Hello everyone:
I need some help on setting up Site to Site PIX VPN and Netscreen on the remote side. I have an existing VPN setup on the PIX for our remote users version 6.3(3). Please see below for my existing VPN configs:
access-list 101 permit ip 192.168.142.0 255.255.254.0 172.16.1.0 255.255.255.0
access-list 101 permit icmp any any
ip local pool vpnusers 172.16.1.100-172.16.1.150
ip local pool vpntemp 172.16.1.160-172.16.1.170
global (outside) 1 216.xxx.xxx.xxx
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local vpnusers outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpngoo address-pool vpnusers
vpngroup vpngoo dns-server 151.xxx.xxx.xxx 151.xxx.xxx.xxx
vpngroup vpngoo wins-server 192.168.143.246
vpngroup vpngoo default-domain vpndtest.com
vpngroup vpngoo split-tunnel 101
vpngroup vpngoo idle-time 1800
vpngroup vpngoo password xxxxx
vpngroup vpngsm idle-time 1800
vpngroup vpntempu address-pool vpntemp
vpngroup vpntempu dns-server 151.xxx.xxx.xxx 151.xxx.xxx.xxx
vpngroup vpntempu wins-server 192.168.143.246
vpngroup vpntempu default-domain vpndtest.com
vpngroup vpntempu split-tunnel 101
vpngroup vpntempu idle-time 1800
vpngroup vpntempu password xxxxx
====================================
Goal: to set up Site to Site PIX VPN and Netscreen:
access-list nonat permit ip 192.168.143.240 255.255.255.248 172.16.100.0 255.255.254.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set mytrans esp-3des esp-sha-hmac
crypto map mymap 8 ipsec-isakmp
crypto map mymap 8 match address nonat
crypto map mymap 8 set pfs group2
crypto map mymap 8 set peer 202.151.xxx.xxx
crypto map mymap 8 set transform-set mytrans
DO NOT apply - remove first, then re-apply - crypto map mymap interface outside
isakmp key Mensam1ndig address 202.151.xxx.xxx netmask 255.255.255.255
isakmp identity address
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash sha
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
===============================
Please help if this is the correct way to set up the Site to Site PIX VPN with Netscreen at the remote end.
Thank you all in advance:
ralwyn
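An added example, not part of the original post: a small Python check that merges the existing remote-access lines with the proposed site-to-site lines and reports where they interact. The names `lint` and `MERGED` are hypothetical, the pre-shared keys are masked, and check 1 assumes PIX 6.x keeps only one `nat 0 access-list` per interface.

```python
import re

# Constructed input: the existing and proposed lines from the post that
# interact, merged as they would sit on one PIX (key masked).
MERGED = """\
nat (inside) 0 access-list 101
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
nat (inside) 0 access-list nonat
crypto map mymap 8 ipsec-isakmp
crypto map mymap 8 set peer 202.151.xxx.xxx
isakmp key ******** address 202.151.xxx.xxx netmask 255.255.255.255
"""

def lint(config):
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []

    # 1. Assumption: PIX 6.x keeps one NAT-exemption ACL per interface, so a
    #    second "nat (if) 0 access-list" displaces the first.
    exempt = {}
    for l in lines:
        m = re.match(r"nat \((\S+)\) 0 access-list (\S+)$", l)
        if m:
            exempt.setdefault(m.group(1), []).append(m.group(2))
    for ifc, acls in exempt.items():
        if len(set(acls)) > 1:
            findings.append(("nat0-replaced", ifc, acls))

    # 2. A static peer entry must have a lower sequence number than the dynamic one.
    dyn = [int(m.group(1)) for l in lines
           if (m := re.match(r"crypto map \S+ (\d+) ipsec-isakmp dynamic ", l))]
    for l in lines:
        m = re.match(r"crypto map \S+ (\d+) set peer ", l)
        if m and dyn and int(m.group(1)) >= min(dyn):
            findings.append(("static-after-dynamic", int(m.group(1)), min(dyn)))

    # 3. Client features on the map hit every peer unless its key line opts out.
    needed = [flag for flag, pat in (("no-config-mode", "configuration address"),
                                     ("no-xauth", "authentication"))
              if any(re.match(rf"crypto map \S+ client {pat}", l) for l in lines)]
    for l in lines:
        m = re.match(r"isakmp key \S+ address (\S+) netmask 255\.255\.255\.255(.*)$", l)
        missing = [f for f in needed if m and f not in m.group(2).split()]
        if missing:
            findings.append(("peer-key-flags", m.group(1), missing))
    return findings
```

`lint(MERGED)` returns two findings: the second NAT-exemption ACL on `inside`, and the peer key line lacking `no-config-mode`; the sequence numbers (8 before 10) pass.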