Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Adding tunnel to existing transport VPN configuration

I've been checking steps on adding a vpn tunnel to an existing configuration and found this example on the wiki explaining IPSec between networks.

Do we follow similar steps when the case is host to host rather than network? Are there other steps related to step 3 and NAT? It isn't clear how the two access list entries work together.

My main concern is disrupting remote access during the testing, especially if this requires multiple changes.

existing pix 515 config file output:

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mapname 10 ipsec-isakmp dynamic dynmap

crypto map mapname interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

To add a new tunnel between my host and the remote host:

Peer ip address:-

Local host :-

Remote host :-

1. Remove the crypto map that exists off the outside interface.

no crypto map mapname interface outside

2. Create new crypto access-list with the source as the internal network of the PIX Firewall and the destinations as the remote network.

access-list 103 permit ip host host

3. Create an identical access-list for Network Address Translation (NAT) 0 as crypto access-list for the NAT bypass.

access-list 102 permit ip host host

4. Create a new crypto map with the same name, but with a different sequence number.

crypto map mapname 20 ipsec-isakmp

crypto map mapname 20 match address 103

crypto map mapname 20 set peer

crypto map mapname 20 set transform-set myset

5. Configure the ISAKMP policy preshare key.

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

isakmp key address netmask

6. Bind the crypto map to the outside interface.

crypto map mapname interface outside

Ping the remote host to bring up the new tunnel.