05-09-2006 09:31 PM - edited 02-21-2020 12:53 AM
Greetings all,
I need some help with the following scenario. Site A is a 192.168.100.x network with all computers' default gateway pointed to the inside of the PIX 515E (192.168.100.1). Site B is a 192.168.101.x network with all computers pointing to the inside interface of the PIX 501. Is it possible to configure a site-to-site VPN between the Site A PIX 515E and the Site B Cisco 501 while at the same time allowing Cisco VPN clients to connect to the Site A PIX 515E?
What about intersite routing? For example, can a computer in site A access a computer in site B? I know the PIX does not do routing? Do you have sample configurations that I could view, or could you point me in the right direction?
Thank you in advance!
05-10-2006 12:31 AM
Of course a PIX can do routing; it is at heart a router with enhanced security features. But it does not run IOS and supports only static routes, RIP and OSPF, and they're limited.
Off the top of my head, I think you'd be needing something along the lines of:
PIX515 v7
! Both the site-to-site traffic and the remote-access client pool must be exempt from NAT
access-list noNAT_inside permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list noNAT_inside permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list VPNtoRemote permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
nat (inside) 0 access-list noNAT_inside
ip local pool VPNclient 192.168.0.1-192.168.0.100
crypto ipsec transform-set des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set des-sha esp-des esp-sha-hmac
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
! Entry 10 is the static L2L tunnel to site B; the dynamic map at 250 catches the VPN clients
crypto dynamic-map myDynamicMap 100 set transform-set 3des-sha
crypto map myCryptoMap 10 match address VPNtoRemote
crypto map myCryptoMap 10 set pfs
crypto map myCryptoMap 10 set peer PEER_IP
crypto map myCryptoMap 10 set transform-set 3des-sha
crypto map myCryptoMap 250 ipsec-isakmp dynamic myDynamicMap
crypto map myCryptoMap interface outside
isakmp enable outside
! Both IKE policies negotiate single DES; 3des would match the 3des-sha transform set used for the tunnels
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
tunnel-group PEER_IP type ipsec-l2l
tunnel-group PEER_IP ipsec-attributes
pre-shared-key *
! The group policy has to exist before the remote-access tunnel-group can reference it
group-policy VPN_GROUP_USERNAME internal
tunnel-group VPN_GROUP_USERNAME type ipsec-ra
tunnel-group VPN_GROUP_USERNAME general-attributes
address-pool VPNclient
default-group-policy VPN_GROUP_USERNAME
tunnel-group VPN_GROUP_USERNAME ipsec-attributes
pre-shared-key VPN_GROUP_PASSWORD
PIX501 v6.3
access-list noNAT_inside permit ip 192.168.101.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list VPNtoRemote permit ip 192.168.101.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list noNAT_inside
sysopt connection permit-ipsec
crypto ipsec transform-set des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set des-sha esp-des esp-sha-hmac
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto map myCryptoMap 10 ipsec-isakmp
crypto map myCryptoMap 10 match address VPNtoRemote
crypto map myCryptoMap 10 set pfs
crypto map myCryptoMap 10 set peer PEER_IP
crypto map myCryptoMap 10 set transform-set 3des-sha
crypto map myCryptoMap interface outside
isakmp enable outside
isakmp key xxxxxxx address PEER_IP netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
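As an added example (not part of Grant's post, and not a Cisco tool), here is a small Python checker that reads a PIX-style config excerpt like the 515E sample above and flags the things that most often break this two-tunnel setup: an access-list referenced by nat 0 or a crypto map but never defined, a default-group-policy with no matching group-policy, a crypto-ACL pair or the VPN client pool left out of the nat 0 exemption, and IKE policies still on single DES. The PIX515_SAMPLE string is constructed from the lines above and deliberately omits the group-policy and the pool exemption; ACEs are assumed to be in network/mask form.

```python
import ipaddress
# Constructed excerpt mirroring the PIX 515E (v7) sample above; checker input, not a device dump.
PIX515_SAMPLE = """\
access-list noNAT_inside permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list VPNtoRemote permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
nat (inside) 0 access-list noNAT_inside
ip local pool VPNclient 192.168.0.1-192.168.0.100
crypto map myCryptoMap 10 match address VPNtoRemote
crypto map myCryptoMap 10 set peer PEER_IP
isakmp policy 10 encryption des
default-group-policy VPN_GROUP_USERNAME
"""

def audit_pix_vpn(config: str) -> list[str]:
    """Return human-readable findings; an empty list means every check passed."""
    acls, gpols, findings = {}, set(), []
    acl_refs, gp_refs, pool_start = [], [], None
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list":  # store each ACE as (proto, src, mask, dst, mask)
            acls.setdefault(t[1], []).append(tuple(t[3:]))
        elif t[0] == "nat" and "access-list" in t:  # nat 0 exemption ACL
            acl_refs.append((t[t.index("access-list") + 1], "nat 0"))
        elif t[:2] == ["crypto", "map"] and "match" in t:  # crypto ACL of an L2L entry
            acl_refs.append((t[-1], "crypto map"))
        elif t[:3] == ["ip", "local", "pool"]:
            pool_start = ipaddress.ip_address(t[4].split("-")[0])
        elif t[0] == "group-policy":
            gpols.add(t[1])
        elif t[0] == "default-group-policy":
            gp_refs.append(t[1])
        elif t[:2] == ["isakmp", "policy"] and t[3:5] == ["encryption", "des"]:
            findings.append(f"isakmp policy {t[2]}: single DES is weak for IKE, prefer 3des or aes")
    findings += [f"{w} references undefined access-list {n}" for n, w in acl_refs if n not in acls]
    findings += [f"default-group-policy {g} has no matching group-policy {g} internal"
                 for g in gp_refs if g not in gpols]
    # Crypto-ACL pairs and the client pool must be NAT-exempt, or the translated
    # addresses no longer match the tunnel's proxy identities.
    nat0 = {ace for n, w in acl_refs if w == "nat 0" for ace in acls.get(n, [])}
    for n, w in acl_refs:
        for ace in (acls.get(n, []) if w == "crypto map" else []):
            if ace not in nat0:
                findings.append(f"crypto ACL {n} pair {ace[1]} -> {ace[3]} is not NAT-exempt")
    if pool_start is not None and not any(
            pool_start in ipaddress.ip_network(f"{a[3]}/{a[4]}", strict=False) for a in nat0):
        findings.append(f"VPN client pool at {pool_start} is not covered by the nat 0 access-list")
    return findings
```

Running audit_pix_vpn(PIX515_SAMPLE) reports three findings (DES, missing group-policy, pool not NAT-exempt); adding the group-policy and the 192.168.0.0/24 exemption and moving IKE to 3des clears them.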
05-11-2006 06:30 AM
Thanks Grant. I've seen people post on different sites saying that the PIX can't do routing. In this case, all internal traffic that goes to the internet would just be route inside 0.0.0.0 0.0.0.0 outside interface.