
VPN Tunnel between 3 locations

lexiainfo
Level 1

Dear Experts

Recently we have configured a vpn tunnel between two locations. Now we would like to create a vpn tunnel to a third location. What configuration will apply on the cisco PIX 501 firewall, version 6.3.4?

Please refer to the existing pix config at both locations.

Accepted Solution

please post the latest config?


22 Replies

jackko
Level 7

you can leave the existing vpn config unchanged and add the commands below. acl 101 is for no-nat, whereas acl 102 is for interesting traffic between location 1 and 3. you may apply the same commands on the location 2 pix.

another point to note is that before you modify any crypto commands, you had better disable the crypto map, modify the commands and then re-apply the crypto map.

no crypto map rtpmap interface outside

access-list 101 permit ip 192.168.0.0 255.255.255.0

access-list 102 permit ip 192.168.0.0 255.255.255.0

crypto map rtpmap 2 ipsec-isakmp

crypto map rtpmap 2 match address 102

crypto map rtpmap 2 set peer

crypto map rtpmap 2 set transform-set SecuritySet

crypto map rtpmap 2 set security-association lifetime seconds 3600 kilobytes 4608000

isakmp key address netmask 255.255.255.255

crypto map rtpmap interface outside

Firstly thank you for your reply.

Loc 1: Static IP:203.49.xxx.xxx Inside IP:192.168.0.1

Loc 2: Static IP:61.17.xxx.xxx Inside IP:192.168.1.0

Loc 3: Static IP:58.105.xxx.xxx Inside IP:10.1.1.1

=====================================================

Location 3: is this configuration OK?

=====================================================

Result of firewall command: "sh run"

Saved

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx

passwd xxxx

hostname pixfirewall

domain-name ciscopix.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list 101 permit ip 192.168.0.0 255.255.255.0 10.1.1.1 255.255.255.0

access-list 102 permit ip 192.168.0.0 255.255.255.0 10.1.1.1 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside pppoe setroute

ip address inside 10.1.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 10.1.1.1 255.255.255.0 0 0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 0.0.0.0 0.0.0.0 outside

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set SecuritySet esp-des esp-sha-hmac

crypto map rtpmap 1 ipsec-isakmp

crypto map rtpmap 2 ipsec-isakmp

crypto map rtpmap 1 match address 101

crypto map rtpmap 2 match address 102

crypto map rtpmap 1 set peer 61.17.xxx.xxx (Location 1 Static IP)

crypto map rtpmap 2 set peer 58.105.xxx.xx (Location 3 Static IP)

crypto map rtpmap 2 set transform-set SecuritySet

crypto map rtpmap 2 set security-association lifetime seconds 3600 kilobytes 4608000

crypto map rtpmap 1 set transform-set SecuritySet

crypto map rtpmap 1 set security-association lifetime seconds 3600 kilobytes 4608000

crypto map rtpmap interface outside

isakmp enable outside

isakmp key ******** address 61.17.xxx.xxx netmask 255.255.255.255 (Location 1)

isakmp key ******** address 203.49.xxx.xxx netmask 255.255.255.255(Location2)

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash sha

isakmp policy 1 group 1

isakmp policy 1 lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn group Internet request dialout pppoe

vpdn group Internet localname xxxxx

vpdn group Internet ppp authentication chap

vpdn username xxxxx password *********

vpdn enable inside

terminal width 80

Cryptochecksum:xxxx

: end

=====================================================

And Location 1 and Location 2 vice versa, as with Location 3.

=====================================================

If I am wrong, can you please paste the location 1, 2 and 3 config. Please refer to my previous attachment.

Sorry, I am new to the pix firewall. If you could send me the individual location config then I will configure it in all the locations.

I appreciate your time and patience.

Thanks

Thanks

--------------------------------------------------

Location 1

--------------------------------------------------

access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 101 permit ip 192.168.0.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list 102 permit ip 192.168.0.0 255.255.255.0 10.1.1.0 255.255.255.0

crypto map rtpmap 2 ipsec-isakmp

crypto map rtpmap 2 match address 102

crypto map rtpmap 2 set peer

crypto map rtpmap 2 set transform-set SecuritySet

crypto map rtpmap 2 set security-association lifetime seconds 3600 kilobytes 4608000

isakmp key address netmask 255.255.255.255

--------------------------------------------------

Location 2

--------------------------------------------------

access-list 101 permit ip 192.168.0.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list 103 permit ip 192.168.0.0 255.255.255.0 10.1.1.0 255.255.255.0

crypto map rtpmap 2 ipsec-isakmp

crypto map rtpmap 2 match address 103

crypto map rtpmap 2 set peer

crypto map rtpmap 2 set transform-set SecuritySet

crypto map rtpmap 2 set security-association lifetime seconds 3600 kilobytes 4608000

isakmp key address netmask 255.255.255.255

--------------------------------------------------

Location 3

--------------------------------------------------

access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 102 permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list 103 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

crypto map rtpmap 1 ipsec-isakmp

crypto map rtpmap 1 match address 102

crypto map rtpmap 1 set peer

crypto map rtpmap 1 set transform-set SecuritySet

crypto map rtpmap 1 set security-association lifetime seconds 3600 kilobytes 4608000

isakmp key address netmask 255.255.255.255

crypto map rtpmap 2 ipsec-isakmp

crypto map rtpmap 2 match address 103

crypto map rtpmap 2 set peer

crypto map rtpmap 2 set transform-set SecuritySet

crypto map rtpmap 2 set security-association lifetime seconds 3600 kilobytes 4608000

isakmp key address netmask 255.255.255.255

I am trying and trying; it's not working, maybe the config is wrong for the third location. Can you please check? I am unable to ping location 1 and 2 from location 3.

Please see attachment for location 3 config.

Thanks

isakmp commands are missing. add the following:

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash sha

isakmp policy 1 group 1

isakmp policy 1 lifetime 86400

isakmp enable outside

Firstly thank you for your quick reply.

I followed the above commands but it still didn't work. Can you please check the config for location 1 and location 3.

Thanks

an important command is missing on pix3.

apply this command "sysopt connection permit-ipsec" on pix3. basically the command tells the pix to ignore any acl for all encrypted traffic.

Still same problem.

Here is the config for location 1 and 3.

Thanks

with pix3, add the following:

crypto ipsec transform-set SecuritySet esp-des esp-sha-hmac

crypto map rtpmap 1 set transform-set SecuritySet

crypto map rtpmap 2 set transform-set SecuritySet

I did that still same problem.

add this command on pix3,

nat (inside) 0 access-list 101

also you don't need this,

nat (inside) 1 192.168.0.0 255.255.255.0 0 0

As you know, on pix3 I am using 192.168.2.1 as the inside network.

=================================================

" also you don't need this,

nat (inside) 1 192.168.0.0 255.255.255.0 0 0 "

=================================================

So I think I must use

nat (inside) 1 192.168.2.0 255.255.255.0 0 0

=================================================

Waiting for your reply, thanks for your effort.

yes you are right. you must use "nat (inside) 1 192.168.2.0 255.255.255.0 0 0"

so is the vpn working fine now?

nat (inside) 0 access-list 101

just wondering whether you have applied the command above, as it's important for the pix not to nat the vpn interesting traffic.
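The thread above is a hand-run checklist: a no-nat ACL that covers every tunnel, a crypto map entry with its match address, peer and transform-set, `sysopt connection permit-ipsec`, the isakmp policy, and interesting-traffic ACLs written as networks (10.1.1.0, not 10.1.1.1) and mirrored on the far end. The script below is an added example, not part of this thread and not a Cisco tool: a small Python lint that parses the relevant PIX 6.3 lines and reports those same mistakes. The sample configs are constructed for the example (the "as posted" site 3 reproduces the errors jackko pointed out), and the peer addresses 192.0.2.1, 198.51.100.1 and 203.0.113.1 are documentation-range placeholders, not the posters' real IPs.

```python
"""Lint PIX 6.3 site-to-site IPsec configs for the mistakes worked through in this
thread. Constructed example; peer addresses are documentation-range placeholders."""
import ipaddress
from collections import defaultdict


def parse_pix(text):
    """Collect the ACL, NAT, crypto map and isakmp lines a tunnel depends on."""
    cfg = {"acls": defaultdict(list), "maps": defaultdict(dict), "nat0": None,
           "transform_sets": set(), "sysopt": False, "isakmp_enable": False,
           "isakmp_policy": False}
    for raw in text.splitlines():
        t = raw.split()
        if len(t) >= 8 and t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            cfg["acls"][t[1]].append((t[4], t[5], t[6], t[7]))  # src mask dst mask
        elif t[:2] == ["crypto", "map"] and len(t) >= 5 and t[3].isdigit():
            entry = cfg["maps"][(t[2], int(t[3]))]  # one dict per map sequence number
            if len(t) > 6 and t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
            elif len(t) > 6 and t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
            elif len(t) > 6 and t[4:6] == ["set", "transform-set"]:
                entry["transform"] = t[6]
        elif t[:3] == ["crypto", "ipsec", "transform-set"] and len(t) > 3:
            cfg["transform_sets"].add(t[3])
        elif t[:4] == ["nat", "(inside)", "0", "access-list"] and len(t) > 4:
            cfg["nat0"] = t[4]
        elif t == ["sysopt", "connection", "permit-ipsec"]:
            cfg["sysopt"] = True
        elif t[:2] == ["isakmp", "enable"]:
            cfg["isakmp_enable"] = True
        elif t[:2] == ["isakmp", "policy"]:
            cfg["isakmp_policy"] = True
    return cfg


def host_bits_set(addr, mask):
    """True for '10.1.1.1 255.255.255.0': a host written where a network belongs."""
    try:
        ipaddress.ip_network(f"{addr}/{mask}", strict=True)
        return False
    except ValueError:
        return True


def lint_site(cfg):
    """Per-box problems: the items jackko asked about one reply at a time."""
    out = []
    if not cfg["sysopt"]:
        out.append("missing 'sysopt connection permit-ipsec'")
    if not cfg["isakmp_enable"]:
        out.append("missing 'isakmp enable outside'")
    if not cfg["isakmp_policy"]:
        out.append("no 'isakmp policy' lines: phase 1 cannot negotiate")
    if cfg["nat0"] is None:
        out.append("no 'nat (inside) 0 access-list': VPN traffic would be NATed")
    exempt = set(cfg["acls"].get(cfg["nat0"], []))  # rules the no-nat ACL covers
    for (name, seq), e in sorted(cfg["maps"].items()):
        tag = f"crypto map {name} {seq}"
        for key, cmd in (("acl", "match address"), ("peer", "set peer"),
                         ("transform", "set transform-set")):
            if key not in e:
                out.append(f"{tag}: missing '{cmd}'")
        if "transform" in e and e["transform"] not in cfg["transform_sets"]:
            out.append(f"{tag}: transform-set {e['transform']} is never defined")
        for rule in cfg["acls"].get(e.get("acl"), []):
            src, smask, dst, dmask = rule
            for addr, mask in ((src, smask), (dst, dmask)):
                if host_bits_set(addr, mask):
                    out.append(f"{tag}: {addr} {mask} is a host, not a network")
            if rule not in exempt:
                out.append(f"{tag}: {src}->{dst} is not exempted from NAT")
    return out


def lint_mirror(cfg_a, acl_a, cfg_b, acl_b):
    """Each line of one end's interesting-traffic ACL must appear reversed on the other."""
    a = set(cfg_a["acls"].get(acl_a, []))
    b_flipped = {(d, dm, s, sm) for (s, sm, d, dm) in cfg_b["acls"].get(acl_b, [])}
    return ([f"{acl_a} {r} has no mirror in peer {acl_b}" for r in sorted(a - b_flipped)]
            + [f"{acl_a} lacks the mirror of a peer {acl_b} line: {r}" for r in sorted(b_flipped - a)])


# Constructed configs: site 1 (192.168.0.0/24) is the hub with tunnels to site 2
# (192.168.1.0/24) and site 3 (10.1.1.0/24). Peer IPs are placeholders.
SITE1 = """
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 103 permit ip 192.168.0.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
crypto ipsec transform-set SecuritySet esp-des esp-sha-hmac
crypto map rtpmap 1 ipsec-isakmp
crypto map rtpmap 1 match address 102
crypto map rtpmap 1 set peer 192.0.2.1
crypto map rtpmap 1 set transform-set SecuritySet
crypto map rtpmap 2 ipsec-isakmp
crypto map rtpmap 2 match address 103
crypto map rtpmap 2 set peer 198.51.100.1
crypto map rtpmap 2 set transform-set SecuritySet
crypto map rtpmap interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
"""
# Site 3 as first posted: host address in the ACLs, no nat 0, no sysopt, no transform-set.
SITE3_BROKEN = """
access-list 101 permit ip 10.1.1.1 255.255.255.0 192.168.0.0 255.255.255.0
access-list 102 permit ip 10.1.1.1 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
crypto map rtpmap 1 ipsec-isakmp
crypto map rtpmap 1 match address 102
crypto map rtpmap 1 set peer 203.0.113.1
crypto map rtpmap interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
"""
SITE3_FIXED = SITE3_BROKEN.replace("10.1.1.1 255", "10.1.1.0 255") + """\
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
crypto ipsec transform-set SecuritySet esp-des esp-sha-hmac
crypto map rtpmap 1 set transform-set SecuritySet
"""

if __name__ == "__main__":
    s1, s3b, s3f = parse_pix(SITE1), parse_pix(SITE3_BROKEN), parse_pix(SITE3_FIXED)
    for label, cfg in (("site1", s1), ("site3 as posted", s3b), ("site3 fixed", s3f)):
        print(label, lint_site(cfg) or "ok")
    print("mirror site1<->site3", lint_mirror(s1, "103", s3b, "102") or "ok")
```

Running it reports five findings for site 3 as posted (sysopt, nat 0, transform-set, the 10.1.1.1 host address and the resulting NAT exemption gap) and a clean result once the fixes from the thread are applied; the mirror check flags the 10.1.1.1 line on both sides until site 3's ACL uses the network address.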