In article < XXXX@XXXXX.COM >,
|> Just to cross-check: you have a specific or default route on the
|> PIX that would send packets for 192.168.21 towards the outside interface?
|> The PIX needs the packets to be routed towards the interface the VPN
|> is active on, and then it sort of redirects the packets at the last moment.
|Hmm, how would that look?
|route inside 192.168.21.0 255.255.255.0 192.168.20.1 1?
|192.168.20.1 being the PIX inside

If you are using specific routes,

    route outside 192.168.21.0 255.255.255.0 PIXOUTSIDEIP 1

That's a little unusual, though, in that a lot of the time you will have
a default route,

    route outside 0.0.0.0 0.0.0.0 PIXOUTSIDEIP 1

because you normally want all traffic destined for outside IPs to
head out the PIX outside interface. 192.168.21/24 falls within
0.0.0.0 0.0.0.0 so automatically 192.168.21/24 would be sent towards
the outside interface, which is all that is needed in this instance:
the PIX will grab the 192.168.21/24 destined packets and stuff them
into the IPSec tunnel like you want. So most of the time you
don't even need to think about it -- you just use an IP pool that
isn't part of your inside subnet and the rest happens without you
thinking about it.

Other ways of getting a default route include:

    ip address outside dhcp setroute
    rip outside passive version 1 (or version 2)

Strange but true: there are entire WWW pages devoted to listing
programs designed to obfuscate HTML.
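
Added example, not part of the original post: a small Python check of the routing condition the reply describes, using longest-prefix match to confirm that the VPN pool heads to the outside interface and does not overlap the inside subnet. The function names, the /24 inside mask and the 203.0.113.x outside addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed sample config. 192.168.20.1 (PIX inside) is from the thread;
# the /24 inside mask and the 203.0.113.x outside addresses are assumptions.
SAMPLE_CONFIG = """\
ip address inside 192.168.20.1 255.255.255.0
ip address outside 203.0.113.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""

def parse(config):
    """Return ({interface: connected subnet}, [(network, interface)]) from PIX-style lines."""
    subnets, routes = {}, []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["ip", "address"] and len(tok) == 5 and tok[3] != "dhcp":
            subnets[tok[2]] = ipaddress.ip_interface(f"{tok[3]}/{tok[4]}").network
        elif tok[:1] == ["route"] and len(tok) >= 5:
            routes.append((ipaddress.ip_network(f"{tok[2]}/{tok[3]}"), tok[1]))
    return subnets, routes  # DHCP/RIP-learned routes are not visible in static config

def egress_interface(dest, subnets, routes):
    """Longest-prefix match of dest over connected subnets and static routes."""
    candidates = [(net, ifc) for ifc, net in subnets.items()] + routes
    matches = [(net.prefixlen, ifc) for net, ifc in candidates if dest.subnet_of(net)]
    return max(matches)[1] if matches else None

def check_pool(config, pool, vpn_ifc="outside"):
    """List reasons why traffic for the VPN pool would not head to vpn_ifc."""
    subnets, routes = parse(config)
    pool_net = ipaddress.ip_network(pool)
    problems = [f"pool {pool_net} overlaps {ifc} subnet {net}"
                for ifc, net in subnets.items()
                if ifc != vpn_ifc and pool_net.overlaps(net)]
    out = egress_interface(pool_net, subnets, routes)
    if out != vpn_ifc:
        problems.append(f"pool {pool_net} routes via {out}, not {vpn_ifc}")
    return problems

if __name__ == "__main__":
    print(check_pool(SAMPLE_CONFIG, "192.168.21.0/24"))
    inside_route = "route inside 192.168.21.0 255.255.255.0 192.168.20.1 1\n"
    print(check_pool(SAMPLE_CONFIG + inside_route, "192.168.21.0/24"))
    print(check_pool(SAMPLE_CONFIG, "192.168.20.128/25"))
```

The three calls cover the default-route case from the reply, the `route inside` line asked about in the quoted question, and a pool carved out of the inside subnet.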