Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

PIX to PIX VPN using 501'S

OK, yep im a noobie, here is my newest challenge, i need to setup a pix to pix vpn connection over broadband for a company, which i have no idea where to begin, i have researched it and im so confused, i know routers and switches basically, ok, i dont see what i need to do to enable both PIX firewalls to talk to each other using VPN, like for instance i need this explained to me:what is crypto map. and what is isakmp enable outside, everything i read refers to this but i dont see where VPN enabling comes in, if there is a step to step doc, please let me know, the ones im seen on cisco and others website explain for people who know basic pix stuff which i dont, i really need this help, thanks to all that can help,

5 REPLIES
Silver

Re: PIX to PIX VPN using 501'S

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

this should do exactly what you need, provided both pixen will have static ip addresses on their external interfaces. is that the case?

If one end will be dynamic, this is a good example

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml

crypto map binds a combination of settings to an interface. Isakmp is a little service/daemon that is used to negotiate these settings to find a set that is mutually agreeable. Basically, my crypto map for pizza says that I like sausage and/or pepperoni. Your crypto map says that you like peppers and/or pepperoni. To negotiate our pizza plans, our respective isakmp daemons would propose to each other, eventually recognizing that pepperoni is a mutually agreeable configuration (settings for creating the tunnel).

There are separate isakmp and ipsec(crypto map) settings because of various arcane reasons (you can use ipsec without isakmp, etc). Basically, go as strong as you can. Do show version on your pixen, and make sure you have a 3des activation key installed. Use 3des or AES for a bulk crypto algorithm, and SHA for a hash.

Community Member

Re: PIX to PIX VPN using 501'S

Thank you so much i understand much better now, There both static IPs, also i didnt see where the VPN connection came in ,well atleast not that i could see. Is it Software on the PC that make the actual connection, and i just need the ipsec and crypto map seeting for negotiations?

Silver

Re: PIX to PIX VPN using 501'S

for a site to site tunnel, you do not need client software. basically, all of your client pcs will function normally. currently, all of their non local traffic goes to the pix, and out to the internet (probably everything they do is either local to the local network, or internet related). You will functionally be adding a new segment to your network. Because the pix is the default gateway for your client pcs, all traffic will go to them. The pix, in a properly configured ipsec tunnel setup, will recognized the specific traffic cited in the crypto access lists, and will not send it unsecured to the internet - it will only send it across an ipsec tunnel, or it will discard it. if the tunnel is not built, it will attempt to negotiate it. if the tunnel cannot be built, it will discard the traffic

Community Member

Re: PIX to PIX VPN using 501'S

ok...just to make sure i understand, after access list and Ipsec is setup it will recognize the other network accross the internet, so in the access list i specify the other PIX outside staic Ip, saying permit local traffic to this IP which then on the other end i permit the traffic to be allowed along as there are the correct Ipsec negotations on both PIX? Do i specify any NAT ip address anywhere for this?

Community Member

Re: PIX to PIX VPN using 501'S

ok..if i have this at both PIX, except for differnt IP addresses , would this be right

nameif ethernet0 outside security0

nameif ethernet1 inside security100

interface ethernet0 auto

interface ethernet1 auto

ip address outside 192.168.1.2 255.255.255.0

ip address inside 10.2.1.1 255.255.0.0

global (outside) 1 192.168.1.20-192.168.1.254

nat (inside) 1 10.0.0.0 255.0.0.0

route outside 0.0.0.0 0.0.0.0 192.168.1.3 1

route inside 10.3.0.0 255.255.0.0 10.2.3.4 1

route inside 10.4.0.0 255.255.0.0 10.2.3.4 1

crypto map kid 1 ipsec-isakmp

crypto map kid interface outside

92
Views
0
Helpful
5
Replies
CreatePlease to create content