Cisco Support Community
Connect 2 Remote VPN sites

I have a PIX 515 running 6.3(3) and I have made connections between 2 remote sites A & B (A<->PIX 515 & B<->PIX 515).

I would like to link the 2 remote sites (through our PIX 515): A<->PIX 515<->B

How can I do it? Add an access-list? Add routing in the PIX?

Thanks

---PIX 515 config

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

access-list VPN permit ip A.B.C.0 255.255.255.0 X.Y.Z.0 255.255.0.0

access-list VPN permit ip A.B.C.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list siteA permit ip A.B.C.0 255.255.255.0 x.y.z.0 255.255.0.0

access-list siteb permit ip A.B.C.0 255.255.255.0 192.168.0.0 255.255.255.0

no pager

mtu outside 00

mtu inside 00

mtu dmz 00

ip address outside A.A.A.A 255.255.255.240

ip address inside A.B.C.2 255.255.255.0

ip address dmz 127.0.0.1 255.255.255.255

ip audit info action alarm

ip audit attack action alarm

nat (inside) 0 A.B.C.0 255.255.255.0 0 0

static (inside,outside) A.B.C.0 A.B.C.0 netmask 255.255.255.0 0 0

sysopt connection permit-ipsec

crypto ipsec transform-set common esp-des esp-sha-hmac

crypto ipsec transform-set common2 esp-des esp-md5-hmac

crypto dynamic-map dynamp 10 set transform-set common

crypto dynamic-map dynamp 20 set transform-set common2

crypto map test 10 ipsec-isakmp

crypto map test 10 match address siteA

crypto map test 10 set peer x.x.x.x

crypto map test 10 set transform-set common

crypto map test 95 ipsec-isakmp

crypto map test 95 match address siteb

crypto map test 95 set peer y.y.y.y

crypto map test 95 set transform-set common

crypto map test 100 ipsec-isakmp dynamic dynamp

crypto map test client configuration address initiate

crypto map test client configuration address respond

crypto map test interface outside

isakmp enable outside

isakmp key ******** address y.y.y.y netmask 255.255.255.255

isakmp key ******** address x.x.x.x netmask 255.255.255.255

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

isakmp policy 30 authentication pre-share

isakmp policy 30 encryption des

isakmp policy 30 hash sha

isakmp policy 30 group 2

isakmp policy 30 lifetime 86400

isakmp policy 40 authentication pre-share

isakmp policy 40 encryption des

isakmp policy 40 hash md5

isakmp policy 40 group 1

isakmp policy 40 lifetime 86400


Re: Connect 2 Remote VPN sites

Hi,

I'm not sure it is possible, since with version 6.3 the PIX does not allow traffic to enter and go out through the same interface.

You can do this with PIX v7 using the same-security-traffic permit intra-interface command.

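Added example, not part of the thread and not Cisco's code: a small Python model of how the hub picks an outbound tunnel, showing that relaying A<->B through the hub needs both the intra-interface permit the reply mentions and crypto ACL entries that cover the spoke-to-spoke networks. All addresses, the extra ACL lines and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: hub LAN 10.1.1.0/24, site A 10.2.0.0/16, site B 192.168.0.0/24;
# peers are documentation addresses. None of these values come from the thread.
HUB_CONFIG = """\
access-list siteA permit ip 10.1.1.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list siteb permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0
crypto map test 10 match address siteA
crypto map test 10 set peer 203.0.113.10
crypto map test 95 match address siteb
crypto map test 95 set peer 203.0.113.20
"""
# Assumed additions on a 7.x hub for traffic relayed between the two spokes.
SPOKE_TO_SPOKE = """\
same-security-traffic permit intra-interface
access-list siteA permit ip 192.168.0.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list siteb permit ip 10.2.0.0 255.255.0.0 192.168.0.0 255.255.255.0
"""
ACL_RE = re.compile(r"access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)")
MAP_RE = re.compile(r"crypto map \S+ (\d+) (match address|set peer) (\S+)")

def parse(config):
    """Collect crypto ACL selectors, crypto map entries and the hairpin setting."""
    acls, entries, hairpin = {}, {}, False
    for line in map(str.strip, config.splitlines()):
        if m := ACL_RE.fullmatch(line):
            name, src, smask, dst, dmask = m.groups()
            pair = (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}"))
            acls.setdefault(name, []).append(pair)
        elif m := MAP_RE.fullmatch(line):
            entries.setdefault(int(m[1]), {})[m[2]] = m[3]
        elif line == "same-security-traffic permit intra-interface":
            hairpin = True
    return acls, entries, hairpin

def tunnel_for(config, src, dst, arrives_on_outside):
    """Peer whose tunnel would carry src -> dst out of the outside interface, or None."""
    acls, entries, hairpin = parse(config)
    if arrives_on_outside and not hairpin:
        return None  # may not enter and leave through the same interface
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq in sorted(entries):  # crypto map entries are checked in sequence order
        for snet, dnet in acls.get(entries[seq].get("match address"), []):
            if s in snet and d in dnet:
                return entries[seq].get("set peer")
    return None
```

Each spoke's own crypto ACL toward the hub needs the mirrored entry for the other spoke's network, otherwise the selectors will not match on both ends of the tunnel.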