
PIX VPN Configuration LAN to LAN

      PC1                    PC2
       |                      |
  ------LAN1---          --LAN2-----
       |                      |
       |[10.16.1.1/24]        |[10.16.2.1/24]
   PIX515E-1              PIX515E-2
       |[122.1.1.2/30]        |[122.1.2.2/30]
       |                      |
  -----------Internet-(VPN)------
                |
                |[122.1.3.2/30]
            PIX515E-3
                |[10.16.3.1/24]
                |
  -------LAN3-------------------
       |                 |
      PC3                |[10.16.3.99]
             DMZ----- Firewall (HQ office)
                         |[?.?.?.?]
                         |
  -----------Internet----------

I am trying to set up a VPN on PIX515Es (ver. 6.3).

I could connect PC1, PC2 and PC3 to each other over the VPN,

but cannot connect PC1, PC2 -> PIX515E-1 -> PIX515E-3 -> Firewall -> Internet.

(I can connect PC3 -> Firewall -> Internet.)

I want to know how to configure the PIX515Es.

PIX515E-3 CONFIGURATION

PIX Version 6.3(5)
access-list nat0_acl permit ip 10.16.3.0 255.255.255.0 10.16.1.0 255.255.255.0
access-list nat0_acl permit ip 10.16.3.0 255.255.255.0 10.16.2.0 255.255.255.0
access-list crypt_10 permit ip 10.16.3.0 255.255.255.0 10.16.1.0 255.255.255.0
access-list crypt_20 permit ip 10.16.3.0 255.255.255.0 10.16.2.0 255.255.255.0
nat (inside) 0 access-list nat0_acl
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.x.x.1.3.1 1
sysopt connection permit-ipsec
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address crypt_10
crypto map outside_map 10 set pfs group5
crypto map outside_map 10 set peer 122.1.1.2
crypto map outside_map 10 set transform-set ESP-AES-128-SHA
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address crypt_20
crypto map outside_map 20 set pfs group5
crypto map outside_map 20 set peer 122.1.2.2
crypto map outside_map 20 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
isakmp enable outside
:


Re: PIX VPN Configuration LAN to LAN

Hi,

I am not able to fully comprehend the diagram.

"but not connect PC1,PC2 -> PIX515E-1 -> PIX515E-3 -> Firewall -> Internet. "

From PC1, do you need to connect to the Internet?

Please refer to this link for configuring site-to-site tunnels:

http://www.ciscosystems.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

This document describes a hub-and-spoke example:

http://www.ciscosystems.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093bd3.shtml

Raj


Re: PIX VPN Configuration LAN to LAN

Hi,

From PC1, I want web access to the Internet via a proxy on the DMZ (HQ office).

PC1's default gateway is 10.16.1.1

PC1's proxy is 192.168.1.1

I want to connect over the VPN from 10.16.1.xxx to 192.168.1.1, which is behind PIX515E-3.

(Simply route to the other private net through the VPN.)


Re: PIX VPN Configuration LAN to LAN

Hi,

You mean to say that the crypto ACL should be like:

access-list cry 10.16.1.0 255.255.255.0 host 192.168.1.1 on the first PIX?

Along with the identical nat 0 and the access list with it.

Raj
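
Added example (not part of the thread and not Cisco code): a small Python check of which ACLs in the posted PIX515E-3 configuration cover a given flow, showing that traffic between the proxy 192.168.1.1 and LAN1 matches neither the crypto ACLs nor the NAT exemption. IPsec crypto ACLs must mirror each other on the two peers, so the entry suggested above for the first PIX needs its reverse on PIX515E-3; the `PROPOSED` lines and the PC host addresses are constructed for illustration.

```python
import ipaddress

# access-list lines copied from the PIX515E-3 configuration in the first post
PIX3_ACLS = """\
access-list nat0_acl permit ip 10.16.3.0 255.255.255.0 10.16.1.0 255.255.255.0
access-list nat0_acl permit ip 10.16.3.0 255.255.255.0 10.16.2.0 255.255.255.0
access-list crypt_10 permit ip 10.16.3.0 255.255.255.0 10.16.1.0 255.255.255.0
access-list crypt_20 permit ip 10.16.3.0 255.255.255.0 10.16.2.0 255.255.255.0
"""
# Constructed for this example (not from the thread): mirror of the entry
# suggested for the first PIX, added to the crypto and NAT-exemption ACLs.
PROPOSED = """\
access-list nat0_acl permit ip host 192.168.1.1 10.16.1.0 255.255.255.0
access-list crypt_10 permit ip host 192.168.1.1 10.16.1.0 255.255.255.0
"""

def _take_net(tokens):
    """Consume 'any', 'host A' or 'A MASK' from the front of the token list."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")

def parse_acls(text):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' entries."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"] or tokens[2:4] != ["permit", "ip"]:
            continue
        rest = tokens[4:]
        src = _take_net(rest)
        dst = _take_net(rest)
        acls.setdefault(tokens[1], []).append((src, dst))
    return acls

def matching_acls(acls, src, dst):
    """Sorted names of ACLs that have an entry covering the flow src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return sorted(name for name, entries in acls.items()
                  if any(s in a and d in b for a, b in entries))

if __name__ == "__main__":
    pc1, pc3, proxy = "10.16.1.10", "10.16.3.10", "192.168.1.1"  # PC addresses constructed
    before, after = parse_acls(PIX3_ACLS), parse_acls(PIX3_ACLS + PROPOSED)
    print("PC3 -> PC1, posted config:  ", matching_acls(before, pc3, pc1))
    print("proxy -> PC1, posted config:", matching_acls(before, proxy, pc1))
    print("proxy -> PC1, with mirror:  ", matching_acls(after, proxy, pc1))
```

An empty list for a flow means PIX515E-3 neither selects it for a tunnel nor exempts it from NAT.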
