Activate an IPsec VPN between 2 PIXes without generating a bidirectional flow at start...

Discussion in 'Cisco' started by vortex, Apr 22, 2004.

  1. vortex

    vortex Guest

    Hi,

    I've just configured an IPsec tunnel between a PIX 525 and a PIX 501, but my
    problem is that the first time I want to bring the tunnel up, I need to generate
    a flow from the remote network (behind the 501) to the local network (behind
    the 525) AND another flow simultaneously from the local network to the
    remote network. If I don't do that, the tunnel refuses to permit any
    traffic.

    In reality, it's not always possible for me to initiate a flow from the
    remote LAN to the local one.
    So, here is my question:
    What can I do to obtain a fully "upped" VPN as soon as I initiate a flow
    from my local network to the remote one?
    What is the problem in my configuration? I don't understand.


    Best regards,
    Laurent.



    Here is a sample of my configuration :

    Remote Net<-->PIX501<---WAN--->PIX525<-->Local Net
    With :
    Remote Net = 192.168.2.0/24
    PIX501's IP = 192.168.2.1 and 172.16.2.1 (Wan IP)
    PIX525's IP = 192.168.1.1 and 172.16.1.1 (Wan IP)
    Local Net = 192.168.1.0/24

    Sample of the config on the PIX 501:
    access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list 90 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list inside_nat0_outbound permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
    sysopt connection permit-ipsec
    crypto ipsec transform-set strong esp-3des esp-sha-hmac
    crypto map central 20 ipsec-isakmp
    crypto map central 20 match address 90
    crypto map central 20 set peer 172.16.1.1
    crypto map central 20 set transform-set strong
    crypto map central interface outside
    isakmp enable outside
    isakmp enable inside
    isakmp key ******** address 172.16.1.1 netmask 255.255.255.255
    isakmp identity address
    isakmp keepalive 10 10
    isakmp policy 9 authentication pre-share
    isakmp policy 9 encryption 3des
    isakmp policy 9 hash sha
    isakmp policy 9 group 1
    isakmp policy 9 lifetime 86400


    Sample of the config on the PIX 525:
    access-list 90 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    sysopt connection permit-ipsec
    crypto ipsec transform-set strong esp-3des esp-sha-hmac
    crypto map remote 20 ipsec-isakmp
    crypto map remote 20 match address 90
    crypto map remote 20 set peer 172.16.2.1
    crypto map remote 20 set transform-set strong
    crypto map remote interface outside
    isakmp enable outside
    isakmp enable inside
    isakmp key ******** address 172.16.2.1 netmask 255.255.255.255
    isakmp identity address
    isakmp keepalive 10 10
    isakmp policy 9 authentication pre-share
    isakmp policy 9 encryption 3des
    isakmp policy 9 hash sha
    isakmp policy 9 group 1
    isakmp policy 9 lifetime 86400
     
    vortex, Apr 22, 2004
    #1
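Added example, not part of the post above and not a Cisco tool: a small audit of the crypto access-lists that `crypto map ... match address` points at on the two peers. The two config fragments are constructed copies of the `access-list 90` lines from the post; the second pair is an assumed corrected form with a single entry per side. The checks encode the usual rule for crypto ACLs on a pair of IPsec peers: each side lists only the networks behind itself as source, the ACL does not also carry the reverse entry, and the two peers' lists are mirror images of each other. The helper names (`parse_crypto_acl`, `check_crypto_acl`, `audit`) are the editor's own.

```python
"""Audit the crypto ACLs of two IPsec peers (editor's example, not Cisco code)."""
import ipaddress
import re

# Constructed copies of the 'access-list 90' lines from the post.
PIX501_AS_POSTED = """
access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 90 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
"""
PIX525_AS_POSTED = """
access-list 90 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
"""
# Assumed corrected form: one entry per side, the local network as source.
PIX501_ONE_WAY = "access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0\n"
PIX525_ONE_WAY = "access-list 90 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0\n"

# PIX access-lists use a real subnet mask, not an IOS wildcard mask.
ACL_RE = re.compile(
    r"^\s*access-list\s+(?P<name>\S+)\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)\s*$"
)


def parse_crypto_acl(config, acl_name):
    """Return (source, destination) network pairs of the 'permit ip' entries of acl_name."""
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m and m.group("name") == acl_name:
            src = ipaddress.ip_network(f"{m.group('src')}/{m.group('smask')}", strict=False)
            dst = ipaddress.ip_network(f"{m.group('dst')}/{m.group('dmask')}", strict=False)
            entries.append((src, dst))
    return entries


def check_crypto_acl(local_entries, peer_entries, local_nets):
    """Return a list of findings (strings) for one peer's crypto ACL.

    local_entries / peer_entries: parse_crypto_acl() output for this peer and the other one.
    local_nets: the networks that sit behind this peer.
    """
    findings = []
    local_set = set(local_entries)
    for src, dst in local_entries:
        # A crypto ACL describes outbound interesting traffic; the PIX derives the
        # inbound direction itself, so the reverse entry does not belong here.
        if (dst, src) in local_set:
            findings.append(f"{src} -> {dst}: reverse entry {dst} -> {src} is in the same crypto ACL")
        if not any(src.subnet_of(net) for net in local_nets):
            findings.append(f"{src} -> {dst}: source {src} is not behind this peer")
    # The peer's ACL, read backwards, must be exactly this ACL.
    peer_mirror = {(dst, src) for src, dst in peer_entries}
    if local_set != peer_mirror:
        findings.append("crypto ACL is not the mirror image of the peer's crypto ACL")
    return findings


def audit():
    """Run the check on both config pairs; returns {label: {peer: [findings]}}."""
    nets_501 = [ipaddress.ip_network("192.168.2.0/24")]  # Remote Net from the post
    nets_525 = [ipaddress.ip_network("192.168.1.0/24")]  # Local Net from the post
    results = {}
    for label, cfg501, cfg525 in (
        ("as posted", PIX501_AS_POSTED, PIX525_AS_POSTED),
        ("one entry per side", PIX501_ONE_WAY, PIX525_ONE_WAY),
    ):
        e501 = parse_crypto_acl(cfg501, "90")
        e525 = parse_crypto_acl(cfg525, "90")
        results[label] = {
            "pix501": check_crypto_acl(e501, e525, nets_501),
            "pix525": check_crypto_acl(e525, e501, nets_525),
        }
    return results


if __name__ == "__main__":
    for label, per_peer in audit().items():
        for peer, findings in per_peer.items():
            print(f"[{label}] {peer}: {'ok' if not findings else ''}")
            for finding in findings:
                print("   -", finding)
```

Run as a script, the "as posted" pair reports the reverse entries and the non-local source on each peer, while the "one entry per side" pair is clean on both; the mirror-image check passes for both pairs because the posted lists are symmetric, which is why that check alone would not have caught the extra entries.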