cisco config VPN router to pix

Discussion in 'Cisco' started by reili@hotmail.com, Feb 16, 2007.

  1. Guest

    I want to set up a VPN connection between a Cisco router 1760 and a
    PIX 515.
    Can anyone please give me a configuration suggestion that will work, I
    have only experience with PIX.
     
    , Feb 16, 2007
    #1

  2. wrote:

    >I want to set up a VPN connection between a Cisco router 1760 and a
    >PIX 515.
    >Can anyone please give me a configuration suggestion that will work, I
    >have only experience with PIX.


    I recently did a similar setup with a 1710 and a PIX 515. You need ISAKMP
    policies and crypto maps with appropriate access lists on both sides.
    Depending on whether the router has a fixed or a dynamic IP address, you
    have to use a dynamic map on the PIX.

    On the router:

    crypto isakmp policy 11
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key <key> address <PIX> no-xauth
    crypto isakmp keepalive 10 5
    !
    !
    crypto ipsec transform-set vpn esp-3des esp-md5-hmac
    !
    crypto map vpn 101 ipsec-isakmp
    description VPN to PIX
    set peer <PIX>
    set transform-set vpn
    match address 101
    !
    interface FastEthernetX
    crypto map vpn
    !
    access-list 101 permit ip <your LAN> <PIX LAN>


    On the PIX (for a dynamic router address):

    sysopt connection permit-ipsec
    crypto ipsec transform-set vpn esp-3des esp-md5-hmac
    crypto dynamic-map vpn-dyn 10 set transform-set vpn
    crypto map vpnmap 101 ipsec-isakmp dynamic vpn-dyn
    crypto map vpnmap interface outside
    isakmp enable outside
    isakmp key <key> address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
    isakmp identity address
    isakmp keepalive 10 5
    isakmp nat-traversal 20
    isakmp policy 4 authentication pre-share
    isakmp policy 4 encryption 3des
    isakmp policy 4 hash md5
    isakmp policy 4 group 2
    isakmp policy 4 lifetime 86400

    And don't forget to include the network behind the router into the "no NAT"
    ACL on the PIX.

    HTH

    fw
     
    Frank Winkler, Feb 19, 2007
    #2
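
Added example, not part of Frank Winkler's post: a Python check that the ISAKMP policy and the transform set agree on both sides, since a mismatch there keeps the tunnel from negotiating, and that reports the wildcard pre-shared key the dynamic-address PIX setup relies on. The parser only understands the command forms shown in the post; the function names are this example's own.

```python
# Constructed sample input: crypto lines from both configs in the post above.
ROUTER = """\
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <key> address <PIX> no-xauth
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
"""
PIX = """\
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
isakmp key <key> address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp policy 4 authentication pre-share
isakmp policy 4 encryption 3des
isakmp policy 4 hash md5
isakmp policy 4 group 2
"""

KEYS = {"encr": "encryption", "encryption": "encryption", "hash": "hash",
        "authentication": "authentication", "group": "group"}

def parse(config):
    """Return (phase-1 dict, phase-2 transform set, wildcard-PSK flag)."""
    p1, p2, wildcard = {}, set(), False
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["isakmp", "policy"]:   # PIX 6.x prefixes every attribute
            words = words[3:]
        if len(words) == 2 and words[0] in KEYS:
            p1[KEYS[words[0]]] = words[1]
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            p2 = set(words[4:])
        elif "key" in words and "0.0.0.0" in words:
            wildcard = True
    return p1, p2, wildcard

def compare(router_cfg, pix_cfg):
    """List differences that stop negotiation, plus the wildcard-key exposure."""
    r1, r2, _ = parse(router_cfg)
    x1, x2, wildcard = parse(pix_cfg)
    findings = [f"phase 1 {k} mismatch: {r1.get(k)} vs {x1.get(k)}"
                for k in sorted(set(r1) | set(x1)) if r1.get(k) != x1.get(k)]
    if r2 != x2:
        findings.append(f"phase 2 transform mismatch: {sorted(r2)} vs {sorted(x2)}")
    if wildcard:
        findings.append("PIX pre-shared key is accepted from any peer address")
    return findings

print(compare(ROUTER, PIX))
```

With a wildcard key, every remote peer shares the same secret, so the ACLs and the strength of that key are what limit who can bring up a tunnel.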

  3. Reili Guest

    On 19 Feb, 08:58, Frank Winkler <> wrote:
    > wrote:
    >
    > >I want to set up a VPN connection between a Cisco router 1760 and a
    > >PIX 515.
    > >Can anyone please give me a configuration suggestion that will work, I
    > >have only experience with PIX.

    >
    > I recently did a similar setup with a 1710 and a PIX 515. You need ISAKMP
    > policies and crypto maps with appropriate access lists on both sides.
    > Depending on whether the router has a fixed or a dynamic IP address, you
    > have to use a dynamic map on the PIX.
    >
    > On the router:
    >
    > crypto isakmp policy 11
    > encr 3des
    > hash md5
    > authentication pre-share
    > group 2
    > crypto isakmp key <key> address <PIX> no-xauth
    > crypto isakmp keepalive 10 5
    > !
    > !
    > crypto ipsec transform-set vpn esp-3des esp-md5-hmac
    > !
    > crypto map vpn 101 ipsec-isakmp
    > description VPN to PIX
    > set peer <PIX>
    > set transform-set vpn
    > match address 101
    > !
    > interface FastEthernetX
    > crypto map vpn
    > !
    > access-list 101 permit ip <your LAN> <PIX LAN>
    >
    > On the PIX (for a dynamic router address):
    >
    > sysopt connection permit-ipsec
    > crypto ipsec transform-set vpn esp-3des esp-md5-hmac
    > crypto dynamic-map vpn-dyn 10 set transform-set vpn
    > crypto map vpnmap 101 ipsec-isakmp dynamic vpn-dyn
    > crypto map vpnmap interface outside
    > isakmp enable outside
    > isakmp key <key> address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
    > isakmp identity address
    > isakmp keepalive 10 5
    > isakmp nat-traversal 20
    > isakmp policy 4 authentication pre-share
    > isakmp policy 4 encryption 3des
    > isakmp policy 4 hash md5
    > isakmp policy 4 group 2
    > isakmp policy 4 lifetime 86400
    >
    > And don't forget to include the network behind the router into the "no NAT"
    > ACL on the PIX.
    >
    > HTH
    >
    > fw


    Thanx,
    I will try this during the next days

    Reili
     
    Reili, Feb 20, 2007
    #3