Velocity Reviews - Computer Hardware Reviews
PIX 501 VPN servers and VPN site to site - possible?

Robert
12-12-2005
Hello
I have 2 Cisco PIX firewalls. I have VPN servers on both of the PIXes. How can I
make a VPN site to site?
This is my config

Office
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname fwl1
names
object-group service tcp_19 tcp
description tcp ports for server on address 80.80.80.19
port-object eq www
port-object eq https
access-list outside_access_in permit icmp any any log
access-list outside_access_in permit tcp any host 80.80.80.19 object-group tcp_19
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip address outside 80.80.80.18 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip local pool ippool 192.168.2.14-192.168.2.20
global (outside) 10 interface
nat (inside) 0 access-list 101
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 80.80.80.19 192.168.1.28 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 80.80.80.17 1
http server enable
http 192.168.1.0 255.255.255.0 inside
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map inside_map interface inside
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup VPN-O address-pool ippool
vpngroup VPN-O dns-server 192.168.1.2
vpngroup VPN-O wins-server 192.168.1.2
vpngroup VPN-O default-domain mydomain.com
vpngroup VPN-O split-tunnel 101
vpngroup VPN-O idle-time 1800
vpngroup VPN-O password ********************
vpdn enable outside
dhcpd address 192.168.1.30-192.168.1.120 inside
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain aaa.com
dhcpd auto_config outside
dhcpd enable inside

Remote office
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname fwl2
object-group service tcp_114 tcp
object-group service udp_114 udp
object-group service tcp_115 tcp
object-group service udp_115 udp
object-group service tcp_116 tcp
object-group service udp_116 udp
object-group service tcp_117 tcp
object-group service tcp_118 tcp
object-group service udp_118 udp
access-list outside_access_in permit icmp any any log
access-list outside_access_in permit tcp any host 90.90.90.114 object-group tcp_114
access-list outside_access_in permit udp any host 90.90.90.114 object-group udp_114
access-list outside_access_in permit tcp any host 90.90.90.115 object-group tcp_115
access-list outside_access_in permit udp any host 90.90.90.115 object-group udp_115
access-list outside_access_in permit tcp any host 90.90.90.116 object-group tcp_116
access-list outside_access_in permit udp any host 90.90.90.116 object-group udp_116
access-list outside_access_in permit tcp any host 90.90.90.117 object-group tcp_117
access-list outside_access_in permit tcp any host 90.90.90.118 object-group tcp_118
access-list 101 permit ip 90.90.90.112 255.255.255.248 192.168.2.0 255.255.255.0
ip address outside 90.90.66.239 255.255.254.0
ip address inside 90.90.90.113 255.255.255.248
global (outside) 100 interface
nat (inside) 0 access-list 101
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 90.90.90.114 90.90.90.114 netmask 255.255.255.255 0 0
static (inside,outside) 90.90.90.115 90.90.90.115 netmask 255.255.255.255 0 0
static (inside,outside) 90.90.90.116 90.90.90.116 netmask 255.255.255.255 0 0
static (inside,outside) 90.90.90.117 90.90.90.117 netmask 255.255.255.255 0 0
static (inside,outside) 90.90.90.118 90.90.90.118 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 90.90.66.1 1
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map inside_map interface inside
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup VPN-D address-pool ippool
vpngroup VPN-D dns-server 90.90.90.115
vpngroup VPN-D wins-server 90.90.90.115
vpngroup VPN-D default-domain thoughtwebfinancial.com
vpngroup VPN-D split-tunnel 101
vpngroup VPN-D idle-time 1800
vpngroup VPN-D password *****************************
: end

Will it work?
Can I have VPN servers and VPN site to site?

Thank you
Robert


Walter Roberson
12-12-2005
      12-12-2005
In article <dnk9v4$1d$(E-Mail Removed)>,
Robert <(E-Mail Removed)> wrote:
>I have 2 cisco PIX firewalls. Ihave VPN servers on both of PIX. How can i
>make VPN site to site


>Office
>PIX Version 6.3(4)
>access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0


add:

access-list 101 permit ip 192.168.1.0 255.255.255.0 90.90.90.113 255.255.255.248
access-list RemoteOfficeACL permit ip 192.168.1.0 255.255.255.0 90.90.90.113 255.255.255.248

>ip address outside 80.80.80.18 255.255.255.240
>ip address inside 192.168.1.1 255.255.255.0


>nat (inside) 0 access-list 101


>sysopt connection permit-ipsec
>crypto ipsec transform-set myset esp-des esp-md5-hmac
>crypto dynamic-map dynmap 10 set transform-set myset
>crypto map inside_map interface inside


add:

crypto map mymap 5 ipsec-isakmp
crypto map mymap 5 set transform-set myset
crypto map mymap 5 match address RemoteOfficeACL
crypto map mymap 5 set peer 90.90.66.239

>crypto map mymap 10 ipsec-isakmp dynamic dynmap
>crypto map mymap interface outside
>isakmp enable outside
>isakmp nat-traversal 10


add:

isakmp key SomeSharedPasswordGoesHere address 90.90.66.239 netmask 255.255.255.255 no-xauth no-config-mode


>Remote office
>PIX Version 6.3(4)


>access-list 101 permit ip 90.90.90.112 255.255.255.248 192.168.2.0 255.255.255.0


add:

access-list 101 permit ip 90.90.90.112 255.255.255.248 192.168.1.0 255.255.255.0
access-list RemoteOfficeACL permit ip 90.90.90.112 255.255.255.248 192.168.1.0 255.255.255.0


>ip address outside 90.90.66.239 255.255.254.0
>ip address inside 90.90.90.113 255.255.255.248


>nat (inside) 0 access-list 101


>sysopt connection permit-ipsec


>crypto ipsec transform-set myset esp-des esp-md5-hmac
>crypto dynamic-map dynmap 10 set transform-set myset
>crypto map inside_map interface inside


add:

crypto map mymap 5 ipsec-isakmp
crypto map mymap 5 set transform-set myset
crypto map mymap 5 match address RemoteOfficeACL
crypto map mymap 5 set peer 80.80.80.18

>crypto map mymap 10 ipsec-isakmp dynamic dynmap
>crypto map mymap interface outside
>isakmp enable outside
>isakmp nat-traversal 10


add:

isakmp key SomeSharedPasswordGoesHere address 80.80.80.18 netmask 255.255.255.255 no-xauth no-config-mode


>Will it work


Yes.

>can i have VPN servers and VPN site to site?


Yes.

What you will -not- be able to do with that setup and that software
revision, is have VPN clients that connect to one of the offices and
make use of the VPN link to the other office: each VPN client will
be restricted to the LAN of the PIX it connects to. Allowing the link
to be shared gets complicated and usually requires additional hardware
in PIX 6.x.
--
If you lie to the compiler, it will get its revenge. -- Henry Spencer

Robert
12-13-2005
      12-13-2005
> What you will -not- be able to do with that setup and that software
> revision, is have VPN clients that connect to one of the offices and
> make use of the VPN link to the other office: each VPN client will
> be restricted to the LAN of the PIX it connects to. Allowing the link
> to be shared gets complicated and usually requires additional hardware
> in PIX 6.x .


Thank you.
I will do this Saturday.
Like always, Walter, you are a star.

Robert

Robert
12-14-2005
      12-14-2005
>Office
>PIX Version 6.3(4)
> add:
> access-list 101 permit ip 192.168.1.0 255.255.255.0 90.90.90.113 255.255.255.248


should be
access-list 101 permit ip 192.168.1.0 255.255.255.0 90.90.90.112 255.255.255.248

> access-list RemoteOfficeACL permit ip 192.168.1.0 255.255.255.0 90.90.90.113 255.255.255.248

should be
access-list RemoteOfficeACL permit ip 192.168.1.0 255.255.255.0 90.90.90.112 255.255.255.248

>>Remote office
>PIX Version 6.3(4)
> add:

Did not work the 1st time.
I will check again,
but I am smarter than before.

Thank you.
I will try again and I will tell you about the errors.
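The answer above and the correction in this last post together show the three things that must line up on both PIXes before a static site-to-site entry in front of a dynamic crypto map will work: the crypto ACL on each side must be the mirror image of the other side's, each crypto ACL entry must also be covered by the `nat (inside) 0` exemption list, and the `set peer` address needs a matching `isakmp key` and a lower sequence number than the dynamic entry. The checker below is an added example, not code from this thread or from Cisco; it parses only the exact `access-list ... permit ip`, `crypto map ... set peer`, `crypto map ... ipsec-isakmp dynamic` and `isakmp key ... address` forms that appear in the thread, and the two sample configs are constructed from the additions the answer proposed, with the office side still carrying the `90.90.90.113` host address that the last post corrects to `90.90.90.112`. Run against them it flags that slip (host bits set under a /29 mask) and nothing else, and it also catches a missing `isakmp key` line or a static entry sequenced after the dynamic one.

```python
"""Consistency checks for a PIX 6.3-style site-to-site IPsec configuration.
Added example; sample configs are constructed from the additions proposed in the thread."""
import ipaddress
import re

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
PEER_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+set peer\s+(\S+)")
DYN_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+ipsec-isakmp dynamic\s+\S+")
KEY_RE = re.compile(r"^isakmp key\s+\S+\s+address\s+(\S+)")

# Office side as first proposed (constructed): note 90.90.90.113 with a /29 mask.
OFFICE = """
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 90.90.90.113 255.255.255.248
access-list RemoteOfficeACL permit ip 192.168.1.0 255.255.255.0 90.90.90.113 255.255.255.248
crypto map mymap 5 ipsec-isakmp
crypto map mymap 5 set transform-set myset
crypto map mymap 5 match address RemoteOfficeACL
crypto map mymap 5 set peer 90.90.66.239
crypto map mymap 10 ipsec-isakmp dynamic dynmap
isakmp key SomeSharedPasswordGoesHere address 90.90.66.239 netmask 255.255.255.255 no-xauth no-config-mode
"""

# Remote office side as proposed (constructed).
REMOTE = """
access-list 101 permit ip 90.90.90.112 255.255.255.248 192.168.2.0 255.255.255.0
access-list 101 permit ip 90.90.90.112 255.255.255.248 192.168.1.0 255.255.255.0
access-list RemoteOfficeACL permit ip 90.90.90.112 255.255.255.248 192.168.1.0 255.255.255.0
crypto map mymap 5 ipsec-isakmp
crypto map mymap 5 set transform-set myset
crypto map mymap 5 match address RemoteOfficeACL
crypto map mymap 5 set peer 80.80.80.18
crypto map mymap 10 ipsec-isakmp dynamic dynmap
isakmp key SomeSharedPasswordGoesHere address 80.80.80.18 netmask 255.255.255.255 no-xauth no-config-mode
"""


def parse_aces(config, acl_name):
    """Return ([(src_net, dst_net), ...], problems) for the 'permit ip' entries of one ACL.
    An address that is not the network address for its mask (host bits set) is
    reported: that is the .113 vs .112 slip corrected in the thread."""
    aces, problems = [], []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group(1) != acl_name:
            continue
        nets = []
        for addr, mask in ((m.group(2), m.group(3)), (m.group(4), m.group(5))):
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            if ipaddress.ip_address(addr) != net.network_address:
                problems.append(f"{acl_name}: {addr} {mask} has host bits set, "
                                f"network address is {net.network_address}")
            nets.append(net)
        aces.append((nets[0], nets[1]))
    return aces, problems


def unmirrored(local_aces, remote_aces):
    """Crypto ACLs must be mirror images: each local (src, dst) needs a remote (dst, src)."""
    remote = set(remote_aces)
    return [ace for ace in local_aces if (ace[1], ace[0]) not in remote]


def not_nat_exempt(crypto_aces, nat0_aces):
    """Every crypto ACE must sit inside some nat 0 ACE; otherwise the traffic is
    translated before the crypto map sees it and never matches the tunnel."""
    missing = []
    for src, dst in crypto_aces:
        if not any(src.subnet_of(ns) and dst.subnet_of(nd) for ns, nd in nat0_aces):
            missing.append((src, dst))
    return missing


def crypto_map_problems(config):
    """A static peer entry needs a matching 'isakmp key ... address <peer>' and a
    lower sequence number than the dynamic entry, so it is evaluated first."""
    problems, keys, peers, dynamic = [], set(), [], {}
    for raw in config.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            keys.add(m.group(1))
            continue
        m = PEER_RE.match(line)
        if m:
            peers.append((m.group(1), int(m.group(2)), m.group(3)))
            continue
        m = DYN_RE.match(line)
        if m:
            name, seq = m.group(1), int(m.group(2))
            dynamic[name] = min(seq, dynamic.get(name, seq))
    for name, seq, peer in peers:
        if peer not in keys:
            problems.append(f"crypto map {name} {seq}: no isakmp key for peer {peer}")
        if name in dynamic and seq >= dynamic[name]:
            problems.append(f"crypto map {name} {seq}: static entry must precede "
                            f"dynamic entry {dynamic[name]}")
    return problems


def check_site_to_site(local, remote, crypto_acl="RemoteOfficeACL", nat0_acl="101"):
    """Run all checks for one side; the peer config is needed only for the mirror test."""
    local_crypto, problems = parse_aces(local, crypto_acl)
    remote_crypto, _ = parse_aces(remote, crypto_acl)
    local_nat0, nat_problems = parse_aces(local, nat0_acl)
    problems += nat_problems
    problems += [f"{crypto_acl}: {s} -> {d} has no mirror entry on the peer"
                 for s, d in unmirrored(local_crypto, remote_crypto)]
    problems += [f"{crypto_acl}: {s} -> {d} is not exempted by nat (inside) 0"
                 for s, d in not_nat_exempt(local_crypto, local_nat0)]
    problems += crypto_map_problems(local)
    return problems


if __name__ == "__main__":
    for side, local, remote in (("office", OFFICE, REMOTE), ("remote", REMOTE, OFFICE)):
        print(side, check_site_to_site(local, remote) or "ok")
```

Feed it the real running configs of both units (one string per side) and read the list it returns before bringing the tunnel up; the mirror and NAT-exemption tests are the general rule of which the thread's four `access-list` lines are one instance, so they apply unchanged to any number of protected subnets.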