Site to Site config w/ remote access

Status
Not open for further replies.

llneverfollowll (IS-IT--Management, US)
Jul 28, 2006
Hey guys, your help is appreciated. I am in the works of getting a hub-and-spoke VPN up between a central hub (vpn3005) and 3 remote offices with PIX515Es. Right now I am working on one of the PIX configurations, which currently has a dynamic crypto/isakmp for remote client VPN connections. Given that, I am working in the static crypto mappings for the site-to-site to the vpn3005 concentrator. I have worked out the acl/crypto/isakmp config. I will paste it below. If you could just take a look and let me know if it looks good before I implement it, it would be greatly appreciated. Thanks

*Already In Config:

access-list inside_outbound_nat0_acl permit ip any 192.168.31.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.32.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.31.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.32.0 255.255.255.0


*ADD to access-list for nat (inside) 0:

access-list inside_outbound_nat0_acl permit ip 192.168.11.0 255.255.255.0


*Add to access-list to correlate ACL with crypto map below:

access-list outside_cryptomap_stat_10 permit ip 192.168.11.0 255.255.255.0


*Already In Config:

nat (inside) 0 access-list inside_outbound_nat0_acl



*Already In Crypto/Isakmp Config:

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

*Add To Current Crypto/Isakmp Config:


crypto map stat_map 10 ipsec-isakmp
crypto map stat_map 10 match address outside_cryptomap_stat_10
crypto map stat_map 10 set peer x.x.x.x
crypto map stat_map 10 set transform-set ESP-DES-MD5

isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-shared
isakmp policy 10 encryption des
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Thanks again
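
An added example, not part of the original post: a small Python check run over lines taken from the configuration above. It reports `permit ip` ACL entries that lack a source or destination, crypto map entries filed under a name that is not attached to an interface (a PIX evaluates only the map bound with `crypto map <name> interface <if>`), single DES or MD5 in transform sets and ISAKMP policies, and an `authentication` keyword other than `pre-share` or `rsa-sig`. The rule names and the `lint` and `addr_specs` helpers are this example's own assumptions.

```python
# Added example: lint PIX 6.x-style VPN lines. The rules are this example's assumptions.
SAMPLE = """\
access-list inside_outbound_nat0_acl permit ip any 192.168.31.0 255.255.255.0
access-list outside_cryptomap_stat_10 permit ip 192.168.11.0 255.255.255.0
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map stat_map 10 ipsec-isakmp
crypto map stat_map 10 match address outside_cryptomap_stat_10
isakmp policy 10 authentication pre-shared
isakmp policy 10 encryption des
isakmp policy 20 authentication pre-share
isakmp policy 20 hash md5
"""  # constructed sample: lines taken from the post above

WEAK = {"des", "esp-des", "md5", "esp-md5-hmac"}  # single DES and MD5
AUTH = {"pre-share", "rsa-sig"}                   # PIX isakmp authentication keywords

def addr_specs(tokens):
    """Count address specs in an ACL tail: 'any', 'host A' or 'A MASK'."""
    count = i = 0
    while i < len(tokens):
        i += 1 if tokens[i] == "any" else 2
        count += 1
    return count

def lint(config):
    """Return (rule, line) findings for the config text."""
    rows = [l.split() for l in config.splitlines() if l.strip()]
    # Crypto map names attached to an interface; entries under other names are never used.
    bound = {t[2] for t in rows if t[:2] == ["crypto", "map"] and t[3:4] == ["interface"]}
    out = []
    for t in rows:
        line = " ".join(t)
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"] and addr_specs(t[4:]) < 2:
            out.append(("acl-needs-source-and-destination", line))
        if t[:2] == ["crypto", "map"] and t[3:4] and t[3].isdigit() and t[2] not in bound:
            out.append(("crypto-map-not-bound-to-interface", line))
        if t[:3] == ["crypto", "ipsec", "transform-set"] and WEAK & set(t[4:]):
            out.append(("weak-algorithm", line))
        if t[:2] == ["isakmp", "policy"] and t[3:4] in (["encryption"], ["hash"]) and WEAK & set(t[4:]):
            out.append(("weak-algorithm", line))
        if t[:2] == ["isakmp", "policy"] and t[3:4] == ["authentication"] and not AUTH & set(t[4:]):
            out.append(("unknown-auth-keyword", line))
    return out

if __name__ == "__main__":
    for rule, line in lint(SAMPLE):
        print(f"{rule}: {line}")
```
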
 