PIX VPN Configuration LAN to LAN

Unanswered Question

PC1                          PC2
 |                            |
------LAN1---            --LAN2-----
 |                            |
 |[10.16.1.1/24]              |[10.16.2.1/24]
PIX515E-1                    PIX515E-2
 |[122.1.1.2/30]              |[122.1.2.2/30]
 |                            |
-----------Internet-(VPN)------
              |
              |[122.1.3.2/30]
          PIX515E-3
              |[10.16.3.1/24]
              |
-------LAN3-------------------
 |                      |
PC3                     |[10.16.3.99]
                    DMZ----- Firewall (HQ office)
                        |[?.?.?.?]
                        |
                -----------Internet----------



I am trying to set up VPNs on PIX515Es (ver. 6.3).

I could connect PC1, PC2 and PC3 to each other over the VPN,
but I cannot connect PC1, PC2 -> PIX515E-1 -> PIX515E-3 -> Firewall -> Internet.

(I can connect PC3 -> Firewall -> Internet.)

I want to know how to configure the PIX515Es.



PIX515E-3 CONFIGURATION

PIX Version 6.3(5)
access-list nat0_acl permit ip 10.16.3.0 255.255.255.0 10.16.1.0 255.255.255.0
access-list nat0_acl permit ip 10.16.3.0 255.255.255.0 10.16.2.0 255.255.255.0

access-list crypt_10 permit ip 10.16.3.0 255.255.255.0 10.16.1.0 255.255.255.0
access-list crypt_20 permit ip 10.16.3.0 255.255.255.0 10.16.2.0 255.255.255.0

nat (inside) 0 access-list nat0_acl
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.x.x.1.3.1 1

sysopt connection permit-ipsec

crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address crypt_10
crypto map outside_map 10 set pfs group5
crypto map outside_map 10 set peer 122.1.1.2
crypto map outside_map 10 set transform-set ESP-AES-128-SHA
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address crypt_20
crypto map outside_map 20 set pfs group5
crypto map outside_map 20 set peer 122.1.2.2
crypto map outside_map 20 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside

isakmp enable outside
:
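As an added illustration (not part of this thread), the Python below models how the hub PIX515E-3 above would treat a few flows against its crypto ACLs, its nat 0 exemption and its default route, and flags the case PIX 6.3 cannot forward: a packet that entered on the outside interface and would have to be routed back out the same interface (intra-interface forwarding only arrived in 7.0). It assumes a simplified first-match model, and the default-route gateway 122.1.3.1 is an assumption taken from the diagram's 122.1.3.2/30 link because the posted route line is garbled.

```python
import ipaddress

# Constructed input: the PIX515E-3 (hub) lines from the question that this toy parser reads.
# The default-route gateway is an assumption (the posted line is garbled): 122.1.3.1 is the
# far end of the 122.1.3.2/30 link in the diagram.
HUB_CONFIG = """
access-list nat0_acl permit ip 10.16.3.0 255.255.255.0 10.16.1.0 255.255.255.0
access-list nat0_acl permit ip 10.16.3.0 255.255.255.0 10.16.2.0 255.255.255.0
access-list crypt_10 permit ip 10.16.3.0 255.255.255.0 10.16.1.0 255.255.255.0
access-list crypt_20 permit ip 10.16.3.0 255.255.255.0 10.16.2.0 255.255.255.0
nat (inside) 0 access-list nat0_acl
route outside 0.0.0.0 0.0.0.0 122.1.3.1 1
crypto map outside_map 10 match address crypt_10
crypto map outside_map 10 set peer 122.1.1.2
crypto map outside_map 20 match address crypt_20
crypto map outside_map 20 set peer 122.1.2.2
crypto map outside_map interface outside
"""

net = lambda addr, mask: ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Collect ACL entries, crypto map entries, static routes and the nat 0 ACL name."""
    acls, cmap, routes, nat0 = {}, {}, [], None
    for t in (line.split() for line in config.strip().splitlines()):
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            acls.setdefault(t[1], []).append((net(t[4], t[5]), net(t[6], t[7])))
        elif t[:2] == ["crypto", "map"] and t[3].isdigit():   # skips 'interface outside'
            entry = cmap.setdefault(int(t[3]), {})
            if t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
        elif t[0] == "route":
            routes.append((t[1], net(t[2], t[3])))
        elif t[0] == "nat" and t[3] == "access-list":
            nat0 = t[4]
    return acls, cmap, routes, nat0

def classify(cfg, src, dst, ingress):
    """Model the hub's forwarding decision for a packet src->dst that arrived on ingress."""
    acls, cmap, routes, nat0 = cfg
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hit = lambda name: any(src in s and dst in d for s, d in acls.get(name, []))
    # Longest matching route picks the egress interface (only the default route is configured).
    egress = max((r for r in routes if dst in r[1]), key=lambda r: r[1].prefixlen)[0]
    # Crypto map entries are evaluated in sequence order; the first ACL hit selects the peer.
    peer = next((e["peer"] for _, e in sorted(cmap.items()) if hit(e["acl"])), None)
    # hairpin: egress equals ingress, which PIX 6.3 cannot do (no intra-interface forwarding).
    return {"egress": egress, "peer": peer, "nat_exempt": hit(nat0), "hairpin": egress == ingress}
```

Running classify on 10.16.3.20 -> 10.16.1.10 from inside selects peer 122.1.1.2 with NAT exemption, while 10.16.1.10 -> 8.8.8.8 arriving decrypted on outside matches no crypto ACL and is flagged as a hairpin.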




rajbhatt Thu, 08/16/2007 - 03:04



Hi,

Not able to fully comprehend the diagram:

"but not connect PC1,PC2 -> PIX515E-1 -> PIX515E-3 -> Firewall -> Internet."

From PC1 you need to connect to the Internet?

Please refer to this link for configuring site-to-site tunnels:

http://www.ciscosystems.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

This document describes a hub and spoke example:

http://www.ciscosystems.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093bd3.shtml

Raj

rajbhatt Thu, 08/16/2007 - 23:31



Hi,

You mean to say that the crypto ACL should be like:

access-list cry permit ip 10.16.1.0 255.255.255.0 host 192.168.1.1 on the first PIX?

Along with the identical nat 0 and the access-list with it.

Raj
