06-11-2007 06:37 PM - edited 02-21-2020 03:06 PM
I have a PIX 515 6.3(3) and I make connections with 2 remote sites A & B (A<->PIX 515 & B<->PIX 515).
I would like to link the 2 remote sites (through our PIX 515): A<->PIX 515<->B.
How can I do it? Add an access-list? Add routing in the PIX?
Thanks
---PIX 515 config
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list VPN permit ip A.B.C.0 255.255.255.0 X.Y.Z.0 255.255.0.0
access-list VPN permit ip A.B.C.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list siteA permit ip A.B.C.0 255.255.255.0 x.y.z.0 255.255.0.0
access-list siteb permit ip A.B.C.0 255.255.255.0 192.168.0.0 255.255.255.0
no pager
mtu outside 00
mtu inside 00
mtu dmz 00
ip address outside A.A.A.A 255.255.255.240
ip address inside A.B.C.2 255.255.255.0
ip address dmz 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
nat (inside) 0 A.B.C.0 255.255.255.0 0 0
static (inside,outside) A.B.C.0 A.B.C.0 netmask 255.255.255.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set common esp-des esp-sha-hmac
crypto ipsec transform-set common2 esp-des esp-md5-hmac
crypto dynamic-map dynamp 10 set transform-set common
crypto dynamic-map dynamp 20 set transform-set common2
crypto map test 10 ipsec-isakmp
crypto map test 10 match address siteA
crypto map test 10 set peer x.x.x.x
crypto map test 10 set transform-set common
crypto map test 95 ipsec-isakmp
crypto map test 95 match address siteb
crypto map test 95 set peer y.y.y.y
crypto map test 95 set transform-set common
crypto map test 100 ipsec-isakmp dynamic dynamp
crypto map test client configuration address initiate
crypto map test client configuration address respond
crypto map test interface outside
isakmp enable outside
isakmp key ******** address y.y.y.y netmask 255.255.255.255
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash md5
isakmp policy 40 group 1
isakmp policy 40 lifetime 86400
06-13-2007 04:41 AM
Hi,
I'm not sure it is possible, since with version 6.3 the PIX does not allow traffic to enter and go out from the same interface.
You can do this with PIX v7 using the same-security-traffic permit intra-interface command.
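What the reply's suggestion could look like on PIX 7.x, as an added example that is not part of either post. It assumes site A is X.Y.Z.0/16 behind peer x.x.x.x and site B is 192.168.0.0/24 behind peer y.y.y.y, as the posted crypto map implies, and uses the 7.x `extended` access-list syntax:

```cisco
! Allow traffic to enter and leave the same interface (PIX 7.x only)
same-security-traffic permit intra-interface
!
! Existing hub-to-spoke entries from the posted config
access-list siteA extended permit ip A.B.C.0 255.255.255.0 X.Y.Z.0 255.255.0.0
access-list siteb extended permit ip A.B.C.0 255.255.255.0 192.168.0.0 255.255.255.0
!
! Added: site B's network reaches site A through the tunnel to peer x.x.x.x
access-list siteA extended permit ip 192.168.0.0 255.255.255.0 X.Y.Z.0 255.255.0.0
! Added: site A's network reaches site B through the tunnel to peer y.y.y.y
access-list siteb extended permit ip X.Y.Z.0 255.255.0.0 192.168.0.0 255.255.255.0
```

Each remote site's own crypto access list has to mirror these entries, so site A also lists 192.168.0.0/24 as a destination and site B also lists X.Y.Z.0/16. If `sysopt connection permit-ipsec` is kept as in the posted config, decrypted traffic bypasses the interface access lists, so these crypto entries are what bounds reachability between the two sites.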