PIX 506E Connecting two different Companies

Discussion in 'Cisco' started by Paul, Mar 22, 2006.

  1. Paul

    Paul Guest

    I have a Cisco PIX506E connecting our 3 other facilities via VPN; all is
    fine. We have the need to create a VPN connection with one of our clients,
    but they will be using different isakmp policies and transform sets. Can I
    connect to this client as well as keep our existing facilities working? I
    also would not want our client to be able to browse around our network ...

    thoughts ...

    Thanks
    Paul
     
    Paul, Mar 22, 2006
    #1

  2. In article <bOfUf.481$Ph4.360@edtnps90>, Paul <> wrote:
    >I have a Cisco PIX506E connecting our 3 other facilities via VPN all is
    >fine - we have the need to create a VPN connection with one of our Clients
    >but they will be using different isakmp policies and transform sets - can I
    >connect to this client as well as keep our existing facilities working ??


    Yes, no problem. Transform sets are configured at the same level
    that you configure peer and ACL to match. For the isakmp policy,
    just add another policy with a higher policy number.

    >I also would not want our client to be able to browse around our network ...


    That's tougher.

    If you currently have sysopt connection permit-ipsec configured,
    you will have to turn that off, and when you do so you will
    have to configure your access-list attached to your outside
    interface (access-group) to permit the existing VPN traffic.

    Then for the new client, you would add to your outside interface
    access-list -only-:

    - necessary IP traffic from the new client -other- than TCP, UDP, and
    ICMP

    - ICMP time-exceeded and unreachable and possibly echo-reply

    - replying UDP traffic from the client that might be delayed by
    more than 2 minutes (e.g., some Exchange flows), and UDP traffic they
    are authorized to initiate to you (e.g., WINS, DNS, perhaps NETBIOS).
    Allow as little UDP traffic in as you can get away with.

    Do -not- allow any TCP connections from the client, not unless they
    are authorized to use some server of yours. [Note: some forms of
    DNS can require TCP, but a lot of the time you can get away
    with just UDP for DNS.]


    If you leave permit-ipsec configured, then you would need to work
    hard on your crypto map match-address ACL, and will probably
    find it too messy to get the controls you want, at least
    without having the PIX complain. PIX 6.2 does not allow you to
    specify your crypto map ACL right down to the port level;
    PIX 6.3 does, but you would probably have to use at least the
    3.6 VPN client (there are some combinations of OSes and
    configurations for which people still use 3.0; there have been
    a series of problems with the 4.0 client).
     
    Walter Roberson, Apr 1, 2006
    #2
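A PIX 6.3 configuration sketch of the two points made in the reply above: a second, higher-numbered isakmp policy and a separate transform set for the client, then permit-ipsec turned off and the outside access-list carrying both the existing facility traffic and the narrow client allowances. This is an added example, not Walter's or Cisco's text; the peer addresses, network ranges, policy numbers and ACL names are made-up placeholders, and the crypto map entries and nat 0 exemptions for the three existing facilities are assumed to be in place already.

```cisco
! --- Phase 1: the existing facilities keep policy 10 (values assumed);
! --- the client's different proposal gets its own, higher-numbered policy
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp key CLIENT-PSK-PLACEHOLDER address 203.0.113.10 netmask 255.255.255.255
! --- Phase 2: a separate transform set, bound only in the client's crypto map entry
crypto ipsec transform-set FACILITIES esp-3des esp-sha-hmac
crypto ipsec transform-set CLIENT esp-aes esp-md5-hmac
! --- Only the one internal subnet the client is allowed to reach goes in the match ACL
access-list vpn-client permit ip 10.1.1.0 255.255.255.0 172.16.5.0 255.255.255.0
crypto map OUTSIDEMAP 30 ipsec-isakmp
crypto map OUTSIDEMAP 30 match address vpn-client
crypto map OUTSIDEMAP 30 set peer 203.0.113.10
crypto map OUTSIDEMAP 30 set transform-set CLIENT
crypto map OUTSIDEMAP interface outside
! --- Decrypted VPN traffic must now pass the outside ACL like anything else
no sysopt connection permit-ipsec
! --- Existing facility networks (placeholder ranges) keep full access
access-list outside_in permit ip 10.2.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list outside_in permit ip 10.3.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list outside_in permit ip 10.4.0.0 255.255.0.0 10.0.0.0 255.0.0.0
! --- Client subnet (placeholder) gets only the ICMP and UDP the reply lists: no TCP
access-list outside_in permit icmp 172.16.5.0 255.255.255.0 10.1.1.0 255.255.255.0 time-exceeded
access-list outside_in permit icmp 172.16.5.0 255.255.255.0 10.1.1.0 255.255.255.0 unreachable
access-list outside_in permit icmp 172.16.5.0 255.255.255.0 10.1.1.0 255.255.255.0 echo-reply
access-list outside_in permit udp 172.16.5.0 255.255.255.0 host 10.1.1.5 eq domain
access-list outside_in deny ip 172.16.5.0 255.255.255.0 any
access-group outside_in in interface outside
```

Because the deny line for the client subnet sits before any broader permits, anything the client initiates beyond the listed ICMP types and the one DNS server is logged and dropped at the outside interface, while the facility-to-facility lines preserve the traffic that permit-ipsec used to wave through.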
