
Multi Site-To-Site VPN's on a PIX 506


bubarooni

Technical User
May 13, 2001
506
US
Thanks to the help of users on this board, I successfully got a site-to-site vpn working between a 1750 router and a PIX about a year ago. It's worked beautifully.

I now need to add another vpn for another site. The setup is identical as far as the ISP, service and equipment are concerned at the new site, so my plan is to pretty much copy the config that worked on the other router.

My question concerns the PIX. Do I just need to add a new crypto-map to it for the new router to connect to? I was gonna reuse the existing isakmp policy and isakmp key.

Thanks,
Kelly

 
You can use the same isakmp policy, but I would recommend you use a different preshared key. Now, regarding the crypto map: you need to use the same crypto map, since you can only apply one crypto map to an interface, but you need to use a different instance. So you would use, for example:

crypto map mymap 10 ... for the existing tunnel
crypto map mymap 20 ... for the new tunnel

Check out the link below, it may help you on your task:

 
OK, tell me if this looks close:

My current vpn info:

sysopt connection permit-ipsec
crypto ipsec transform-set s2s1trans esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set s2s1trans
crypto map s2s1ipsec 10 ipsec-isakmp
crypto map s2s1ipsec 10 match address ipsec
crypto map s2s1ipsec 10 set peer 66.xxx.xxx.xxx
crypto map s2s1ipsec 10 set transform-set s2s1trans
crypto map s2s1ipsec 10 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map s2s1ipsec 20 ipsec-isakmp dynamic dynmap
crypto map s2s1ipsec interface outside
isakmp enable outside
isakmp key ******** address 66.xxx.xxx.xx netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup washpix address-pool washoff
vpngroup washpix dns-server 192.xxx.x.xxx
vpngroup washpix wins-server 192.xxx.x.x
vpngroup washpix default-domain xxxxx.com
vpngroup washpix idle-time 3600
vpngroup washpix password ********

Do I just add another crypto map instance like this:

crypto map s2s1ipsec 40 ipsec-isakmp
crypto map s2s1ipsec 40 match address ipsec
crypto map s2s1ipsec 40 set peer 77.xxx.xxx.xxx
crypto map s2s1ipsec 40 set transform-set s2s1trans
crypto map s2s1ipsec 40 set security-association lifetime seconds 86400 kilobytes 4608000

And another isakmp key for the new router's 77.xxx.xxx.xxx address like this:

isakmp key ******** address 77.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode


I was expecting something far more complicated...

Thanks Again

PS: I know DES is worthless, but I haven't got the boss to spring for 3DES or AES yet.

 
Not quite that simple... You still need the ACLs to bypass NAT and the ACL defining interesting traffic. You shouldn't use the same crypto ACL (crypto map s2s1ipsec 40 match address ipsec) to define interesting traffic; configure a different ACL. Use the link I provided earlier as a guideline.
 
Whew!!! Good point. Current access list for the existing site-to-site is:

access-list ipsec permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0

Just add these for the new site for the same effect?

access-list ipsec permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0


 
Upon closer reading of your post and the link I think this is what you were indicating:

access-list ipsec1 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list nonat1 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0

crypto map s2s1ipsec 40 match address ipsec1

Thanks for your help and the link.
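An added example, not code from the thread or from Cisco: a small Python checker that parses PIX-style crypto map, access-list and isakmp key lines and flags the two things themut's replies warn about, a crypto ACL shared between static map entries and a static peer with no isakmp key of its own. The sample config and the 66.0.0.1 / 77.0.0.1 peer addresses are constructed for the example.

```python
import re
from collections import defaultdict
# Constructed sample (not the thread's config): entry 40 reuses the 'ipsec' ACL and its peer has no isakmp key.
SAMPLE_CONFIG = """\
access-list ipsec permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
crypto map s2s1ipsec 10 ipsec-isakmp
crypto map s2s1ipsec 10 match address ipsec
crypto map s2s1ipsec 10 set peer 66.0.0.1
crypto map s2s1ipsec 40 ipsec-isakmp
crypto map s2s1ipsec 40 match address ipsec
crypto map s2s1ipsec 40 set peer 77.0.0.1
crypto map s2s1ipsec 20 ipsec-isakmp dynamic dynmap
isakmp key ******** address 66.0.0.1 netmask 255.255.255.255 no-xauth no-config-mode
"""
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
KEY_RE = re.compile(r"^isakmp key \S+ address (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) ")

def check_crypto_maps(config):
    """Return sorted findings for a PIX config text; an empty list means nothing was flagged."""
    entries = defaultdict(dict)      # (map name, seq) -> acl / peer / dynamic
    keys, acls = set(), set()        # peers that have an isakmp key, ACL names defined
    for line in map(str.strip, config.splitlines()):
        if m := MAP_RE.match(line):
            name, seq, rest = m.groups()
            entry, words = entries[(name, int(seq))], rest.split()
            if rest.startswith("match address "):
                entry["acl"] = words[2]
            elif rest.startswith("set peer "):
                entry["peer"] = words[2]
            elif "dynamic" in words:
                entry["dynamic"] = True  # dynamic entries carry no static ACL or peer
        elif m := KEY_RE.match(line):
            keys.add(m.group(1))
        elif m := ACL_RE.match(line):
            acls.add(m.group(1))
    findings, acl_users = [], defaultdict(list)
    for (name, seq), entry in entries.items():
        if entry.get("dynamic"):
            continue
        acl, peer = entry.get("acl"), entry.get("peer")
        if acl not in acls:
            findings.append(f"{name} {seq}: crypto ACL {acl!r} missing or not defined")
        else:
            acl_users[acl].append(f"{name} {seq}")
        if peer and peer not in keys:
            findings.append(f"{name} {seq}: no isakmp key for peer {peer}")
    findings += [f"crypto ACL '{a}' shared by {', '.join(u)}; use one ACL per tunnel"
                 for a, u in acl_users.items() if len(u) > 1]
    return sorted(findings)
```

Running `check_crypto_maps(SAMPLE_CONFIG)` reports the shared ACL and the missing key for the second peer; with a separate `ipsec1` ACL and a second isakmp key line, as in the final config above, it reports nothing.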
 
Hi themut,

Thanks for your help on this. I finally got the service installed yesterday at the new location and the vpn is working perfectly.

Thanks Again
 