site-to-site multiple vpn tunnels with pix

rwawrig (Level 1)

Hi,

I have a site-to-site vpn tunnel between two PIX Firewalls.

Is it possible to build, on one side, another site-to-site VPN tunnel with a third PIX?

Thanks

Robert



JORGE RODRIGUEZ (Level 10)

Robert, yes, it is possible; you could build a new L2L tunnel on a single security appliance in addition to an existing L2L tunnel.

Please refer to the link below.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml

Rgds

Jorge

Jorge Rodriguez

Thanks for the link.

Still, I will need a little bit more help.

My config right now is this:

sysopt connection permit-ipsec
crypto ipsec transform-set aesonly esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600 kilobytes 500000
crypto map mykink1 1 ipsec-isakmp
crypto map mykink1 1 match address 101
crypto map mykink1 1 set peer 21.21.21.21
crypto map mykink1 1 set transform-set aesonly
crypto map mykink1 interface outside
isakmp enable outside
isakmp key ******** address 21.21.21.21 netmask 255.255.255.255
isakmp identity key-id mykey1
isakmp keepalive 60 5
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 3600

For the second tunnel I have to use the following parameters:

IPSec (Phase I) parameters
Encryption algorithm: 3DES
Hash algorithm: SHA-1
Diffie-Hellman group: 2
Authentication: pre-shared key
Lifetime: default 86400 s

IPSec (Phase II) parameters
ESP algorithm: 3DES
Hash algorithm: SHA-1
PFS: D-H group 2
Lifetime: default 28800 s

So I can create another crypto map for the new connection, but what will the second part look like?

Thanks again

Robert

I assume for your second tunnel you have a new peer IP; also, how does the new peer want you to appear, as a static public IP?

I think the easiest way is to create a second crypto map for the additional tunnel through PDM. You already have the existing crypto map mykink1 with isakmp policy 1; in the PIX PDM VPN section, create a new one.

e.g.

Assume the second peer IP is 20.20.20.1 and you will access a remote host behind the peer with IP 199.200.154.12 for RDP services. Your inside host at the local site is 192.168.1.1 with static NAT public IP x.y.x.y.

For your second tunnel you would have something similar to this, assuming the new remote peer wants you to come with your public IP:

crypto ipsec transform-set NEW_SET_SITE2 esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800 kilobytes 86400
crypto map mykink2 2 ipsec-isakmp
crypto map mykink2 2 match address outside_cryptomap_2
crypto map mykink2 2 set peer 20.20.20.1
crypto map mykink2 2 set transform-set NEW_SET_SITE2
crypto map mykink2 interface outside
isakmp key XXXXX address 20.20.20.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 2 authen pre-share
isakmp policy 2 encrypt 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 28800
static (inside,outside) x.y.x.y 192.168.1.1 255.255.255.255 0 0
access-list outside_cryptomap_2 permit tcp host x.y.x.y host 199.200.154.12 eq 3389

Jorge Rodriguez

Yes, I got it up to here.

My problem is with these lines:

crypto map mykink2 interface outside

will overwrite

crypto map mykink1 interface outside

crypto ipsec security-association lifetime seconds 28800 kilobytes 86400

will overwrite

crypto ipsec security-association lifetime seconds 3600 kilobytes 500000

My question is whether the first tunnel, which I have active now, will still work if I add these two lines.

Thanks again

Robert

Robert

You can only use one crypto map on an interface, but you can have sequence numbers within your crypto map, so from your config:

The existing tunnel

crypto map mykink1 1 ipsec-isakmp
crypto map mykink1 1 match address 101
crypto map mykink1 1 set peer 21.21.21.21
crypto map mykink1 1 set transform-set aesonly

Your new tunnel

crypto map mykink1 2 ipsec-isakmp
crypto map mykink1 2 match address "acl number"
crypto map mykink1 2 set peer "new peer address"
crypto map mykink1 2 set transform-set "new transform set"
crypto map mykink1 2 set security-association lifetime seconds "number of seconds"

You need to fill in the right values within the "" marks.

Note the sequence number has incremented from 1 in your first entry to 2 in the second entry.

You can specify the security association lifetime within the crypto map config, which overrides the global settings.

Adding this config should not affect your existing tunnel.

HTH

Jon
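A small consistency check for the point Jon makes (one crypto map per interface, several sequence numbers inside it). This is an added example, not code from the thread or from Cisco; it parses a constructed PIX-style fragment that reproduces the mistake Robert was about to make (a second map name bound to the same interface) and flags it, along with entries whose crypto ACL is undefined or that lack a peer, ACL or transform set.

```python
import re
from collections import defaultdict

# Constructed config in the shape of the thread's second attempt: a second map
# name bound to the same interface, and a crypto ACL (102) that is never defined.
BROKEN_CONFIG = """
crypto ipsec transform-set aesonly esp-aes esp-md5-hmac
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto map mykink1 1 match address 101
crypto map mykink1 1 set peer 21.21.21.21
crypto map mykink1 1 set transform-set aesonly
crypto map mykink1 interface outside
crypto map mykink2 2 match address 102
crypto map mykink2 2 set peer 20.20.20.1
crypto map mykink2 2 set transform-set aesonly
crypto map mykink2 interface outside
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)")
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)")


def lint_crypto_maps(config):
    """Return a list of findings; an empty list means the crypto-map fragment is consistent."""
    acls = set()
    entries = defaultdict(dict)   # (map name, seq) -> {"set peer": value, ...}
    bindings = defaultdict(list)  # interface -> map names, in config order
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("access-list "):
            acls.add(line.split()[1])
        elif m := ENTRY_RE.match(line):
            entries[(m[1], int(m[2]))][m[3]] = m[4]
        elif m := BIND_RE.match(line):
            bindings[m[2]].append(m[1])
    findings = []
    for iface, maps in bindings.items():
        if len(maps) > 1:  # the last "crypto map X interface" line wins; the others go silent
            findings.append(f"interface {iface}: '{maps[-1]}' replaces '{maps[0]}'; "
                            "keep one map name and use distinct sequence numbers")
    for (name, seq), fields in sorted(entries.items()):
        for field in ("match address", "set peer", "set transform-set"):
            if field not in fields:
                findings.append(f"{name} {seq}: missing '{field}'")
        acl = fields.get("match address")
        if acl and acl not in acls:
            findings.append(f"{name} {seq}: crypto ACL '{acl}' is not defined")
    return findings
```

Renaming mykink2 to mykink1, dropping the duplicate interface binding and defining ACL 102 (the shape of Robert's final config) brings the findings list to empty.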

Thanks Jon for the info; you're always a great resource. It is good to know that only one crypto map can be used when adding additional tunnels.

Rgds

Jorge

Jorge Rodriguez

Hi,

I have now this config:

sysopt connection permit-ipsec
crypto ipsec transform-set aesonly esp-aes esp-md5-hmac
crypto ipsec transform-set tripledes esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600 kilobytes 500000
crypto map mymap1 1 ipsec-isakmp
crypto map mymap1 1 match address 101
crypto map mymap1 1 set peer x.x.x.x
crypto map mymap1 1 set transform-set aesonly
crypto map mymap1 2 ipsec-isakmp
crypto map mymap1 2 match address 102
crypto map mymap1 2 set peer y.y.y.y
crypto map mymap1 2 set transform-set tripledes
crypto map mymap1 2 set security-association lifetime seconds 86400 kilobytes 500000
crypto map mymap1 interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address y.y.y.y netmask 255.255.255.255
isakmp identity key-id xxx
isakmp keepalive 60 5
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 3600
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 28800

I don't know why, but for the second tunnel I get encryption aes on the other side, and it should be 3des.

Phase 1 of the tunnel setup is not completed.

What am I missing?

Thanks

Robert

Sorry, my mistake.

It is working.

Thanks for the help.

Robert

Hi, I have a scenario like yours. I have 3 Cisco ASAs, two of them 5505s and one 5510. I have configured the IPsec VPN, and from the CORE (5510) I can ping the remote1-network and remote2-network, but I can't ping anything or access any service from remote1-network directly to remote2-network.

See the deployment I created in the attached file, and if you know what the problem can be, please tell me. Thanks for any hint.

Best Regards,

Fabio

Here is a small sh run of the appliances...

Sh run - ASA Remote1 - 5505

object-group network DM_INLINE_NETWORK_1
 network-object remote2-network 255.255.255.0
 network-object core-network 255.255.255.0
access-list outside_1_cryptomap extended permit ip 11.0.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip 11.0.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 192.168.0.5
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal

Sh run - ASA Remote2 - 5505

object-group network DM_INLINE_NETWORK_1
 network-object remote1-network 255.255.255.0
 network-object core-network 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 192.168.0.5
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal

Sh run - ASA CORE - 5510

same-security-traffic permit inter-interface
object-group network DM_INLINE_NETWORK_1
 network-object remote2-network 255.255.255.0
 network-object 12.0.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object remote1-network 255.255.255.0
 network-object 12.0.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 remote1-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 remote1-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_2 remote2-network 255.255.255.0
access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 remote2-network 255.255.255.0
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 192.168.0.3
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 192.168.0.4
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal

Hi,

Have you told 192.168.0.3 that all the packets for 11.0.0.0/24 have to go to 192.168.0.5?

Static routing...

And also the other way around...

Hi rwawring, I achieved it. I needed to configure

same-security-traffic permit intra-interface

and all works fine.

Thanks!

Fabio
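Fabio's fix can be checked from the hub's config alone: spoke-to-spoke traffic is decrypted from one tunnel on the outside interface and must be re-encrypted into another tunnel on that same interface, which the ASA only allows with same-security-traffic permit intra-interface. The following is an added example, not code from the thread or from Cisco; it parses a constructed hub fragment modelled on the CORE 5510 sh run above (object-group and net/mask ACL operands only) and reports every tunnel pair that hairpins while that command is absent.

```python
# Constructed hub config cut down from the CORE 5510 "sh run" above (names are the
# thread's own); the line that fixed the problem is deliberately left out.
HUB_CONFIG = """
object-group network DM_INLINE_NETWORK_1
 network-object remote2-network 255.255.255.0
 network-object 12.0.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object remote1-network 255.255.255.0
 network-object 12.0.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 remote1-network 255.255.255.0
access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 remote2-network 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 2 match address outside_2_cryptomap
"""

def parse_hub(config):
    """Return ({acl: (src nets, dst nets)}, {seq: acl}, intra-interface enabled)."""
    # Only "net mask" and "object-group NAME" ACL operands are handled (no host/any).
    groups, acls, maps, group, intra = {}, {}, {}, None, False
    for raw in config.splitlines():
        tok = raw.split()
        if tok[:2] == ["object-group", "network"]:
            group = groups.setdefault(tok[2], set())
        elif tok[:1] == ["network-object"]:
            group.add(tok[1])
        elif tok[:1] == ["access-list"] and "permit" in tok:
            ops, nets = tok[tok.index("ip") + 1:], []  # source operand, then destination
            while ops:
                nets.append(groups[ops[1]] if ops[0] == "object-group" else {ops[0]})
                ops = ops[2:]
            acls[tok[1]] = tuple(nets)
        elif tok[:2] == ["crypto", "map"] and "match" in tok:
            maps[tok[3]] = tok[-1]
        elif tok == ["same-security-traffic", "permit", "intra-interface"]:
            intra = True
    return acls, maps, intra

def hairpin_findings(config):
    """Flag traffic decrypted from one tunnel that must be re-encrypted into another."""
    acls, maps, intra = parse_hub(config)
    findings = []
    for seq_in, acl_in in maps.items():
        for seq_out, acl_out in maps.items():
            # packets from tunnel seq_in have a source in dst(acl_in); they go into
            # tunnel seq_out when that source also appears in src(acl_out)
            shared = acls[acl_in][1] & acls[acl_out][0] if seq_in != seq_out else set()
            if shared and not intra:
                findings.append(f"tunnel {seq_in} -> tunnel {seq_out} hairpins {sorted(shared)}: "
                                "add 'same-security-traffic permit intra-interface'")
    return findings
```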
