VPN Tunnel Between three locations

lexiainfo (Level 1)

Dear experts,

Recently we have configured a VPN tunnel between two locations. Now we would like to create a VPN tunnel to a third location. What configuration applies on a Cisco PIX 501 firewall, version 6.3.4?

Please refer to the existing PIX config at both locations.

5 Replies

mehrdad (Level 3)

Hi,

The link below explains the hub and spokes (PIX-to-PIX-to-PIX) scenario, so maybe it can be helpful.

http://www.cisco.com/warp/public/110/pixhubspoke.html

jmia (Level 7)

Carl,

What kind of network are you asking for, i.e. fully meshed or hub to spoke? If it’s fully meshed then you cannot do this with PIX 501 6.3(4); you can do it with PIX version 7.0. But if you’re asking for hub to spoke, then it is possible.

As an example of hub to spoke VPN:

central_pix (Hub) -------------- peer_pix1 (spoke) [network: 10.0.1.0 /24]
[network: 192.168.1.0 /24]
        |
        |
peer_pix2 (spoke) [network: 10.1.1.0 /24]

Configuration example on the central_pix (Hub) (<1st_peer_ip>, <2nd_peer_ip> and <pre_shared_key> are placeholders for your own values):

access-list nonat permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 permit ip 192.168.35.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list 101 permit ip 192.168.35.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set LAB_1 esp-3des esp-md5-hmac
crypto map LABMAP 1 ipsec-isakmp
crypto map LABMAP 1 match address 100
crypto map LABMAP 1 set peer <1st_peer_ip>
crypto map LABMAP 1 set transform-set LAB_1
crypto map LABMAP 2 ipsec-isakmp
crypto map LABMAP 2 match address 101
crypto map LABMAP 2 set peer <2nd_peer_ip>
crypto map LABMAP 2 set transform-set LAB_1
crypto map LABMAP interface outside
isakmp enable outside
isakmp key <pre_shared_key> address <1st_peer_ip> netmask 255.255.255.255
isakmp key <pre_shared_key> address <2nd_peer_ip> netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400

Of course, you’ll need the appropriate configuration on the peer PIXes for the above to work. The reason for having ACLs 100 and 101 is so that PDM works: the PDM database doesn’t like the same ACL in different locations in the configuration, therefore you need to separate the ACLs as I did above.

I hope the above helps answer your requirement. And let me know how you get on or need further help.

Jay
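As an added illustration (not the poster's code, and not a PIX feature): the script below builds the hub's per-spoke crypto map entries and the matching spoke config from a small topology table, then checks the two things the hub-and-spoke example depends on, namely that each spoke's crypto ACL is the hub's ACL with source and destination swapped, and that every network pair in a crypto ACL is also in the nonat ACL (if it is not, the packets are NATed first, never match the crypto ACL, and the tunnel stays empty). All addresses, peer names and keys are constructed placeholders.

```python
# Added example: generate hub/spoke PIX 6.3 crypto config from a topology table and
# check ACL mirroring and nonat coverage.  Not code from the thread; every address,
# peer and key below is a constructed placeholder.
HUB_LAN = "192.168.1.0 255.255.255.0"
SPOKES = [
    {"peer": "<1st_peer_ip>", "lan": "10.0.1.0 255.255.255.0", "key": "<psk1>"},
    {"peer": "<2nd_peer_ip>", "lan": "10.1.1.0 255.255.255.0", "key": "<psk2>"},
]

def hub_config(hub_lan, spokes):
    """One crypto map sequence and one crypto ACL (100, 101, ...) per spoke."""
    lines = [f"access-list nonat permit ip {hub_lan} {s['lan']}" for s in spokes]
    for seq, s in enumerate(spokes, start=1):
        acl = 99 + seq  # ACL 100 for spoke 1, 101 for spoke 2, ... (PDM wants them separate)
        lines += [f"access-list {acl} permit ip {hub_lan} {s['lan']}",
                  f"crypto map LABMAP {seq} ipsec-isakmp",
                  f"crypto map LABMAP {seq} match address {acl}",
                  f"crypto map LABMAP {seq} set peer {s['peer']}",
                  f"crypto map LABMAP {seq} set transform-set LAB_1",
                  f"isakmp key {s['key']} address {s['peer']} netmask 255.255.255.255"]
    return lines

def spoke_config(hub_lan, hub_ip, spoke):
    """Spoke side of one tunnel: same networks, source and destination swapped."""
    return [f"access-list nonat permit ip {spoke['lan']} {hub_lan}",
            f"access-list 100 permit ip {spoke['lan']} {hub_lan}",
            "crypto map LABMAP 1 ipsec-isakmp",
            "crypto map LABMAP 1 match address 100",
            f"crypto map LABMAP 1 set peer {hub_ip}",
            "crypto map LABMAP 1 set transform-set LAB_1",
            f"isakmp key {spoke['key']} address {hub_ip} netmask 255.255.255.255"]

def acl_pairs(lines, name=None):
    """(src, dst) pairs from 'access-list <n> permit ip' lines; name='nonat' picks the nonat ACL."""
    pairs = set()
    for line in lines:
        t = line.split()
        if len(t) >= 8 and t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            if (t[1] == "nonat") == (name == "nonat"):
                pairs.add((" ".join(t[4:6]), " ".join(t[6:8])))
    return pairs

def spoke_mirrors_hub(hub_lines, spoke_lines):
    """True when every crypto ACL pair on the spoke is present reversed on the hub."""
    hub = acl_pairs(hub_lines)
    return all((dst, src) in hub for src, dst in acl_pairs(spoke_lines))

def nonat_covers_crypto(lines):
    """True when every crypto ACL pair also appears in the nonat ACL."""
    return acl_pairs(lines) <= acl_pairs(lines, "nonat")
```

Run it against a real config export (one command per line) to catch the mismatch before the tunnel is built; the nonat check flags the case where the nonat ACL names 192.168.1.0/24 while the crypto ACL names a different hub network.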

Firstly, thanks for your reply.

I have a few doubts.

1. Does the above config go into the third PIX location?

2. What are 10.0.1.0, 192.168.1.0 and 192.168.1.35? I am confused because I am using the following internal IPs: location 1: 192.168.1.0, location 2: 192.168.0.1 and location 3: 10.1.1.1.

3. Here in my case, which will be the central PIX hub?

4. I believe you have seen both of my location PIX configs; what I am basically looking for is that all three locations must be able to access each other.

5. I am confused about the HUB?

Sorry, I am new to PIX firewalls; maybe I am asking a silly question. If possible, please solve my problem.

Thanks

1. Does the above config go into the third PIX location?

No, the configuration is for your central PIX, i.e. HQ!

2. What are 10.0.1.0, 192.168.1.0 and 192.168.1.35? I am confused because I am using the following internal IPs: location 1: 192.168.1.0, location 2: 192.168.0.1 and location 3: 10.1.1.1.

I only used the above IPs as an example – you can change the IPs to your requirement.

3. Here in my case, which will be the central PIX hub?

See answer to Q1 (above).

4. I believe you have seen both of my location PIX configs; what I am basically looking for is that all three locations must be able to access each other.

In this case, you are asking for a fully meshed network, i.e. all three locations can send data to each other – correct? If so, this can NOT be achieved using PIX 501 6.3(4); you’ll need to upgrade your PIX to a PIX 515 with OS version 7.0 – PIX OS version 7.0+ is ONLY available for PIX models 515 and above (at the moment)!

But you can have Hub (HQ) to Spoke (remote sites) as explained in my post, plus the example configuration provided.

5. I am confused about the HUB?

HUB = your HQ, i.e. your central PIX (see my diagram in the original post).

I hope this answers your questions; let me know if you need further help/explanation.

Is this configuration OK? Location 3 is unable to ping Location 1 (location 1 is HQ).

Please refer to the attachment. Thanks.
