Pix 506 & 501 site-to-site VPN question.

Discussion in 'Cisco' started by Silvan Jappert, May 1, 2006.

  1. Hi all,

    I currently have a Cisco PIX 506e set up at our main office. I also have a
    PIX 506e at a remote office. I've successfully configured a site-to-site VPN
    tunnel between these two locations. I've purchased an additional PIX 501
    for another remote office and wish to do the same (site to site from remote2
    to main). I've configured everything properly (from what I can see), and from
    comparing to the other configuration it should work, but it's not. Is there a
    restriction on the main office 506 to only allow one set of site-to-site VPN?
    I have 50 connectivity licenses for the 506, so licensing shouldn't be an
    issue as far as I know. Any input would be appreciated, thank you.


    Silvan
     
    Silvan Jappert, May 1, 2006
    #1

  2. Gary Guest

    Silvan Jappert wrote:

    > Is there a restriction on the main office 506 to only allow one set of
    > site-to-site VPN? I have 50 connectivity licenses for the 506, so
    > licensing shouldn't be an issue as far as I know. Any input would
    > be appreciated, thank you.


    The 506e has a max limit of 20 IPsec tunnels so you should be ok for
    licensing. One problem I came across with multiple tunnels is that you
    can't have more than one crypto map. Instead, you have to give each
    additional tunnel a new priority. For example:

    no crypto map outside_map1 10 match address outside1
    no crypto map outside_map1 10 set peer 10.10.0.3
    no crypto map outside_map1 10 set transform-set ESP-3DES-SHA

    no crypto map outside_map2 10 match address outside2
    no crypto map outside_map2 10 set peer 10.20.0.3
    no crypto map outside_map2 10 set transform-set ESP-3DES-SHA

    crypto map outside_map 10 match address outside_cryptomap_10
    crypto map outside_map 10 set peer 10.10.0.3
    crypto map outside_map 10 set transform-set ESP-3DES-SHA

    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer 10.20.0.3
    crypto map outside_map 20 set transform-set ESP-3DES-SHA

    access-list outside_cryptomap_10 extended permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
    access-list outside_cryptomap_20 extended permit ip 10.2.0.0 255.255.0.0 192.168.2.0 255.255.255.0

    tunnel-group 10.10.0.3 type ipsec-l2l
    tunnel-group 10.10.0.3 ipsec-attributes
    pre-shared-key foo

    tunnel-group 10.20.0.3 type ipsec-l2l
    tunnel-group 10.20.0.3 ipsec-attributes
    pre-shared-key bar
     
    Gary, May 2, 2006
    #2

  3. OK, this is part of my current config at the main office PIX 506.

    access-list Non-Nat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0   #This is the internal local office IP
    access-list Non-Nat permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0   #This is the remote Office1 IP (the one that works)
    access-list Non-Nat permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0   #This is the remote Office2 IP (the one I'm trying to set up)
    access-list Split-Tun permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0   #Remote Office1
    access-list Split-Tun3 permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0   #Remote Office2
    ......
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    .......
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set Trans-1 esp-3des esp-sha-hmac
    crypto dynamic-map CovConn-Dyno 10 set transform-set Trans-1
    crypto map CovConn-VPN 10 ipsec-isakmp dynamic CovConn-Dyno
    crypto map CovConn-VPN client authentication MS-IAS
    crypto map CovConn-VPN interface outside
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup CovConn-Group1 address-pool IP-Pool1
    #CovConn-Group1 is used for home users to vpn to network.
    vpngroup CovConn-Group1 dns-server 192.168.0.5 192.168.0.6
    vpngroup CovConn-Group1 default-domain cci.local
    vpngroup CovConn-Group1 idle-time 1800
    vpngroup CovConn-Group1 password ********
    vpngroup CovConn-Group2 address-pool IP-Pool2
    #CovConn-Group2 is used for the Remote Office1 VPN tunnel, which currently works.
    vpngroup CovConn-Group2 dns-server 192.168.0.5 192.168.0.6
    vpngroup CovConn-Group2 default-domain cci.local
    vpngroup CovConn-Group2 split-tunnel Split-Tun
    vpngroup CovConn-Group2 idle-time 1800
    vpngroup CovConn-Group2 password ********
    vpngroup CovConn-Group3 address-pool IP-Pool3
    #CovConn-Group3 is the one I'm trying to set up, which is not working.
    vpngroup CovConn-Group3 dns-server 192.168.0.5 192.168.0.6
    vpngroup CovConn-Group3 default-domain cci.local
    vpngroup CovConn-Group3 split-tunnel Split-Tun3
    vpngroup CovConn-Group3 idle-time 1800
    vpngroup CovConn-Group3 password ********

    This is the config of the PIX 501 at Remote Office2.

    ......
    ip address outside pppoe setroute
    ip address inside 192.168.3.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    .......
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    ......
    vpdn group PPPOE request dialout pppoe
    vpdn group PPPOE localname *****
    vpdn group PPPOE ppp authentication pap
    vpdn username ******* password *********
    dhcpd address 192.168.3.50-192.168.3.65 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd enable inside
    dhcprelay timeout 60
    username ****** password ****** encrypted privilege 15
    vpnclient server *IP ADDRESS OF OUTSIDE MAIN OFFICE*
    vpnclient mode network-extension-mode
    vpnclient vpngroup CovConn-Group3 password ********
    vpnclient username ******* password ******
    vpnclient enable

    "Gary" <> wrote in message
    news:...
    >
    > Silvan Jappert wrote:
    >
    >> Is there a restriction on the main office 506 to only allow one set of
    >> site-to-site VPN? I have 50 connectivity licenses for the 506, so
    >> licensing shouldn't be an issue as far as I know. Any input would
    >> be appreciated, thank you.
    >
    > The 506e has a max limit of 20 IPsec tunnels so you should be ok for
    > licensing. One problem I came across with multiple tunnels is that you
    > can't have more than one crypto map. Instead, you have to give each
    > additional tunnel a new priority. For example:
    >
    > no crypto map outside_map1 10 match address outside1
    > no crypto map outside_map1 10 set peer 10.10.0.3
    > no crypto map outside_map1 10 set transform-set ESP-3DES-SHA
    >
    > no crypto map outside_map2 10 match address outside2
    > no crypto map outside_map2 10 set peer 10.20.0.3
    > no crypto map outside_map2 10 set transform-set ESP-3DES-SHA
    >
    > crypto map outside_map 10 match address outside_cryptomap_10
    > crypto map outside_map 10 set peer 10.10.0.3
    > crypto map outside_map 10 set transform-set ESP-3DES-SHA
    >
    > crypto map outside_map 20 match address outside_cryptomap_20
    > crypto map outside_map 20 set peer 10.20.0.3
    > crypto map outside_map 20 set transform-set ESP-3DES-SHA
    >
    > access-list outside_cryptomap_10 extended permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
    > access-list outside_cryptomap_20 extended permit ip 10.2.0.0 255.255.0.0 192.168.2.0 255.255.255.0
    >
    > tunnel-group 10.10.0.3 type ipsec-l2l
    > tunnel-group 10.10.0.3 ipsec-attributes
    > pre-shared-key foo
    >
    > tunnel-group 10.20.0.3 type ipsec-l2l
    > tunnel-group 10.20.0.3 ipsec-attributes
    > pre-shared-key bar
    >
     
    Silvan Jappert, May 3, 2006
    #3
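    The crypto-map layout Gary corrects in #2 (one map with a distinct sequence number per peer, rather than one map per peer) and the vpngroup / split-tunnel / NAT-exemption relationships in the 506 config in #3 are both things that can be checked mechanically before a tunnel is brought up. The Python below is an added example, not code from this thread or from Cisco: the function names (parse, check_crypto_maps, check_vpngroups, audit), the sample configs, and the assumption that the NAT-exemption ACL is called Non-Nat (as in the posted config) are mine. It only recognises access-list, crypto map and vpngroup split-tunnel statements and ignores everything else in a config.

```python
"""Static checks for PIX/ASA VPN statements (added example, not from the thread).
Only access-list, crypto map and vpngroup split-tunnel lines are parsed."""
import re
from collections import defaultdict

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+ \S+) (\S+ \S+)$")
CMAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set|ipsec-isakmp) (.+)$")
SPLIT_RE = re.compile(r"^vpngroup (\S+) split-tunnel (\S+)$")


def parse(config_text):
    """Return (acls, cmaps, split): ACL entries, crypto-map entries keyed by map name
    and sequence number, and vpngroup -> split-tunnel ACL name."""
    acls = defaultdict(list)                         # name -> [(src, dst), ...]
    cmaps = defaultdict(lambda: defaultdict(dict))   # map -> seq -> {attribute: value}
    split = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop '#' notes like the ones in the posted config
        if m := ACL_RE.match(line):
            acls[m[1]].append((m[2], m[3]))
        elif m := CMAP_RE.match(line):
            cmaps[m[1]][int(m[2])][m[3]] = m[4]
        elif m := SPLIT_RE.match(line):
            split[m[1]] = m[2]
    return acls, cmaps, split


def check_crypto_maps(acls, cmaps):
    """Flag the layout the reply warns against (static entries spread over several maps
    instead of one map with distinct sequence numbers), incomplete entries, and
    references to ACLs that are never defined."""
    findings = []
    static = sorted(n for n, seqs in cmaps.items()
                    if any("match address" in a for a in seqs.values()))
    if len(static) > 1:
        findings.append(f"static entries spread over several crypto maps ({', '.join(static)}); "
                        "only one map is applied to an interface")
    peers = defaultdict(list)
    for name, seqs in cmaps.items():
        for seq, attrs in sorted(seqs.items()):
            if "match address" in attrs:
                acl = attrs["match address"]
                if acl not in acls:
                    findings.append(f"crypto map {name} {seq}: access-list {acl} is not defined")
                if "set peer" not in attrs:
                    findings.append(f"crypto map {name} {seq}: match address without set peer")
            if "set peer" in attrs:
                peers[(name, attrs["set peer"])].append(seq)
    for (name, peer), seqs in peers.items():
        if len(seqs) > 1:
            findings.append(f"crypto map {name}: peer {peer} used by sequences {sorted(seqs)}")
    return findings


def check_vpngroups(acls, split, nonat_acl="Non-Nat"):
    """Each split-tunnel ACL must exist, and every network pair in it must also appear
    in the NAT-exemption ACL (Non-Nat in the posted config; the name is a parameter)."""
    findings = []
    exempt = set(acls.get(nonat_acl, []))
    for group, acl in sorted(split.items()):
        if acl not in acls:
            findings.append(f"vpngroup {group}: split-tunnel access-list {acl} is not defined")
            continue
        for src, dst in acls[acl]:
            if (src, dst) not in exempt:
                findings.append(f"vpngroup {group}: {src} -> {dst} from {acl} is missing from {nonat_acl}")
    return findings


def audit(config_text, nonat_acl="Non-Nat"):
    acls, cmaps, split = parse(config_text)
    return check_crypto_maps(acls, cmaps) + check_vpngroups(acls, split, nonat_acl)


# Constructed sample: the two-map layout the reply removes with "no crypto map ...".
TWO_MAPS = """
access-list outside1 extended permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list outside2 extended permit ip 10.2.0.0 255.255.0.0 192.168.2.0 255.255.255.0
crypto map outside_map1 10 match address outside1
crypto map outside_map1 10 set peer 10.10.0.3
crypto map outside_map1 10 set transform-set ESP-3DES-SHA
crypto map outside_map2 10 match address outside2
crypto map outside_map2 10 set peer 10.20.0.3
crypto map outside_map2 10 set transform-set ESP-3DES-SHA
"""

# Constructed sample: one map, one sequence number per peer, as the reply recommends.
ONE_MAP = """
access-list outside_cryptomap_10 extended permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 10.2.0.0 255.255.0.0 192.168.2.0 255.255.255.0
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 10.10.0.3
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 10.20.0.3
crypto map outside_map 20 set transform-set ESP-3DES-SHA
"""

# Constructed from the 506 config in post #3 with two faults introduced: Non-Nat lacks the
# 192.168.3.0 entry, and a fourth group points at an ACL that does not exist.
EZVPN = """
access-list Non-Nat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Non-Nat permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0  # Remote Office1
access-list Split-Tun permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Split-Tun3 permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
vpngroup CovConn-Group2 split-tunnel Split-Tun
vpngroup CovConn-Group3 split-tunnel Split-Tun3
vpngroup CovConn-Group4 split-tunnel Split-Tun4
"""

if __name__ == "__main__":
    for label, cfg in (("two maps", TWO_MAPS), ("one map", ONE_MAP), ("ezvpn", EZVPN)):
        print(label, audit(cfg) or "no findings")
```

    Run against the posted 506 config, audit() would report nothing for the crypto-map section (it uses a single dynamic map) and would only raise a finding if one of the Split-Tun ACLs referenced by a vpngroup lacked a matching Non-Nat entry; the EZVPN sample above is altered so that it does.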
  4. Gary Guest

    Please post the IPsec portion of your 501's config. Also, what version of
    firmware are you using on the two devices? I see vpdn commands, so it's
    definitely < 7.

    Thanks,
    Gary
     
    Gary, May 3, 2006
    #4
  5. The PIX 501 is using PIX version 6.3(4) and the 506 is using 6.3(3).

    There are no IPsec commands on the 501. I posted any of the relevant VPN
    info. I made one change on the 506 last night and it seems to be working
    now.

    "Gary" <> wrote in message
    news:...
    > Please post the IPsec portion of your 501's config. Also, what version of
    > firmware are you using on the two devices? I see vpdn commands, so it's
    > definitely < 7.
    >
    > Thanks,
    > Gary
     
    Silvan Jappert, May 4, 2006
    #5