09-24-2005 08:41 PM - edited 02-21-2020 01:59 PM
Dear Expertise
Recently we have configured a VPN tunnel between two locations. Now we would like to create a VPN tunnel to a third location. What configuration will apply on a Cisco PIX 501 firewall, version 6.3.4?
Please refer to the existing PIX config at both locations.
09-25-2005 09:34 AM
Hi,
The link below explains a hub-and-spoke (PIX-to-PIX-to-PIX) scenario, so maybe it can be helpful.
09-25-2005 09:52 AM
Carl,
What kind of network are you asking for, i.e. fully meshed or hub to spoke? If it's fully meshed then you cannot do this with PIX 501 6.3(4); you can do it with PIX version 7.0. But if you're asking for hub to spoke, then it is possible.
As an example of hub to spoke VPN:
central_pix (Hub) [network: 192.168.1.0 /24] -------------- peer_pix1 (spoke) [network: 10.0.1.0 /24]
        |
        |
Peer_pix2 (spoke) [network: 10.1.1.0 /24]
Configuration example on the central_pix (Hub):
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set LAB_1 esp-3des esp-md5-hmac
crypto map LABMAP 1 ipsec-isakmp
crypto map LABMAP 1 match address 100
crypto map LABMAP 1 set peer <1st_peer_ip>
crypto map LABMAP 1 set transform-set LAB_1
crypto map LABMAP 2 ipsec-isakmp
crypto map LABMAP 2 match address 101
crypto map LABMAP 2 set peer <2nd_peer_ip>
crypto map LABMAP 2 set transform-set LAB_1
crypto map LABMAP interface outside
isakmp enable outside
isakmp key <key_for_1st_peer> address <1st_peer_ip> netmask 255.255.255.255
isakmp key <key_for_2nd_peer> address <2nd_peer_ip> netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
Of course, you'll need the appropriate configuration on the peer PIXes for the above to work. The reason for having ACLs 100 and 101 is so that PDM works, as the PDM database doesn't like the same ACL in different locations in the configuration; therefore you need to separate the ACLs as I did above.
I hope the above helps answer your requirement. Let me know how you get on or if you need further help.
Jay
09-25-2005 04:55 PM
Firstly, thanks for your reply.
I have a few doubts.
1. Does the above config go into the third PIX location?
2. What are 10.0.1.0, 192.168.1.0, 192.168.1.35? I am confused because I am using the following internal IPs: location 1: 192.168.1.0, location 2: 192.168.0.1 and location 3: 10.1.1.1.
3. Here in my case, which will be the central PIX hub?
4. I believe you have seen both of my location PIX configs. What basically I am looking for is that all three locations must access each location.
5. I am confused about HUB?
Sorry, I am new to the PIX firewall; maybe I am asking silly questions. If possible please solve my problem.
Thanks
Thanks
09-25-2005 10:01 PM
1. Does the above config go into the third PIX location?
No, the configuration is for your central PIX, i.e. HQ!
2. What are 10.0.1.0, 192.168.1.0, 192.168.1.35? I am confused because I am using the following internal IPs: location 1: 192.168.1.0, location 2: 192.168.0.1 and location 3: 10.1.1.1.
I only used the above IPs as an example; you can change the IPs to your requirement.
3. Here in my case, which will be the central PIX hub?
See answer to Q1 (above).
4. I believe you have seen both of my location PIX configs. What basically I am looking for is that all three locations must access each location.
In this case, you are asking for a fully meshed network, i.e. all three locations can send data to each other, correct? If so, this can NOT be achieved using PIX 501 6.3(4); you'll need to upgrade your PIX to a PIX 515 with OS version 7.0. PIX OS version 7.0+ is ONLY available for PIX models 515 and above (at the moment)!
But you can have Hub (HQ) to Spoke (remote sites) as explained in my post plus the example configuration provided.
5. I am confused about HUB?
HUB = your HQ, i.e. your central PIX (see my diagram in the original post).
I hope this explains your questions; let me know if you need further help/explanation.
09-27-2005 10:52 PM