Cisco Support Community

hx2
New Member

My First PIX VPN (help)

I have been assigned the task of setting up a VPN between my company and a company that we are doing business with. We have a Cisco PIX515E, and they have some type of PIX as well. I don't know what model, but it is a PIX. The other company would like me to set the standard. What is the best, yet simplest VPN method for PIX? Please, don't just send me a link. I am still learning IOS command syntax. Thank U!!!!

2 REPLIES
Gold

Re: My First PIX VPN (help)

please read below as a sample config:

e.g. 192.168.100.0/24 <--> your company pix <--> www/vpn <--> business partner pix <--> 192.168.101.0/24

for your company pix:

access-list 101 permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list 110 permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
nat (inside) 0 access-list 101
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp identity address
isakmp nat-traversal 20
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto map myvpn 10 ipsec-isakmp
crypto map myvpn 10 match address 110
crypto map myvpn 10 set peer
crypto map myvpn 10 set transform-set vpnset
isakmp key address netmask 255.255.255.255 no-xauth no-config-mode
isakmp enable outside
crypto map myvpn interface outside

for business partner pix:

access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 110 permit ip 192.168.101.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list 101
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp identity address
isakmp nat-traversal 20
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto map myvpn 10 ipsec-isakmp
crypto map myvpn 10 match address 110
crypto map myvpn 10 set peer
crypto map myvpn 10 set transform-set vpnset
isakmp key address netmask 255.255.255.255 no-xauth no-config-mode
isakmp enable outside
crypto map myvpn interface outside

the above sample is a lan-lan vpn, that means either site can initiate the vpn and once the vpn is established, both sites have full access to the other.

one point that needs to be noticed is the isakmp policy parameters and the ipsec transform set. with the above sample, it's using 3des. it may not be supported on your/your business partner's pix; it depends on the pix license. do "sh ver" on the pix to verify.
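An added check for the point made in the reply above that the isakmp policy, the transform set and the crypto ACL have to agree on both PIXes; this is example code, not from the post or from Cisco. It parses condensed copies of the two sample configs (the peer and key lines are left out, as in the post) and reports anything that would stop the tunnel from negotiating.

```python
# Constructed sample, condensed from the two PIX snippets in the reply above (peer/key lines omitted).
SITE_A = """\
access-list 110 permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto map myvpn 10 match address 110
crypto map myvpn 10 set transform-set vpnset
"""
# The partner side is the same config with the two subnets swapped in the crypto ACL.
SITE_B = SITE_A.replace("192.168.100.0 255.255.255.0 192.168.101.0",
                        "192.168.101.0 255.255.255.0 192.168.100.0")

def parse(cfg):
    """Pull the parts of a PIX lan-to-lan config that must agree with the peer.
    Assumes one isakmp policy and one crypto map entry, as in the post."""
    policy, acls, tsets, acl_id, ts_name = {}, {}, {}, None, None
    for w in (line.split() for line in cfg.splitlines() if line.strip()):
        if w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            acls.setdefault(w[1], set()).add(tuple(w[4:8]))  # (src, smask, dst, dmask)
        elif w[:2] == ["isakmp", "policy"]:
            policy[w[3]] = w[4]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[w[3]] = frozenset(w[4:])
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["match", "address"]:
            acl_id = w[6]
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["set", "transform-set"]:
            ts_name = w[6]
    return {"acl": acls.get(acl_id, set()), "policy": policy,
            "tset": tsets.get(ts_name, frozenset())}

def lan_to_lan_mismatches(local_cfg, peer_cfg):
    """Return the reasons the two PIX configs would fail to bring the tunnel up."""
    a, b, problems = parse(local_cfg), parse(peer_cfg), []
    # Phase 1: these must match exactly; lifetime is negotiated down to the shorter value.
    for attr in ("authentication", "encryption", "hash", "group"):
        if a["policy"].get(attr) != b["policy"].get(attr):
            problems.append(f"isakmp {attr}: {a['policy'].get(attr)} vs {b['policy'].get(attr)}")
    # Phase 2: the transform set must carry the same ESP transforms on both sides.
    if a["tset"] != b["tset"]:
        problems.append(f"transform-set: {sorted(a['tset'])} vs {sorted(b['tset'])}")
    # Crypto ACL: every local entry must appear on the peer with source and destination swapped.
    if {(d, dm, s, sm) for s, sm, d, dm in a["acl"]} != b["acl"]:
        problems.append("crypto acl is not the mirror image of the peer's")
    return problems
```

Running `lan_to_lan_mismatches(SITE_A, SITE_B)` on the two sample sides returns an empty list; changing one side's hash or transform set, or pasting the same ACL on both sides without swapping the subnets, produces a one-line report of the mismatch.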

Gold

Re: My First PIX VPN (help)

if the pix currently doesn't support 3des, or aes, you can follow the link below to obtain a new key for the pix (it's free).

https://tools.cisco.com/SWIFT/Licensing/jsp/formGenerator/Pix3DesMsgDisplay.jsp

the catch is that you will need to reboot the pix after applying the new key.
