Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Need help implementing more than 1 VPN on PIX

I could use a general guideline for implementing more than 1 VPN using entering isakmp, crypto, and access-list commands. Also, need to know if I need to define an interface for each VPN. Please help!

3 REPLIES
New Member

Re: Need help implementing more than 1 VPN on PIX

I've done this quite a bit. Just setup a new access-list to define the match traffic, setup a new crypto map with a different number, setup NAT and setup routes to take traffic through your VPN interface. For example:

access-list first_vpn permit ip any 192.168.1.0 255.255.255.0

access-list second_vpn permit ip any 192.168.2.0 255.255.255.0

crypto ipsec transform-set Branch_Offices esp-des esp-sha-hmac

crypto map TEST 10 ipsec-isakmp

crypto map TEST 10 match address first_vpn

crypto map TEST 10 set pfs group2

crypto map TEST 10 set peer x.x.x.x

crypto map TEST 10 set transform-set Branch_Offices

crypto map TEST 10 set security-association lifetime seconds xxx kilobytes xxx

crypto map TEST 20 ipsec-isakmp

crypto map TEST 20 match address second_vpn

crypto map TEST 20 set pfs group2

crypto map TEST 20 set peer y.y.y.y

crypto map TEST 20 set transform-set Branch_Offices

crypto map TEST 20 set security-association lifetime seconds xxx kilobytes xxx

isakmp key xxx address x.x.x.x netmask 255.255.255.255

isakmp key xxx address y.y.y.y netmask 255.255.255.255

Your ISAKMP policy can stay the same, unless you have different requirements for each VPN.

It sounds like you are using an interface just for your VPN traffic - this interface can handle multiple VPNs. If you have already configured your NAT for your other VPN, just add the new private (remote) network to the access list that corresponds with your NAT statements. For example:

nat (inside) 0 access-list vpn_nat_inside

The vpn_nat_inside acl contains all of the remote private networks

nat (vpn_interface) 1 192.168.1.0 255.255.255.0 0 0

You will need this if you are using the 'any' key word in your vpn

match address access-lists - in other words, all traffic goes through

the vpn, regardless of its destination

Don't forget to set up a route to take the traffic to the remote VPN's IP address and to the remote private network via your VPN interface.

route vpn_interface 192.168.1.0 255.255.255.0 vpn_gw

route vpn_interface x.x.x.x 255.255.255.255 vpn_gw

route vpn_interface 192.168.2.0 255.255.255.0 vpn_gw

route vpn_interface y.y.y.y 255.255.255.255 vpn_gw

Hope this helps.

Also, if you want to manage your remote devices through the VPN, take a look at: http://www.cisco.com/warp/public/110/pix_vpn_4094.html

As always, the tips can help: http://www.cisco.com/warp/public/707/index.shtml

New Member

Re: Need help implementing more than 1 VPN on PIX

Thanks for your help! There is an additional wrinkle, which I didn't realize at the time of my original posting...

Looks like I would be adding the "third" VPN to the outside interface. The first looks like a PIX-to-PIX setup with MANY access-list statements so site B can output to printers at site A. The second VPN uses dynamic map for the dial-up VPN clients coming into site A. Both VPN's use different ISAKMP policies but both are assigned to what you define above as "vpn_nat_inside." In this case it is "115." Not sure how the dynamic map dial-up clients are working since NAT'ing is disabled with: nat (outside) 0 access-list 115 (Hmmmm???)

My third VPN would be similar to the first VPN.

Since one can only have one "nat (outside) 0 access-list xxx" defined, I tried the following (without success):

VPN1 and VPN2 (dyn) were already assigned to ACL 115 (and working well.)

VPN3 defined and assigned to ACL 113.

Defined ACL 117 to be inclusive of 113 and 115.

set: nat (outside) 0 access-list 117

I also made sure there was only 1 crypto map (RTPMAP) and each of the VPN's were a different sequence (10, 20, 30).

Result: First 2 VPN's stopped working, according to customer and the third VPN couldn't be confirmed as working or not. Rebooted and got things back to where they were to make the customer happy.

Any ideas of what went wrong?? I'm at my wits end with this one. I'll comb through the links to get some ideas on my own but if anyone sees a blaring error in my thinking, please point them out to me.

Thanks a plenty - this is an invaluable forum!! -Tai

Cisco Employee

Re: Need help implementing more than 1 VPN on PIX

Hi,

You can use the below URL for your reference.

http://www.cisco.com/warp/public/110/pixmeshed.html

Regards,

Arul

79
Views
0
Helpful
3
Replies
CreatePlease login to create content