
PIX to PIX VPN Access to workgroup

Status
Not open for further replies.

GM2005

ISP
Sep 28, 2005
118
GB
Hi

I have my PIX to PIX VPN configuration in place, but am wondering if this is all I will need in order for users to access workstations behind one of the PIX from workstations behind the other. Do I need statics as well or does the tunnel allow users full access between sites through the tunnel?

I knew this once............
 
Once the tunnel is instantiated, it's just like having a network cable between the machines; the tunnel should pass everything.
 
You will need a no nat translation for the networks. Post your config.
 
Thanks for that guys, I needed a sanity check as I seem to have forgotten more than I know. Config below:

interface ethernet0 auto shutdown
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxxxx
passwd xxxxxxxxxxxxxxxxxxxxxxxxxx
hostname syn-hw
domain-name none
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 103 permit ip 192.168.16.0 255.255.255.0 192.168.32.0 255.255.255.0

access-list 104 permit ip 192.168.16.0 255.255.255.0 192.168.48.0 255.255.255.0

access-list 101 permit ip 192.168.16.0 255.255.255.0 192.168.32.0 255.255.255.0

access-list 102 permit ip 192.168.16.0 255.255.255.0 192.168.48.0 255.255.255.0

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x4 255.255.255.252
ip address inside 192.168.16.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set highwycombe esp-des esp-md5-hmac
crypto map hwtocorby 1 ipsec-isakmp
crypto map hwtocorby 1 match address 103
crypto map hwtocorby 1 set peer x.x.x.x
crypto map hwtocorby 1 set transform-set highwycombe
crypto map hwtoUS 1 ipsec-isakmp
crypto map hwtoUS 1 match address 104
crypto map hwtoUS 1 set peer x.x.x.x
crypto map hwtoUS 1 set transform-set highwycombe
crypto map hwtoUS interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
 
I've spotted an error in the crypto map statements. There are two separate tunnels, but I notice when I put the config in, there is only one map tied to the outside interface. I'll need to take a look at that.
 
Let's try again with that config:

interface ethernet0 auto shutdown
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password VuQEu7Tw encrypted
passwd VuQEu7Tw encrypted
hostname syn-hw
domain-name synergyflavours

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

names

access-list 103 permit ip 192.168.16.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list 104 permit ip 192.168.16.0 255.255.255.0 192.168.48.0 255.255.255.0
access-list 101 permit ip 192.168.16.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list 102 permit ip 192.168.16.0 255.255.255.0 192.168.48.0 255.255.255.0


pager lines 24
logging history notifications

mtu outside 1500
mtu inside 1500


ip address outside 80.68.58.74 255.255.255.252
ip address inside 192.168.16.254 255.255.255.0

ip audit info action alarm
ip audit attack action alarm

pdm history enable
arp timeout 14400
global (outside) 1 interface


nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 80.68.58.73 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local

snmp-server host outside 80.68.32.18
snmp-server host outside 80.68.34.45
snmp-server host outside 80.68.34.56
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps

floodguard enable
sysopt connection permit-ipsec

crypto ipsec transform-set highwycombe esp-des esp-md5-hmac
crypto map synergy 10 ipsec-isakmp
crypto map synergy 10 match address 103
crypto map synergy 10 set peer 80.68.58.78
crypto map synergy 10 set transform-set highwycombe

crypto map synergy 20 ipsec-isakmp
crypto map synergy 20 match address 104
crypto map synergy 20 set peer 80.68.58.118
crypto map synergy 20 set transform-set highwycombe
crypto map synergy interface outside


isakmp enable outside
isakmp key synergy address 80.68.58.78 netmask 255.255.255.255
isakmp key synergy address 80.68.58.118 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000


telnet 80.68.34.56 255.255.255.255 outside
telnet 80.68.34.45 255.255.255.255 outside
telnet 80.68.32.18 255.255.255.255 outside
telnet timeout 5

ssh timeout 5
console timeout 0
terminal width 80
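A small checker for the two points raised in this thread (traffic to the remote site must be exempted with a nat 0 access-list, and every crypto map must be bound to the outside interface), added here as an example and not part of the original post. It assumes the PIX 6.x syntax shown above; the sample input is a condensed, constructed excerpt of the posted config with peer addresses omitted.

```python
import re

# Condensed excerpt of the PIX 6.x configuration posted above (constructed sample
# input: only the lines these checks read, peer addresses omitted).
SAMPLE_CONFIG = """\
access-list 103 permit ip 192.168.16.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list 104 permit ip 192.168.16.0 255.255.255.0 192.168.48.0 255.255.255.0
access-list 102 permit ip 192.168.16.0 255.255.255.0 192.168.48.0 255.255.255.0
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map synergy 10 ipsec-isakmp
crypto map synergy 10 match address 103
crypto map synergy 20 ipsec-isakmp
crypto map synergy 20 match address 104
crypto map synergy interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+ \S+) (\S+ \S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) \d+ match address (\S+)$")
BIND_RE = re.compile(r"^crypto map (\S+) interface \S+$")


def check_vpn_config(config):
    """Return human-readable findings for a PIX 6.x site-to-site VPN config."""
    acls, nat0_ids, map_acls, bound_maps = {}, set(), {}, set()
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], set()).add((m[2], m[3]))   # (src, dst) pair
        elif m := NAT0_RE.match(line):
            nat0_ids.add(m[1])                                # ACLs used by nat 0
        elif m := MATCH_RE.match(line):
            map_acls.setdefault(m[1], []).append(m[2])        # crypto ACL per map
        elif m := BIND_RE.match(line):
            bound_maps.add(m[1])                              # maps on an interface
    # Every (src, dst) flow that the nat 0 statements exempt from translation.
    exempt = set().union(*(acls.get(i, set()) for i in nat0_ids))
    findings = []
    for name, acl_ids in map_acls.items():
        if name not in bound_maps:
            findings.append(f"crypto map {name} is not applied to any interface")
        for acl_id in acl_ids:
            for src, dst in sorted(acls.get(acl_id, set()) - exempt):
                findings.append(f"crypto ACL {acl_id}: {src} -> {dst} is not "
                                "exempted from NAT (add it to the nat 0 access-list)")
    return findings


if __name__ == "__main__":
    for finding in check_vpn_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the posted config, it reports that the 192.168.32.0 flow matched by ACL 103 is still translated by the PAT rule, so it never matches the crypto ACL; adding that network to the nat 0 access-list clears the finding.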
 