How to config VPN tunnel between PIX515E and Router1721

mike-daniel
Level 1

hi,

I have a site-to-site VPN tunnel between my head office and Branch office-1; at both ends we are using PIX firewalls.

We have another Branch office-2, where we are using a Cisco 1721 router. I want to establish a VPN tunnel between my PIX (head office) and the router (branch office-2).

Any suggestions would be greatly appreciated.

Kindly check the attached network layout and PIX (head office) IPsec config.

Thanks for any comments.

9 Replies

sean
Level 3

Here is a basic config of what you would need to put on your router for the tunnel:

! Phase 1 (ISAKMP) policy and the pre-shared key for the PIX peer
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key address
! Phase 2 transform set
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! Crypto ACL: the traffic that is to be encrypted
ip access-list extended encrypt-acl
 permit
! Crypto map tying the peer, the transform set and the crypto ACL together
crypto map outside_map 10 ipsec-isakmp
 set peer
 set transform-set ESP-3DES-SHA
 match address encrypt-acl
! The crypto map only takes effect once it is applied to the outside interface
interface FastEthernet1/0
 ip address
 no shut
 crypto map outside_map

On your pix, you would just need to add another crypto segment for your new site-to-site tunnel.

Hope this helps.

hello sean,

Thanks for the reply.

Can you please mention the required crypto segment for the PIX, because I tried to add it on my PIX.

At that time my existing PIX-to-PIX tunnel got disconnected.

mike

sean
Level 3

Your tunnel dropped probably because you tried to use two "crypto map example_map 10 set peer 64.xxx.xxx.xxx.120" statements at the same time. To fix this, you will need to add the following:

crypto map example_map 20 ipsec-isakmp
crypto map example_map 20 match address 102
crypto map example_map 20 set peer
crypto map example_map 20 set transform-set cisco2

You will also need to create a new ACL to define the traffic that is to be encrypted and sent across this new tunnel. I changed the config to show 102 instead of 101, but you can use any number that is not currently in use.

Hope this helps.

hello sean,

Thanks a lot.

I updated my PIX according to your syntax.

Can you please have a look at the attached configs, because there is an active tunnel between the PIX and the router. I am sure something is missing.

Any suggestions highly appreciated.

Regards,

Mike

I am sorry...

hello sean,

Thanks a lot.

I updated my PIX according to your syntax.

Can you please have a look at the attached configs, because there is no active tunnel between the PIX and the router. I am sure something is missing.

Any suggestions highly appreciated.

Regards,

Mike

Do you have the proper routes configured for the remote end subnets?

hi,

Yes, routes are perfect.

Thanks

On the router the crypto map is not applied to an interface. You need to apply the crypto map outside_map to an interface.

sean
Level 3

In addition to the crypto map not being applied to an interface, the transform sets that you are using on each side do not match. On the router you are using 3DES and SHA, but on your PIX you are using DES and MD5. I would match both of these to 3DES and SHA. Also, NAT is attempted first, before traffic is kicked to the crypto engine. You will need to modify your NAT ACLs on both devices to deny the tunnel traffic first, then permit the traffic you want. After that, your tunnel traffic will be kicked to the crypto engine and go across the tunnel.

Hope this helps.
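The three faults Sean lists in his last reply (crypto map defined but never applied to an interface, transform sets that differ between the two peers, and NAT translating the tunnel traffic before the crypto map sees it) are all visible in the running config, so they can be caught by a config audit before the tunnel is even brought up. The script below is an added example, not code from this thread or from Cisco: it parses a constructed IOS router snippet in the shape of Sean's template and a constructed PIX 6.x snippet in the shape of the crypto map he gave for the PIX, and reports each fault for each side. The 203.0.113.x peer addresses and the 10.1.0.0/16, 10.2.0.0/16 and 10.3.0.0/16 subnets are assumptions; the parser understands only the commands shown (no "host" or "remark" ACL entries, and an IOS "ADDR 0.0.0.0" host entry would be read as a /0 because ipaddress tries the netmask interpretation first).

```python
"""Audit a router/PIX pair for the three IPsec faults diagnosed in the thread: crypto map not
applied to an interface, mismatched transform sets, and tunnel traffic NATed before encryption.
Added example, not from the thread; the configs and addresses below are constructed."""
import ipaddress
# Constructed IOS side (wildcard masks): map never applied, NAT list 101 catches the tunnel traffic.
ROUTER_CFG = """
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
ip access-list extended encrypt-acl
 permit ip 10.3.0.0 0.0.255.255 10.1.0.0 0.0.255.255
crypto map outside_map 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set ESP-3DES-SHA
 match address encrypt-acl
access-list 101 permit ip 10.3.0.0 0.0.255.255 any
ip nat inside source list 101 interface FastEthernet1/0 overload
interface FastEthernet1/0
"""
# Constructed PIX 6.x side (subnet masks): DES/MD5 set, nat 0 list only exempts the old 10.2/16 tunnel.
PIX_CFG = """
access-list 102 permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set cisco2 esp-des esp-md5-hmac
crypto map example_map 20 ipsec-isakmp
crypto map example_map 20 match address 102
crypto map example_map 20 set peer 203.0.113.20
crypto map example_map 20 set transform-set cisco2
crypto map example_map interface outside
"""

def _nets(tok):          # SRC and DST terms of an ACE, each 'any' or 'ADDR MASK' (netmask or IOS wildcard)
    out = []
    for _ in range(2):
        n = 1 if tok[0] == "any" else 2          # ipaddress accepts a netmask or a wildcard after '/'
        out.append(ipaddress.ip_network("0.0.0.0/0" if n == 1 else f"{tok[0]}/{tok[1]}", strict=False))
        tok = tok[n:]
    return out

def _map_sub(entry, t):  # crypto map sub-commands, indented (IOS) or repeated flat (PIX)
    if t[:2] == ["set", "peer"]: entry["peer"] = t[2]
    elif t[:2] == ["set", "transform-set"]: entry["ts"] = t[2]
    elif t[:2] == ["match", "address"]: entry["acl"] = t[2]

def parse_config(text):  # transform sets, crypto map entries, applied maps, ACLs and NAT selectors
    cfg = {"ts": {}, "maps": {}, "applied": set(), "acls": {}, "nat": None, "nonat": None}
    ctx = None                                   # (kind, name) of the block indented lines belong to
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if line[0] == " " and ctx:
            if ctx[0] == "map": _map_sub(cfg["maps"][ctx[1]], t)
            elif ctx[0] == "acl": cfg["acls"][ctx[1]].append((t[0], *_nets(t[2:])))
            elif ctx[0] == "iface" and t[:2] == ["crypto", "map"]: cfg["applied"].add(t[2])
            continue
        ctx = None
        if t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["ts"][t[3]] = frozenset(t[4:])
        elif t[:2] == ["crypto", "map"] and len(t) > 3 and t[3] == "interface":   # PIX form
            cfg["applied"].add(t[2])
        elif t[:2] == ["crypto", "map"] and len(t) > 3 and t[3].isdigit():
            ctx = ("map", (t[2], int(t[3])))
            _map_sub(cfg["maps"].setdefault(ctx[1], {}), t[4:])
        elif t[:3] == ["ip", "access-list", "extended"]:
            ctx = ("acl", t[3]); cfg["acls"].setdefault(t[3], [])
        elif t[0] == "access-list":
            cfg["acls"].setdefault(t[1], []).append((t[2], *_nets(t[4:])))
        elif t[0] == "interface":
            ctx = ("iface", t[1])
        elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
            cfg["nat"] = t[5]
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            cfg["nonat"] = t[4]
    return cfg

def nat_exempts(cfg, src, dst):
    """True if src->dst bypasses NAT: PIX nat 0 list permits it, or the IOS NAT ACL's first match is a deny."""
    if cfg["nonat"]:
        return any(a == "permit" and (s, d) == (src, dst) for a, s, d in cfg["acls"].get(cfg["nonat"], []))
    for a, s, d in cfg["acls"].get(cfg["nat"], []):   # NAT is evaluated before the crypto map
        if src.subnet_of(s) and dst.subnet_of(d):
            return a == "deny"
    return True                                      # NAT never selects this traffic

def _pairs(cfg, e):      # (src, dst) networks a crypto map entry protects
    return {(s, d) for a, s, d in cfg["acls"].get(e.get("acl"), []) if a == "permit"}

def audit(local, remote):  # findings for `local`, checked against its peer `remote`
    out = []
    for (name, seq), e in local["maps"].items():
        if name not in local["applied"]:
            out.append(f"{name} {seq}: crypto map not applied to any interface")
        for r in (r for r in remote["maps"].values() if {(d, s) for s, d in _pairs(local, e)} & _pairs(remote, r)):
            if local["ts"].get(e.get("ts")) != remote["ts"].get(r.get("ts")):   # peer protects the reverse pair
                out.append(f"{name} {seq}: transform set {e.get('ts')} does not match peer {r.get('ts')}")
        for s, d in _pairs(local, e):
            if not nat_exempts(local, s, d):
                out.append(f"{name} {seq}: {s} -> {d} is translated by NAT before encryption")
    return out
```

audit(parse_config(ROUTER_CFG), parse_config(PIX_CFG)) returns the three router-side findings (map not applied, ESP-3DES-SHA versus cisco2, 10.3.0.0/16 -> 10.1.0.0/16 NATed), and the reverse call returns the two PIX-side ones (cisco2 versus ESP-3DES-SHA, 10.1.0.0/16 -> 10.3.0.0/16 not in the nat 0 list). Once " crypto map outside_map" is added under the router interface, cisco2 is changed to esp-3des esp-sha-hmac, ACL 101 gets a deny for the tunnel pair ahead of its permit, and the PIX nonat list gets a permit for the same pair, both calls return an empty list. The peer match is done by looking for a crypto ACL on the other side that mirrors the local one, which is the same symmetry IKE needs for the proxy IDs to agree; the nat 0 check requires an exact network pair rather than a covering entry, so widen it if your exemption list is written more coarsely.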