09-24-2005 08:30 PM
Dear Expertise
Recently we hava configured vpn tunnel between two locations. Now would like to create a vpn tunnel on third location. What configuration will applies on cisco PIX 501 firewall version 6.3.4.
Please refer thr existing pix config at both location.
Solved! Go to Solution.
10-01-2005 12:19 AM
please post the latest config?
09-25-2005 03:07 PM
you can leave the existing vpn config unchange and add the codes below. acl 101 is for no-nat; whereas acl 102 is for interesting traffic between location 1 and 3. you may apply the same code on location 2 pix.
another point should be noticed is that before you modify any crypto commands, you better disable crypto map, modify the codes and then re-apply the crypto map.
no crypto map rtpmap interface outside
access-list 101 permit ip 192.168.0.0 255.255.255.0
access-list 102 permit ip 192.168.0.0 255.255.255.0
crypto map rtpmap 2 ipsec-isakmp
crypto map rtpmap 2 match address 102
crypto map rtpmap 2 set peer
crypto map rtpmap 2 set transform-set SecuritySet
crypto map rtpmap 2 set security-association lifetime seconds 3600 kilobytes 4608000
isakmp key
crypto map rtpmap interface outside
09-25-2005 05:21 PM
Firstly thank you for your reply.
Loc 1: Static IP:203.49.xxx.xxx Inside IP:192.168.0.1
Loc 2: Static IP:61.17.xxx.xxx Inside IP:192.168.1.0
Loc 3: Static IP:58.105.xxx.xxx Inside IP:10.1.1.1
=====================================================
Location 3, Is this configuration OK ?
=====================================================
Result of firewall command: "sh run"
Saved
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.0.0 255.255.255.0 10.1.1.1 255.255.255.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 10.1.1.1 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 10.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 10.1.1.1 255.255.255.0 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set SecuritySet esp-des esp-sha-hmac
crypto map rtpmap 1 ipsec-isakmp
crypto map rtpmap 2 ipsec-isakmp
crypto map rtpmap 1 match address 101
crypto map rtpmap 2 match address 102
crypto map rtpmap 1 set peer 61.17.xxx.xxx (Location 1 Static IP)
crypto map rtpmap 2 set peer 58.105.xxx.xx (Location 3 Static IP)
crypto map rtpmap 2 set transform-set SecuritySet
crypto map rtpmap 2 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map rtpmap 1 set transform-set SecuritySet
crypto map rtpmap 1 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map rtpmap interface outside
isakmp enable outside
isakmp key ******** address 61.17.xxx.xxx netmask 255.255.255.255 (Location 1)
isakmp key ******** address 203.49.xxx.xxx netmask 255.255.255.255(Location2)
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group Internet request dialout pppoe
vpdn group Internet localname xxxxx
vpdn group Internet ppp authentication chap
vpdn username xxxxx password *********
vpdn enable inside
terminal width 80
Cryptochecksum:xxxx
: end
=====================================================
And location 1 and Location to Vice versa as location 3.
=====================================================
If i am wrong can you please paste it location 1, 2 and 3 config. Please refer my previous attachment.
Sorry i am new to pix firewall. If you could send me the indivisual location config then i will configure in all the locations.
I appreciate your time and patience.
Thanks
Thanks
09-25-2005 09:04 PM
--------------------------------------------------
Location 1
--------------------------------------------------
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto map rtpmap 2 ipsec-isakmp
crypto map rtpmap 2 match address 102
crypto map rtpmap 2 set peer
crypto map rtpmap 2 set transform-set SecuritySet
crypto map rtpmap 2 set security-association lifetime seconds 3600 kilobytes 4608000
isakmp key
--------------------------------------------------
Location 2
--------------------------------------------------
access-list 101 permit ip 192.168.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 103 permit ip 192.168.0.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto map rtpmap 2 ipsec-isakmp
crypto map rtpmap 2 match address 103
crypto map rtpmap 2 set peer
crypto map rtpmap 2 set transform-set SecuritySet
crypto map rtpmap 2 set security-association lifetime seconds 3600 kilobytes 4608000
isakmp key
--------------------------------------------------
Location 3
--------------------------------------------------
access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 102 permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 103 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map rtpmap 1 ipsec-isakmp
crypto map rtpmap 1 match address 102
crypto map rtpmap 1 set peer
crypto map rtpmap 1 set transform-set SecuritySet
crypto map rtpmap 1 set security-association lifetime seconds 3600 kilobytes 4608000
isakmp key
crypto map rtpmap 2 ipsec-isakmp
crypto map rtpmap 2 match address 103
crypto map rtpmap 2 set peer
crypto map rtpmap 2 set transform-set SecuritySet
crypto map rtpmap 2 set security-association lifetime seconds 3600 kilobytes 4608000
isakmp key
09-27-2005 03:27 AM
09-27-2005 03:37 AM
isakmp commands are missing. add the follow:
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp enable outside
09-27-2005 10:38 PM
09-28-2005 05:42 AM
an important command is missing on pix3.
apply this command "sysopt connection permit-ipsec" on pix3. basically the command tells the pix to ignore any acl for all encrypted traffic.
09-28-2005 06:28 AM
09-28-2005 06:43 AM
with pix3, add the followings:
crypto ipsec transform-set SecuritySet esp-des esp-sha-hmac
crypto map rtpmap 1 set transform-set SecuritySet
crypto map rtpmap 2 set transform-set SecuritySet
09-28-2005 05:13 PM
I did that still same problem.
09-29-2005 04:32 AM
add this command on pix3,
nat (inside) 0 access-list 101
also you don't need this,
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
09-29-2005 06:18 AM
As you know on pix3 i am using 192.168.2.1 as an inside network.
=================================================
" also you don't need this,
nat (inside) 1 192.168.0.0 255.255.255.0 0 0 "
=================================================
So i think i must use
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
=================================================
Waiting for your reply thanks for your effort
09-30-2005 05:13 AM
yes you are right. you must use "nat (inside) 1 192.168.2.0 255.255.255.0 0 0"
so is the vpn working fine now?
09-30-2005 06:34 AM
nat (inside) 0 access-list 101
just wondering whether you have applied the command above, as it's important for the pix not to nat the vpn interesting traffic.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide