Help needed with advanced pix vpning

 
 
Richard Lane
 
      01-23-2004
Hi, I need some assistance with some advanced VPN configuration. I can't
seem to find many Cisco texts on PIXs and VPN. I have a basic peer to
peer VPN network. I am using a PIX 515 as the main headquarters unit
and Pix 501s as the end nodes. The WAN is a leased 802.11b network
with 512k speed. I also have a privately owned 802.11b network that I
wish to run a VPN tunnel over. It is intended that the two networks
will use different physical ports in the 515.

So I was wondering if someone may be able to help me. I have all the
configs available etc.

Richard
 
 
 
 
 
Walter Roberson
 
      01-23-2004
In article <(E-Mail Removed) >,
Richard Lane <(E-Mail Removed)> wrote:
:Hi I need some assistance with some advanced VPN configuration. I cant
:seem to find many Cisco texts on PIXs and VPN. I have a basic peer to
:peer VPN network. I am using a PIX 515 as the main headquarters unit
:and Pix 501s as the end nodes. The WAN is a leased 802.11b network
:with 512k speed. I also have a privately owned 802.11b network that I
:wish to run a VPN tunnel over. It is intended that the two networks
:will use different physical ports in the 515.

:So I was wondering if someone may be able to help me. I have all the
:configs available etc.

I'd suggest firing up PDM and letting it handle the details, at least
to get a base configuration.

Cisco's site has a lot of configuration examples for VPNs on PIX.
Key words are ipsec, isakmp, and crypto. If your VPN tunnel is
"site to site" then those are the keys. If your VPN tunnel is
software-client-to-PIX then you also need vpngroup and related
commands.
--
Live it up, rip it up, why so lazy?
Give it out, dish it out, let's go crazy, yeah!
-- Supertramp (The USENET Song)
 
 
 
 
 
Richard Lane
 
      01-26-2004
Walter,

I have a basic meshed VPN grid using 8 pix 501's and head office using
a pix 515. I am using 3DES. The 515 has 6 interfaces.

Inside (The main LAN head office) 192.168.1.2 / 24
Outside (Internet) 203.xxx.xxx.xxx / 28
DMZ (Mail and Web Services) 192.168.10.1 / 24 (not in use)
Radio1 (Private 802.11b wireless network) 192.168.251.1 / 24
Radio2 (Public 802.11b wireless network) 192.168.250.1 / 29
int6 (not in use)

I can get a tunnel connected from 515 inside to a pix501 host on the
radio2 network and a tunnel connected from 515 inside to radio2 501
host.

I can't get the pix to route down from a pix501 on radio2 to a pix501
on radio1.

Is this possible??????

Rich



http://www.velocityreviews.com/forums/(E-Mail Removed)-cnrc.gc.ca (Walter Roberson) wrote in message news:<bupqbt$71v$(E-Mail Removed)>...
> In article <(E-Mail Removed) >,
> Richard Lane <(E-Mail Removed)> wrote:
> :Hi I need some assistance with some advanced VPN configuration. I cant
> :seem to find many Cisco texts on PIXs and VPN. I have a basic peer to
> :peer VPN network. I am using a PIX 515 as the main headquarters unit
> :and Pix 501s as the end nodes. The WAN is a leased 802.11b network
> :with 512k speed. I also have a privately owned 802.11b network that I
> :wish to run a VPN tunnel over. It is intended that the two networks
> :will use different physical ports in the 515.
>
> :So I was wondering if someone may be able to help me. I have all the
> :configs available etc.
>
> I'd suggest firing up PDM and letting it handle the details, at least
> to get a base configuration.
>
> Cisco's site has a lot of configuration examples for VPNs on PIX.
> Key words are ipsec, isakmp, and crypto. If your VPN tunnel is
> "site to site" then those are the keys. If your VPN tunnel is
> software-client-to-PIX then you also need vpngroup and related
> commands.

 
 
Walter Roberson
 
      01-27-2004
In article <(E-Mail Removed) >,
Richard Lane <(E-Mail Removed)> wrote:
:I have a basic meshed VPN grid using 8 pix 501's and head office using
:a pix 515. I am using 3DES. The 515 has 6 interfaces.

:Inside (The main LAN head office) 192.168.1.2 / 24
:Outside (Internet) 203.xxx.xxx.xxx / 28
:DMZ (Mail and Web Services) 192.168.10.1 / 24 (not in use)
:Radio1 (Private 802.11b wireless network) 192.168.251.1 / 24
:Radio2 (Public 802.11b wireless network) 192.168.250.1 / 29

:I can get a tunnel connected from 515 inside to a pix501 host on the
:radio2 network and a tunnel connected from 515 inside to radio2 501
:host.

:I cant get the pix to route down from a pix501 on radio2 to a pix501
:on radio1.

:Is this possible??????

Yes, it isn't a particular problem. You just have to ensure they are
at different security levels, and then apply the regular nat / global /
static rules.

I will assume that Radio1 is higher security than Radio2. Then for
general access from Radio1 to Radio2, you would have

nat (Radio1) 10 192.168.251.0 255.255.255.0
global (Radio2) 10 interface

To go back up, from Radio2 to Radio1, would require that there
be a particular host enabled to receive connections... say
192.168.251.12.

static (Radio1, Radio2) 192.168.251.12 192.168.251.12 netmask 255.255.255.255 0 0
access-list acl-r2-r1 permit ip 192.168.250.0 255.255.255.0 host 192.168.251.12

The fact that VPNs are involved doesn't matter to the PIX: it applies
regular routing to packets on VPN connections.
--
"No one has the right to destroy another person's belief by
demanding empirical evidence." -- Ann Landers
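
The rules from the reply above, collected into one PIX 6.x fragment as an added example (not part of the original post). The hardware ids ethernet3/ethernet4 and the security levels 60/40 are assumptions; the access-group line is added here because an access-list does not filter anything on the PIX until it is bound to an interface.

```cisco
: Added example. ethernet3/ethernet4 and security60/security40 are assumed
: values, not taken from the thread. Radio1 must be the higher level.
nameif ethernet3 Radio1 security60
nameif ethernet4 Radio2 security40
ip address Radio1 192.168.251.1 255.255.255.0
ip address Radio2 192.168.250.1 255.255.255.248
:
: Radio1 -> Radio2 (higher to lower): PAT behind the Radio2 interface address
nat (Radio1) 10 192.168.251.0 255.255.255.0
global (Radio2) 10 interface
:
: Radio2 -> Radio1 (lower to higher): publish one host with an identity static
static (Radio1,Radio2) 192.168.251.12 192.168.251.12 netmask 255.255.255.255 0 0
:
: ACL as posted in the reply. The thread lists Radio2 as a /29, so
: 255.255.255.248 is the tighter source mask if only that subnet should
: reach the host.
access-list acl-r2-r1 permit ip 192.168.250.0 255.255.255.0 host 192.168.251.12
:
: Bind the ACL to traffic arriving on Radio2 (added; not in the reply)
access-group acl-r2-r1 in interface Radio2
```

After loading it, `show access-list` shows hit counts on the permit line and `show xlate` shows whether the static and PAT translations are being built.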
 