Need help setting up PIX2PIX VPN Tunnel

skhoury (IS-IT--Management), Nov 28, 2003
Hello all,

Ok, here is the scenario: (Any help would be greatly appreciated!)

I have a PIX515E running 7.02 at my corporate side
I have a PIX515E running 7.02 at my production side

** What we want is simply to give all of our local inside network access to the local network in production **

Now, we would like to have a VPN tunnel built between the two.

So far, here is what I have done:
I am using the ASDM VPN Wizard on the corporate side to help create the tunnel.

I've selected the IKE parameters, and the IPSec parameters.
Selected pre-shared key and picked the key.
Named the group the IP address of the PIX in production.

Ok, so here is where I am getting confused:
What IP address/interfaces am I supposed to select when the wizard asks me to specify local hosts and networks?

My instinct tells me to assign our local network of 192.168.1.x on the inside interface access.
Is this wrong, should I be assigning our outside addresses instead?

Next, the Wizard asks to specify the remote hosts and networks.

Again, my instinct tells me to assign the local network of the production 192.168.10.x on the inside interface (but it throws an error saying it doesn't exist on the PIX).

So basically, what am I getting wrong and not understanding here?

Any help would be much appreciated!

thanks,

Sam

Does this make sense?
 
Not familiar with the wizard, but basically if you want to enter the stuff at the command interface, here is what you need. For the example, here are the IP addresses used.
corporate inside (192.168.10.0)
corporate outside (172.29.2.1)
production inside (10.1.10.0)
production outside (172.33.2.1)

corporate pix
#This defines traffic to be sent through tunnel
access-list tunnell_this permit ip 192.168.10.0 255.255.255.0 10.1.10.0 255.255.255.0
#This defines traffic to exempt from nat
access-list no_nat permit ip 192.168.10.0 255.255.255.0 10.1.10.0 255.255.255.0
#This tells it to exempt any traffic matching access-list no_nat from being natted.
nat (inside) 0 access-list no_nat
#Permits vpn traffic
sysopt connection permit-ipsec
#Sets up encryption
crypto ipsec transform-set myset esp-aes esp-md5-hmac
#tells it to send traffic matching access-list tunnell_this through the vpn tunnel
crypto map newmap 20 match address tunnell_this
crypto map newmap 20 set peer 172.33.2.1
crypto map newmap 20 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 172.33.2.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

production pix
#This defines traffic to be sent through tunnel
access-list tunnell_this permit ip 10.1.10.0 255.255.255.0 192.168.10.0 255.255.255.0
#This defines traffic to exempt from nat
access-list no_nat permit ip 10.1.10.0 255.255.255.0 192.168.10.0 255.255.255.0
#This tells it to exempt any traffic matching access-list no_nat from being natted.
nat (inside) 0 access-list no_nat
#Permits vpn traffic
sysopt connection permit-ipsec
#Sets up encryption
crypto ipsec transform-set myset esp-aes esp-md5-hmac
#tells it to send traffic matching access-list tunnell_this through the vpn tunnel
crypto map newmap 20 match address tunnell_this
crypto map newmap 20 set peer 172.29.2.1
crypto map newmap 20 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 172.29.2.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400


Hope that helps. Once you have that, you can also lock down the access-list tunnell_this to only allow specified traffic. The example above allows all IP traffic, which is not as good, because if you have a worm in production it can spread to corporate over the VPN tunnel. So best practice is to lock it down. Hope that helps.
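Added example, not part of the thread: a small Python cross-check of the two PIX configs for the slips a copy-pasted pair of sides invites, namely each side's crypto-map peer and isakmp key address must be the OTHER side's outside address, the crypto ACLs must be exact mirror images, and it flags a crypto ACL that still permits all IP traffic between the sites (the lock-down point above). The sample configs and the names parse_pix_vpn and check_pair are constructed for this example.

```python
import re

# Constructed sample configs (not from the thread), using the reply's addressing:
# corporate 192.168.10.0/24 behind 172.29.2.1, production 10.1.10.0/24 behind 172.33.2.1.
CORP_OUTSIDE, PROD_OUTSIDE = "172.29.2.1", "172.33.2.1"
CORP_CFG = """
access-list tunnell_this permit ip 192.168.10.0 255.255.255.0 10.1.10.0 255.255.255.0
crypto map newmap 20 match address tunnell_this
crypto map newmap 20 set peer 172.33.2.1
isakmp key ******** address 172.33.2.1 netmask 255.255.255.255
"""
# Production side with the peer left pointing at its own outside address: the slip to catch.
PROD_CFG_BAD = """
access-list tunnell_this permit ip 10.1.10.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map newmap 20 match address tunnell_this
crypto map newmap 20 set peer 172.33.2.1
isakmp key ******** address 172.33.2.1 netmask 255.255.255.255
"""

def parse_pix_vpn(cfg):
    """Pull the ACLs, the crypto ACL name, crypto-map peers and isakmp key addresses out of a PIX config."""
    out = {"acls": {}, "match": None, "peers": set(), "keys": set()}
    for line in cfg.splitlines():
        if m := re.match(r"access-list (\S+) permit (\S+) (\S+) (\S+) (\S+) (\S+)", line):
            out["acls"].setdefault(m[1], []).append(m.groups()[1:])  # (proto, src, smask, dst, dmask)
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            out["match"] = m[1]
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", line):
            out["peers"].add(m[1])
        elif m := re.match(r"isakmp key \S+ address (\S+)", line):
            out["keys"].add(m[1])
    return out

def check_pair(corp_cfg, prod_cfg, corp_outside, prod_outside):
    """Cross-check both sides; returns a list of findings (empty means they agree)."""
    a, b = parse_pix_vpn(corp_cfg), parse_pix_vpn(prod_cfg)
    findings = []
    for side, cfg, peer in (("corporate", a, prod_outside), ("production", b, corp_outside)):
        if cfg["peers"] != {peer}:  # each side must point at the OTHER side's outside address
            findings.append(f"{side}: crypto map peer {sorted(cfg['peers'])} should be {peer}")
        if cfg["keys"] != {peer}:  # and the pre-shared key must be bound to that same peer
            findings.append(f"{side}: isakmp key address {sorted(cfg['keys'])} should be {peer}")
        if any(e[0] == "ip" for e in cfg["acls"].get(cfg["match"], [])):
            findings.append(f"{side}: {cfg['match']} permits all IP traffic between the sites")
    # The crypto ACL on one side must be the exact mirror image of the other's.
    mirror = [(p, d, dm, s, sm) for p, s, sm, d, dm in a["acls"].get(a["match"], [])]
    if mirror != b["acls"].get(b["match"], []):
        findings.append("crypto ACLs are not mirror images of each other")
    return findings
```

Run check_pair on the text of both sides before you bring the tunnel up; with the sample production config it reports the wrong peer and key address, and once those are corrected only the two "permits all IP traffic" reminders remain.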
 
This is exactly what I was looking for! Thanks so much for the commands. Also, good point on the ACL lock down. I am going to initially open all of it up for testing purposes, then slowly tighten the bolt until only the necessary ports are open.

Thanks!!
 