two VPN site-to-site tunnels

haithamsaif
Level 1

Hi all,

Is this the right configuration for a PIX 525 firewall to establish two site-to-site VPN tunnels?

sysopt connection permit-ipsec

crypto ipsec transform-set 1ST_TRANSFORM_SET_NAME esp-des esp-md5-hmac
crypto ipsec transform-set 2ND_TRANSFORM_SET_NAME esp-des esp-md5-hmac

crypto map CRYPTO_MAP_NAME 10 ipsec-isakmp
crypto map CRYPTO_MAP_NAME 10 match address INTERESTED_TRAFFIC_ACL_NAME
crypto map CRYPTO_MAP_NAME 10 set peer 1ST_SITE_IP_ADDRESS
crypto map CRYPTO_MAP_NAME 10 set transform-set 1ST_TRANSFORM_SET_NAME
crypto map CRYPTO_MAP_NAME 20 ipsec-isakmp
crypto map CRYPTO_MAP_NAME 20 match address INTERESTED_TRAFFIC_ACL_NAME
crypto map CRYPTO_MAP_NAME 20 set peer 2ND_SITE_IP_ADDRESS
crypto map CRYPTO_MAP_NAME 20 set transform-set 2ND_TRANSFORM_SET_NAME
crypto map CRYPTO_MAP_NAME interface outside

isakmp enable outside
isakmp key 1ST_TUNNEL_KEY address 1ST_SITE_IP_ADDRESS netmask 255.255.255.255
isakmp key 2ND_TUNNEL_KEY address 2ND_SITE_IP_ADDRESS netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000

Please advise whether this will work or not.


jackko
Level 7

The code looks fine, provided the no-NAT ACL and the crypto ACLs (i.e. interested_traffic_acl) are accurate.

Further, I would apply the command "isakmp identity address".

Below is a sample config with ACLs:

access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 121 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

ip address outside 1.1.1.2 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map myvpn 10 ipsec-isakmp
crypto map myvpn 10 match address 121
crypto map myvpn 10 set peer 1.1.1.1
crypto map myvpn 10 set transform-set myset
crypto map myvpn interface outside

isakmp enable outside
isakmp key cisco123 address 1.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
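Worked example, added here and not part of either post above: a complete PIX 6.3-style configuration for two site-to-site tunnels to two different peers. It follows the command syntax used in both posts, but gives each crypto map entry its own crypto ACL. The PIX evaluates crypto map entries in sequence-number order and uses the first entry whose ACL matches the packet, so two entries that share one ACL would send all matching traffic to the peer in entry 10 and entry 20 would never be used. The no-NAT ACL is the union of both crypto ACLs, so traffic for either remote subnet keeps its real source address. The IKE policy and transform set use AES-256/SHA-1 with DH group 5 rather than the DES/MD5/group 1 shown in the question; AES and group 5 require PIX 6.3. All IP addresses (RFC 5737 documentation ranges and 10.x.0.0/24 LANs), ACL and map names, and the pre-shared keys are constructed placeholders, and PIX 6.x syntax is assumed (PIX 7.x and ASA replace `isakmp key` with tunnel-group commands, so this fragment does not apply there as written). Lines starting with `:` are comments.

```text
: Interfaces (constructed addresses: this PIX is 203.0.113.2; peers are 198.51.100.1 and 192.0.2.1)
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.0.1 255.255.255.0

: Crypto ACLs: one per peer, each naming only the traffic that belongs in that tunnel
access-list to_site1 permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list to_site2 permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0

: No-NAT ACL: the union of both crypto ACLs, so VPN traffic is exempt from translation
access-list nonat permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list nonat permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
nat (inside) 0 access-list nonat
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

: Let decrypted IPsec traffic bypass the outside interface ACL
sysopt connection permit-ipsec

: Phase 2 (IPsec): one transform set is enough when both peers support it
crypto ipsec transform-set strong_set esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800

: Crypto map: evaluated in sequence order; each entry has its own ACL and its own peer
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address to_site1
crypto map vpn 10 set peer 198.51.100.1
crypto map vpn 10 set transform-set strong_set
crypto map vpn 20 ipsec-isakmp
crypto map vpn 20 match address to_site2
crypto map vpn 20 set peer 192.0.2.1
crypto map vpn 20 set transform-set strong_set
crypto map vpn interface outside

: Phase 1 (IKE): one pre-shared key per peer, /32 mask so each key binds to exactly one address;
: no-xauth/no-config-mode stop the LAN-to-LAN peer being treated as a remote-access client
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp key Site1PSK-placeholder address 198.51.100.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key Site2PSK-placeholder address 192.0.2.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
```

Each remote peer needs the mirror image of its crypto ACL (remote LAN to 10.1.0.0/24), the same transform set and a matching IKE policy. After sending traffic toward each remote subnet, `show isakmp sa` should list one Phase 1 SA per peer and `show crypto ipsec sa` should show a separate SA whose proxy identities match that peer's ACL; if site-2 traffic appears under the 198.51.100.1 SA, the crypto ACLs overlap and need to be separated.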