
PIX - PIX - PIX Hub and Spoke question

Status
Not open for further replies.

Chipz (MIS), Aug 27, 2001, US
Hello everyone.

I have a central office with a Pix506 that has a static IP address and I have a pix 501 in a remote office that has a static address. These two pixes are tunneling IPsec traffic just fine. However, now I wish to add a third Pix (also 501)in a new remote office which has a dynamically assigned ip address. Is it possible to accomplish a hub and spoke with a mixture of both static and dynamic addressed endpoints?
I also have clients connecting to the hub via PPTP and wish to allow them to continue connecting.

If possible any configuration examples would be appreciated.

Best Regards,
Chip Edwards
 
HI.

> Is it possible to accomplish a hub and spoke with a mixture of both static and dynamic addressed endpoints?
Yes.
The crypto map entry for the dynamic ip address should have the lowest priority (highest number).

My suggestion is to configure the main pix 506 for incoming Cisco VPN client connections (with XAUTH).
This can then be used by the pix501 with the dynamic address (configured as "Easy VPN Remote" client), and also for migrating the roaming PPTP clients to Cisco VPN, which is more secure than PPTP.
After the migration, disable PPTP.

Bye


Yizhar Hurwitz
 
Thank you Yizhar,

I will attempt to implement your suggestion.

Is it correct that I can only apply a single crypto map to an interface?
If this is the case (in order to implement your suggestion) I assume I would have to include lines that approximate the following:
crypto ipsec transform-set my_set esp-3des esp-md5-hmac
crypto dynamic-map dynmap 20 set transform-set vpnclnt
crypto map mymap 10 ipsec-isakmp
## peer below is the static address
crypto map mymap 10 set peer xxx.xxx.xxx.xxx
crypto map mymap 10 set transform-set my_set
crypto map mymap 10 set security-association lifetime seconds 28800 kilobytes 4608000
## map statements for dynamic addressed pix
crypto map mymap 20 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
isakmp enable outside

Then setup the policies as I see fit.

Any guidance is appreciated.

Best Regards,
Chip

 
HI.

> crypto dynamic-map dynmap 20 set transform-set vpnclnt
You need a matching "crypto ipsec transform-set" which is missing in your sample.
Or you can use the same transform-set for both site to site and client connections.

The sample config you posted seems fine. Please let us know the results.

Bye


Yizhar Hurwitz
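As an added example (not code from this thread) covering both of Yizhar's points, the ordering rule for the dynamic entry and the undefined transform-set: a small Python lint for a PIX 6.x-style crypto map that flags a transform-set referenced but never defined and a dynamic entry whose sequence number is not above every static entry. The config text and the peer address are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the config posted above: static peer at
# sequence 10, dynamic entry at 20, and a transform-set "vpnclnt" that is
# never defined (the defect pointed out in the reply). Peer IP is a placeholder.
SAMPLE_CONFIG = """\
crypto ipsec transform-set my_set esp-3des esp-md5-hmac
crypto dynamic-map dynmap 20 set transform-set vpnclnt
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 set peer 203.0.113.10
crypto map mymap 10 set transform-set my_set
crypto map mymap 20 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
"""

def lint_crypto_map(config: str) -> List[str]:
    """Return problems found in a PIX 6.x style crypto map configuration."""
    defined = set()
    referenced: Dict[str, str] = {}  # transform-set name -> first line using it
    static_seqs: List[int] = []
    dynamic_seqs: List[int] = []
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"crypto ipsec transform-set (\S+)", line)
        if m:
            defined.add(m.group(1))
            continue
        m = re.match(r"crypto (?:dynamic-)?map \S+ \d+ set transform-set (.+)", line)
        if m:  # an entry may list several transform-sets; record each one
            for name in m.group(1).split():
                referenced.setdefault(name, line)
            continue
        m = re.match(r"crypto map \S+ (\d+) ipsec-isakmp dynamic \S+", line)
        if m:
            dynamic_seqs.append(int(m.group(1)))
            continue
        m = re.match(r"crypto map \S+ (\d+) ipsec-isakmp$", line)
        if m:
            static_seqs.append(int(m.group(1)))
    problems = []
    for name, line in referenced.items():
        if name not in defined:
            problems.append(f"transform-set '{name}' is referenced but never defined: {line}")
    # A dynamic entry matches any peer, so static entries must be tried first.
    for seq in dynamic_seqs:
        if any(seq <= s for s in static_seqs):
            problems.append(f"dynamic entry {seq} must come after every static entry {static_seqs}")
    return problems
```

Run `lint_crypto_map` over a saved `show run` excerpt; an empty list means both checks passed.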
 