
New Member

Site to Site VPN with a PIX 515E

Hi Everyone,

I'm trying to create a site to site VPN using our Cisco PIX515E (6.3) at our main office and an 837 ADSL router at a remote office.

However, whenever I enable Easy VPN Remote on the PIX or use the VPN wizard to create a site-to-site VPN, all the normal outgoing web traffic from the PIX seems to get blocked until I disable Easy VPN or remove the site-to-site VPN settings.

Am I missing something here?

Am I able to use our PIX as a firewall for our incoming and outgoing net traffic while also using it to form a site-to-site VPN?

If so, does anyone have any suggestions as to what I may be doing wrong?

Thanks,

Peter.

2 REPLIES
Gold

Re: Site to Site VPN with a PIX 515E

Please see below for sample configs for a LAN-to-LAN VPN:

for PIX v6.x

! 101 = NAT exemption ACL (used by nat 0), 121 = crypto ACL; both describe the
! same inside-to-remote flow, and 121 must be the exact mirror of the router's 121
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 121 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip address outside 1.1.1.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
! VPN traffic bypasses PAT via nat 0; everything else is PATed to the outside address
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
! let decrypted IPsec traffic bypass the outside interface ACL
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map myvpn 10 ipsec-isakmp
crypto map myvpn 10 match address 121
crypto map myvpn 10 set peer 1.1.1.2
crypto map myvpn 10 set transform-set myset
crypto map myvpn interface outside
isakmp enable outside
isakmp key cisco123 address 1.1.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
! phase 1 policy; the router's policy 10 must negotiate the same settings
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

for 837

crypto isakmp policy 10
 encr 3des
 ! IOS defaults to sha; md5 is needed here to match the PIX policy
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 1.1.1.1 no-xauth
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set myset
 match address 121
interface Ethernet0
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
interface Dialer0
 ip address 1.1.1.2 255.255.255.0
 ip access-group 111 in
 ip nat outside
 crypto map mymap
! route-map nonat keeps the VPN flow out of PAT, the same job nat 0 does on the PIX
ip nat inside source route-map nonat interface Dialer0 overload
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
! 111 only admits IKE, NAT-T, ESP and the decrypted remote subnet; because it ends
! in deny ip any any, return traffic for PATed Internet sessions from the LAN also
! needs a permit or ip inspect (CBAC) on Dialer0
access-list 111 permit udp any host 1.1.1.2 eq non500-isakmp
access-list 111 permit udp any host 1.1.1.2 eq isakmp
access-list 111 permit esp any host 1.1.1.2
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 111 deny ip any any
! crypto ACL: mirror image of the PIX's 121
access-list 121 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
route-map nonat permit 10
 match ip address 101
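A pair like the one above usually fails to pass traffic for one of four reasons: the two crypto ACLs are not mirror images, the VPN flow on the PIX is not exempted from NAT, the ISAKMP policies differ (IOS silently fills in defaults for anything not configured), or the transform sets differ. The following script is an added example (my own code, not Cisco's and not part of this thread) that pulls those lines out of both configs and reports any disagreement. The two embedded snippets are constructed from the sample in the reply, with the router's `hash` line left out so the checker has something to find; the regexes only understand the `permit ip net mask net mask` form of ACL entry and the policy/transform-set syntax shown in the sample.

```python
"""Consistency check for a PIX 6.x <-> IOS LAN-to-LAN IPsec pair (added example,
not Cisco code and not from the thread). It reads the few lines that must agree
on both peers and reports mismatches before anything is pushed to a device."""
import ipaddress
import re

# Constructed sample, PIX side (6.x syntax: ACLs use subnet masks).
PIX_CFG = """
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 121 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list 101
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map myvpn 10 match address 121
crypto map myvpn 10 set transform-set myset
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
"""

# Constructed sample, 837 side (IOS syntax: ACLs use wildcard masks). The policy
# has no 'hash' line on purpose: IOS then defaults to sha and the checker flags it.
IOS_CFG = """
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set transform-set myset
 match address 121
access-list 121 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

# What IOS uses for an ISAKMP policy attribute that is not configured.
IOS_ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

def _first(pattern, cfg):
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def _net(addr, mask, wildcard):
    """Network from 'addr mask'; an IOS wildcard mask is inverted to a subnet mask."""
    if wildcard:
        mask = str(ipaddress.IPv4Address(~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def acl_flows(cfg, acl_id, wildcard):
    """Set of (src, dst) networks from 'permit ip net mask net mask' entries."""
    pat = rf"^access-list {acl_id} permit ip (\S+) (\S+) (\S+) (\S+)$"
    return {(_net(s, sm, wildcard), _net(d, dm, wildcard))
            for s, sm, d, dm in re.findall(pat, cfg, re.M)}

def pix_isakmp_policy(cfg, num):
    """PIX writes one line per attribute; its 'encryption' is 'encr' on IOS."""
    attrs = {}
    for attr, val in re.findall(rf"^isakmp policy {num} (\S+) (\S+)$", cfg, re.M):
        attrs["encr" if attr == "encryption" else attr] = val
    return attrs

def ios_isakmp_policy(cfg, num):
    """IOS writes an indented block; anything not set takes the IOS default."""
    attrs = dict(IOS_ISAKMP_DEFAULTS)
    block = re.search(rf"^crypto isakmp policy {num}\n((?: .*\n)*)", cfg, re.M)
    for line in (block.group(1).splitlines() if block else []):
        parts = line.split()
        if len(parts) == 2:
            attrs[parts[0]] = parts[1]
    return attrs

def transform_set(cfg, name):
    m = re.search(rf"^crypto ipsec transform-set {name} (.+)$", cfg, re.M)
    return tuple(m.group(1).split()) if m else None

def check_pair(pix_cfg, ios_cfg):
    """Return a list of findings; an empty list means the two peers agree."""
    findings = []
    pix_crypto = acl_flows(pix_cfg, _first(r"match address (\S+)", pix_cfg), False)
    ios_crypto = acl_flows(ios_cfg, _first(r"match address (\S+)", ios_cfg), True)
    # 1. Each peer's crypto ACL must be the exact mirror of the other's.
    if {(d, s) for s, d in ios_crypto} != pix_crypto:
        findings.append("crypto ACLs are not mirror images")
    # 2. Every flow the PIX encrypts must be NAT-exempt (nat 0): NAT runs before
    #    the crypto map, so a translated packet never matches the crypto ACL.
    nat0_acl = _first(r"^nat \(inside\) 0 access-list (\S+)$", pix_cfg)
    exempt = acl_flows(pix_cfg, nat0_acl, False) if nat0_acl else set()
    for src, dst in sorted(pix_crypto - exempt):
        findings.append(f"PIX crypto flow {src} -> {dst} is not NAT-exempt")
    # 3. Phase 1: the four negotiated attributes must match on both sides.
    pix_p1 = pix_isakmp_policy(pix_cfg, _first(r"isakmp policy (\d+)", pix_cfg))
    ios_p1 = ios_isakmp_policy(ios_cfg, _first(r"isakmp policy (\d+)", ios_cfg))
    for key in ("encr", "hash", "authentication", "group"):
        if pix_p1.get(key) != ios_p1.get(key):
            findings.append(f"isakmp {key}: pix={pix_p1.get(key)} ios={ios_p1.get(key)}")
    # 4. Phase 2: the transform set each crypto map references must match.
    pix_ts = transform_set(pix_cfg, _first(r"set transform-set (\S+)", pix_cfg))
    ios_ts = transform_set(ios_cfg, _first(r"set transform-set (\S+)", ios_cfg))
    if pix_ts != ios_ts:
        findings.append(f"transform sets differ: pix={pix_ts} ios={ios_ts}")
    return findings
```

Running `check_pair(PIX_CFG, IOS_CFG)` on the snippets as embedded reports only the phase 1 hash mismatch; adding ` hash md5` under the router's policy makes the list empty, and dropping the `nat (inside) 0` line from the PIX side produces a NAT-exemption finding for the 192.168.1.0/24 to 192.168.2.0/24 flow. The same pre-flight check is worth running any time a crypto ACL or NAT statement is edited on either peer.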

New Member

Re: Site to Site VPN with a PIX 515E

Hi Jacko,

Thanks very much for your reply.

I'll give it a try.

Regards,

Peter.
