pix to pix vpn

cfajardo1_2 · ‎09-30-2005

hello,

i have setup a vpn bet 2 pix where the dynamic pix is initiating the vpn to the static pix (one way). Now the customer wants the vpn to be bidirectional where both locations could initiate the vpn connections.

if i will have a fix ip on the other end which is the dynamic pix, is bidirectional vpn possible?

thanks

jmia · ‎10-01-2005

Bi-directional VPN is possible but you need fixed (static) IP on both ends (PIX 1 and PIX 2), as you correctly pointed out, with static to dynamic setup only the dynamic side can initiate the VPN tunnel as the static side will not know the dynamic side IP.

Hope this helps and please rate post if it helps.

Jay

barry-goldberg · ‎03-12-2006

How Can I create Bi-directional VPN ?

jackko · ‎03-12-2006

below are the sample codes for configuring a lan-lan vpn:

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list 121 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

ip address outside 1.1.1.1 255.255.255.0

ip address inside 192.168.1.1 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto map myvpn 10 ipsec-isakmp

crypto map myvpn 10 match address 121

crypto map myvpn 10 set peer 1.1.1.2

crypto map myvpn 10 set transform-set myset

crypto map myvpn interface outside

isakmp enable outside

isakmp key cisco123 address 1.1.1.2 netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400