yeo
New Member

PIX to PIX VPN and VPN client to PIX VPN on same interface

I have a PIX 515 that has a current and working setup for VPN for our laptops on travel. Works great. Here is the config:

access-list 110 permit ip x.x.x.128 255.255.255.128 192.168.110.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool vpnpool
vpngroup vpn3000 dns-server adc001
vpngroup vpn3000 default-domain yeo.org
vpngroup vpn3000 split-tunnel 110
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********

This works great, but I am trying to add a PIX to PIX VPN using a PIX 501 and the same PIX 515. The above config uses a dynamic crypto map function. The PIX to PIX does not call for this, and when I try to use the same transform set for the PIX to PIX that I have for the client to PIX VPN, the PIX to PIX VPN doesn't work. Here is the config for the PIX to PIX VPN:

access-list 150 permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 150
crypto ipsec transform-set newset esp-des esp-md5-hmac
crypto map pixpixvpn 1 ipsec-isakmp
crypto map pixpixvpn 1 match address 150
crypto map pixpixvpn 1 set peer 66.92.150.51
crypto map pixpixvpn 1 set transform-set newset
crypto map pixpixvpn interface outside
isakmp key ********** address x.x.x.51 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400

I can only apply 1 transform-set to the outside interface. Therefore I can only have either the PIX to PIX VPN or the client to PIX VPN. Does anyone know a way around this? Is there a way to use a static crypto map for our mobile VPN client users? Can the PIX to PIX be set up with the dynamic crypto map?

1 REPLY
Cisco Employee

Re: PIX to PIX VPN and VPN client to PIX VPN on same interface

You're correct in the fact you can only have one crypto map on an interface. You have to combine your two crypto maps by giving them the same name but different instance numbers. You want something like the following:

crypto map mymap 1 ipsec-isakmp
crypto map mymap 1 match address 150
crypto map mymap 1 set peer x.x.150.51
crypto map mymap 1 set transform-set newset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside

Note the instance numbers of 1 and 10. Crypto maps are read from lowest number up, so the PIX-to-PIX tunnel portion of the crypto map will be read first; then, if that doesn't match, instance 10 will be used, which, since it maps to a dynamic map, will match on everything. Always make your dynamic crypto map the highest instance number, cause it's sort of a catch-all at the end to match everything that hasn't already been defined (like VPN clients).

Also change your isakmp command as follows:

isakmp key ********** address x.x.x.51 netmask 255.255.255.255 no-xauth no-config-mode

cause you don't want to do xauth or config mode for a PIX-to-PIX tunnel.
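A small sanity check for the crypto-map pitfalls covered in this thread, added here as an example and not code from the thread or from Cisco: it parses PIX `crypto map` lines and flags two maps bound to the same interface, a dynamic entry that is not the highest instance number, and static entries missing their peer or crypto ACL. The sample config and the 192.0.2.51 peer address are constructed for the example.

```python
import re
from collections import defaultdict
# Constructed sample: the question's two separate maps, both bound to "outside".
SAMPLE_CONFIG = """
crypto map pixpixvpn 1 ipsec-isakmp
crypto map pixpixvpn 1 match address 150
crypto map pixpixvpn 1 set peer 192.0.2.51
crypto map pixpixvpn 1 set transform-set newset
crypto map pixpixvpn interface outside
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
"""
def parse_crypto_maps(config):
    """Return ({map name: {seq: entry}}, {interface: [bound map names]})."""
    entries, bindings = defaultdict(dict), defaultdict(list)
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto map (\S+) interface (\S+)$", line)
        if m:
            bindings[m.group(2)].append(m.group(1))
            continue
        m = re.match(r"crypto map (\S+) (\d+) (.+)", line)
        if not m:
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        e = entries[name].setdefault(seq, {"dynamic": False, "match": None, "peer": None})
        if rest.startswith("ipsec-isakmp dynamic"):
            e["dynamic"] = True            # catch-all entry used for VPN clients
        elif rest.startswith("match address"):
            e["match"] = rest.split()[-1]  # crypto ACL of a static (site-to-site) entry
        elif rest.startswith("set peer"):
            e["peer"] = rest.split()[-1]
    return entries, bindings

def check_crypto_maps(config):
    """Return a list of findings for the pitfalls discussed in the thread."""
    entries, bindings = parse_crypto_maps(config)
    findings = []
    for iface, names in bindings.items():
        if len(set(names)) > 1:  # only one crypto map can be active on an interface
            findings.append(f"{iface}: several maps bound ({', '.join(names)}); merge into one")
    for name, seqs in entries.items():
        dyn = [s for s, e in seqs.items() if e["dynamic"]]
        static = [s for s, e in seqs.items() if not e["dynamic"]]
        if dyn and static and min(dyn) < max(static):  # lowest instance is tried first
            findings.append(f"{name}: dynamic entry {min(dyn)} precedes static entry {max(static)}")
        for s in static:
            if not (seqs[s]["match"] and seqs[s]["peer"]):
                findings.append(f"{name} {s}: static entry lacks match address or set peer")
    return findings
```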
