
Site-to-Site and Easy VPN on PIX

Kevin Melton
Level 2

I have a customer who uses their PIX 515E for a Site to Site tunnel to a remote branch. All works well for the tunnel to the remote branch.

I have now also configured the PIX so that it can take incoming tunnel requests from a few mobile users using the Cisco VPN client.

What I am noticing is that each time that I apply one or the other crypto map to the outside interface, it negates the other crypto map being applied to the outside interface.

I am posting the config for inspection (attachment) if anyone would be gracious enough to take a quick look and let me know where my configuration errors are.

I need to support both the Site to Site tunnel as well as the ability for the PIX to handle the VPN clients.

Thank You.

2 Replies

jackko
Level 7

PIX only allows one crypto map on an interface. Having said that, the scenario you've got can be resolved by creating multiple instances under one crypto map.

e.g.

crypto ipsec transform-set vpnset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set vpnset

crypto map myvpn 10 ipsec-isakmp dynamic dynmap

crypto map myvpn 20 ipsec-isakmp

crypto map myvpn 20 match address 110

crypto map myvpn 20 set peer

crypto map myvpn 20 set transform-set vpnset

As the sample shows, both dynamic and static VPN are included in crypto map myvpn, and distinguished by different numbers.
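The situation discussed in this thread can be checked offline against a saved configuration. The script below is an added example, not part of the replies above or of any Cisco tooling: it parses `crypto map` lines, reports map names that end up not applied to any interface (the symptom in the question), and reports static entries that lack a peer, ACL or transform set. The map names `clientmap` and `sitemap`, the peer address `192.0.2.1` and the function name `audit` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample (not the poster's attachment): two separately named maps,
# each applied to the outside interface in turn.
SAMPLE_SPLIT = """\
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap interface outside
crypto map sitemap 20 ipsec-isakmp
crypto map sitemap 20 match address 110
crypto map sitemap 20 set peer 192.0.2.1
crypto map sitemap 20 set transform-set vpnset
crypto map sitemap interface outside
"""
# Same entries merged under one map name, as the reply above suggests.
SAMPLE_MERGED = SAMPLE_SPLIT.replace("clientmap", "myvpn").replace("sitemap", "myvpn")

ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
BIND = re.compile(r"^crypto map (\S+) interface (\S+)$")

def audit(config):
    """Return a list of findings for the crypto map section of a PIX config."""
    entries = defaultdict(lambda: defaultdict(list))  # map name -> seq -> settings
    bound = {}  # interface -> map name; a later binding replaces an earlier one
    for line in config.splitlines():
        line = line.strip()
        if m := BIND.match(line):
            bound[m.group(2)] = m.group(1)
        elif m := ENTRY.match(line):
            entries[m.group(1)][int(m.group(2))].append(m.group(3))
    findings = [f"map {name} is not applied to any interface"
                for name in entries if name not in bound.values()]
    for name, seqs in entries.items():
        for seq, settings in sorted(seqs.items()):
            if any(s.startswith("ipsec-isakmp dynamic") for s in settings):
                continue  # dynamic entry: peer and proxy ACL are not configured here
            for needed in ("match address ", "set peer ", "set transform-set "):
                if not any(s.startswith(needed) for s in settings):
                    findings.append(f"map {name} seq {seq} lacks '{needed.strip()}'")
    return findings

if __name__ == "__main__":
    for label, cfg in (("split", SAMPLE_SPLIT), ("merged", SAMPLE_MERGED)):
        print(label, audit(cfg) or "no findings")
```

Because the check for a static entry requires an argument after `set peer`, a line left as a bare `set peer` is reported as missing its peer.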

Thanks. I have configured the PIX and will test tomorrow.
