Cisco Support Community

New Member

PIX-to-PIX VPN with remote VPN client config assistance

I am trying to generate a configuration for the central PIX firewall in a PIX-to-PIX VPN arrangement with remote (dynamic) VPN 3.x clients. I have consulted numerous Cisco configuration websites, but I'm still unsure of the proper configuration for this scenario.

According to the documentation I've read, you use a dynamic crypto map and open IP address statement for remote vpn client key exchange:

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map cisco 2 set transform-set myset

crypto map dyn-map 20 ipsec-isakmp dynamic cisco

crypto map dyn-map interface outside

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

And for the PIX-to-PIX with a static remote address you use static configs:

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto map transam 1 ipsec-isakmp

crypto map transam 1 match address 101

crypto map transam 1 set peer 172.22.112.12

crypto map transam 1 set transform-set myset

crypto map transam interface outside

isakmp key ********** address 172.22.112.12 netmask 255.255.255.255

How do you reconcile these two seemingly inconsistent configurations to allow remote clients with dynamic addresses to access the same interface on the central firewall as the remote host with a static address?

Any assistance would be greatly appreciated.

Thank You,

Dan

2 REPLIES
Bronze

Re: PIX-to-PIX VPN with remote VPN client config assistance

Hi Dan,

Here you go

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map cisco 2 set transform-set myset

crypto map transam 1 ipsec-isakmp

crypto map transam 1 match address 101

crypto map transam 1 set peer 172.22.112.12

crypto map transam 1 set transform-set myset

crypto map transam 20 ipsec-isakmp dynamic cisco

crypto map transam interface outside

isakmp key ********** address 172.22.112.12 netmask 255.255.255.255

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

Hope that helps

Jazib
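
Added example, not part of the original thread and not Cisco code: a small Python check that shows why the two fragments in the question conflict (two crypto maps applied to one interface) and why the merged map in the reply does not, and that also reports the wildcard pre-shared key and the DES/MD5 transform set. The finding names and the `NAIVE` sample are constructed for this example.

```python
import re

# Constructed sample: the merged configuration from the reply (keys masked as on the page).
MERGED = """\
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 2 set transform-set myset
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 172.22.112.12
crypto map transam 1 set transform-set myset
crypto map transam 20 ipsec-isakmp dynamic cisco
crypto map transam interface outside
isakmp key ********** address 172.22.112.12 netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
"""
# Constructed sample: the question's two fragments pasted together unchanged.
NAIVE = MERGED.replace("crypto map transam 20 ipsec-isakmp dynamic cisco",
    "crypto map dyn-map 20 ipsec-isakmp dynamic cisco\ncrypto map dyn-map interface outside")

def check_crypto_config(text):
    """Return sorted findings for a PIX-style crypto configuration."""
    entries, bound, findings = {}, {}, set()
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp( dynamic \S+)?$", line):
            kind = "dynamic" if m.group(3) else "static"
            entries.setdefault(m.group(1), {})[int(m.group(2))] = kind
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            bound.setdefault(m.group(2), []).append(m.group(1))
        elif re.match(r"isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0$", line):
            findings.add("wildcard-psk")  # any peer address may present this key
        elif re.match(r"crypto ipsec transform-set \S+ .*(esp-des|md5)", line):
            findings.add("weak-transform")  # single DES or MD5 in the transform set
    for iface, names in bound.items():
        if len(names) > 1:  # only one crypto map set can be applied per interface
            findings.add(f"multiple-maps:{iface}")
    for name, seqs in entries.items():
        static = [s for s, k in seqs.items() if k == "static"]
        dynamic = [s for s, k in seqs.items() if k == "dynamic"]
        # the dynamic entry should carry the highest sequence number,
        # so that static peers are matched first
        if static and dynamic and min(dynamic) < max(static):
            findings.add(f"dynamic-before-static:{name}")
    return sorted(findings)

if __name__ == "__main__":
    print(check_crypto_config(MERGED))
    print(check_crypto_config(NAIVE))
```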

New Member

Re: PIX-to-PIX VPN with remote VPN client config assistance

Thank you, Jazib. The configuration you have here will work for both the site-to-site vpn between PIX firewalls and for the remote vpn 3.X clients coming in from the Internet?
