Velocity Reviews - Computer Hardware Reviews

Activate a VPN IPSec between 2 PIX without generating a bidirectional flow at start...

vortex (Guest)
04-22-2004
Hi,

I've just configured an IPSec tunnel between a PIX 525 and a PIX 501, but my
problem is that the first time I want to bring the tunnel up, I need to generate
flow from the remote network (behind the 501) to the local network (behind
the 525) AND another flow simultaneously from the local network to the
remote network... If I don't do that, the tunnel refuses to permit any
traffic...

In reality, it's not always possible for me to initiate a flow from the
remote LAN to the local one...
So, here is my question:
How can I obtain the fully "upped" VPN as soon as I initiate a flow
from my local network to the remote one?
What is the problem in my configuration? I don't understand...


Best regards,
Laurent.



Here is a sample of my configuration:

Remote Net<-->PIX501<---WAN--->PIX525<-->Local Net
With:
Remote Net = 192.168.2.0/24
PIX501's IP = 192.168.2.1 and 172.16.2.1 (Wan IP)
PIX525's IP = 192.168.1.1 and 172.16.1.1 (Wan IP)
Local Net = 192.168.1.0/24

Sample of the config on the PIX 501:
access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 90 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map central 20 ipsec-isakmp
crypto map central 20 match address 90
crypto map central 20 set peer 172.16.1.1
crypto map central 20 set transform-set strong
crypto map central interface outside
isakmp enable outside
isakmp enable inside
isakmp key ******** address 172.16.1.1 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10 10
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400


Sample of the config on the PIX 525:
access-list 90 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map remote 20 ipsec-isakmp
crypto map remote 20 match address 90
crypto map remote 20 set peer 172.16.2.1
crypto map remote 20 set transform-set strong
crypto map remote interface outside
isakmp enable outside
isakmp enable inside
isakmp key ******** address 172.16.2.1 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10 10
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400


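When a site-to-site tunnel only comes up under particular traffic conditions, the first thing to rule out is an asymmetry between the two ends: peer address versus the other box's outside IP, pre-shared key binding, transform set, ISAKMP policy, whether the two crypto ACLs are mirror images, and whether every local-to-remote crypto entry has a matching NAT exemption. The script below is an added example (not part of the original post and not Cisco code): it parses the two snippets from the post, which are embedded as constructed input, and reports any mismatch. The outside IPs (172.16.2.1 and 172.16.1.1) are taken from the post's diagram. Only the command forms that appear in the post are recognised; everything else is ignored. Crypto ACEs whose source is the remote network are reported as informational only, because a crypto ACL is conventionally written from the local side's perspective; the script does not claim they are the cause of the poster's symptom.

```python
"""Cross-check two PIX 6.x site-to-site IPsec snippets for the usual
asymmetries that stop a tunnel from negotiating cleanly.
Added example: a small parser/checker, not code from the original post."""
import re
from collections import defaultdict

# Constructed input: the post's two snippets (trimmed to the lines the
# checker reads) plus each box's outside IP from the post's diagram.
PIX501_OUTSIDE = "172.16.2.1"
PIX525_OUTSIDE = "172.16.1.1"
PIX501 = """
access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 90 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map central 20 match address 90
crypto map central 20 set peer 172.16.1.1
crypto map central 20 set transform-set strong
isakmp key ******** address 172.16.1.1 netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
"""
PIX525 = """
access-list 90 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map remote 20 match address 90
crypto map remote 20 set peer 172.16.2.1
crypto map remote 20 set transform-set strong
isakmp key ******** address 172.16.2.1 netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
"""

ACE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
TSET = re.compile(r"crypto ipsec transform-set (\S+) (.+)$")
CMAP = re.compile(r"crypto map \S+ \d+ (match address|set peer|set transform-set) (\S+)$")
KEY = re.compile(r"isakmp key \S+ address (\S+) netmask \S+$")
POLICY = re.compile(r"isakmp policy \d+ (authentication|encryption|hash|group) (\S+)$")


def parse_pix(name, outside_ip, text):
    """Extract the VPN-relevant facts from one PIX snippet into a dict."""
    side = {"name": name, "outside": outside_ip, "acls": defaultdict(list),
            "tsets": {}, "cmap": {}, "keys": set(), "policy": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACE.match(line):                       # ACE as (src/mask, dst/mask)
            acl, src, smask, dst, dmask = m.groups()
            side["acls"][acl].append((f"{src}/{smask}", f"{dst}/{dmask}"))
        elif m := TSET.match(line):                    # transform set -> algorithms
            side["tsets"][m.group(1)] = frozenset(m.group(2).split())
        elif m := CMAP.match(line):                    # peer / ACL / transform binding
            side["cmap"][m.group(1)] = m.group(2)
        elif m := KEY.match(line):                     # address the PSK is bound to
            side["keys"].add(m.group(1))
        elif m := POLICY.match(line):                  # phase-1 proposal attributes
            side["policy"][m.group(1)] = m.group(2)
    return side


def check_pair(a, b):
    """Return (errors, info): errors are mismatches that block negotiation,
    info flags entries worth a second look but not necessarily wrong."""
    errors, info = [], []
    for x, y in ((a, b), (b, a)):
        if x["cmap"].get("set peer") != y["outside"]:
            errors.append(f'{x["name"]}: peer {x["cmap"].get("set peer")} is not '
                          f'{y["name"]} outside address {y["outside"]}')
        if y["outside"] not in x["keys"]:
            errors.append(f'{x["name"]}: no isakmp key bound to {y["outside"]}')
    ta = a["tsets"].get(a["cmap"].get("set transform-set"))
    tb = b["tsets"].get(b["cmap"].get("set transform-set"))
    if ta != tb:
        errors.append(f"transform sets differ: {sorted(ta or ())} vs {sorted(tb or ())}")
    if a["policy"] != b["policy"]:
        errors.append(f'isakmp policy differs: {a["policy"]} vs {b["policy"]}')
    ca = set(a["acls"].get(a["cmap"].get("match address"), []))
    cb = set(b["acls"].get(b["cmap"].get("match address"), []))
    if {(d, s) for s, d in ca} != cb:                  # each side must mirror the other
        errors.append("crypto ACLs are not mirror images of each other")
    for x, crypto in ((a, ca), (b, cb)):
        nat0 = set(x["acls"].get("inside_nat0_outbound", []))
        local_nets = {s for s, _ in nat0}              # nat0 sources are the local side
        outbound = {ace for ace in crypto if ace[0] in local_nets}
        for ace in sorted(outbound - nat0):            # encrypted traffic must bypass NAT
            errors.append(f'{x["name"]}: crypto ACE {ace} has no nat0 exemption')
        for ace in sorted(crypto - outbound):          # informational only
            info.append(f'{x["name"]}: crypto ACE {ace} has the remote network as '
                        'source; crypto ACLs are conventionally written local->remote')
    return errors, info


if __name__ == "__main__":
    errs, notes = check_pair(parse_pix("PIX501", PIX501_OUTSIDE, PIX501),
                             parse_pix("PIX525", PIX525_OUTSIDE, PIX525))
    print("errors:", errs or "none")
    for n in notes:
        print("info:", n)
```

Run against the post's own snippets the checker finds no blocking mismatch and only flags the reverse-direction ACE on each side; editing one snippet (for instance changing a `set peer` address or the hash in the transform set) makes the corresponding error appear, which is the point of keeping both ends' configs side by side before looking elsewhere.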