12-22-2005 05:00 AM
Hi all,
Is this the right configuration to configure the PIX 525 firewall to establish 2 site-to-site VPN tunnels?
sysopt connection permit-ipsec
crypto ipsec transform-set 1ST_TRANSFORM_SET_NAME esp-des esp-md5-hmac
crypto ipsec transform-set 2ND_TRANSFORM_SET_NAME esp-des esp-md5-hmac
crypto map CRYPTO_MAP_NAME 10 ipsec-isakmp
crypto map CRYPTO_MAP_NAME 10 match address INTERESTED_TRAFFIC_ACL_NAME
crypto map CRYPTO_MAP_NAME 10 set peer 1ST_SITE_IP_ADDRESS
crypto map CRYPTO_MAP_NAME 10 set transform-set 1ST_TRANSFORM_SET_NAME
crypto map CRYPTO_MAP_NAME 20 ipsec-isakmp
crypto map CRYPTO_MAP_NAME 20 match address INTERESTED_TRAFFIC_ACL_NAME
crypto map CRYPTO_MAP_NAME 20 set peer 2ND_SITE_IP_ADDRESS
crypto map CRYPTO_MAP_NAME 20 set transform-set 2ND_TRANSFORM_SET_NAME
crypto map CRYPTO_MAP_NAME interface outside
isakmp enable outside
isakmp key 1ST_TUNNEL_KEY address 1ST_SITE_IP_ADDRESS netmask 255.255.255.255
isakmp key 2ND_TUNNEL_KEY address 2ND_SITE_IP_ADDRESS netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
Please advise if this will work or not.
12-22-2005 02:37 PM
The codes look fine, providing the no-NAT ACL and those crypto ACLs (i.e. interested_traffic_acl) are accurate.
Further, I would apply the command "isakmp identity address".
Below are the sample codes with ACLs:
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 121 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside 1.1.1.2 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map myvpn 10 ipsec-isakmp
crypto map myvpn 10 match address 121
crypto map myvpn 10 set peer 1.1.1.1
crypto map myvpn 10 set transform-set myset
crypto map myvpn interface outside
isakmp enable outside
isakmp key cisco123 address 1.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
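A check worth running before pasting a two-tunnel crypto map like the one in the question: this is an added example, not code from either post, that parses the PIX 6.x lines used in this thread and reports the cross-reference mistakes the reply says to watch for (crypto ACLs, peer keys, transform-set names, map applied to the interface), including two entries that share one crypto ACL, as the question's placeholders do. Map, ACL and transform-set names, peer addresses and keys in the sample are constructed.

```python
import re
from collections import defaultdict
# Constructed sample (not from the thread): the poster's two-tunnel layout with short
# names and addresses, the second peer deliberately left without an isakmp key.
SAMPLE = """
crypto ipsec transform-set TS1 esp-des esp-md5-hmac
crypto ipsec transform-set TS2 esp-des esp-md5-hmac
crypto map CM 10 match address VPN_ACL
crypto map CM 10 set peer 1.1.1.1
crypto map CM 10 set transform-set TS1
crypto map CM 20 match address VPN_ACL
crypto map CM 20 set peer 2.2.2.2
crypto map CM 20 set transform-set TS2
crypto map CM interface outside
isakmp key k1 address 1.1.1.1 netmask 255.255.255.255
"""
# Global definitions a crypto map entry must reference: regex -> bucket.
DEFS = {r"crypto ipsec transform-set (\S+) .*": "ts",
        r"isakmp key \S+ address (\S+) .*": "peer",
        r"crypto map (\S+) interface \S+": "applied"}
FIELD = {"match address": "acl", "set peer": "peer", "set transform-set": "ts"}

def lint_crypto_map(config: str) -> list[str]:
    """Cross-check PIX 6.x crypto map entries and return human-readable findings."""
    defined, entries = defaultdict(set), defaultdict(dict)
    for line in (l.strip() for l in config.splitlines()):
        for pat, bucket in DEFS.items():
            if m := re.fullmatch(pat, line):
                defined[bucket].add(m[1])
        if m := re.fullmatch(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)", line):
            entries[(m[1], int(m[2]))][FIELD[m[3]]] = m[4]
    findings = [f"crypto map {n} is not applied to any interface"
                for n in sorted({n for n, _ in entries} - defined["applied"])]
    acl_owner = {}
    for (name, seq), e in sorted(entries.items()):  # PIX tries entries in seq order
        tag = f"crypto map {name} {seq}"
        for fld in FIELD.values():
            if fld not in e:
                findings.append(f"{tag}: no {fld} configured")
        if "ts" in e and e["ts"] not in defined["ts"]:
            findings.append(f"{tag}: transform-set {e['ts']} is not defined")
        if "peer" in e and e["peer"] not in defined["peer"]:
            findings.append(f"{tag}: no isakmp key for peer {e['peer']}")
        acl = e.get("acl")
        if acl in acl_owner:  # same crypto ACL twice: the lower seq wins every time
            findings.append(f"{tag}: ACL {acl} already used by seq {acl_owner[acl]}, "
                            f"so this entry never selects peer {e.get('peer')}")
        elif acl:
            acl_owner[acl] = seq
    return findings
```

Run it over a saved `write terminal` output; an empty list means every entry has its ACL, peer key and transform-set and no two entries compete for the same interesting traffic.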