PIX VPN Configuration LAN to LAN

okaPee
Level 1

PC1                            PC2
 |                              |
------LAN1---              --LAN2-----
 |                              |
 |[10.16.1.1/24]                |[10.16.2.1/24]
PIX515E-1                      PIX515E-2
 |[122.1.1.2/30]                |[122.1.2.2/30]
 |                              |
-----------Internet-(VPN)------
               |
               |[122.1.3.2/30]
            PIX515E-3
               |[10.16.3.1/24]
               |
-------LAN3-------------------
 |                    |
PC3                   |[10.16.3.99]
                     DMZ----- Firewall (HQ office)
                                  |[?.?.?.?]
                                  |
                       -----------Internet----------

I am trying to set up a VPN on PIX515Es (ver. 6.3).
I can connect PC1, PC2 and PC3 to each other over the VPN,
but I cannot connect PC1,PC2 -> PIX515E-1 -> PIX515E-3 -> Firewall -> Internet.
(I can connect PC3 -> Firewall -> Internet.)
I want to know how to configure the PIX515Es.

PIX515E-3 CONFIGURATION

PIX Version 6.3(5)
access-list nat0_acl permit ip 10.16.3.0 255.255.255.0 10.16.1.0 255.255.255.0
access-list nat0_acl permit ip 10.16.3.0 255.255.255.0 10.16.2.0 255.255.255.0
access-list crypt_10 permit ip 10.16.3.0 255.255.255.0 10.16.1.0 255.255.255.0
access-list crypt_20 permit ip 10.16.3.0 255.255.255.0 10.16.2.0 255.255.255.0
nat (inside) 0 access-list nat0_acl
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.x.x.1.3.1 1
sysopt connection permit-ipsec
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address crypt_10
crypto map outside_map 10 set pfs group5
crypto map outside_map 10 set peer 122.1.1.2
crypto map outside_map 10 set transform-set ESP-AES-128-SHA
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address crypt_20
crypto map outside_map 20 set pfs group5
crypto map outside_map 20 set peer 122.1.2.2
crypto map outside_map 20 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
isakmp enable outside
:

3 Replies

rajbhatt
Level 3

Hi,

I am not able to fully comprehend the diagram.

"but not connect PC1,PC2 -> PIX515E-1 -> PIX515E-3 -> Firewall -> Internet. "

From PC1 you need to connect to the internet?

Please refer to this link for configuring site to site tunnels :

http://www.ciscosystems.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

This document describes a hub and spoke example :

http://www.ciscosystems.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093bd3.shtml

Raj

Hi,

From PC1, I want web access to the internet via the proxy on the DMZ (HQ office).

PC1's default gateway is 10.16.1.1

PC1's proxy is 192.168.1.1

I want to connect over the VPN from 10.16.1.xxx to 192.168.1.1, which is behind PIX515E-3.

(Simply route to the other private net through the VPN.)

Hi,

You mean to say that the crypto ACL should be like:

access-list cry permit ip 10.16.1.0 255.255.255.0 host 192.168.1.1 on the first PIX?

Along with the identical nat 0 and the access list that goes with it.

Raj
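As an added example (not posted by anyone in this thread), a small Python check of the point Raj raises: whether a flow such as PC1 to the 192.168.1.1 proxy is actually matched by the spoke's crypto ACL, and whether every crypto ACL entry has its mirror image on the hub, since an unmirrored entry leaves that traffic outside the tunnel or fails phase 2 negotiation. The spoke-side ACL text and the name crypt_10 on PIX515E-1 are constructed from the posted hub config, not taken from the thread.

```python
"""Check PIX 6.3 crypto ACLs: is a flow covered, and do the two peers mirror each other?
Added example for this thread, not the poster's config; ACL text below is constructed."""
import ipaddress
import re

# Constructed from the thread: PIX515E-1 (spoke) and PIX515E-3 (hub) crypto ACLs
# as implied by the posted hub config, before any entry for the 192.168.1.1 proxy.
SPOKE_ACL = "access-list crypt_10 permit ip 10.16.1.0 255.255.255.0 10.16.3.0 255.255.255.0\n"
HUB_ACL = "access-list crypt_10 permit ip 10.16.3.0 255.255.255.0 10.16.1.0 255.255.255.0\n"
# Raj's proposed spoke-side entry for the proxy; the hub needs the mirror image of it.
PROXY_ACE = "access-list crypt_10 permit ip 10.16.1.0 255.255.255.0 host 192.168.1.1\n"

ACE = re.compile(r"access-list\s+(\S+)\s+permit\s+ip\s+(.+)")

def _net(addr, mask):
    # PIX 6.3 ACLs use real netmasks (255.255.255.0), not IOS-style wildcards.
    return ipaddress.IPv4Network((addr, mask), strict=False)

def parse_acl(text):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' entries."""
    acls = {}
    for line in text.splitlines():
        m = ACE.match(line.strip())
        if not m:
            continue
        toks, nets = m.group(2).split(), []
        while toks:
            if toks[0] == "host":
                nets.append(_net(toks[1], "255.255.255.255")); toks = toks[2:]
            elif toks[0] == "any":
                nets.append(_net("0.0.0.0", "0.0.0.0")); toks = toks[1:]
            else:
                nets.append(_net(toks[0], toks[1])); toks = toks[2:]
        acls.setdefault(m.group(1), []).append((nets[0], nets[1]))
    return acls

def flow_protected(entries, src, dst):
    """True if src->dst matches an entry, i.e. the PIX would send it into the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in entries)

def missing_mirrors(local, remote):
    """Entries on one peer with no reversed (dst, src) twin on the other peer."""
    return [(s, d) for s, d in local if (d, s) not in remote]

def check(spoke_text, hub_text, src, dst, name="crypt_10"):
    spoke, hub = parse_acl(spoke_text)[name], parse_acl(hub_text)[name]
    return {"protected": flow_protected(spoke, src, dst),
            "unmirrored": [f"{s} -> {d}" for s, d in missing_mirrors(spoke, hub)]}
```

Running check(SPOKE_ACL, HUB_ACL, "10.16.1.20", "192.168.1.1") reports the proxy flow as unprotected; adding PROXY_ACE to the spoke alone then reports it as unmirrored until the hub gets the reversed entry.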
