
New Member

Configure PIX for Site-to-Site VPN and Remote Access VPN

Dear Sir,

We have two PIXes (PIX1 at HQ and PIX2 at branch). Both PIXes are configured for VPN remote access using PPTP and working good.

Now we want to add Site-to-Site VPN using IPSec to both PIXes. Each PIX is connected to Internet via cisco router (3600 and 2500). I am following this doc to configure IPSec for both PIXes:

http://www.cisco.com/warp/public/110/38.html

I have following questions before I apply IPSec configuration to both PIXes:

1. The ACL for VPN remote access traffic is:

access-list 102 permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0

nat (inside) 0 access-list 102

The ACL for IPSec traffic is:

access-list 101 permit ip 192.168.100.0 255.255.255.0 172.16.0.0 255.255.0.0

nat (inside) 0 access-list 101

Should I use the same ACL number or a different ACL number on "nat (inside) 0" for both kinds of traffic?

2. Do I have to open any port on both routers to let IPSec traffic go through? And how?

3. What is the procedure to configure IPSec on both PIXes? Can I configure PIX1 first and then do IPSec on PIX2? Or do I have to finish the ISAKMP part on both PIXes first and then do the CRYPTO part on both PIXes later?

4. Am I missing any important point when configuring the PIX for Site-to-Site VPN and Remote Access VPN?

Thank you for your help.

Simon

2 REPLIES
Silver

Re: Configure PIX for Site-to-Site VPN and Remote Access VPN

1. You can have multiple nat (0) statements without issue.

2. "sysopt connection permit ipsec" will magically allow all IPsec-related traffic to pass the ASA setup.

3. It really doesn't matter. Just think about how you are doing it, though: how are you connecting to the 2 pixen? I recommend using ssh from a 3rd party host that is not going to be included in the tunnel (meaning it won't be in a crypto ACL, etc.). This way, if you do something stupid (like writing your crypto ACL backwards, not that I could *possibly* speak from first-time experience ;-) ), you limit how much havoc you can cause and avoid cutting off your communication methods.

4. I can't think of anything in particular here. Maybe someone else can think of something.

New Member

Re: Configure PIX for Site-to-Site VPN and Remote Access VPN

Thank you for your response.

I have applied my config to both PIXen but it did not work. I guess the following two reasons cause the problem:

1. My perimeter devices (cisco 3640 and 2500) do not have a port open for IPSec traffic. What is the command on the router to open the port for IKE negotiation and protocol 50 (ESP) and protocol 51 (AH)?

2. My source and destination IP addresses in the IPSec traffic are as follows:

access-list 101 permit ip 172.16.0.0 255.255.0.0 192.168.100.0 255.255.255.0 (on PIX1)

access-list 101 permit ip 192.168.100.0 255.255.255.0 172.16.0.0 255.255.0.0 (on PIX2)

My perimeter devices (cisco 3640 and 2500) have the following ACL commands:

access-list 111 deny ip 172.16.0.0 0.15.255.255 any

access-list 111 deny ip 192.168.0.0 0.0.255.255 any

Is it possible that the above ACL commands on the router block the IPSec traffic?

To my knowledge, the source and destination IP addresses in IPSec traffic are encrypted in the IP payload and the router should not be able to see them. So the router will not be able to block the IPSec traffic.

Thank you for your help.

Simon
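The two checks this thread turns on, as an added example that is not from either post or from Cisco: whether the crypto ACLs on the two PIXen mirror each other (the "backwards crypto ACL" case from the first reply), and whether the router ACL in front of the HQ PIX lets the tunnel's own flows (IKE on UDP 500, ESP, AH) reach the PIX outside address. The router evaluates the tunnel's outer header, so the peer addresses, here constructed RFC 5737 values, are what the ACL must permit; the repaired router ACL is an assumption, not a configuration from the thread.

```python
import ipaddress
# Constructed sample values (not from the thread): RFC 5737 addresses stand in for the PIX outside interfaces.
PIX1_OUTSIDE, PIX2_OUTSIDE = "203.0.113.1", "198.51.100.1"
PIX1_CRYPTO = ["access-list 101 permit ip 172.16.0.0 255.255.0.0 192.168.100.0 255.255.255.0"]
PIX2_CRYPTO = ["access-list 101 permit ip 192.168.100.0 255.255.255.0 172.16.0.0 255.255.0.0"]
ROUTER_ACL_AS_POSTED = [  # the two lines quoted above; IOS adds an implicit deny at the end
    "access-list 111 deny ip 172.16.0.0 0.15.255.255 any",
    "access-list 111 deny ip 192.168.0.0 0.0.255.255 any",
]
ROUTER_ACL_FIXED = [  # assumed repair: permit IKE, ESP and AH between the peers ahead of the denies
    f"access-list 111 permit udp host {PIX2_OUTSIDE} host {PIX1_OUTSIDE} eq 500",
    f"access-list 111 permit esp host {PIX2_OUTSIDE} host {PIX1_OUTSIDE}",
    f"access-list 111 permit ahp host {PIX2_OUTSIDE} host {PIX1_OUTSIDE}",
] + ROUTER_ACL_AS_POSTED

def crypto_acls_mirror(pix1_lines, pix2_lines):
    """PIX 'access-list N permit ip SRC MASK DST MASK': every PIX1 (src, dst) must be (dst, src) on PIX2."""
    def pairs(lines):
        return {(ipaddress.ip_network(f"{t[4]}/{t[5]}"), ipaddress.ip_network(f"{t[6]}/{t[7]}"))
                for t in (l.split() for l in lines)}
    return {(d, s) for s, d in pairs(pix1_lines)} == pairs(pix2_lines)

def _wild_match(addr, net, wildcard):
    """IOS wildcard test: address bits where the wildcard has a 0 must equal the network's bits."""
    a, n, w = (int(ipaddress.ip_address(x)) for x in (addr, net, wildcard))
    return (a ^ n) & ~w & 0xFFFFFFFF == 0

def _operand(t, i):
    """Parse 'any' | 'host X' | 'NET WILDCARD' at t[i]; return (net, wildcard, next index)."""
    if t[i] == "any": return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host": return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2

def router_verdict(acl_lines, proto, src, dst, dport=None):
    """First-match evaluation of an IOS extended ACL, ending in the implicit deny."""
    for line in acl_lines:
        t = line.split()
        action, p = t[2], t[3]
        s_net, s_wild, i = _operand(t, 4)
        d_net, d_wild, i = _operand(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        if p in ("ip", proto) and (port is None or port == dport) \
                and _wild_match(src, s_net, s_wild) and _wild_match(dst, d_net, d_wild):
            return action
    return "deny"

def tunnel_flows_permitted(acl_lines, remote_peer, local_peer):
    """Verdicts for the three flows a site-to-site tunnel needs to reach the local PIX."""
    return {name: router_verdict(acl_lines, proto, remote_peer, local_peer, port)
            for name, proto, port in (("ike", "udp", 500), ("esp", "esp", None), ("ah", "ahp", None))}
```

The posted router ACL denies all three tunnel flows through its implicit deny even though neither quoted line matches them; the anti-spoofing denies still drop a packet claiming a private source address after the repair.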
