Need help implementing more than 1 VPN on PIX

taikenison
Level 1

I could use a general guideline for implementing more than 1 VPN using entering isakmp, crypto, and access-list commands. Also, need to know if I need to define an interface for each VPN. Please help!

3 Replies

brian.carter
Level 1

I've done this quite a bit. Just set up a new access-list to define the match traffic, set up a new crypto map entry with a different sequence number, set up NAT and set up routes to take traffic through your VPN interface. For example:

access-list first_vpn permit ip any 192.168.1.0 255.255.255.0
access-list second_vpn permit ip any 192.168.2.0 255.255.255.0

crypto ipsec transform-set Branch_Offices esp-des esp-sha-hmac

crypto map TEST 10 ipsec-isakmp
crypto map TEST 10 match address first_vpn
crypto map TEST 10 set pfs group2
crypto map TEST 10 set peer x.x.x.x
crypto map TEST 10 set transform-set Branch_Offices
crypto map TEST 10 set security-association lifetime seconds xxx kilobytes xxx

crypto map TEST 20 ipsec-isakmp
crypto map TEST 20 match address second_vpn
crypto map TEST 20 set pfs group2
crypto map TEST 20 set peer y.y.y.y
crypto map TEST 20 set transform-set Branch_Offices
crypto map TEST 20 set security-association lifetime seconds xxx kilobytes xxx

isakmp key xxx address x.x.x.x netmask 255.255.255.255
isakmp key xxx address y.y.y.y netmask 255.255.255.255

Your ISAKMP policy can stay the same, unless you have different requirements for each VPN.

It sounds like you are using an interface just for your VPN traffic - this interface can handle multiple VPNs. If you have already configured your NAT for your other VPN, just add the new private (remote) network to the access list that corresponds with your NAT statements. For example:

nat (inside) 0 access-list vpn_nat_inside

The vpn_nat_inside ACL contains all of the remote private networks.

nat (vpn_interface) 1 192.168.1.0 255.255.255.0 0 0

You will need this if you are using the 'any' keyword in your VPN match address access-lists - in other words, all traffic goes through the VPN, regardless of its destination.

Don't forget to set up a route to take the traffic to the remote VPN's IP address and to the remote private network via your VPN interface.

route vpn_interface 192.168.1.0 255.255.255.0 vpn_gw
route vpn_interface x.x.x.x 255.255.255.255 vpn_gw
route vpn_interface 192.168.2.0 255.255.255.0 vpn_gw
route vpn_interface y.y.y.y 255.255.255.255 vpn_gw

Hope this helps.

Also, if you want to manage your remote devices through the VPN, take a look at: http://www.cisco.com/warp/public/110/pix_vpn_4094.html

As always, the tips can help: http://www.cisco.com/warp/public/707/index.shtml
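A checker for the procedure in this reply (an added example, not code from the thread or from Cisco): it parses the subset of PIX 6.x commands used above (access-list, crypto map, transform-set, isakmp key, nat 0) and flags the things that usually break a second or third tunnel, including the point made above that the nat 0 exemption ACL has to cover every remote private network. The peers (203.0.113.x), the inside network (10.1.1.0/24) and the pre-shared key placeholder are constructed sample values.

```python
"""Sanity-check a multi-peer PIX 6.x IPsec config (added example, not from the thread).
Reports what usually breaks a second or third tunnel: an entry missing its match ACL,
peer or transform-set; two entries whose match ACLs overlap (the lower sequence wins and
the other tunnel never matches); a peer with no ISAKMP key; more than one nat 0 ACL on an
interface; a remote network the nat 0 exemption ACL does not cover. Addresses are constructed."""
import ipaddress
from collections import defaultdict

ANY = ipaddress.ip_network("0.0.0.0/0")


def _take_net(tokens):
    """Consume one PIX address spec (any | host A | A MASK) from a token list."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_pix(config):
    """Collect ACL entries, crypto map entries, ISAKMP peers and nat 0 ACLs."""
    acls, maps = defaultdict(list), defaultdict(dict)
    peers, nat0 = set(), defaultdict(list)
    for raw in config.splitlines():
        tok = raw.split()
        if len(tok) < 4:
            continue
        if tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
            src, rest = _take_net(tok[4:])
            dst, _ = _take_net(rest)
            acls[tok[1]].append((src, dst))
        elif tok[:2] == ["crypto", "map"] and tok[3].isdigit():
            entry = maps[(tok[2], int(tok[3]))]  # created by the 'ipsec-isakmp' line
            rest = tok[4:]
            if rest[:2] == ["match", "address"]:
                entry["acl"] = rest[2]
            elif rest[:2] == ["set", "peer"]:
                entry["peer"] = rest[2]
            elif rest[:2] == ["set", "transform-set"]:
                entry["ts"] = rest[2]
        elif tok[:2] == ["isakmp", "key"] and "address" in tok:
            peers.add(tok[tok.index("address") + 1])
        elif tok[0] == "nat" and tok[2:4] == ["0", "access-list"] and len(tok) > 4:
            nat0[tok[1].strip("()")].append(tok[4])
    return {"acls": acls, "maps": maps, "peers": peers, "nat0": nat0}


def _acls_overlap(aces_a, aces_b):
    """True if some pair of entries selects common (src, dst) traffic."""
    return any(sa.overlaps(sb) and da.overlaps(db) for sa, da in aces_a for sb, db in aces_b)


def check_pix(config):
    """Return human-readable findings; an empty list means the config passes."""
    cfg = parse_pix(config)
    findings = []
    entries = sorted(cfg["maps"].items())
    for (name, seq), e in entries:
        tag = f"crypto map {name} {seq}"
        for key, cmd in (("acl", "match address"), ("peer", "set peer"), ("ts", "set transform-set")):
            if key not in e:
                findings.append(f"{tag}: missing '{cmd}'")
        if "peer" in e and e["peer"] not in cfg["peers"]:
            findings.append(f"{tag}: no 'isakmp key ... address {e['peer']}' for this peer")
    # Overlapping match ACLs within one map: the lower sequence number takes the traffic.
    for i, ((n1, s1), e1) in enumerate(entries):
        for (n2, s2), e2 in entries[i + 1:]:
            if n1 == n2 and "acl" in e1 and "acl" in e2 and _acls_overlap(
                    cfg["acls"].get(e1["acl"], []), cfg["acls"].get(e2["acl"], [])):
                findings.append(f"crypto map {n1}: entries {s1} and {s2} match overlapping traffic ({e1['acl']} vs {e2['acl']}); only {s1} will ever match")
    # NAT exemption: one nat 0 ACL per interface, and it must cover every remote network.
    for iface, names in cfg["nat0"].items():
        if len(names) > 1:
            findings.append(f"nat ({iface}) 0: more than one access-list ({', '.join(names)}); merge them into one ACL")
    exempt = [ace for names in cfg["nat0"].values() for n in names for ace in cfg["acls"].get(n, [])]
    for (name, seq), e in entries:
        for _, dst in cfg["acls"].get(e.get("acl"), []):
            if not any(xdst.supernet_of(dst) for _, xdst in exempt):
                findings.append(f"crypto map {name} {seq}: remote network {dst} ({e['acl']}) is not covered by any nat 0 access-list")
    return findings


# Constructed sample: two working tunnels in the style of the reply above.
GOOD_CONFIG = """
access-list first_vpn permit ip any 192.168.1.0 255.255.255.0
access-list second_vpn permit ip any 192.168.2.0 255.255.255.0
access-list vpn_nat_inside permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_nat_inside permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list vpn_nat_inside
crypto ipsec transform-set Branch_Offices esp-des esp-sha-hmac
crypto map TEST 10 ipsec-isakmp
crypto map TEST 10 match address first_vpn
crypto map TEST 10 set peer 203.0.113.10
crypto map TEST 10 set transform-set Branch_Offices
crypto map TEST 20 ipsec-isakmp
crypto map TEST 20 match address second_vpn
crypto map TEST 20 set peer 203.0.113.20
crypto map TEST 20 set transform-set Branch_Offices
crypto map TEST interface outside
isakmp key PRESHARED-KEY-PLACEHOLDER address 203.0.113.10 netmask 255.255.255.255
isakmp key PRESHARED-KEY-PLACEHOLDER address 203.0.113.20 netmask 255.255.255.255
"""

# Constructed sample: a third tunnel with a too-broad ACL, no ISAKMP key and no nat 0 update.
BAD_CONFIG = GOOD_CONFIG + """
access-list third_vpn permit ip any 192.168.0.0 255.255.0.0
crypto map TEST 30 ipsec-isakmp
crypto map TEST 30 match address third_vpn
crypto map TEST 30 set peer 203.0.113.30
crypto map TEST 30 set transform-set Branch_Offices
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(f"{label}: {check_pix(cfg) or ['no findings']}")
```

Run it against the output of `show config` (or `write terminal`) before adding a new map entry. The overlap check is the one to watch: a match ACL with a broader destination than an existing entry, like the /16 in the constructed BAD_CONFIG, takes no traffic itself while still counting as a competing entry, and the nat 0 coverage check is what Brian's "add the new remote network to the nat 0 access-list" step is meant to satisfy.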

Thanks for your help! There is an additional wrinkle, which I didn't realize at the time of my original posting...

Looks like I would be adding the "third" VPN to the outside interface. The first looks like a PIX-to-PIX setup with MANY access-list statements so site B can output to printers at site A. The second VPN uses a dynamic map for the dial-up VPN clients coming into site A. Both VPNs use different ISAKMP policies but both are assigned to what you define above as "vpn_nat_inside." In this case it is "115." Not sure how the dynamic map dial-up clients are working since NAT'ing is disabled with: nat (outside) 0 access-list 115 (Hmmmm???)

My third VPN would be similar to the first VPN.

Since one can only have one "nat (outside) 0 access-list xxx" defined, I tried the following (without success):

VPN1 and VPN2 (dyn) were already assigned to ACL 115 (and working well).

VPN3 defined and assigned to ACL 113.

Defined ACL 117 to be inclusive of 113 and 115.

set: nat (outside) 0 access-list 117

I also made sure there was only 1 crypto map (RTPMAP) and each of the VPNs was a different sequence (10, 20, 30).

Result: First 2 VPNs stopped working, according to the customer, and the third VPN couldn't be confirmed as working or not. Rebooted and got things back to where they were to make the customer happy.

Any ideas of what went wrong?? I'm at my wits' end with this one. I'll comb through the links to get some ideas on my own, but if anyone sees a blaring error in my thinking, please point it out to me.

Thanks a plenty - this is an invaluable forum!! -Tai

ajagadee
Cisco Employee

Hi,

You can use the below URL for your reference.

http://www.cisco.com/warp/public/110/pixmeshed.html

Regards,

Arul
