Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Multi VPN Setup 1

Status
Not open for further replies.
doctorj227

doctorj227

IS-IT--Management
Aug 11, 2001
12
US
Hello all
I have a question, that maybe someone can answer or point me to the correct solution. Anyway I have a 4 sites using pix firewalls, the main site has a T1 line to the internet, and a 506e pix, the other 3 remote sites have dsl connections to the internet and they are using 501 pix. The main site has static IP's and of course the remote sites are dynamic. All the sites are up and running, but now they want to implement VPN access from remote to main.

I know how to setup VPN access back to main, using static IP's all around. But since the remote sites are using Dynamic IP's, I am a little confused. Do I need to setup multiple isakmp key's. For example
isakmp key "key1" address 0.0.0.0 netmask 0.0.0.0
isakmp key "key2" address 0.0.0.0 netmask 0.0.0.0
isakmp key "key3" address 0.0.0.0 netmask 0.0.0.0

And how about my crypto map? Will this work?
crypto ipsec transform-set doset esp-des esp-md5-hmac
crypto dynamic-map mymap 1 set-transform doset
crypto map dyn-map 20 ipsec-isakmp dynamic myset
crypto map dyn-map 30 ipsec-isakmp dynamic myset
crypto map dyn-map 40 ipsec-isakmp dynamic myset

Any help or comments will be helpful.
Thanks
 
Sort by date Sort by votes
The easiest way to accomplish this task is configuring the 506 as an EZVPN server and the 501s as EZVPN clients. The link below is an excellent guideline:


Another option is to configure a dynamic to static IPSec tunnels. As you are planning to do, the link below gives you an example on how to do it:

 
Upvote 0 Downvote
Thanks I'll check them out, by the way is the easyvpn server and client software? And if it is where do I get it?
 
Upvote 0 Downvote
The EZVP server is a feature available on the 6.0 code or greater while the EZVPN client is available on 6.2 or above. In your case make sure you are running at least 6.0 on the 506 and 6.2 on the 501s. If you want stability I would advise you to run 6.2(3) on all of them but if you want more features then you may need 6.3(3).
 
Upvote 0 Downvote
Thanks
I upgraded all The Pix'es to 6.3(3), setup the 506E as the Easy VPN server and the 501's as Easy VPN clients and wow it all worked. The 501's all use dynamic IP's. I had to add less then 10 lines of CL code. Of course I did have to tweak a little, but all in all, everything works.
Thanks for the pointers.....
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
284
intel233
intel233
ISDPCMAN
  • Locked
  • Question
RDP fails over VPN
Replies
1
Views
122
gkittelson
gkittelson
Shmid
  • Locked
  • Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
353
Shmid
Shmid
WhosYourDiffie
  • Locked
  • Question
Cisco ASA 5506 VPN for Avaya Phones
Replies
0
Views
86
WhosYourDiffie
WhosYourDiffie
ITSUPPORTIT
  • Locked
  • Question
VPN from ASA 5510 and RV215W problem
Replies
0
Views
77
ITSUPPORTIT
ITSUPPORTIT

Part and Inventory Search

Sponsor

Back
Top