Velocity Reviews - Computer Hardware Reviews
Pix 506 & 501 site-to-site VPN question.

 
 
Silvan Jappert
      05-01-2006
Hi all,

I currently have a Cisco Pix 506e set up at our main office. I also have a PIX 506e at a remote office. I've successfully configured a site-to-site VPN tunnel between these two locations. I've purchased an additional Pix 501 for another remote office and wish to do the same (site-to-site from remote2 to main). I've configured everything properly (from what I can see), and from comparing to the other configuration it should work, but it's not. Is there a restriction on the main office 506 to only allow 1 set of site-to-site VPN? I have 50 connectivity licenses for the 506, so licensing shouldn't be an issue as far as I know. Any input would be appreciated, thank you.


Silvan


Gary
      05-02-2006

Silvan Jappert wrote:

> Is there a restriction on the main office 506 to only allow 1 set of
> site-to-site VPN? I have 50 connectivity licenses for the 506, so
> licensing shouldn't be an issue as far as I know. Any input would
> be appreciated, thank you.


The 506e has a max limit of 20 IPsec tunnels so you should be ok for
licensing. One problem I came across with multiple tunnels is that you
can't have more than one crypto map. Instead, you have to give each
additional tunnel a new priority. For example:

no crypto map outside_map1 10 match address outside1
no crypto map outside_map1 10 set peer 10.10.0.3
no crypto map outside_map1 10 set transform-set ESP-3DES-SHA

no crypto map outside_map2 10 match address outside2
no crypto map outside_map2 10 set peer 10.20.0.3
no crypto map outside_map2 10 set transform-set ESP-3DES-SHA

crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 10.10.0.3
crypto map outside_map 10 set transform-set ESP-3DES-SHA

crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 10.20.0.3
crypto map outside_map 20 set transform-set ESP-3DES-SHA

access-list outside_cryptomap_10 extended permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 10.2.0.0 255.255.0.0 192.168.2.0 255.255.255.0

tunnel-group 10.10.0.3 type ipsec-l2l
tunnel-group 10.10.0.3 ipsec-attributes
pre-shared-key foo

tunnel-group 10.20.0.3 type ipsec-l2l
tunnel-group 10.20.0.3 ipsec-attributes
pre-shared-key bar

Silvan Jappert
      05-03-2006
OK, this is part of my current config at the main office PIX 506.



access-list Non-Nat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 #This is the internal local Office IP
access-list Non-Nat permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0 #This is the remote Office1 IP (the one that works)
access-list Non-Nat permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0 #This is the remote Office2 IP (the one I'm trying to set up)
access-list Split-Tun permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0 #Remote Office1
access-list Split-Tun3 permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0 #Remote Office2
......
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
.......
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set Trans-1 esp-3des esp-sha-hmac
crypto dynamic-map CovConn-Dyno 10 set transform-set Trans-1
crypto map CovConn-VPN 10 ipsec-isakmp dynamic CovConn-Dyno
crypto map CovConn-VPN client authentication MS-IAS
crypto map CovConn-VPN interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup CovConn-Group1 address-pool IP-Pool1
#CovConn-Group1 is used for home users to VPN to the network.
vpngroup CovConn-Group1 dns-server 192.168.0.5 192.168.0.6
vpngroup CovConn-Group1 default-domain cci.local
vpngroup CovConn-Group1 idle-time 1800
vpngroup CovConn-Group1 password ********
vpngroup CovConn-Group2 address-pool IP-Pool2
#CovConn-Group2 is used for the Remote Office1 VPN tunnel, which currently works.
vpngroup CovConn-Group2 dns-server 192.168.0.5 192.168.0.6
vpngroup CovConn-Group2 default-domain cci.local
vpngroup CovConn-Group2 split-tunnel Split-Tun
vpngroup CovConn-Group2 idle-time 1800
vpngroup CovConn-Group2 password ********
vpngroup CovConn-Group3 address-pool IP-Pool3
#CovConn-Group3 is the one that is not working, which I'm trying to set up.
vpngroup CovConn-Group3 dns-server 192.168.0.5 192.168.0.6
vpngroup CovConn-Group3 default-domain cci.local
vpngroup CovConn-Group3 split-tunnel Split-Tun3
vpngroup CovConn-Group3 idle-time 1800
vpngroup CovConn-Group3 password ********




This is the config of the PIX 501 at Remote Office2.

......
ip address outside pppoe setroute
ip address inside 192.168.3.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
.......
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
......
vpdn group PPPOE request dialout pppoe
vpdn group PPPOE localname *****
vpdn group PPPOE ppp authentication pap
vpdn username ******* password *********
dhcpd address 192.168.3.50-192.168.3.65 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
dhcprelay timeout 60
username ****** password ****** encrypted privilege 15
vpnclient server *IP ADDRESS OF OUTSIDE MAIN OFFICE*
vpnclient mode network-extension-mode
vpnclient vpngroup CovConn-Group3 password ********
vpnclient username ******* password ******
vpnclient enable




"Gary" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> Silvan Jappert wrote:
>
>> Is there a restriction on the main office 506 to only allow 1 set of
>> site-to-site VPN? I have 50 connectivity licenses for the 506, so
>> licensing shouldn't be an issue as far as I know. Any input would
>> be appreciated, thank you.

>
> The 506e has a max limit of 20 IPsec tunnels so you should be ok for
> licensing. One problem I came across with multiple tunnels is that you
> can't have more than one crypto map. Instead, you have to give each
> additional tunnel a new priority. For example:
>
> no crypto map outside_map1 10 match address outside1
> no crypto map outside_map1 10 set peer 10.10.0.3
> no crypto map outside_map1 10 set transform-set ESP-3DES-SHA
>
> no crypto map outside_map2 10 match address outside2
> no crypto map outside_map2 10 set peer 10.20.0.3
> no crypto map outside_map2 10 set transform-set ESP-3DES-SHA
>
> crypto map outside_map 10 match address outside_cryptomap_10
> crypto map outside_map 10 set peer 10.10.0.3
> crypto map outside_map 10 set transform-set ESP-3DES-SHA
>
> crypto map outside_map 20 match address outside_cryptomap_20
> crypto map outside_map 20 set peer 10.20.0.3
> crypto map outside_map 20 set transform-set ESP-3DES-SHA
>
> access-list outside_cryptomap_10 extended permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
> access-list outside_cryptomap_20 extended permit ip 10.2.0.0 255.255.0.0 192.168.2.0 255.255.255.0
>
> tunnel-group 10.10.0.3 type ipsec-l2l
> tunnel-group 10.10.0.3 ipsec-attributes
> pre-shared-key foo
>
> tunnel-group 10.20.0.3 type ipsec-l2l
> tunnel-group 10.20.0.3 ipsec-attributes
> pre-shared-key bar
>
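The two configuration mistakes discussed in this thread, Gary's point that only one crypto map can be applied to an interface so every additional tunnel needs its own sequence number in the same map, and the per-vpngroup split-tunnel ACL references in Silvan's 506 config, can both be checked mechanically before a change is pushed. The following Python linter is an added example, not code from the thread or from Cisco; it parses a constructed PIX-style fragment (the `SAMPLE_BAD` text, its map names `outside_map1`/`outside_map2`, the ACL names and the 10.x peer addresses are all assumed, following the shapes Gary used), reports the problems it finds, and emits the single-map layout Gary recommends.

```python
import re
from collections import defaultdict

# Line shapes the linter cares about (PIX 6.x and 7.x both use these forms).
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
ACL_RE = re.compile(r"^access-list (\S+) ")
SPLIT_RE = re.compile(r"^vpngroup (\S+) split-tunnel (\S+)$")

# Constructed sample (not from the thread): two separately named crypto maps, both
# bound to "outside", both using sequence 10, one referencing an ACL never defined,
# plus a vpngroup whose split-tunnel ACL is also missing.
SAMPLE_BAD = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map1 10 ipsec-isakmp
crypto map outside_map1 10 match address outside1
crypto map outside_map1 10 set peer 10.10.0.3
crypto map outside_map1 10 set transform-set ESP-3DES-SHA
crypto map outside_map2 10 ipsec-isakmp
crypto map outside_map2 10 match address outside2
crypto map outside_map2 10 set peer 10.20.0.3
crypto map outside_map2 10 set transform-set ESP-3DES-SHA
crypto map outside_map1 interface outside
crypto map outside_map2 interface outside
access-list outside1 permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
vpngroup Group3 split-tunnel Split-Tun3
"""


def parse_config(text):
    """Collect crypto map entries, interface bindings, ACL names and split-tunnel refs."""
    entries = defaultdict(dict)   # (map name, seq) -> {"match": acl, "peer": ip, "transform": ts}
    bindings = defaultdict(list)  # interface -> [map names bound to it]
    acls = set()
    split = {}                    # vpngroup -> split-tunnel ACL name
    for raw in text.splitlines():
        line = raw.strip()
        if m := BIND_RE.match(line):
            bindings[m.group(2)].append(m.group(1))
        elif m := ENTRY_RE.match(line):
            entry = entries[(m.group(1), int(m.group(2)))]  # created on first sight
            rest = m.group(3).split()
            if "dynamic" in rest:          # dynamic-map reference: no static peer expected
                entry["dynamic"] = True
            elif rest[:2] == ["match", "address"]:
                entry["match"] = rest[2]
            elif rest[:2] == ["set", "peer"]:
                entry["peer"] = rest[2]
            elif rest[:2] == ["set", "transform-set"]:
                entry["transform"] = rest[2]
        elif m := ACL_RE.match(line):
            acls.add(m.group(1))
        elif m := SPLIT_RE.match(line):
            split[m.group(1)] = m.group(2)
    return entries, bindings, acls, split


def lint_pix_vpn(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    entries, bindings, acls, split = parse_config(text)
    findings = []
    # 1. Only one crypto map can be applied per interface; a second name displaces the first.
    for iface, names in bindings.items():
        uniq = sorted(set(names))
        if len(uniq) > 1:
            findings.append(f"interface {iface}: {len(uniq)} crypto maps bound ({', '.join(uniq)}); "
                            "merge them into one map and give each tunnel its own sequence number")
    # 2. Entries in different maps that share a sequence number would collide when merged.
    by_seq = defaultdict(set)
    for name, seq in entries:
        by_seq[seq].add(name)
    for seq, names in sorted(by_seq.items()):
        if len(names) > 1:
            findings.append(f"sequence {seq} is used by maps {sorted(names)}; renumber (e.g. 10, 20, 30)")
    # 3. Each static entry needs a match ACL, a peer and a transform set, and the ACL must exist.
    for (name, seq), entry in sorted(entries.items()):
        if entry.get("dynamic"):
            continue
        for field in ("match", "peer", "transform"):
            if field not in entry:
                findings.append(f"crypto map {name} {seq}: missing {field}")
        acl = entry.get("match")
        if acl and acl not in acls:
            findings.append(f"crypto map {name} {seq}: match address {acl} refers to an undefined access-list")
    # 4. A vpngroup split-tunnel must point at an ACL that is actually defined.
    for group, acl in sorted(split.items()):
        if acl not in acls:
            findings.append(f"vpngroup {group}: split-tunnel {acl} refers to an undefined access-list")
    return findings


def merged_config(text, map_name="outside_map"):
    """Emit the single-map layout: one map name, sequence 10, 20, ... per static peer."""
    entries, _, _, _ = parse_config(text)
    lines, seq = [], 10
    for _, entry in sorted(entries.items()):
        if entry.get("dynamic") or "peer" not in entry:
            continue
        lines.append(f"crypto map {map_name} {seq} ipsec-isakmp")
        lines.append(f"crypto map {map_name} {seq} match address {entry.get('match')}")
        lines.append(f"crypto map {map_name} {seq} set peer {entry['peer']}")
        lines.append(f"crypto map {map_name} {seq} set transform-set {entry.get('transform')}")
        seq += 10
    return lines


if __name__ == "__main__":
    for finding in lint_pix_vpn(SAMPLE_BAD):
        print("FINDING:", finding)
    print("\n".join(merged_config(SAMPLE_BAD)))
```

Run it against a `show running-config` capture instead of `SAMPLE_BAD` to lint a real box; the dynamic-map entry in Silvan's 506 config (`crypto map CovConn-VPN 10 ipsec-isakmp dynamic CovConn-Dyno`) is deliberately skipped by the peer check, because an Easy VPN hub legitimately has no static peer for its remote clients.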



Gary
      05-03-2006
Please post the IPsec portion of your 501's config. Also, what version of
firmware are you using on the two devices? I see vpdn commands, so it's
definitely < 7.

Thanks,
Gary
Silvan Jappert
      05-04-2006
The PIX 501 is using PIX version 6.3(4) and the 506 is using 6.3(3).

There are no IPsec commands on the 501. I posted any of the relevant VPN
info. I've made 1 change on the 506 last night and it seems to be working
now.

"Gary" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Please post the IPsec portion of your 501's config. Also, what version of
> firmware are you using on the two devices? I see vpdn commands, so it's
> definitely < 7.
>
> Thanks,
> Gary


