Cisco Support Community


Site to site vpn

I have site A with PIX A configured for VPN remote access. I have site B with PIX B. I would like to set up a site-to-site VPN between the PIX firewalls, but since PIX A already has remote access VPN configured, I am wondering how I go about doing this and whether it would have redundant commands which could cause any problems on PIX A.

Any help would be much appreciated.

Thanks,

Lake

3 REPLIES

Re: Site to site vpn

Hi Lake,

Since you have configured remote access VPN (for mobile users) on PIX A, it should be no problem creating a site-to-site VPN on PIX A. Just create a new crypto map and isakmp setting with a pre-shared key.

You may try the sample below.

regards,

Bryan Chua

PIX A

ip address outside 209.165.201.8 255.255.255.224
ip address inside 192.168.12.1 255.255.255.0
no failover
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
static (dmz,outside) 209.165.202.131 10.1.0.2 netmask 255.255.255.255
access-list globalhost permit tcp 209.165.200.229 255.255.255.255 host 209.165.202.131 eq 389
access-list globalhost permit tcp 209.165.200.229 255.255.255.255 host 209.165.202.131 eq http
access-group globalhost in interface outside
nat 0 access-list 90
access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0
no rip outside passive
no rip outside default
rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 209.165.201.7 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map toSanJose 20 ipsec-isakmp
crypto map toSanJose 20 match address 90
crypto map toSanJose 20 set peer 209.165.200.229
crypto map toSanJose 20 set transform-set strong
crypto map toSanJose interface outside
isakmp enable outside
: ******** stands for the pre-shared key; it must be identical on both PIXes
isakmp key ******** address 209.165.200.229 netmask 255.255.255.255
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash sha
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400

PIX B

ip address outside 209.165.200.229 255.255.255.224
ip address inside 10.0.0.1 255.0.0.0
ip address dmz 192.168.101.1 255.255.255.0
ip address perimeter 192.168.102.1 255.255.255.0
no failover
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
failover ip address perimeter 0.0.0.0
arp timeout 14400
nat 0 access-list 80
access-list 80 permit ip 10.0.0.0 255.0.0.0 192.168.12.0 255.255.255.0
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
no rip dmz passive
no rip dmz default
no rip perimeter passive
no rip perimeter default
route outside 0.0.0.0 0.0.0.0 209.165.200.228 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map newyork 10 ipsec-isakmp
crypto map newyork 10 match address 80
crypto map newyork 10 set peer 209.165.201.8
crypto map newyork 10 set transform-set strong
crypto map newyork interface outside
isakmp enable outside
: ******** stands for the same pre-shared key configured on PIX A
isakmp key ******** address 209.165.201.8 netmask 255.255.255.255
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash sha
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400

Re: Site to site vpn

Hi,

Can you check out these links, which I feel may help you out in achieving the same?

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008019e6d7.shtml

http://cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html

AFAIK you can have both dynamic as well as static policies or peers configured to cater to your requirements.

Regards
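Both replies above say that a static site-to-site peer can coexist with the remote-access (dynamic) configuration already on PIX A. The fragment below is an added example, not part of either reply nor of Cisco's documentation, showing how the two actually fit together on PIX 6.3 and where Lake's "redundant commands" concern really bites. A PIX accepts only one crypto map set per interface, so the site-to-site entry has to go into the crypto map that already carries the dynamic (remote-access) entry, with a lower sequence number so the static peer is matched before the dynamic catch-all; and because `crypto map ... client authentication` and `client configuration` apply to every peer of that map, the pre-shared key for PIX B is tagged `no-xauth no-config-mode` so PIX B is not challenged for Xauth or pushed mode-config. The names `outside_map`, `dynmap`, `vpnpool`, `nonat`, `toSiteB`, the `mobile` vpngroup, the 192.168.50.0/24 client pool, the policy numbers and the `********` key placeholder are assumptions; the interface addresses and LANs are the ones in the sample above, and the `RADIUS` aaa-server group is the one the sample declares. AES-256 with DH group 5 replaces the sample's DES/3DES with group 1 because those are the strongest options PIX 6.3 offers (PIX B needs the matching policy and transform set); PIX 6.x itself is long end-of-life, so treat this as the shape of the configuration rather than a current hardening baseline.

```cisco
: PIX A (outside 209.165.201.8), PIX 6.3 -- static site-to-site peer added beside remote access.
: Added example; names marked (assumed) are not from the thread. Lines starting with ":" are comments.

: --- existing remote-access pieces, left in place (pool, map and group names assumed) ---
ip local pool vpnpool 192.168.50.1-192.168.50.254
crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
: dynamic entry keeps the highest sequence number so it is tried last
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map client authentication RADIUS
crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mobile address-pool vpnpool
vpngroup mobile idle-time 1800
vpngroup mobile password ********

: --- site-to-site additions ---
: Interesting traffic for the tunnel: site A LAN <-> site B LAN (10.0.0.0/8 as in the sample).
access-list toSiteB permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0
: NAT exemption must cover BOTH the site B LAN and the VPN-client pool; otherwise
: traffic is translated before it reaches the tunnel and the ACL never matches.
access-list nonat permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list nonat permit ip 192.168.12.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat

: Static entry in the SAME crypto map, sequence 20 < 65535, so PIX B's address is
: matched against this entry before the dynamic one is consulted.
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address toSiteB
crypto map outside_map 20 set peer 209.165.200.229
crypto map outside_map 20 set transform-set strong

: Key scoped to PIX B only (host mask). no-xauth / no-config-mode exempt this peer
: from the client authentication and mode-config commands above, which otherwise
: apply to every peer of outside_map and stall the L2L negotiation.
isakmp key ******** address 209.165.200.229 netmask 255.255.255.255 no-xauth no-config-mode

: Separate, stronger ISAKMP policy for the L2L peer (group 5 is the maximum on PIX 6.3).
: Policies are tried in priority order, so 5 is offered before the client policy 10.
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 5
isakmp policy 5 lifetime 86400

: Decrypted IPsec traffic bypasses the outside interface ACL.
sysopt connection permit-ipsec
```

PIX B gets the mirror image of the site-to-site part only: an ACL for 10.0.0.0/8 to 192.168.12.0/24 used for both `match address` and `nat 0`, `set peer 209.165.201.8`, the same key with a host netmask, and the identical transform set and ISAKMP policy. To check the result from PIX A, send traffic from a host on 192.168.12.0/24 toward 10.0.0.0/8 and run `show crypto isakmp sa` (the 209.165.200.229 entry should be in state QM_IDLE) and `show crypto ipsec sa` (the `pkts encaps` and `pkts decaps` counters for the toSiteB proxy identities should both increase). If Phase 1 fails only for the site-to-site peer while VPN clients still connect, the usual causes are a policy or transform-set mismatch with PIX B, or a key that was entered without `no-xauth no-config-mode`; `debug crypto isakmp` on either side shows which attribute was rejected.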


Re: Site to site vpn

I will try that. Thanks guys for all the help. I really appreciate that.

Regards,

Lake
