pix 515 2 ipsec tunnels

Discussion in 'Cisco' started by chackamakka, Sep 14, 2004.

  1. chackamakka

    chackamakka Guest

    Hi all,

    To be on the safe side, I would like a confirmation of whether the following
    config is correct or not. If not, what is wrong?

    access-list schenker-pab permit...
    access-list secure_OSS permit...
    crypto ipsec transform-set schenker-pab-set esp-3des esp-sha-hmac
    crypto ipsec transform-set secure_OSS-set esp-3des esp-md5-hmac
    crypto map pab-map 10 ipsec-isakmp
    crypto map pab-map 10 match address schenker-pab
    crypto map pab-map 10 set peer 194.172.90.136
    crypto map pab-map 10 set transform-set schenker-pab-set
    crypto map pab-map 10 set security-association lifetime seconds 3600 kilobytes 4608000
    crypto map pab-map 20 ipsec-isakmp
    crypto map pab-map 20 match address secure_OSS
    crypto map pab-map 20 set peer 194.39.181.125
    crypto map pab-map 20 set transform-set secure_OSS-set
    crypto map pab-map 20 set security-association lifetime seconds 7200 kilobytes 4608000
    crypto map pab-map interface outside
    isakmp enable outside
    isakmp key ********************* address 194.172.90.136 netmask 255.255.255.255
    isakmp key ********************* address 194.39.181.125 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400

    Thanks in advance.
    reg,
    Philippe
     
    chackamakka, Sep 14, 2004
    #1

  2. chackamakka

    mcaissie Guest

    So far so good, but also verify that:

    -- you don't NAT the traffic specified by access-lists schenker-pab and
    secure_OSS:
    access-list nonat permit...
    access-list nonat permit...
    nat (inside) 0 access-list nonat

    -- you also need
    sysopt connection permit-ipsec
    to allow tunneled traffic to bypass the access-groups applied on the inside and
    outside interfaces,
    or, if you want to be more granular in your tunneled-traffic filtering,
    remove sysopt connection permit-ipsec
    and filter the traffic with access-groups on inside and outside.
     
    mcaissie, Sep 15, 2004
    #2
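The cross-checks mcaissie lists (crypto ACL exempted from NAT via nat 0, a pre-shared key for every peer, the map bound to an interface, sysopt present) can be run mechanically over a PIX 6.x config. The following lint is an added example written for this thread, not code from either poster or from Cisco; the config it parses is a constructed sample that deliberately leaves the second tunnel incomplete, and the IP addresses and ACL names are taken from the thread.

```python
import re
from collections import defaultdict
# Constructed sample, not the thread's full config: tunnel 10 is complete,
# tunnel 20 lacks an ISAKMP key and a NAT exemption, and sysopt is missing.
SAMPLE = """\
access-list schenker-pab permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list secure_OSS permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map pab-map 10 match address schenker-pab
crypto map pab-map 10 set peer 194.172.90.136
crypto map pab-map 20 match address secure_OSS
crypto map pab-map 20 set peer 194.39.181.125
crypto map pab-map interface outside
isakmp key SECRET address 194.172.90.136 netmask 255.255.255.255
"""

def lint_pix_ipsec(config):
    """Cross-check a PIX 6.x crypto-map config and return a list of findings."""
    acls, keys, maps = defaultdict(set), set(), defaultdict(dict)
    nonat, applied, sysopt = None, {}, False
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if m := re.match(r"access-list (\S+) (permit .+)", line):
            acls[m[1]].add(m[2])                 # ACL name -> set of permit rules
        elif m := re.match(r"isakmp key \S+ address (\S+)", line):
            keys.add(m[1])                       # peers that have a pre-shared key
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            applied[m[1]] = m[2]                 # map name -> interface it is bound to
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer) (\S+)", line):
            maps[(m[1], m[2])][m[3]] = m[4]      # (map, seq) -> its settings
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            nonat = m[1]                         # ACL that exempts traffic from NAT
        elif line == "sysopt connection permit-ipsec":
            sysopt = True
    out = []
    for (name, seq), e in sorted(maps.items()):
        acl, peer = e.get("match address"), e.get("set peer")
        if acl and acl not in acls:
            out.append(f"{name} {seq}: access-list {acl} is not defined")
        elif acl and nonat and not acls[acl] <= acls[nonat]:
            out.append(f"{name} {seq}: {acl} traffic is not exempted from NAT by {nonat}")
        if peer and peer not in keys:
            out.append(f"{name} {seq}: no isakmp key for peer {peer}")
        if name not in applied:
            out.append(f"{name} {seq}: crypto map {name} is not applied to an interface")
    if nonat is None:
        out.append("no 'nat (inside) 0 access-list' exemption: tunnel traffic would be NATed")
    if not sysopt:
        out.append("sysopt connection permit-ipsec absent: access-groups must permit tunnel traffic")
    return out
```

Run it against `show run` output instead of SAMPLE; an empty list means the four checks pass, and every finding names the crypto-map entry it concerns.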