08-15-2007 11:14 PM
      PC1                          PC2
       |                            |
  ------LAN1---               --LAN2-----
       |                            |
       |[10.16.1.1/24]              |[10.16.2.1/24]
    PIX515E-1                    PIX515E-2
       |[122.1.1.2/30]              |[122.1.2.2/30]
       |                            |
  -----------Internet-(VPN)-----------
                   |
                   |[122.1.3.2/30]
               PIX515E-3
                   |[10.16.3.1/24]
                   |
  -------LAN3-------------------
       |                   |
      PC3                  |[10.16.3.99]
                  DMZ----- Firewall (HQ office)
                              |[?.?.?.?]
                              |
                   -----------Internet----------
I am trying to set up a VPN on PIX515Es (ver. 6.3).
I could connect PC1, PC2 and PC3 to each other over the VPN,
but I cannot connect PC1, PC2 -> PIX515E-1 -> PIX515E-3 -> Firewall -> Internet.
(I can connect PC3 -> Firewall -> Internet.)
I want to know how to configure the PIX515Es.
PIX515E-3 CONFIGURATION
PIX Version 6.3(5)
access-list nat0_acl permit ip 10.16.3.0 255.255.255.0 10.16.1.0 255.255.255.0
access-list nat0_acl permit ip 10.16.3.0 255.255.255.0 10.16.2.0 255.255.255.0
access-list crypt_10 permit ip 10.16.3.0 255.255.255.0 10.16.1.0 255.255.255.0
access-list crypt_20 permit ip 10.16.3.0 255.255.255.0 10.16.2.0 255.255.255.0
nat (inside) 0 access-list nat0_acl
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.x.x.1.3.1 1
sysopt connection permit-ipsec
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address crypt_10
crypto map outside_map 10 set pfs group5
crypto map outside_map 10 set peer 122.1.1.2
crypto map outside_map 10 set transform-set ESP-AES-128-SHA
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address crypt_20
crypto map outside_map 20 set pfs group5
crypto map outside_map 20 set peer 122.1.2.2
crypto map outside_map 20 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
isakmp enable outside
:
08-16-2007 03:04 AM
Hi,
I am not able to fully comprehend the diagram.
"but I cannot connect PC1, PC2 -> PIX515E-1 -> PIX515E-3 -> Firewall -> Internet."
From PC1, you need to connect to the internet?
Please refer to this link for configuring site to site tunnels :
This document describes a hub and spoke example :
Raj
08-16-2007 05:54 PM
Hi,
From PC1, I want web access to the internet via the proxy on the DMZ (HQ office).
PC1's default gateway is 10.16.1.1.
PC1's proxy is 192.168.1.1.
I want to connect the VPN from 10.16.1.xxx to 192.168.1.1, which is behind PIX515E-3.
(Simply route to the other private net through the VPN.)
08-16-2007 11:31 PM
Hi,
You mean to say that the crypto ACL should be like:
access-list cry permit ip 10.16.1.0 255.255.255.0 host 192.168.1.1 on the first PIX?
Along with the identical nat 0 and the access list that goes with it.
Raj
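Spelled out on both ends, Raj's suggestion looks like the following. This is an added example, not a configuration from the original posts; it assumes the proxy sits on a 192.168.1.0/24 DMZ segment reached through the HQ Firewall at 10.16.3.99, that PIX515E-1's outside address is 122.1.1.2 (per the diagram), and that PIX515E-1's existing crypto and nat 0 ACLs are named crypt_30 and nat0_acl (names the thread never gives). The point to check on every site-to-site tunnel is that the crypto ACL, the nat 0 ACL and the routing agree on both peers: if the spoke's crypto ACL does not cover the new destination, the packets are translated and sent out the default route as ordinary NAT'd traffic instead of entering the tunnel, and if the hub's ACLs are not the exact mirror image, the return traffic never matches the SA.

```cisco
: ---- PIX515E-1 (spoke, outside 122.1.1.2): lines to add or confirm ----
: Crypto ACL: the existing LAN3 entry plus the proxy host as a second
: interesting-traffic destination (ACL name crypt_30 is assumed).
access-list crypt_30 permit ip 10.16.1.0 255.255.255.0 10.16.3.0 255.255.255.0
access-list crypt_30 permit ip 10.16.1.0 255.255.255.0 host 192.168.1.1
: nat 0 ACL must carry the same pairs, otherwise the packet is translated
: before the crypto map evaluates it and it never matches the tunnel.
access-list nat0_acl permit ip 10.16.1.0 255.255.255.0 10.16.3.0 255.255.255.0
access-list nat0_acl permit ip 10.16.1.0 255.255.255.0 host 192.168.1.1
nat (inside) 0 access-list nat0_acl
: Crypto map entry pointing at the hub (shown for completeness; the spoke
: presumably already has it, since PC1 can reach PC3).
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address crypt_30
crypto map outside_map 10 set pfs group5
crypto map outside_map 10 set peer 122.1.3.2
crypto map outside_map 10 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside

: ---- PIX515E-3 (hub, outside 122.1.3.2): additions to the posted config ----
: Mirror image of the spoke's new entry (source and destination swapped),
: appended to the crypt_10 / nat0_acl lists already in the running config.
access-list crypt_10 permit ip host 192.168.1.1 10.16.1.0 255.255.255.0
access-list nat0_acl permit ip host 192.168.1.1 10.16.1.0 255.255.255.0
: Return traffic from the proxy arrives on the inside interface via the HQ
: Firewall, so the hub needs a route to the DMZ subnet (/24 mask assumed).
route inside 192.168.1.0 255.255.255.0 10.16.3.99 1
: The HQ Firewall itself (not a PIX in this thread) must in turn route
: 10.16.1.0/24 back to 10.16.3.1 and permit it, or replies never reach the tunnel.
```

After applying this, `show crypto ipsec sa` on either PIX should show a separate SA pair for the 10.16.1.0/24 <-> 192.168.1.1 selector with encaps/decaps counters incrementing when PC1 opens the proxy; if only the encaps counter moves on the spoke, the hub side (mirror ACL, `route inside`, or the HQ Firewall's return route) is what to inspect next.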