New Member

streamlining my PIX IPSec config

I have a hub-and-spoke IPSec VPN setup between spoke IOS routers and a PIX 515 as a hub. I have done the config by the book and I have a pretty big config right now. I was wondering if I could streamline the config a bit. I noticed that I have one crypto map with 50 different sequence numbers. All my peers use the ipsec-isakmp and the same transform set. The only difference in each sequence is the peer address and the access-list to match.

I am wondering if I can chop this down to only one crypto map sequence number that has all my peers and one access-list that includes all the peers. This is my idea for the hub PIX:

crypto map mymap 1 ipsec-isakmp
crypto map mymap 1 set transform-set myset
crypto map mymap 1 match address 110
crypto map mymap 1 set peer 1.1.1.1
crypto map mymap 1 set peer 2.2.2.2
crypto map mymap 1 set peer 3.3.3.3

access-list 110 permit gre host 10.10.10.10 host 1.1.1.1
access-list 110 permit gre host 10.10.10.10 host 2.2.2.2
access-list 110 permit gre host 10.10.10.10 host 3.3.3.3

Right now, I am doing this with 3 sequence numbers and three access-lists. I just want to be a bit more "elegant" with my PIX config. Will this work?

Thanks,

Diego

Cisco Employee

Re: streamlining my PIX IPSec config

Hi Diego,

The config that you have on the PIX right now, with different sequence numbers for each peer address and access-list, is the best method to implement IPSec LAN-to-LAN tunnels, and the config that you want to implement is a big no-no for three different peers.

Regards,

Arul
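
The reason behind Arul's "big no-no" is how a PIX treats several set peer lines in one crypto map entry: they form a fallback list for the same tunnel, tried in order if the earlier peer does not answer, not a set of parallel tunnels. With the collapsed entry from the question, GRE traffic matching ACL 110 would be offered to 1.1.1.1 first whichever spoke it is actually for, so the hub could not initiate cleanly to the other spokes. The usual way to keep 50 sequences manageable is to generate them from a peer table rather than collapse them on the box. The following Python script is an added example written for this page, not code from the thread or from Cisco: it renders one sequence and one access-list per spoke, and it lints a config for the one-entry-many-peers pattern. The map name, transform-set name, hub address and spoke addresses come from Diego's post; the ACL numbering scheme (110, 111, 112, ...) and the exact line formats the linter understands are assumptions of this example.

```python
"""Generate per-spoke PIX crypto map entries from a peer table and lint a
config for a single crypto map entry that carries several peers.

Added example, not from the Cisco Support Community thread. Names and
addresses are taken from the question; ACL numbering is an assumption.
"""
import re
from collections import defaultdict

# Constructed spoke table: (crypto map sequence number, spoke public address).
SPOKES = [(1, "1.1.1.1"), (2, "2.2.2.2"), (3, "3.3.3.3")]
HUB_INSIDE = "10.10.10.10"   # GRE endpoint on the hub side, from the post

# The collapsed config proposed in the question, reproduced here as test input.
PROPOSED = """\
crypto map mymap 1 ipsec-isakmp
crypto map mymap 1 set transform-set myset
crypto map mymap 1 match address 110
crypto map mymap 1 set peer 1.1.1.1
crypto map mymap 1 set peer 2.2.2.2
crypto map mymap 1 set peer 3.3.3.3
access-list 110 permit gre host 10.10.10.10 host 1.1.1.1
access-list 110 permit gre host 10.10.10.10 host 2.2.2.2
access-list 110 permit gre host 10.10.10.10 host 3.3.3.3
"""


def render_hub_config(spokes, map_name="mymap", transform="myset",
                      hub=HUB_INSIDE, first_acl=110):
    """Emit one ACL and one crypto map sequence per spoke.

    Each sequence names exactly one peer, so the PIX can tie a GRE flow to
    the spoke it belongs to and initiate the tunnel itself. Several
    'set peer' lines in ONE sequence are tried in order as fallbacks for the
    same tunnel, which is not what a hub with many independent spokes wants.
    """
    acl_lines, map_lines = [], []
    for i, (seq, peer) in enumerate(spokes):
        acl = first_acl + i          # assumed numbering: 110, 111, 112, ...
        acl_lines.append(f"access-list {acl} permit gre host {hub} host {peer}")
        map_lines.append(f"crypto map {map_name} {seq} ipsec-isakmp")
        map_lines.append(f"crypto map {map_name} {seq} set peer {peer}")
        map_lines.append(f"crypto map {map_name} {seq} set transform-set {transform}")
        map_lines.append(f"crypto map {map_name} {seq} match address {acl}")
    return "\n".join(acl_lines + map_lines)


# Only the two crypto map sub-commands the check needs, and host-to-host ACLs.
CRYPTO_RE = re.compile(r"^crypto map (\S+) (\d+) (set peer|match address) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit \S+ host (\S+) host (\S+)$")


def lint_crypto_map(config_text):
    """Return findings for crypto map entries that list more than one peer
    while the ACL they match covers more than one remote endpoint. That is
    the failover construct being used as a multi-spoke entry: traffic for
    every destination in the ACL is offered to the first peer.
    Also flags lines that look like a misspelt 'crypto' keyword."""
    peers = defaultdict(list)      # (map name, seq) -> [peer, ...]
    acl_of = {}                    # (map name, seq) -> ACL id
    acl_dests = defaultdict(set)   # ACL id -> {remote host, ...}
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("crypt") and not line.startswith("crypto "):
            findings.append(f"unrecognised keyword (typo?): {line}")
            continue
        m = CRYPTO_RE.match(line)
        if m:
            name, seq, kind, value = m.groups()
            if kind == "set peer":
                peers[(name, seq)].append(value)
            else:
                acl_of[(name, seq)] = value
            continue
        m = ACL_RE.match(line)
        if m:
            acl, _src, dst = m.groups()
            acl_dests[acl].add(dst)
    for key, plist in peers.items():
        dests = acl_dests.get(acl_of.get(key), set())
        if len(plist) > 1 and len(dests) > 1:
            findings.append(
                f"crypto map {key[0]} {key[1]}: {len(plist)} peers {plist} "
                f"share ACL {acl_of[key]} covering {sorted(dests)}; only "
                f"{plist[0]} is offered hub-initiated traffic for all of them")
    return findings


if __name__ == "__main__":
    for f in lint_crypto_map(PROPOSED):
        print("FINDING:", f)
    print(render_hub_config(SPOKES))
```

The generator keeps the per-spoke layout Arul recommends while moving the tedium into tooling; re-run it whenever the spoke table changes and paste the output into the PIX. The linter is deliberately narrow (host-to-host ACLs and the two sub-commands it cares about) and is meant as a pre-deployment check on the rendered text, not a full PIX config parser.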

New Member

Re: streamlining my PIX IPSec config

Diego,

You could configure it as a dynamic VPN, therefore eliminating all the crypto maps. However, this would then allow anyone to connect via VPN IF THEY KNOW your IP and your key.

Dan

New Member

Re: streamlining my PIX IPSec config

Thanks for the info. I have been considering using dyn VPN.

Diego
