PIX 506E Connecting two different Companies

Discussion in 'Cisco' started by Paul, Mar 22, 2006.

  1. Paul (Guest)

    I have a Cisco PIX 506E connecting our 3 other facilities via VPN; all is
    fine. We have the need to create a VPN connection with one of our clients,
    but they will be using different isakmp policies and transform sets. Can I
    connect to this client as well as keep our existing facilities working? I
    also would not want our client to be able to browse around our network ...

    thoughts ...

    Paul, Mar 22, 2006

  2. Yes, no problem. Transform sets are configured at the same level
    that you configure peer and ACL to match. For the isakmp policy,
    just add another policy with a higher policy number.
    That's tougher.

    If you currently have sysopt connection permit-ipsec configured,
    you will have to turn that off, and when you do so you will
    have to configure your access-list attached to your outside
    interface (access-group) to permit the existing VPN traffic.

    Then for the new client, you would add to your outside interface
    access-list -only-:

    - necessary IP traffic from the new client -other- than TCP, UDP, and

    - ICMP time-exceeded and unreachable and possibly echo-reply

    - replying UDP traffic from the client that might be delayed by
    more than 2 minutes (e.g., some Exchange flows), and UDP traffic they
    are authorized to initiate to you (e.g., WINS, DNS, perhaps NETBIOS).
    Allow as little UDP traffic in as you can get away with.

    Do -not- allow any TCP connections from the client, not unless they
    are authorized to use some server of yours. [Note: some forms of
    DNS can require TCP, but a lot of the time you can get away
    with just UDP for DNS.]

    If you leave permit-ipsec configured, then you would need to work
    hard on your crypto map match-address ACL, and will probably
    find it too messy to get the controls you want, at least
    without having the PIX complain. PIX 6.2 does not allow you to
    specify your crypto map ACL right down to the port level;
    PIX 6.3 does, but you would probably have to use at least the
    3.6 VPN client (there are some combinations of OS's and
    configurations for which people still use 3.0; there have been
    a series of problems with the 4.0 client.)
    Walter Roberson, Apr 1, 2006
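To make the reply concrete, here is a PIX 6.3 configuration fragment that puts the pieces together: a second, higher-numbered isakmp policy for the client, a separate transform set selected per crypto map entry, `sysopt connection permit-ipsec` turned off, and an outside-interface access list that trusts the facility tunnel fully but lets the client reach only one DNS server plus the ICMP types the reply lists. This is an added example, not configuration from the thread or from either poster; all addresses (RFC 5737 ranges), ACL names, map names and the client's cipher choices are assumed placeholders, and the existing `nat (inside) 0` exemption for the tunnel networks is assumed to be in place and is not shown.

```cisco
! Added example (not from the thread). Addresses, names and the client's
! ISAKMP/IPsec parameters are assumed placeholders.
!
! --- ISAKMP: existing facilities keep policy 10; the client gets its own,
! --- higher-numbered policy carrying the parameters they require.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
isakmp key ******** address 198.51.100.20 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255 no-xauth no-config-mode
!
! --- Transform sets: one per peer type, chosen per crypto map entry below.
crypto ipsec transform-set FACILITY-SET esp-3des esp-sha-hmac
crypto ipsec transform-set CLIENT-SET esp-aes esp-md5-hmac
!
! --- Interesting traffic. The facility (10.2.0.0/16) sees our whole inside
! --- network; the client (172.16.5.0/24) only ever sees one server.
access-list to_facility1 permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list to_client permit ip host 10.1.1.5 172.16.5.0 255.255.255.0
!
! --- One crypto map on the outside interface, one sequence number per peer.
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address to_facility1
crypto map outside_map 10 set peer 198.51.100.20
crypto map outside_map 10 set transform-set FACILITY-SET
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address to_client
crypto map outside_map 20 set peer 203.0.113.10
crypto map outside_map 20 set transform-set CLIENT-SET
crypto map outside_map interface outside
!
! --- Stop decrypted tunnel traffic from bypassing the outside ACL ...
no sysopt connection permit-ipsec
!
! --- ... so every tunnel's inbound traffic must now be permitted explicitly.
! --- Facility: full trust. Client: DNS over UDP to one server and the ICMP
! --- types the reply names; all client TCP falls to the implicit deny.
access-list outside_in permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list outside_in permit udp 172.16.5.0 255.255.255.0 host 10.1.1.5 eq domain
access-list outside_in permit icmp 172.16.5.0 255.255.255.0 10.1.0.0 255.255.0.0 time-exceeded
access-list outside_in permit icmp 172.16.5.0 255.255.255.0 10.1.0.0 255.255.0.0 unreachable
access-list outside_in permit icmp 172.16.5.0 255.255.255.0 10.1.0.0 255.255.0.0 echo-reply
access-group outside_in in interface outside
```

The order matters operationally: add the `outside_in` permits for the existing facility tunnels before issuing `no sysopt connection permit-ipsec`, or those tunnels will keep negotiating fine (`show isakmp sa`, `show crypto ipsec sa` still look healthy) while their decrypted traffic is silently dropped by the outside ACL. Keeping the `to_client` crypto ACL at the single-host level, rather than at the port level, also keeps the example valid on 6.2, which the reply notes cannot match ports in crypto map ACLs.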
