01-26-2007 11:49 PM - edited 02-21-2020 02:50 PM
Hi,
I have in my enterprise two offices which are connected through an IPsec tunnel (VPN) configured with a PIX 501 on each site.
Now I have to deploy another office and
I need to connect it to one of the existing sites.
Can I configure another IPsec tunnel on the PIX 501?
Could somebody point me to a document about this?
Best regards
Lorenzo
01-27-2007 12:34 AM
Lorenzo
Yes, you can add a second IPsec tunnel. To do this you need to:
Pix1 is existing site.
Pix2 is new site.
1) Add a new key on both Pix1 and Pix2.
2) You won't need any more isakmp settings on Pix1 as long as you are using the same settings.
3) On Pix1 you presumably have a crypto map setup already. So you need to add another entry for the crypto map. You can only have one crypto map so for example if you have on Pix1
crypto map vpn-set 10 ipsec-isakmp
crypto map vpn-set 10 match address existingsite
crypto map vpn-set 10 set pfs group2
crypto map vpn-set 10 set peer x.x.x.x
crypto map vpn-set 10 set transform-set ESP-3DES-SHA
crypto map vpn-set 10 set security-association lifetime seconds 3600 kilobytes 4608000
you would then simply add another sequence number to the crypto map
crypto map vpn-set 20 ipsec-isakmp
crypto map vpn-set 20 match address newsite
crypto map vpn-set 20 set pfs group2
crypto map vpn-set 20 set peer x.x.x.x
crypto map vpn-set 20 set transform-set ESP-3DES-SHA
crypto map vpn-set 20 set security-association lifetime seconds 3600 kilobytes 4608000
The crypto map sequence numbers are only relevant on each pix so you don't have to match sequence numbers across firewalls.
4) On Pix2 setup crypto map.
HTH
Jon
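A fuller Pix1-side configuration illustrating Jon's steps 1 to 3, as an added example that is not part of the original post. Everything except the names vpn-set, existingsite, newsite and ESP-3DES-SHA from the answer above is a constructed placeholder: the subnets, the peer addresses, the key strings and the nonat ACL name.

```text
! Added example (PIX 6.x syntax): Pix1 with two site-to-site tunnels.
! Constructed addresses: Pix1 inside 192.168.1.0/24, existing site 192.168.2.0/24,
! new site 192.168.3.0/24; peers 203.0.113.2 (existing) and 198.51.100.2 (new).
!
! Step 1: one pre-shared key per peer; use a different key for each site so that
! compromise of one site's key does not expose the other tunnel.
isakmp enable outside
isakmp key <KEY-EXISTING> address 203.0.113.2 netmask 255.255.255.255
isakmp key <KEY-NEW> address 198.51.100.2 netmask 255.255.255.255
!
! Step 2: the existing isakmp policy is reused for both peers.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
! Traffic selectors: one ACL per remote site, mirrored on the remote PIX.
access-list existingsite permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list newsite permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
!
! NAT exemption must also cover the new site, otherwise its traffic is
! translated by the outside NAT rule instead of matching the crypto map.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list nonat
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Step 3: a second sequence number in the same crypto map. Sequence numbers are
! local to this PIX; Pix2 and the existing-site PIX need not use 10 or 20.
crypto map vpn-set 10 ipsec-isakmp
crypto map vpn-set 10 match address existingsite
crypto map vpn-set 10 set pfs group2
crypto map vpn-set 10 set peer 203.0.113.2
crypto map vpn-set 10 set transform-set ESP-3DES-SHA
crypto map vpn-set 20 ipsec-isakmp
crypto map vpn-set 20 match address newsite
crypto map vpn-set 20 set pfs group2
crypto map vpn-set 20 set peer 198.51.100.2
crypto map vpn-set 20 set transform-set ESP-3DES-SHA
crypto map vpn-set interface outside
sysopt connection permit-ipsec
```

After applying it, `show crypto isakmp sa` and `show crypto ipsec sa` on Pix1 should list a separate SA per peer once traffic matching each ACL is generated.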
01-27-2007 12:34 PM
Hi Lorenzo,
Check:
Please rate if this helped.
Regards,
Daniel