PIX 501 VPN servers and VPN site to site - possible?

Discussion in 'Cisco' started by Robert, Dec 12, 2005.

  1. Robert

    Robert Guest

    Hello
    I have 2 Cisco PIX firewalls. I have VPN servers on both PIXes. How can I
    make a VPN site to site?
    This is my config:

    Office
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname fwl1
    names
    object-group service tcp_19 tcp
    description tcp ports for server on address 80.80.80.19
    port-object eq www
    port-object eq https
    access-list outside_access_in permit icmp any any log
    access-list outside_access_in permit tcp any host 80.80.80.19 object-group tcp_19
    access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    ip address outside 80.80.80.18 255.255.255.240
    ip address inside 192.168.1.1 255.255.255.0
    ip local pool ippool 192.168.2.14-192.168.2.20
    global (outside) 10 interface
    nat (inside) 0 access-list 101
    nat (inside) 10 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 80.80.80.19 192.168.1.28 netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 80.80.80.17 1
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map inside_map interface inside
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap interface outside
    isakmp enable outside
    isakmp nat-traversal 10
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup VPN-O address-pool ippool
    vpngroup VPN-O dns-server 192.168.1.2
    vpngroup VPN-O wins-server 192.168.1.2
    vpngroup VPN-O default-domain mydomain.com
    vpngroup VPN-O split-tunnel 101
    vpngroup VPN-O idle-time 1800
    vpngroup VPN-O password ********************
    vpdn enable outside
    dhcpd address 192.168.1.30-192.168.1.120 inside
    dhcpd dns
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd domain aaa.com
    dhcpd auto_config outside
    dhcpd enable inside

    Remote office
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname fwl2
    object-group service tcp_114 tcp
    object-group service udp_114 udp
    object-group service tcp_115 tcp
    object-group service udp_115 udp
    object-group service tcp_116 tcp
    object-group service udp_116 udp
    object-group service tcp_117 tcp
    object-group service tcp_118 tcp
    object-group service udp_118 udp
    access-list outside_access_in permit icmp any any log
    access-list outside_access_in permit tcp any host 90.90.90.114 object-group tcp_114
    access-list outside_access_in permit udp any host 90.90.90.114 object-group udp_114
    access-list outside_access_in permit tcp any host 90.90.90.115 object-group tcp_115
    access-list outside_access_in permit udp any host 90.90.90.115 object-group udp_115
    access-list outside_access_in permit tcp any host 90.90.90.116 object-group tcp_116
    access-list outside_access_in permit udp any host 90.90.90.116 object-group udp_116
    access-list outside_access_in permit tcp any host 90.90.90.117 object-group tcp_117
    access-list outside_access_in permit tcp any host 90.90.90.118 object-group tcp_118
    access-list 101 permit ip 90.90.90.112 255.255.255.248 192.168.2.0 255.255.255.0
    ip address outside 90.90.66.239 255.255.254.0
    ip address inside 90.90.90.113 255.255.255.248
    global (outside) 100 interface
    nat (inside) 0 access-list 101
    nat (inside) 10 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 90.90.90.114 90.90.90.114 netmask 255.255.255.255 0 0
    static (inside,outside) 90.90.90.115 90.90.90.115 netmask 255.255.255.255 0 0
    static (inside,outside) 90.90.90.116 90.90.90.116 netmask 255.255.255.255 0 0
    static (inside,outside) 90.90.90.117 90.90.90.117 netmask 255.255.255.255 0 0
    static (inside,outside) 90.90.90.118 90.90.90.118 netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 90.90.66.1 1
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map inside_map interface inside
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap interface outside
    isakmp enable outside
    isakmp nat-traversal 10
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup VPN-D address-pool ippool
    vpngroup VPN-D dns-server 90.90.90.115
    vpngroup VPN-D wins-server 90.90.90.115
    vpngroup VPN-D default-domain thoughtwebfinancial.com
    vpngroup VPN-D split-tunnel 101
    vpngroup VPN-D idle-time 1800
    vpngroup VPN-D password *****************************
    : end

    Will it work?
    Can I have VPN servers and VPN site to site?

    Thank you
    Robert
    Robert, Dec 12, 2005
    #1

  2. In article <dnk9v4$1d$>,
    Robert <> wrote:
    >I have 2 cisco PIX firewalls. Ihave VPN servers on both of PIX. How can i
    >make VPN site to site


    >Office
    >PIX Version 6.3(4)
    >access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0


    add:

    access-list 101 permit ip 192.168.1.0 255.255.255.0 90.90.90.113 255.255.255.248
    access-list RemoteOfficeACL permit ip 192.168.1.0 255.255.255.0 90.90.90.113 255.255.255.248

    >ip address outside 80.80.80.18 255.255.255.240
    >ip address inside 192.168.1.1 255.255.255.0


    >nat (inside) 0 access-list 101


    >sysopt connection permit-ipsec
    >crypto ipsec transform-set myset esp-des esp-md5-hmac
    >crypto dynamic-map dynmap 10 set transform-set myset
    >crypto map inside_map interface inside


    add:

    crypto map mymap 5 ipsec-isakmp
    crypto map mymap 5 set transform-set myset
    crypto map mymap 5 match address RemoteOfficeACL
    crypto map mymap 5 set peer 90.90.66.239

    >crypto map mymap 10 ipsec-isakmp dynamic dynmap
    >crypto map mymap interface outside
    >isakmp enable outside
    >isakmp nat-traversal 10


    add:

    isakmp key SomeSharedPasswordGoesHere address 90.90.66.239 netmask 255.255.255.255 no-xauth no-config-mode


    >Remote office
    >PIX Version 6.3(4)


    >access-list 101 permit ip 90.90.90.112 255.255.255.248 192.168.2.0 255.255.255.0


    add:

    access-list 101 permit ip 90.90.90.112 255.255.255.248 192.168.1.0 255.255.255.0
    access-list RemoteOfficeACL permit ip 90.90.90.112 255.255.255.248 192.168.1.0 255.255.255.0


    >ip address outside 90.90.66.239 255.255.254.0
    >ip address inside 90.90.90.113 255.255.255.248


    >nat (inside) 0 access-list 101


    >sysopt connection permit-ipsec


    >crypto ipsec transform-set myset esp-des esp-md5-hmac
    >crypto dynamic-map dynmap 10 set transform-set myset
    >crypto map inside_map interface inside


    add:

    crypto map mymap 5 ipsec-isakmp
    crypto map mymap 5 set transform-set myset
    crypto map mymap 5 match address RemoteOfficeACL
    crypto map mymap 5 set peer 80.80.80.18

    >crypto map mymap 10 ipsec-isakmp dynamic dynmap
    >crypto map mymap interface outside
    >isakmp enable outside
    >isakmp nat-traversal 10


    add:

    isakmp key SomeSharedPasswordGoesHere address 80.80.80.18 netmask 255.255.255.255 no-xauth no-config-mode


    >Will it work


    Yes.

    >can i have VPN servers and VPN site to site?


    Yes.

    What you will -not- be able to do with that setup and that software
    revision, is have VPN clients that connect to one of the offices and
    make use of the VPN link to the other office: each VPN client will
    be restricted to the LAN of the PIX it connects to. Allowing the link
    to be shared gets complicated and usually requires additional hardware
    in PIX 6.x .
    --
    If you lie to the compiler, it will get its revenge. -- Henry Spencer
    Walter Roberson, Dec 12, 2005
    #2

  3. Robert

    Robert Guest

    > What you will -not- be able to do with that setup and that software
    > revision, is have VPN clients that connect to one of the offices and
    > make use of the VPN link to the other office: each VPN client will
    > be restricted to the LAN of the PIX it connects to. Allowing the link
    > to be shared gets complicated and usually requires additional hardware
    > in PIX 6.x .


    Thank you
    I will do this Saturday
    Like always, Walter, you are a star

    Robert
    Robert, Dec 13, 2005
    #3
  4. Robert

    Robert Guest

    >Office
    >PIX Version 6.3(4)
    > add:
    > access-list 101 permit ip 192.168.1.0 255.255.255.0 90.90.90.113
    > 255.255.255.248


    should be
    access-list 101 permit ip 192.168.1.0 255.255.255.0 90.90.90.112 255.255.255.248

    > access-list RemoteOfficeACL permit ip 192.168.1.0 255.255.255.0
    > 90.90.90.113 255.255.255.248

    should be
    access-list RemoteOfficeACL permit ip 192.168.1.0 255.255.255.0 90.90.90.112 255.255.255.248

    >>Remote office

    >PIX Version 6.3(4)
    > add:



    Did not work the 1st time
    I will check again :(
    but I am smarter than before

    Thank you
    I will try again and I will tell you about errors
    Robert, Dec 14, 2005
    #4

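The mistake Robert caught in post #4 (a crypto ACL written with the host address 90.90.90.113 instead of the subnet address 90.90.90.112) is exactly the kind of thing a small pre-flight check catches before a Saturday maintenance window. The script below is an added example, not code from the thread or from Cisco: it parses PIX 6.x `access-list <name> permit ip <src> <mask> <dst> <mask>` lines from both firewalls, flags any address whose host bits are set under its mask, and verifies that the two crypto ACLs are exact mirrors of each other (the office's src/dst pairs must appear on the remote side with src and dst swapped, otherwise the IPsec proxy identities will not match during phase 2). The config fragments are constructed from the addresses in this thread; the ACL name `RemoteOfficeACL` is the one Walter suggested.

```python
import ipaddress
import re

# Constructed sample fragments, not the poster's full configs: the office-side
# entry reproduces the .113 typo that post #4 corrected to .112.
OFFICE_ACL_WRONG = """
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list RemoteOfficeACL permit ip 192.168.1.0 255.255.255.0 90.90.90.113 255.255.255.248
"""
OFFICE_ACL_FIXED = OFFICE_ACL_WRONG.replace("90.90.90.113", "90.90.90.112")
REMOTE_ACL = """
access-list RemoteOfficeACL permit ip 90.90.90.112 255.255.255.248 192.168.1.0 255.255.255.0
"""

# PIX 6.x extended ACL line: access-list <name> permit ip <src> <mask> <dst> <mask>
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_acl(text, name):
    """Return [(src_addr, src_mask, dst_addr, dst_mask), ...] for ACL `name`."""
    entries = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == name:
            entries.append(m.groups()[1:])
    return entries


def host_bits_problem(addr, mask):
    """Return a message if addr/mask has host bits set, else None."""
    try:
        ipaddress.ip_network(f"{addr}/{mask}", strict=True)
    except ValueError:
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        return f"{addr} {mask} has host bits set; the network is {net.network_address}"
    return None


def to_networks(entries):
    """Normalise parsed entries to a set of (src_net, dst_net) pairs."""
    return {
        (ipaddress.ip_network(f"{s}/{sm}", strict=False),
         ipaddress.ip_network(f"{d}/{dm}", strict=False))
        for s, sm, d, dm in entries
    }


def audit(office_text, remote_text, name="RemoteOfficeACL"):
    """Return a list of findings; an empty list means both crypto ACLs use
    clean network addresses and are exact mirrors of each other."""
    findings = []
    sides = {"office": parse_acl(office_text, name),
             "remote": parse_acl(remote_text, name)}
    for side, entries in sides.items():
        if not entries:
            findings.append(f"{side}: ACL {name} has no permit ip entries")
        for s, sm, d, dm in entries:
            for addr, mask in ((s, sm), (d, dm)):
                p = host_bits_problem(addr, mask)
                if p:
                    findings.append(f"{side}: {p}")
    # Mirror check: each office (src, dst) must appear on the remote as (dst, src).
    office_nets = to_networks(sides["office"])
    remote_mirror = {(d, s) for s, d in to_networks(sides["remote"])}
    for s, d in sorted(office_nets - remote_mirror, key=str):
        findings.append(f"office entry {s} -> {d} has no mirror on the remote side")
    for s, d in sorted(remote_mirror - office_nets, key=str):
        findings.append(f"remote entry {d} -> {s} has no mirror on the office side")
    return findings


if __name__ == "__main__":
    for label, text in (("as first suggested", OFFICE_ACL_WRONG),
                        ("after the correction", OFFICE_ACL_FIXED)):
        print(label + ":", audit(text, REMOTE_ACL) or "OK")
```

Run against the first suggestion it reports the host-bits problem on the office side; after the .112 correction it reports nothing. The same `audit` call works for the `nat (inside) 0` ACL (pass `name="101"`), which must also cover the tunnel traffic on both sides so the PIX does not NAT it before encryption.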