Cisco Support Community
New Member

Pix Site to Site VPN - Remote Pix behind adsl

Hi everyone,

I have very little experience with VPN.

I will try and explain the VPN connection I am trying to set.

On one site I have a Pix 501 Firewall, and the same Firewall on the second site is behind an ADSL modem.

I wanted to configure site to site IPSec VPN Dynamic-to-Static IP:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml

The ADSL modem has a dynamic address on the public interface, one segment with private IPs between the ADSL modem and the Pix, and another segment behind the Pix.

Maybe a bit confusing :)

On the Pix with the static public IP, client VPN is already configured, as well as some other ACLs allowing only certain traffic to go through.

nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
...
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local pool1
vpdn group PPTP-VPDN-GROUP client configuration dns NTP private_IP.33
vpdn group PPTP-VPDN-GROUP client configuration wins NTP private_IP.7
vpdn group PPTP-VPDN-GROUP client authentication aaa RADIUS
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn enable outside
dhcpd address private_IP.89-private_IP.216 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80

On the Remote Pix I have the following configuration:

ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside

Looking at the configuration site to site instructions I tried the following:

1. Config on the Pix with static IP:

isakmp enable outside
isakmp key mysecretkey address N1.N2.N3.N4 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 2400
access-list 101 permit ip private_net_1.0 255.255.255.0 private_net_2.0 255.255.255.0
crypto ipsec transform-set Login esp-3des esp-md5-hmac
crypto dynamic-map Mymap set transform-set Login
crypto map dyn-map 20 ipsec-isakmp dynamic Mymap
crypto map dyn-map interface outside
sysopt connection permit-ipsec
nat (inside) 0 access-list 101
vpngroup VPNGruop address-pool pool1
vpngroup VPNGruop dns-server X.X.X.X
vpngroup VPNGruop default-domain mydomain.com
vpngroup VPNGruop password mysecretkey
vpngroup VPNGruop idle-time 1800
vpngroup VPNGruop split-tunnel 101

2. Config the remote Pix:

isakmp enable outside
isakmp key lspasssec address public_IP netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 2400
isakmp identity hostname
access-list 101 permit ip private_net_2 255.255.255.0 private_net_1 255.255.255.0
crypto ipsec transform-set Login esp-3des esp-md5-hmac
crypto map mapa 1 set transform-set Login
crypto map mapa 1 ipsec-isakmp
crypto map mapa 1 match address 101
crypto map mapa interface outside
crypto map mapa 1 set peer 217.x.x.35
crypto map mapa interface outside
nat (inside) 0 access-list 101
sysopt connection permit-ipsec

I need clients to be able to make Client VPN connections as they used to, and to have the remote Pix initiate the site-to-site VPN.

I am not sure if I am doing things right. I could be going down a dead end here.

I appreciate any response.

Thank you in advance

Darko
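A small consistency check for the two ends of a dynamic-to-static PIX 6.x tunnel like the one described above, added here as an example and not part of the original post or of any Cisco tool. It parses the isakmp policy, transform-set, crypto ACL and isakmp key lines of both configs with constructed sample fragments (documentation addresses, not the poster's), confirms the two ends mirror each other, and flags a hub whose pre-shared key is bound to a fixed peer address even though the remote's ADSL address is assigned dynamically (the wildcard `address 0.0.0.0 netmask 0.0.0.0` form is what PIX 6.x uses for peers whose address is not known in advance).

```python
import re

# Constructed sample fragments with documentation addresses (not the poster's):
# HUB is the PIX with the static public IP, REMOTE the PIX behind the ADSL modem.
HUB = """
isakmp key mysecretkey address 198.51.100.7 netmask 255.255.255.255
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
access-list 101 permit ip 10.1.0.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set Login esp-3des esp-md5-hmac
"""
REMOTE = """
isakmp key mysecretkey address 203.0.113.10 netmask 255.255.255.255
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto ipsec transform-set Login esp-3des esp-md5-hmac
"""

def isakmp_policy(cfg):
    """Map 'isakmp policy N <attr> <value>' lines to {attr: value}."""
    return dict(re.findall(r"^isakmp policy \d+ (\w+) (\S+)", cfg, re.M))

def crypto_acl(cfg):
    """Return ((src, mask), (dst, mask)) of the first 'permit ip' crypto ACL entry."""
    m = re.search(r"^access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", cfg, re.M)
    return (m.group(1), m.group(2)), (m.group(3), m.group(4))

def transform_set(cfg):
    """Return the algorithm list of the first transform-set as a tuple."""
    return tuple(re.search(r"^crypto ipsec transform-set \S+ (.+)$", cfg, re.M).group(1).split())

def key_peers(cfg):
    """Return [(address, netmask), ...] from 'isakmp key' lines."""
    return re.findall(r"^isakmp key \S+ address (\S+) netmask (\S+)", cfg, re.M)

def check_pair(hub, remote):
    """Return a list of findings; an empty list means the two ends look consistent."""
    findings = []
    for attr in ("encryption", "hash", "group"):
        if isakmp_policy(hub).get(attr) != isakmp_policy(remote).get(attr):
            findings.append(f"isakmp policy '{attr}' differs between the two ends")
    if transform_set(hub) != transform_set(remote):
        findings.append("transform-set algorithms differ")
    if crypto_acl(hub) != tuple(reversed(crypto_acl(remote))):
        findings.append("crypto ACLs are not mirror images of each other")
    # The hub cannot know the ADSL-assigned address in advance, so its pre-shared
    # key must be bound to the wildcard peer 0.0.0.0/0.0.0.0, not to a fixed address.
    if ("0.0.0.0", "0.0.0.0") not in key_peers(hub):
        findings.append("hub has no wildcard isakmp key for the dynamic peer")
    return findings
```

Running `check_pair(HUB, REMOTE)` on the constructed samples reports only the missing wildcard key; replacing the hub's fixed-address key with the wildcard form clears it.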

1 REPLY
New Member

Re: Pix Site to Site VPN - Remote Pix behind adsl

This is just to get a visual of the net I am trying to config.
