streamlining my PIX IPSec config

tato386
Level 6

I have a hub-and-spoke IPSec VPN setup between spoke IOS routers and a PIX 515 as a hub. I have done the config by the book and I have a pretty big config right now. I was wondering if I could streamline the config a bit. I noticed that I have one crypto map with 50 different sequence numbers. All my peers use the ipsec-isakmp and the same transform set. The only difference in each sequence is the peer address and the access-list to match.

I am wondering if I can chop this down to only one crypto map sequence number that has all my peers and one access-list that includes all the peers. This is my idea for the hub PIX:

crypto map mymap 1 ipsec-isakmp
crypto map mymap 1 set transform-set myset
crypto map mymap 1 match address 110
crypto map mymap 1 set peer 1.1.1.1
crypto map mymap 1 set peer 2.2.2.2
crypto map mymap 1 set peer 3.3.3.3

access-list 110 permit gre host 10.10.10.10 host 1.1.1.1
access-list 110 permit gre host 10.10.10.10 host 2.2.2.2
access-list 110 permit gre host 10.10.10.10 host 3.3.3.3

Right now, I am doing this with 3 sequence numbers and three access-lists. I just want to be a bit more "elegant" with my PIX config. Will this work?

Thanks,

Diego

3 Replies

ajagadee
Cisco Employee

Hi Diego,

The config that you have on the PIX right now, with different sequence numbers for each peer address and access-list, is the best method to implement IPSec LAN-to-LAN tunnels, and the config that you want to implement is a big no-no for three different peers.

Regards,

Arul

Diego,

You could configure it as a dynamic VPN, therefore eliminating all the crypto maps. However, this would then allow anyone to connect via VPN IF THEY KNOW your IP, and your key.

Dan
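An added illustration of the dynamic-map alternative Dan describes, not configuration posted by anyone in this thread. It assumes PIX 6.x syntax; the names mymap, myset, access-list 110, the hub address 10.10.10.10 and the spoke addresses follow Diego's post, while dynmap, the transform set, the ISAKMP policy values and the pre-shared keys are placeholders. The per-peer isakmp key lines address the "anyone who knows your key" concern: the dynamic map removes the per-spoke crypto map entries, but a key is only accepted from a configured spoke address.

```cisco
! Added example (assumed PIX 6.x syntax), not from the original thread.
! Phase 1: one pre-shared key per spoke address, so only a configured
! spoke can authenticate even though the crypto map itself is dynamic.
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp key PLACEHOLDER-KEY-1 address 1.1.1.1 netmask 255.255.255.255
isakmp key PLACEHOLDER-KEY-2 address 2.2.2.2 netmask 255.255.255.255
isakmp key PLACEHOLDER-KEY-3 address 3.3.3.3 netmask 255.255.255.255
! Weak form Dan warns about: a single wildcard key usable by any peer that knows it.
! isakmp key PLACEHOLDER-KEY address 0.0.0.0 netmask 0.0.0.0
!
! Phase 2: one dynamic map replaces the 50 static sequence numbers.
! match address is optional on a dynamic map; without it the PIX accepts any
! proxy identity the spoke proposes, so restrict it to GRE terminating on the hub.
access-list 110 permit gre host 10.10.10.10 any
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 10 match address 110
! The dynamic entry takes the highest sequence number so any static entries
! kept for specific peers are evaluated first.
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
sysopt connection permit-ipsec
```

With a dynamic map the PIX can only respond, never initiate, so each spoke router must bring its tunnel up (for GRE over IPSec, by sending traffic or keepalives from the spoke side).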

Thanks for the info. I have been considering using dyn VPN.

Diego