a PIX 501 at my office. The clients I do network management for have PIX 501s as their edge device.

I would like to set up permanent site-to-site VPNs with them, but I would like to do the following:

Allow - All traffic originating from my subnet to the client networks
Deny - All traffic originating from client subnets to other client subnets

Basically I do not want to be a Hub allowing spoke to spoke communications.

Can this be done easily?

Please provide detailed pix configuration commands to make this happen.

Thanks in advance!

jamie177 (Author) commented:
Thanks Rajesh, I've set up the peer-to-peer tunnel before. I want to set up peer-to-peer tunnels from my PIX to multiple client PIXes and ensure that the client networks cannot talk to each other.

Is there anything special I need to do so far as access-lists?


No, you should be okay with the same set of configurations, because your access-lists would only be opening up central to client1, central to client2 and so on. So client1 to client2 wouldn't be possible unless you configure it. Something like this:

Say your internal is 10.10.10.x, client1 is 10.10.20.x, client2 is 10.10.30.x

access-list 100 permit ip 10.10.10.x mask 10.10.20.x mask
access-list 100 permit ip 10.10.10.x mask 10.10.30.x mask

so client1 and client2 won't talk to each other.
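A full hub-and-spoke configuration along these lines, added here as an illustration and not taken from the thread (PIX 6.3 syntax; the outside addresses 203.0.113.10 for the office and 203.0.113.20/203.0.113.30 for the clients, the access-list and crypto map names, the transform set and the pre-shared key placeholders are all assumed):

```cisco
! Hub PIX (office, inside 10.10.10.0/24). Constructed example; peer
! addresses, names and keys are placeholders, not from the thread.
! One crypto access-list per client: only office <-> client traffic is
! ever encrypted, so there is no entry under which client1 could reach client2.
access-list vpn-client1 permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn-client2 permit ip 10.10.10.0 255.255.255.0 10.10.30.0 255.255.255.0
! Exempt the same pairs from NAT so they cross the tunnel with real addresses.
access-list nonat permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list nonat permit ip 10.10.10.0 255.255.255.0 10.10.30.0 255.255.255.0
nat (inside) 0 access-list nonat
! Let decrypted IPsec traffic bypass the outside interface ACL.
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-aes esp-sha-hmac
! One crypto map entry per client peer, each bound to its own access-list.
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn-client1
crypto map vpnmap 10 set peer 203.0.113.20
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap 20 ipsec-isakmp
crypto map vpnmap 20 match address vpn-client2
crypto map vpnmap 20 set peer 203.0.113.30
crypto map vpnmap 20 set transform-set strong
crypto map vpnmap interface outside
isakmp enable outside
! A distinct pre-shared key per client, each tied to that peer's address only.
isakmp key CLIENT1-KEY-PLACEHOLDER address 203.0.113.20 netmask 255.255.255.255
isakmp key CLIENT2-KEY-PLACEHOLDER address 203.0.113.30 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
! Client1 PIX (inside 10.10.20.0/24, outside 203.0.113.20). Its crypto
! access-list names only the office subnet, so nothing bound for client2
! (10.10.30.0/24) matches the tunnel and is never sent to the hub.
access-list vpn-office permit ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list vpn-office
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-aes esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn-office
crypto map vpnmap 10 set peer 203.0.113.10
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside
isakmp enable outside
isakmp key CLIENT1-KEY-PLACEHOLDER address 203.0.113.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
```

Client2 mirrors the client1 block with its own subnet and key; `show crypto ipsec sa` on the hub should then list only office-to-client proxy identities, never a client-to-client pair.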
