Setting up pix vpn to a specific host

Unanswered Question
Jan 14th, 2008

Just wanting to check my work for setting up a site-to-site, but I only want to give access to a specific host. Is this correct?

# Access list to specific host.
access-list inside_outbout_nat0 permit ip 10.0.0.9 255.255.255.255 10.254.0.0 255.255.255.0

# remote side of Site-to-site Tunnel
pdm location 1.2.3.4 255.255.255.255 outside

# VPN specific stuff.
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 1.2.3.4
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 86400 kilobytes 4608000

# VPN authentication
isakmp key ******** address 1.2.3.4 netmask 255.255.255.255

JORGE RODRIGUEZ Mon, 01/14/2008 - 10:30

Your Phase2 configuration seems straightforward; you may want to add a couple of statements for your l2l, as they will be needed, otherwise it will not work. Where is your Phase1 configuration, i.e. what pertains to the isakmp policy?

This is part of IPsec Phase2:

crypto isakmp enable outside (enables the outside interface as your l2l vpn tunnel point)

crypto map outside_map interface outside (defines your crypto map to be bound to the outside interface)

Also make sure the other end of the tunnel agrees on these settings, and that the opposite side has the access-list the other way around.

e.g.

The other side of the tunnel has a similar access list:

access-list inside_outbout_nat0 permit ip 10.254.0.0 255.255.255.0 10.0.0.9 255.255.255.255

Rgds

Jorge
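As an added example (not from the thread or from Cisco), a small Python check of Jorge's point: the far end's ACL entry must be the local one with source and destination swapped, with each subnet mask travelling with its address, and the local source must stay a single host. The sample lines are constructed from the thread's addresses; the ACL name inside_outbound_nat0 is an assumption.

```python
import ipaddress
import re
from typing import List, NamedTuple

# PIX 6.x syntax: access-list NAME permit ip SRC SUBNET-MASK DST SUBNET-MASK
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)$"
)

class Rule(NamedTuple):
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def parse_rule(line: str) -> Rule:
    """Parse one permit-ip line; raises ValueError on bad syntax or masks."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PIX 'permit ip' line: {line.strip()!r}")
    # PIX masks are subnet masks (255.255.255.255 = one host). strict=True
    # rejects e.g. 10.0.0.9 255.255.255.0, the signature of a swapped mask.
    src = ipaddress.IPv4Network((m["src"], m["smask"]), strict=True)
    dst = ipaddress.IPv4Network((m["dst"], m["dmask"]), strict=True)
    return Rule(src, dst)

def mirror(rule: Rule) -> Rule:
    """The entry the far end must carry: source and destination swapped."""
    return Rule(rule.dst, rule.src)

def check_tunnel_acls(local_line: str, remote_line: str) -> List[str]:
    """Return a list of problems; an empty list means the pair is consistent."""
    try:
        local, remote = parse_rule(local_line), parse_rule(remote_line)
    except ValueError as e:
        return [str(e)]
    problems: List[str] = []
    if local.src.prefixlen != 32:  # the thread's goal: one host only
        problems.append(f"local source {local.src} is not a single host")
    if remote != mirror(local):
        problems.append(f"remote {remote} is not the mirror of {local}")
    return problems

# Constructed sample lines using the thread's addresses (ACL name assumed).
LOCAL = "access-list inside_outbound_nat0 permit ip 10.0.0.9 255.255.255.255 10.254.0.0 255.255.255.0"
REMOTE_OK = "access-list inside_outbound_nat0 permit ip 10.254.0.0 255.255.255.0 10.0.0.9 255.255.255.255"
REMOTE_SWAPPED = "access-list inside_outbound_nat0 permit ip 10.254.0.0 255.255.255.255 10.0.0.9 255.255.255.0"

if __name__ == "__main__":
    print(check_tunnel_acls(LOCAL, REMOTE_OK))       # []
    print(check_tunnel_acls(LOCAL, REMOTE_SWAPPED))  # one 'host bits set' problem
```

A misspelled keyword such as "acces-list" is reported as a syntax problem rather than silently accepted, which is the first thing the check catches on a pasted config.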

mikelevenson Mon, 01/14/2008 - 10:41

Jorge,

I left out the rest of my config; I do currently have an existing site-to-site already set up. I thought I was correct, but just wanted to double check. A second set of eyes is always good.

Thanks

Mike
