site-to-site multiple vpn tunnels with pix

Answered Question
Oct 28th, 2007

Hi,


I have a site-to-site VPN tunnel between two PIX Firewalls.

Is it possible to build, on one side, another site-to-site VPN tunnel to a third PIX?


Thanks


Robert

rwawrig Mon, 10/29/2007 - 16:02

Thanks for the link.

Still, I will need a little bit more help.

My config right now is this:


sysopt connection permit-ipsec
crypto ipsec transform-set aesonly esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600 kilobytes 500000
crypto map mykink1 1 ipsec-isakmp
crypto map mykink1 1 match address 101
crypto map mykink1 1 set peer 21.21.21.21
crypto map mykink1 1 set transform-set aesonly
crypto map mykink1 interface outside

isakmp enable outside
isakmp key ******** address 21.21.21.21 netmask 255.255.255.255
isakmp identity key-id mykey1
isakmp keepalive 60 5
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 3600



For the second tunnel I have to use the following parameters:

IPSec (Phase I) Parameter
Encryption Algorithm: 3DES
Hash Algorithm: SHA-1
Diffie-Hellman Group: 2
Authentication: Pre-shared key
Lifetime: default 86400s

IPSec (Phase II) Parameter
ESP Algorithm: 3DES
Hash Algorithm: SHA-1
PFS
D-H Group: 2
Lifetime: default 28800s

So, I can create another crypto map for the new connection, but what will the second part look like?


Thanks again


Robert

JORGE RODRIGUEZ Mon, 10/29/2007 - 20:41

I assume that for your second tunnel you have a new peer IP; also, how does the new peer want you to come in, with a static public IP?

I think the easiest way is to create a second crypto map for the additional tunnel through PDM. You already have the existing crypto map mykink1 with isakmp policy 1; in the PIX PDM VPN section, create a new one.

e.g.

Assume the second peer IP is 20.20.20.1, and you will access a remote host behind that peer with IP 199.200.154.12 for RDP services. Your inside host at the local site is 192.168.1.1 with static NAT public IP x.y.x.y.

For your second tunnel you would have something similar to this, assuming the new remote peer wants you to come in with the public IP:


crypto ipsec transform-set NEW_SET_SITE2 esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800 kilobytes 86400
crypto map mykink2 2 ipsec-isakmp
crypto map mykink2 2 match address outside_cryptomap_2
crypto map mykink2 2 set peer 20.20.20.1
crypto map mykink2 2 set transform-set NEW_SET_SITE2
crypto map mykink2 interface outside

isakmp key XXXXX address 20.20.20.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 2 authen pre-share
isakmp policy 2 encrypt 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 28800

static (inside,outside) x.y.x.y 192.168.1.1 255.255.255.255 0 0
access-list outside_cryptomap_2 permit tcp host x.y.x.y host 199.200.154.12 eq 3389





rwawrig Tue, 10/30/2007 - 15:01

Yes, I got it up to here.

My problem is with these lines:

crypto map mykink2 interface outside

will overwrite

crypto map mykink1 interface outside

and

crypto ipsec security-association lifetime seconds 28800 kilobytes 86400

will overwrite

crypto ipsec security-association lifetime seconds 3600 kilobytes 500000

My question is whether the first tunnel, which I have active now, will still work if I add these two lines.


thanks again


Robert



Correct Answer
Jon Marshall Tue, 10/30/2007 - 15:11

Robert


You can only use one crypto map on an interface, but you can have sequence numbers within your crypto map, so from your config:

The existing tunnel

crypto map mykink1 1 ipsec-isakmp
crypto map mykink1 1 match address 101
crypto map mykink1 1 set peer 21.21.21.21
crypto map mykink1 1 set transform-set aesonly

Your new tunnel

crypto map mykink1 2 ipsec-isakmp
crypto map mykink1 2 match address "acl number"
crypto map mykink1 2 set peer "new peer address"
crypto map mykink1 2 set transform-set "new transform set"
crypto map mykink1 2 set security-association lifetime seconds "number of seconds"

You need to fill in the right values within the "" marks.

Note the sequence number has incremented from 1 in your first entry to 2 in the second entry.

You can specify the security association lifetime within the crypto map config, which overrides the global setting.

Adding this config should not affect your existing tunnel.


HTH


Jon
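An added example (my own, not from the thread or from Cisco): a small Python lint that reads a PIX-style crypto configuration and flags the pitfalls discussed here. Both sample configs are constructed; the first binds two crypto maps to the same interface (so the second binding replaces the first), the second folds both tunnels into sequence entries 1 and 2 of one map as Jon describes.

```python
import re
from collections import defaultdict

# Constructed input: two crypto maps both applied to "outside".
# The second "interface outside" line would replace the first map.
TWO_MAPS = """\
crypto ipsec transform-set aesonly esp-aes esp-md5-hmac
crypto map mykink1 1 match address 101
crypto map mykink1 1 set peer 21.21.21.21
crypto map mykink1 1 set transform-set aesonly
crypto map mykink1 interface outside
crypto map mykink2 2 match address 102
crypto map mykink2 2 set peer 20.20.20.1
crypto map mykink2 2 set transform-set NEW_SET_SITE2
crypto map mykink2 interface outside
isakmp key ******** address 21.21.21.21 netmask 255.255.255.255
"""
# Constructed input: same tunnels as sequence entries 1 and 2 of ONE map,
# with the missing transform set and pre-shared key added.
ONE_MAP = TWO_MAPS.replace("mykink2", "mykink1").replace(
    "crypto map mykink1 interface outside\n", "", 1) + (
    "crypto ipsec transform-set NEW_SET_SITE2 esp-3des esp-sha-hmac\n"
    "isakmp key ******** address 20.20.20.1 netmask 255.255.255.255\n")

def parse(config):
    # crypto-map entries, interface bindings, defined transform sets, peer keys
    maps, bound, tsets, keys = defaultdict(dict), defaultdict(list), set(), set()
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            bound[m[2]].append(m[1])
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)", line):
            maps[m[1]].setdefault(int(m[2]), {})[m[3]] = m[4]
        elif m := re.match(r"crypto ipsec transform-set (\S+)", line):
            tsets.add(m[1])
        elif m := re.match(r"(?:crypto )?isakmp key \S+ address (\S+)", line):
            keys.add(m[1])
    return maps, bound, tsets, keys

def lint(config):
    # Returns a list of problems; an empty list means all checks passed.
    maps, bound, tsets, keys = parse(config)
    problems = []
    for iface, names in bound.items():
        if len(names) > 1:  # only one crypto map can be applied per interface
            problems.append(f"{iface}: {names[-1]} replaces {', '.join(names[:-1])}")
    for name, seqs in maps.items():
        for seq, f in sorted(seqs.items()):
            for req in ("match address", "set peer", "set transform-set"):
                if req not in f:
                    problems.append(f"{name} {seq}: missing '{req}'")
            if "set transform-set" in f and f["set transform-set"] not in tsets:
                problems.append(f"{name} {seq}: transform-set {f['set transform-set']} is not defined")
            if "set peer" in f and f["set peer"] not in keys:
                problems.append(f"{name} {seq}: no isakmp key for peer {f['set peer']}")
    return problems
```

Running lint(TWO_MAPS) reports the replaced map, the undefined transform set and the peer without a key; lint(ONE_MAP) returns an empty list.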

JORGE RODRIGUEZ Tue, 10/30/2007 - 19:55

Thanks, Jon, for the info; you're always a great resource. This is good to know, that only one crypto map can be used when adding additional tunnels.


Rgds

Jorge

rwawrig Mon, 11/12/2007 - 04:29

Hi,


I have now this config:


sysopt connection permit-ipsec
crypto ipsec transform-set aesonly esp-aes esp-md5-hmac
crypto ipsec transform-set tripledes esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600 kilobytes 500000
crypto map mymap1 1 ipsec-isakmp
crypto map mymap1 1 match address 101
crypto map mymap1 1 set peer x.x.x.x
crypto map mymap1 1 set transform-set aesonly
crypto map mymap1 2 ipsec-isakmp
crypto map mymap1 2 match address 102
crypto map mymap1 2 set peer y.y.y.y
crypto map mymap1 2 set transform-set tripledes
crypto map mymap1 2 set security-association lifetime seconds 86400 kilobytes 500000
crypto map mymap1 interface outside

isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address y.y.y.y netmask 255.255.255.255
isakmp identity key-id xxx
isakmp keepalive 60 5
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 3600
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 28800




I don't know why, but for the second tunnel I get encryption aes on the other side, and it should be 3des.

Phase 1 of the tunnel build is not completing.

What am I missing?


Thanks


Robert

rwawrig Sat, 11/17/2007 - 14:15

Sorry, my mistake.

It is working.

Thanks for the help.


Robert

fabiossilva Mon, 11/19/2007 - 08:31

Hi, I have a scenario like yours. I have 3 Cisco ASAs, two of them 5505s and one 5510. I have configured the IPsec VPNs, and from the CORE (5510) I can ping the remote1-network and the remote2-network, but I can't ping anything or access any service from remote1-network directly to remote2-network.

See the deployment that I created in the attached file, and if you know what the problem could be, please tell me. Any hint is appreciated.

Best Regards,

Fabio

Here is a small sh run of the appliances...


Sh run - ASA Remote1 - 5505

object-group network DM_INLINE_NETWORK_1
 network-object remote2-network 255.255.255.0
 network-object core-network 255.255.255.0
access-list outside_1_cryptomap extended permit ip 11.0.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip 11.0.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 192.168.0.5
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal




Sh run - ASA Remote2 - 5505

object-group network DM_INLINE_NETWORK_1
 network-object remote1-network 255.255.255.0
 network-object core-network 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 192.168.0.5
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal



Sh run - ASA CORE - 5510

same-security-traffic permit inter-interface
object-group network DM_INLINE_NETWORK_1
 network-object remote2-network 255.255.255.0
 network-object 12.0.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object remote1-network 255.255.255.0
 network-object 12.0.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 remote1-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 remote1-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_2 remote2-network 255.255.255.0
access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 remote2-network 255.255.255.0

global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 192.168.0.3
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 192.168.0.4
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal





rwawrig Wed, 11/28/2007 - 14:50

hi,


Have you told 192.168.0.3 that all the packets for 11.0.0.0/24 have to go to 192.168.0.5?

Static routing...

And also the other way around...

fabiossilva Thu, 11/29/2007 - 02:04

Hi rwawrig, I achieved it. I needed to configure

same-security-traffic permit intra-interface

and all works fine.


Thanks!


Fabio
