Setting up PIX VPN to a specific host

Jan 14th, 2008
Just wanting to check my work for setting up a site-to-site, but I only want to give access to a specific host. Is this correct?

# Access list to specific host.

access-list inside_outbout_nat0 permit ip

# remote side of Site-to-site Tunnel

pdm location outside

# VPN specific stuff.

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer

crypto map outside_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 20 set security-association lifetime seconds 86400 kilobytes 4608000

# VPN authentication

isakmp key ******** address netmask

JORGE RODRIGUEZ Mon, 01/14/2008 - 10:30

Your Phase 2 configuration seems straightforward. You may want to add a couple of statements for your L2L, as they will be needed, otherwise it will not work. Where is your Phase 1 configuration, what pertains to the isakmp policy?

This is part of IPsec Phase 2:

crypto isakmp enable outside (enables the outside interface as your L2L VPN tunnel point)

crypto map outside_map interface outside (defines your crypto map to be bound to the outside interface)

Also make sure the other end of the tunnel agrees on these settings, and that the opposite side has the access-list the other way around.


The other side of the tunnel similarly needs an access list:

access-list inside_outbout_nat0 permit ip
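To put the original post's fragments and the reply's missing pieces side by side, here is a complete PIX 6.x-style site-to-site configuration restricted to one host on each end. This is an added example, not the poster's config or Cisco's reference material. The ACL and crypto-map names are taken from the post; the addresses (local host 10.1.1.10, remote host 10.2.2.20, peer 203.0.113.2) and the Phase 1 policy values are assumed placeholders, and the `!` lines are comments. Note that the PIX 6.x form of the enable command is `isakmp enable outside`; `crypto isakmp enable outside` is the PIX 7.x/ASA spelling.

```cisco
! Added example (not from the original post or Cisco documentation).
! Assumed placeholders: local host 10.1.1.10 behind "inside",
! remote host 10.2.2.20 behind the peer, peer outside address 203.0.113.2.

! Phase 2 interesting traffic: host-to-host only. Using "host" on both
! sides, rather than a subnet, is what limits the tunnel to one machine.
access-list outside_cryptomap_20 permit ip host 10.1.1.10 host 10.2.2.20

! Exempt the same flow from NAT so it enters the tunnel with its real address.
! The nat0 ACL must match the crypto ACL, or the packets never hit the tunnel.
access-list inside_outbout_nat0 permit ip host 10.1.1.10 host 10.2.2.20
nat (inside) 0 access-list inside_outbout_nat0

! Phase 1 (ISAKMP), the part the original post left out.
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
! Pre-shared key for this single peer (/32 netmask); no-xauth and
! no-config-mode keep the L2L peer from being treated as a remote-access client.
isakmp key ******** address 203.0.113.2 netmask 255.255.255.255 no-xauth no-config-mode

! Phase 2 (IPsec) transform set and the static crypto map entry.
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 203.0.113.2
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map outside_map interface outside

! Let traffic arriving through the tunnel bypass the outside interface ACL.
sysopt connection permit-ipsec

! On the peer, both ACLs are mirrored (source and destination swapped):
! access-list outside_cryptomap_20 permit ip host 10.2.2.20 host 10.1.1.10
! access-list inside_outbout_nat0 permit ip host 10.2.2.20 host 10.1.1.10
```

With this in place, `show isakmp sa` should show the peer once Phase 1 completes and `show crypto ipsec sa` should show encaps/decaps counters climbing for the host pair only; any other inside host sending to 10.2.2.20 is NATed and routed normally rather than tunnelled, which is the intended restriction. The `crypto dynamic-map outside_dyn_map 20` line in the original post is only relevant if that dynamic map is also attached to `outside_map` for remote-access clients, which nothing in the post shows, so it is omitted here. 3DES/MD5 mirrors the transform set in the post; on PIX 6.3 and later, `esp-aes`/`esp-sha-hmac` and the matching `isakmp policy` values are the stronger choice where the peer supports them.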



mikelevenson Mon, 01/14/2008 - 10:41

I left out the rest of my config; I do currently have an existing site-to-site already set up. I thought I was correct, but just wanted to double check. Sometimes a second set of eyes is always good.



