Help needed with advanced pix vpning

Discussion in 'Cisco' started by Richard Lane, Jan 23, 2004.

  1. Richard Lane

    Richard Lane Guest

    Hi I need some assistance with some advanced VPN configuration. I can't
    seem to find many Cisco texts on PIXs and VPN. I have a basic peer to
    peer VPN network. I am using a PIX 515 as the main headquarters unit
    and Pix 501s as the end nodes. The WAN is a leased 802.11b network
    with 512k speed. I also have a privately owned 802.11b network that I
    wish to run a VPN tunnel over. It is intended that the two networks
    will use different physical ports in the 515.

    So I was wondering if someone may be able to help me. I have all the
    configs available etc.

    Richard
    Richard Lane, Jan 23, 2004
    #1

  2. In article <>,
    Richard Lane <> wrote:
    :Hi I need some assistance with some advanced VPN configuration. I can't
    :seem to find many Cisco texts on PIXs and VPN. I have a basic peer to
    :peer VPN network. I am using a PIX 515 as the main headquarters unit
    :and Pix 501s as the end nodes. The WAN is a leased 802.11b network
    :with 512k speed. I also have a privately owned 802.11b network that I
    :wish to run a VPN tunnel over. It is intended that the two networks
    :will use different physical ports in the 515.

    :So I was wondering if someone may be able to help me. I have all the
    :configs available etc.

    I'd suggest firing up PDM and letting it handle the details, at least
    to get a base configuration.

    Cisco's site has a lot of configuration examples for VPNs on PIX.
    Key words are ipsec, isakmp, and crypto. If your VPN tunnel is
    "site to site" then those are the keys. If your VPN tunnel is
    software-client-to-PIX then you also need vpngroup and related
    commands.
    --
    Live it up, rip it up, why so lazy?
    Give it out, dish it out, let's go crazy, yeah!
    -- Supertramp (The USENET Song)
    Walter Roberson, Jan 23, 2004
    #2

  3. Richard Lane

    Richard Lane Guest

    Walter,

    I have a basic meshed VPN grid using 8 pix 501's and head office using
    a pix 515. I am using 3DES. The 515 has 6 interfaces.

    Inside (The main LAN head office) 192.168.1.2 / 24
    Outside (Internet) 203.xxx.xxx.xxx / 28
    DMZ (Mail and Web Services) 192.168.10.1 / 24 (not in use)
    Radio1 (Private 802.11b wireless network) 192.168.251.1 / 24
    Radio2 (Public 802.11b wireless network) 192.168.250.1 / 29
    int6 (not in use)

    I can get a tunnel connected from 515 inside to a pix501 host on the
    radio2 network and a tunnel connected from 515 inside to radio2 501
    host.

    I can't get the pix to route down from a pix501 on radio2 to a pix501
    on radio1.

    Is this possible??????

    Rich



    -cnrc.gc.ca (Walter Roberson) wrote in message news:<bupqbt$71v$>...
    > In article <>,
    > Richard Lane <> wrote:
    > :Hi I need some assistance with some advanced VPN configuration. I can't
    > :seem to find many Cisco texts on PIXs and VPN. I have a basic peer to
    > :peer VPN network. I am using a PIX 515 as the main headquarters unit
    > :and Pix 501s as the end nodes. The WAN is a leased 802.11b network
    > :with 512k speed. I also have a privately owned 802.11b network that I
    > :wish to run a VPN tunnel over. It is intended that the two networks
    > :will use different physical ports in the 515.
    >
    > :So I was wondering if someone may be able to help me. I have all the
    > :configs available etc.
    >
    > I'd suggest firing up PDM and letting it handle the details, at least
    > to get a base configuration.
    >
    > Cisco's site has a lot of configuration examples for VPNs on PIX.
    > Key words are ipsec, isakmp, and crypto. If your VPN tunnel is
    > "site to site" then those are the keys. If your VPN tunnel is
    > software-client-to-PIX then you also need vpngroup and related
    > commands.
    Richard Lane, Jan 26, 2004
    #3
  4. In article <>,
    Richard Lane <> wrote:
    :I have a basic meshed VPN grid using 8 pix 501's and head office using
    :a pix 515. I am using 3DES. The 515 has 6 interfaces.

    :Inside (The main LAN head office) 192.168.1.2 / 24
    :Outside (Internet) 203.xxx.xxx.xxx / 28
    :DMZ (Mail and Web Services) 192.168.10.1 / 24 (not in use)
    :Radio1 (Private 802.11b wireless network) 192.168.251.1 / 24
    :Radio2 (Public 802.11b wireless network) 192.168.250.1 / 29

    :I can get a tunnel connected from 515 inside to a pix501 host on the
    :radio2 network and a tunnel connected from 515 inside to radio2 501
    :host.

    :I can't get the pix to route down from a pix501 on radio2 to a pix501
    :on radio1.

    :Is this possible??????

    Yes, it isn't a particular problem. You just have to ensure they are
    at different security levels, and then apply the regular nat / global /
    static rules.

    I will assume that Radio1 is higher security than Radio2. Then for
    general access from Radio1 to Radio2, you would have

    nat (Radio1) 10 192.168.251.0 255.255.255.0
    global (Radio2) 10 interface

    To go back up, from Radio2 to Radio1, would require that there
    be a particular host enabled to receive connections... say
    192.168.251.12.

    static (Radio1, Radio2) 192.168.251.12 192.168.251.12 netmask 255.255.255.255 0 0
    access-list acl-r2-r1 permit ip 192.168.250.0 255.255.255.0 host 192.168.251.12

    The fact that VPNs are involved doesn't matter to the PIX: it applies
    regular routing to packets on VPN connections.
    --
    "No one has the right to destroy another person's belief by
    demanding empirical evidence." -- Ann Landers
    Walter Roberson, Jan 27, 2004
    #4
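
The commands from post #4 assembled into one fragment, as an added example that is not part of the original thread. The hardware names ethernet3/ethernet4 and the security levels 60/40 are assumptions; the access-group line and the /29 source mask are additions that the post does not show.

```cisco
: Added example, PIX 6.x syntax. ethernet3/ethernet4 and the security
: levels 60 and 40 are assumptions; the addresses come from the thread.
nameif ethernet3 Radio1 security60
nameif ethernet4 Radio2 security40
ip address Radio1 192.168.251.1 255.255.255.0
ip address Radio2 192.168.250.1 255.255.255.248

: Higher to lower (Radio1 -> Radio2): PAT behind the Radio2 interface address
nat (Radio1) 10 192.168.251.0 255.255.255.0
global (Radio2) 10 interface

: Lower to higher (Radio2 -> Radio1): expose only the one host, untranslated
static (Radio1,Radio2) 192.168.251.12 192.168.251.12 netmask 255.255.255.255 0 0

: Source narrowed to the Radio2 /29 given in the thread (assumption:
: no other Radio2-side sources need to reach this host)
access-list acl-r2-r1 permit ip 192.168.250.0 255.255.255.248 host 192.168.251.12

: The access-list has no effect until it is bound to the interface
access-group acl-r2-r1 in interface Radio2
```

Once the ACL is bound, any other transit traffic entering on Radio2 that has no matching permit line is dropped by the implicit deny, so further flows need their own entries.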
