08-15-2007 11:14 PM
      PC1                         PC2
       |                           |
 ------LAN1---               --LAN2-----
       |                           |
       |[10.16.1.1/24]             |[10.16.2.1/24]
    PIX515E-1                   PIX515E-2
       |[122.1.1.2/30]             |[122.1.2.2/30]
       |                           |
 -----------Internet-(VPN)-----------
                 |
                 |[122.1.3.2/30]
             PIX515E-3
                 |[10.16.3.1/24]
                 |
 -------LAN3-------------------
       |                 |
      PC3                |[10.16.3.99]
              DMZ----- Firewall (HQ office)
                         |[?.?.?.?]
                         |
              -----------Internet----------
I am trying to set up VPNs on PIX515Es (ver. 6.3).
I can connect PC1, PC2 and PC3 to each other over the VPN,
but I cannot connect PC1, PC2 -> PIX515E-1 -> PIX515E-3 -> Firewall -> Internet.
(I can connect PC3 -> Firewall -> Internet.)
I want to know how to configure the PIX515Es.
PIX515E-3 CONFIGURATION
PIX Version 6.3(5)
access-list nat0_acl permit ip 10.16.3.0 255.255.255.0 10.16.1.0 255.255.255.0
access-list nat0_acl permit ip 10.16.3.0 255.255.255.0 10.16.2.0 255.255.255.0
access-list crypt_10 permit ip 10.16.3.0 255.255.255.0 10.16.1.0 255.255.255.0
access-list crypt_20 permit ip 10.16.3.0 255.255.255.0 10.16.2.0 255.255.255.0
nat (inside) 0 access-list nat0_acl
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.x.x.1.3.1 1
sysopt connection permit-ipsec
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address crypt_10
crypto map outside_map 10 set pfs group5
crypto map outside_map 10 set peer 122.1.1.2
crypto map outside_map 10 set transform-set ESP-AES-128-SHA
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address crypt_20
crypto map outside_map 20 set pfs group5
crypto map outside_map 20 set peer 122.1.2.2
crypto map outside_map 20 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
isakmp enable outside
:
08-16-2007 03:04 AM
Hi,
I am not able to fully comprehend the diagram.
"but not connect PC1,PC2 -> PIX515E-1 -> PIX515E-3 -> Firewall -> Internet. "
From PC1, do you need to connect to the internet?
Please refer to this link for configuring site to site tunnels :
This document describes a hub and spoke example :
Raj
08-16-2007 05:54 PM
Hi,
From PC1, I want web access to the internet via the proxy on the DMZ (HQ office).
PC1's default gateway is 10.16.1.1
PC1's proxy is 192.168.1.1
I want to connect through the VPN from 10.16.1.xxx to 192.168.1.1, which is behind PIX515E-3.
(Simply route to the other private net through the VPN.)
08-16-2007 11:31 PM
Hi,
You mean to say that the crypto ACL should be like:
access-list cry permit ip 10.16.1.0 255.255.255.0 host 192.168.1.1 on the first PIX?
Along with the identical nat 0 and the access-list that goes with it?
Raj
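Raj's suggestion written out as a worked example for the PC1 side; this is added here and is not configuration from the thread or from Cisco. It assumes the HQ DMZ is 192.168.1.0/24 behind the HQ firewall at 10.16.3.99 (only the proxy 192.168.1.1 is named above) and that PIX515E-1 uses the same ACL names as PIX515E-3; PIX515E-2 needs the same lines with 10.16.2.0/24.

```cisco
: --- PIX515E-1 (spoke, outside 122.1.1.2) ---
: Assumed: HQ DMZ is 192.168.1.0/24 and the spoke's ACL names match the hub's.
: Exempt spoke->DMZ traffic from NAT so it enters the tunnel with its real source.
access-list nat0_acl permit ip 10.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nat0_acl
: Add the DMZ to the crypto ACL of the map entry that peers with PIX515E-3;
: without this line the DMZ-bound packets never match the tunnel and are NATed
: out to the Internet instead.
access-list crypt_10 permit ip 10.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

: --- PIX515E-3 (hub, outside 122.1.3.2) ---
: Mirror image of the spoke's new crypto ACL line (same pair, flipped).
access-list nat0_acl permit ip 192.168.1.0 255.255.255.0 10.16.1.0 255.255.255.0
access-list crypt_10 permit ip 192.168.1.0 255.255.255.0 10.16.1.0 255.255.255.0
: Decrypted packets for the DMZ must be handed to the HQ firewall on LAN3;
: otherwise they follow the default route back out of the outside interface.
route inside 192.168.1.0 255.255.255.0 10.16.3.99 1

: --- HQ firewall at 10.16.3.99 (not a PIX, syntax depends on the product) ---
: It needs a return route for 10.16.1.0/24 via 10.16.3.1, and its DMZ policy
: should allow 10.16.1.0/24 only to the proxy's listening port, not the whole DMZ.
```

Because PC1 reaches the Internet through the proxy, the only traffic that has to cross the tunnel is PC1 to 192.168.1.1, so no default route needs to be sent through the VPN.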