New Member

PIX 6.3(1) VPN Configuration

I have a PIX 515 running OS 6.3(1). Currently I have VPN/crypto map on one of the interfaces and some live VPN tunnels with the partners. Can I have another set of VPN/crypto map applied to another interface at the same time? Or, does PIX support multiple VPNs on different interfaces?

Thanks.

3 REPLIES
Gold

Re: PIX 6.3(1) VPN Configuration

As far as I know, the only restriction is "Only one crypto map set can be assigned to an interface."

So I believe applying 2 different crypto maps on 2 different interfaces should have no drama.

Re: PIX 6.3(1) VPN Configuration

Note that only one crypto map can be applied to one interface (say outside) at a time. If you want to set up additional site-to-site or VPN client tunnels on the same interface, you can define multiple instances of the same crypto map.

    crypto map testmap 10 ipsec-isakmp
    <>
    <>
    <>
    crypto map testmap 20 ipsec-isakmp
    <>
    <>
    <>
    crypto map testmap 30 ipsec-isakmp
    <>
    <>
    <>
    crypto map testmap interface outside

If you have other VPN tunnels that you want to isolate from the outside interface, you definitely can create another crypto map and apply it to the dmz interface. The question is, why do you want to do it that way? If you can shed more light on what exactly you are trying to do, we may be able to help you better.

New Member

Re: PIX 6.3(1) VPN Configuration

Actually, I have a crypto map set applied to my DMZ interface for the VPNs with my extranet partners. Now I've been asked to set up another VPN on the outside interface. I know the rule of one crypto map per interface. But I'm not sure if PIX supports multiple crypto maps on multiple interfaces simultaneously. I think both your post and the previous one have answered this question.

But what about the ISAKMP policies? ISAKMP can be enabled on an interface (isakmp enable ). But there is no command to bind a set of ISAKMP policies to an interface. Can I enable ISAKMP on multiple interfaces (e.g. DMZ and outside)? Will VPN tunnels on all interfaces negotiate the policy by looking it up in the same ISAKMP policy list (e.g. policy 9, 10, 11, ...)?

Thanks for the help.
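
An added example, not part of any post in this thread: a small Python check that reads a PIX-style configuration and reports interfaces that break the "one crypto map set per interface" rule quoted above, or that carry a crypto map without a matching `isakmp enable` line. The map names (`partnermap`, `remotemap`, `sparemap`) and the sample configuration are constructed for illustration, and the checks are an assumption about what is worth auditing, not Cisco tooling.

```python
import re
from collections import defaultdict

# Constructed sample config (not from the thread); map names are made up.
SAMPLE_CONFIG = """\
crypto map partnermap 10 ipsec-isakmp
crypto map partnermap 20 ipsec-isakmp
crypto map partnermap interface dmz
crypto map remotemap 10 ipsec-isakmp
crypto map remotemap interface outside
crypto map sparemap interface outside
isakmp enable dmz
isakmp policy 10 encryption 3des
"""

BIND = re.compile(r"^crypto map (\S+) interface (\S+)$")
ENTRY = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp$")
IKE_ON = re.compile(r"^isakmp enable (\S+)$")

def audit(config):
    """Return a sorted list of findings for crypto map / ISAKMP bindings."""
    bound = defaultdict(list)   # interface -> crypto map names applied to it
    entries = defaultdict(set)  # crypto map name -> sequence numbers defined
    ike = set()                 # interfaces that have 'isakmp enable'
    for line in (raw.strip() for raw in config.splitlines()):
        if m := BIND.match(line):
            bound[m.group(2)].append(m.group(1))
        elif m := ENTRY.match(line):
            entries[m.group(1)].add(int(m.group(2)))
        elif m := IKE_ON.match(line):
            ike.add(m.group(1))
    findings = []
    for iface, maps in bound.items():
        if len(set(maps)) > 1:
            findings.append(f"{iface}: more than one crypto map applied: {', '.join(maps)}")
        if iface not in ike:
            findings.append(f"{iface}: crypto map applied but 'isakmp enable {iface}' missing")
        for name in maps:
            if not entries[name]:
                findings.append(f"{iface}: crypto map {name} has no ipsec-isakmp entries")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

In the constructed sample, the `dmz` interface passes cleanly while `outside` is reported three times: two maps applied, ISAKMP not enabled, and a map with no entries.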
