PIX VPN Configuration LAN to LAN


PC1                          PC2
 |                            |
------LAN1---            --LAN2-----
 |                            |
 |[10.16.1.1/24]              |[10.16.2.1/24]
PIX515E-1                  PIX515E-2
 |[122.1.1.2/30]              |[122.1.2.2/30]
 |                            |
-----------Internet-(VPN)------
              |
              |[122.1.3.2/30]
          PIX515E-3
              |[10.16.3.1/24]
              |
-------LAN3-------------------
 |                     |
PC3                    |[10.16.3.99]
                     DMZ----- Firewall (HQ office)
                               |[?.?.?.?]
                               |
                     -----------Internet----------

I am trying to set up VPN connections on PIX515Es (ver. 6.3).

I could connect PC1, PC2 and PC3 to each other over the VPN,

but I cannot connect PC1, PC2 -> PIX515E-1 -> PIX515E-3 -> Firewall -> Internet.

(I can connect PC3 -> Firewall -> Internet.)

I want to know how to configure the PIX515Es.

PIX515E-3 CONFIGURATION

PIX Version 6.3(5)
access-list nat0_acl permit ip 10.16.3.0 255.255.255.0 10.16.1.0 255.255.255.0
access-list nat0_acl permit ip 10.16.3.0 255.255.255.0 10.16.2.0 255.255.255.0
access-list crypt_10 permit ip 10.16.3.0 255.255.255.0 10.16.1.0 255.255.255.0
access-list crypt_20 permit ip 10.16.3.0 255.255.255.0 10.16.2.0 255.255.255.0
nat (inside) 0 access-list nat0_acl
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.x.x.1.3.1 1
sysopt connection permit-ipsec
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address crypt_10
crypto map outside_map 10 set pfs group5
crypto map outside_map 10 set peer 122.1.1.2
crypto map outside_map 10 set transform-set ESP-AES-128-SHA
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address crypt_20
crypto map outside_map 20 set pfs group5
crypto map outside_map 20 set peer 122.1.2.2
crypto map outside_map 20 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
isakmp enable outside
:

rajbhatt Thu, 08/16/2007 - 03:04

Hi,

I am not able to fully comprehend the diagram.

"but I cannot connect PC1, PC2 -> PIX515E-1 -> PIX515E-3 -> Firewall -> Internet."

From PC1 you need to connect to the Internet?

Please refer to this link for configuring site-to-site tunnels:

http://www.ciscosystems.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

This document describes a hub and spoke example :

http://www.ciscosystems.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093bd3.shtml

Raj

rajbhatt Thu, 08/16/2007 - 23:31

Hi,

You mean to say that the crypto ACL should be like:

access-list cry permit ip 10.16.1.0 255.255.255.0 host 192.168.1.1 on the first PIX?

Along with the identical nat 0 and the access-list that goes with it.

Raj
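The thread turns on what the crypto ACLs (the IPsec proxy identities) have to look like once spoke hosts are meant to reach the Internet through the hub: the spoke entry must cover the Internet destination, and the hub entry must be its exact mirror image, or the traffic never enters the tunnel (or the peers reject each other's proposals). The following script is an added example, not configuration from the post or from Cisco; it parses PIX-style `access-list ... permit ip` lines, checks whether a given flow is matched, and checks that two peers' crypto ACLs mirror each other. The hub entry is taken from the PIX515E-3 config above; the spoke entries (`crypt_hub`) and the `any` entries are assumptions, since the spoke's config is not shown, and 198.51.100.7 is a constructed stand-in for an Internet host.

```python
import ipaddress
from dataclasses import dataclass

# Hub entry copied from the PIX515E-3 config in the post (crypt_10).
HUB_ACL = """
access-list crypt_10 permit ip 10.16.3.0 255.255.255.0 10.16.1.0 255.255.255.0
"""
# Assumed spoke (PIX515E-1) entry: the mirror of crypt_10. Not shown on the page.
SPOKE_ACL = """
access-list crypt_hub permit ip 10.16.1.0 255.255.255.0 10.16.3.0 255.255.255.0
"""
# Assumed additions so that spoke-to-Internet traffic is selected for the tunnel:
# the spoke sends 10.16.1.0/24 -> any, the hub must mirror it as any -> 10.16.1.0/24.
HUB_ACL_FIXED = HUB_ACL + "access-list crypt_10 permit ip any 10.16.1.0 255.255.255.0\n"
SPOKE_ACL_FIXED = SPOKE_ACL + "access-list crypt_hub permit ip 10.16.1.0 255.255.255.0 any\n"


@dataclass(frozen=True)
class Ace:
    """One 'permit ip' entry: a (source, destination) proxy identity."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (PIX writes dotted masks)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Return the 'permit ip' entries of a PIX access-list as Ace objects."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        # Only 'permit ip' entries define IPsec proxy identities; skip anything else.
        if len(t) < 6 or t[0] != "access-list" or t[2] != "permit" or t[3] != "ip":
            continue
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        aces.append(Ace(src, dst))
    return aces


def matches(aces, src_ip, dst_ip):
    """True if the flow src_ip -> dst_ip is selected by any entry (i.e. would be encrypted)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in a.src and d in a.dst for a in aces)


def is_mirror(local, remote):
    """IPsec proxy identities must be mirror images: every local (src, dst)
    must appear on the peer as (dst, src), with nothing extra on either side."""
    return set(local) == {Ace(a.dst, a.src) for a in remote}


def check_pair(hub_text, spoke_text, spoke_host, internet_host):
    """Summarise whether the pair would carry spoke-to-Internet traffic."""
    hub, spoke = parse_acl(hub_text), parse_acl(spoke_text)
    return {
        "mirror": is_mirror(hub, spoke),
        "spoke_selects_internet": matches(spoke, spoke_host, internet_host),
        "hub_selects_return": matches(hub, internet_host, spoke_host),
    }


if __name__ == "__main__":
    print("as posted:", check_pair(HUB_ACL, SPOKE_ACL, "10.16.1.10", "198.51.100.7"))
    print("with any: ", check_pair(HUB_ACL_FIXED, SPOKE_ACL_FIXED, "10.16.1.10", "198.51.100.7"))
```

The check only covers the proxy identities. Getting decrypted spoke traffic from the hub's outside interface to the HQ firewall on LAN3 and back also depends on the hub's routes, its NAT exemption for those flows, and the HQ firewall routing 10.16.1.0/24 and 10.16.2.0/24 back to 10.16.3.1, none of which this script models.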
