10-28-2007 11:35 AM - edited 02-21-2020 03:20 PM
Hi,
I have a site-to-site vpn tunnel between two PIX Firewalls.
Is it possible to build, on one side, another site-to-site VPN tunnel with a third PIX?
Thanks
Robert
10-28-2007 04:27 PM
Robert, yes it is possible; you could build a new L2L tunnel on a single security appliance in addition to an existing L2L tunnel.
Please refer to the link below.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml
Rgds
Jorge
10-29-2007 04:02 PM
Thanks for the link.
Still, I will need a little bit more help.
My config right now is this:
sysopt connection permit-ipsec
crypto ipsec transform-set aesonly esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600 kilobytes 500000
crypto map mykink1 1 ipsec-isakmp
crypto map mykink1 1 match address 101
crypto map mykink1 1 set peer 21.21.21.21
crypto map mykink1 1 set transform-set aesonly
crypto map mykink1 interface outside
isakmp enable outside
isakmp key ******** address 21.21.21.21 netmask 255.255.255.255
isakmp identity key-id mykey1
isakmp keepalive 60 5
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 3600
For the second tunnel I have to use the following parameters:
IPSec (Phase I) Parameter
Encryption Algorithm 3 DES
Hash Algorithm SHA-1
Diffie-Hellman Group 2
Authentication Pre-shared key
Lifetime default 86400s
__________________________
IPSec (Phase II) Parameter
ESP Algorithm 3 DES
Hash Algorithm SHA-1
PFS
D-H Group 2
Lifetime default 28800s
So, I can create another crypto map for the new connection, but how will the second part look?
Thanks again
Robert
10-29-2007 08:41 PM
I assume for your second tunnel you have a new peer IP; also, how does the new peer want you to come in, with a static public IP?
I think the easiest way is to create a second crypto map for the additional tunnel through PDM. You already have the existing crypto map mykink1 with isakmp policy 1; in PIX PDM VPN create a new one.
e.g.
Assume the second peer IP is 20.20.20.1 and
you will access a remote host behind the peer with IP 199.200.154.12 for RDP services. Your inside host at the local site is 192.168.1.1 with static NAT public IP x.y.x.y.
For your second tunnel you would have something similar to this, assuming the new remote peer wants you to come in with your public IP:
crypto ipsec transform-set NEW_SET_SITE2 esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800 kilobytes 86400
crypto map mykink2 2 ipsec-isakmp
crypto map mykink2 2 match address outside_cryptomap_2
crypto map mykink2 2 set peer 20.20.20.1
crypto map mykink2 2 set transform-set NEW_SET_SITE2
crypto map mykink2 interface outside
isakmp key XXXXX address 20.20.20.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 2 authen pre-share
isakmp policy 2 encrypt 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 28800
static (inside,outside) x.y.x.y 192.168.1.1 255.255.255.255 0 0
access-list outside_cryptomap_2 permit tcp host x.y.x.y host 199.200.154.12 eq 3389
10-30-2007 03:01 PM
Yes, I got it up to here.
My problem is with these lines:
crypto map mykink2 interface outside
will overwrite
crypto map mykink1 interface outside
crypto ipsec security-association lifetime seconds 28800 kilobytes 86400
will overwrite
crypto ipsec security-association lifetime seconds 3600 kilobytes 500000
My question is whether the first tunnel, which I have active now, will work if I add these two lines.
thanks again
Robert
10-30-2007 03:11 PM
Robert
You can only use one crypto map on an interface but you can have sequence numbers within your crypto map so from your config
The existing tunnel
crypto map mykink1 1 ipsec-isakmp
crypto map mykink1 1 match address 101
crypto map mykink1 1 set peer 21.21.21.21
crypto map mykink1 1 set transform-set aesonly
Your new tunnel
crypto map mykink1 2 ipsec-isakmp
crypto map mykink1 2 match address "acl number"
crypto map mykink1 2 set peer "new peer address"
crypto map mykink1 2 set transform-set "new transform set"
crypto map mykink1 2 set security association lifetime seconds "number of seconds"
You need to fill in the right values within the "" marks.
Note the sequence number has incremented from 1 in your first entry to 2 in the second entry.
You can specify the security association lifetime within the crypto map config which overrides the global settings.
Adding this config should not affect your existing tunnel.
HTH
Jon
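The point Jon makes (one crypto map per interface, a new sequence number per tunnel) is easy to get wrong when pasting a second tunnel's lines. The script below is an added example, not code from this thread or from Cisco: it parses a PIX/ASA crypto-map fragment and flags two maps bound to the same interface, an entry whose lines are split across two map names, entries missing a required line, and peers with no ISAKMP pre-shared key. The two sample configs are constructed to resemble the ones posted here and are not copied from any device.

```python
"""Lint a PIX/ASA crypto-map fragment for the multi-tunnel mistakes discussed above:
two crypto maps bound to the same interface (only one can be; the last binding wins),
a tunnel whose entry lines are split across two map names, entries missing a piece,
and peers with no matching ISAKMP pre-shared key. Added example; the sample configs
below are constructed to resemble the posted ones, not copied from any device."""
import re
from collections import defaultdict

MAP_ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
MAP_BIND = re.compile(r"^crypto map (\S+) interface (\S+)$")
ISAKMP_KEY = re.compile(r"^isakmp key \S+ address (\S+)")
REQUIRED = ("type", "acl", "peer", "transform")


def parse(config):
    """Collect crypto map entries by (map name, sequence), interface bindings, and keyed peers."""
    maps = defaultdict(lambda: defaultdict(dict))  # map -> seq -> attributes
    bindings = defaultdict(list)                    # interface -> map names bound to it
    keyed_peers = set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := MAP_BIND.match(line):
            bindings[m.group(2)].append(m.group(1))
        elif m := MAP_ENTRY.match(line):
            name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
            entry = maps[name][seq]
            if rest == "ipsec-isakmp":
                entry["type"] = rest
            elif rest.startswith("match address "):
                entry["acl"] = rest.split()[2]
            elif rest.startswith("set peer "):
                entry["peer"] = rest.split()[2]
            elif rest.startswith("set transform-set "):
                entry["transform"] = rest.split()[2]
            # other attributes (e.g. a per-entry SA lifetime) are legal and ignored here
        elif m := ISAKMP_KEY.match(line):
            keyed_peers.add(m.group(1))
    return maps, bindings, keyed_peers


def lint(config):
    """Return a list of findings; an empty list means the fragment looks consistent."""
    maps, bindings, keyed_peers = parse(config)
    findings = []
    for iface, names in bindings.items():
        if len(names) > 1:
            findings.append(f"{iface}: {len(names)} crypto maps bound ({', '.join(names)}); "
                            "only one map per interface, use sequence numbers in one map instead")
    bound = {n for names in bindings.values() for n in names}
    for name, entries in maps.items():
        if name not in bound:
            findings.append(f"{name}: map is never bound to an interface")
        for seq, entry in sorted(entries.items()):
            missing = [k for k in REQUIRED if k not in entry]
            if missing:
                findings.append(f"{name} {seq}: incomplete entry, missing {', '.join(missing)}")
            if "peer" in entry and entry["peer"] not in keyed_peers:
                findings.append(f"{name} {seq}: no isakmp key for peer {entry['peer']}")
    return findings


# Constructed draft: the second tunnel was pasted under a new map name, one of its
# lines landed under the old name, both maps get bound to "outside", and the key
# for the new peer was forgotten.
DRAFT = """
crypto map mykink1 1 ipsec-isakmp
crypto map mykink1 1 match address 101
crypto map mykink1 1 set peer 21.21.21.21
crypto map mykink1 1 set transform-set aesonly
crypto map mykink1 interface outside
isakmp key ******** address 21.21.21.21 netmask 255.255.255.255
crypto map mykink2 2 ipsec-isakmp
crypto map mykink1 2 match address 102
crypto map mykink2 2 set peer 20.20.20.1
crypto map mykink2 2 set transform-set NEW_SET_SITE2
crypto map mykink2 interface outside
"""

# Constructed fix: one map, two sequence numbers, one binding, a key per peer.
FIXED = """
crypto map mymap1 1 ipsec-isakmp
crypto map mymap1 1 match address 101
crypto map mymap1 1 set peer 21.21.21.21
crypto map mymap1 1 set transform-set aesonly
crypto map mymap1 2 ipsec-isakmp
crypto map mymap1 2 match address 102
crypto map mymap1 2 set peer 20.20.20.1
crypto map mymap1 2 set transform-set NEW_SET_SITE2
crypto map mymap1 2 set security-association lifetime seconds 28800
crypto map mymap1 interface outside
isakmp key ******** address 21.21.21.21 netmask 255.255.255.255
isakmp key ******** address 20.20.20.1 netmask 255.255.255.255
"""

if __name__ == "__main__":
    for label, cfg in (("draft", DRAFT), ("fixed", FIXED)):
        print(f"{label}: {lint(cfg) or ['ok']}")
```

Run it against a `show run` pasted into a file before applying a second tunnel; the "incomplete entry" finding is what the mykink1/mykink2 slip looks like, and the "crypto maps bound" finding is exactly the overwrite Robert was worried about.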
10-30-2007 07:55 PM
Thanks Jon for the info; you're always a great resource. It is good to know that only one crypto map can be used when adding additional tunnels.
Rgds
Jorge
11-12-2007 04:29 AM
Hi,
I have now this config:
sysopt connection permit-ipsec
crypto ipsec transform-set aesonly esp-aes esp-md5-hmac
crypto ipsec transform-set tripledes esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600 kilobytes 500000
crypto map mymap1 1 ipsec-isakmp
crypto map mymap1 1 match address 101
crypto map mymap1 1 set peer x.x.x.x
crypto map mymap1 1 set transform-set aesonly
crypto map mymap1 2 ipsec-isakmp
crypto map mymap1 2 match address 102
crypto map mymap1 2 set peer y.y.y.y
crypto map mymap1 2 set transform-set tripledes
crypto map mymap1 2 set security-association lifetime seconds 86400 kilobytes 500000
crypto map mymap1 interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address y.y.y.y netmask 255.255.255.255
isakmp identity key-id xxx
isakmp keepalive 60 5
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 3600
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 28800
I don't know why, but for the second tunnel I get encryption AES on the other side, and it should be 3DES.
Phase 1 of the tunnel build is not completed.
What am I missing?
Thanks
Robert
11-17-2007 02:15 PM
Sorry, my mistake.
It is working.
Thanks for the help.
Robert
11-19-2007 08:31 AM
Hi, I have a scenario like yours: I have 3 Cisco ASAs, two of them 5505s and one 5510. I have configured the IPsec VPN, and from the CORE (5510) I can ping remote1-network and remote2-network, but I can't ping anything or access any service from remote1-network directly to remote2-network.
See the deployment I created in the attached file, and if you know what the problem could be, please tell me. Any hint is appreciated.
Best Regards,
Fabio
Here is a small sh run of the appliances...
Sh run - ASA Remote1 - 5505
object-group network DM_INLINE_NETWORK_1
network-object remote2-network 255.255.255.0
network-object core-network 255.255.255.0
access-list outside_1_cryptomap extended permit ip 11.0.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip 11.0.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 192.168.0.5
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
Sh run - ASA Remote2 - 5505
object-group network DM_INLINE_NETWORK_1
network-object remote1-network 255.255.255.0
network-object core-network 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 192.168.0.5
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
Sh run - ASA CORE - 5510
same-security-traffic permit inter-interface
object-group network DM_INLINE_NETWORK_1
network-object remote2-network 255.255.255.0
network-object 12.0.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object remote1-network 255.255.255.0
network-object 12.0.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 remote1-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 remote1-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_2 remote2-network 255.255.255.0
access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 remote2-network 255.255.255.0
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 192.168.0.3
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 192.168.0.4
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
11-28-2007 02:50 PM
hi,
Have you told 192.168.0.3 that all the packets for 11.0.0.0/24 have to go to 192.168.0.5?
Static routing...
And also the other way around...
11-29-2007 02:04 AM
Hi rwawring, I achieved it. I needed to configure
same-security-traffic permit intra-interface
and all works fine.
Thanks!
Fabio
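Fabio's layout is the classic hub-and-spoke case: the crypto ACLs on both spokes and both hub entries already listed the other spoke's subnet, and the packet still died on the core because an ASA will not send traffic back out the interface it arrived on unless `same-security-traffic permit intra-interface` is set. The script below is an added example, not the poster's configuration or ASA code: it models the four crypto-ACL checks a spoke-to-spoke packet has to pass (each spoke's entry in the packet's direction, the hub's entries as mirror images) plus the hub's hairpin permit, and reports every reason the flow would be dropped. The subnets and peer roles are taken from the posted fragments (11.0.0.0/24 behind remote1, 10.0.0.0/24 behind remote2, 12.0.0.0/24 behind the core); the device names and the `site()` helper are this example's own.

```python
"""Trace a spoke-to-spoke flow through the hub-and-spoke layout above (remote1 and
remote2 each tunnel only to the core ASA) and report why it would be dropped.
Added example, not the poster's configuration; subnets are those in the posted
fragments, the model itself is not ASA code."""
from ipaddress import ip_address, ip_network


def acl(*pairs):
    """A crypto ACL as (source network, destination network) permit lines."""
    return [(ip_network(s), ip_network(d)) for s, d in pairs]


def covers(lines, src, dst):
    """True if some permit line matches the packet in this direction."""
    return any(src in s and dst in d for s, d in lines)


def site(hub_hairpin):
    """Crypto ACLs per device and per peer, mirroring the posted DM_INLINE groups.
    hub_hairpin models 'same-security-traffic permit intra-interface' on the core."""
    return {
        "remote1": {"acls": {"hub": acl(("11.0.0.0/24", "10.0.0.0/24"),
                                        ("11.0.0.0/24", "12.0.0.0/24"))}},
        "remote2": {"acls": {"hub": acl(("10.0.0.0/24", "11.0.0.0/24"),
                                        ("10.0.0.0/24", "12.0.0.0/24"))}},
        "hub": {"acls": {"remote1": acl(("10.0.0.0/24", "11.0.0.0/24"),
                                        ("12.0.0.0/24", "11.0.0.0/24")),
                         "remote2": acl(("11.0.0.0/24", "10.0.0.0/24"),
                                        ("12.0.0.0/24", "10.0.0.0/24"))},
                "hairpin": hub_hairpin},
    }


def trace(topo, src_site, dst_site, src_ip, dst_ip):
    """Reasons the packet src_ip -> dst_ip (src_site to dst_site via the hub) is dropped;
    an empty list means it passes. Each hop's crypto ACL is checked in the packet's own
    direction; the hub's entries must be the mirror image of the spokes' or the phase 2
    selectors will not agree."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    hops = [
        (src_site, "hub", src, dst),   # source spoke encrypts toward the hub
        ("hub", src_site, dst, src),   # hub's entry for that spoke must mirror it
        ("hub", dst_site, src, dst),   # hub re-encrypts toward the destination spoke
        (dst_site, "hub", dst, src),   # destination spoke's entry must mirror that
    ]
    problems = [f"{dev}: crypto ACL toward {peer} has no line for {s} -> {d}"
                for dev, peer, s, d in hops
                if not covers(topo[dev]["acls"][peer], s, d)]
    if not topo["hub"]["hairpin"]:
        problems.append("hub: packet enters and leaves the outside interface; "
                        "needs 'same-security-traffic permit intra-interface'")
    return problems


if __name__ == "__main__":
    for hairpin in (False, True):
        result = trace(site(hairpin), "remote1", "remote2", "11.0.0.10", "10.0.0.20")
        print(f"hairpin={hairpin}: {result or ['passes']}")
```

The same pairs have to appear in each device's `nat (inside) 0` exemption list, as the posted `inside_nat0_outbound` ACLs do; a spoke whose crypto ACL lists only the core subnet (the last case in the test) shows up here as a missing line on the spoke itself, not on the hub.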