
Stumped on PIX VPN

Status: Not open for further replies.

VivSavage (Technical User), May 2, 2005, US
Thanks in advance for your help. I'm having trouble setting up VPNs between my PIX and two others. Following is the pertinent information (I think) from my PIX config. My internal address is 172.16.0.0 and the addresses for the other sites are 192.168.1.0 and 192.168.2.0. CompanyA (192.168.1.0) needs to access any host on my side while CompanyB's (192.168.2.0) access needs to be limited to 2 specific hosts.

At present, the 'crypto map vpn interface outside' is not active on my configuration as when I invoked that yesterday, my site lost connectivity to the Internet.

PIX Version 6.1(2)

access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any host 172.16.1.2 eq smtp
access-list outside_access_in permit tcp any host 172.16.1.3 eq www
access-list outside_access_in permit tcp any host 172.16.1.3 eq 443
access-list outside_access_in permit tcp any host 172.16.1.4 eq 1494
access-list outside_access_in permit udp any host 172.16.1.4 eq 1604
access-list outside_access_in permit ip 192.168.2.0 255.255.255.0 host 172.16.1.5
access-list outside_access_in permit ip 192.168.2.0 255.255.255.0 host 172.16.1.6
access-list outside_access_in permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0

access-list companya_vpn permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0

access-list companyb_vpn permit ip host 172.16.1.5 192.168.2.0 255.255.255.0
access-list companyb_vpn permit ip host 172.16.1.6 192.168.2.0 255.255.255.0

access-list NoNAT permit ip 172.16.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list NoNAT permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0

ip address outside 12.X.X.X 255.255.255.248
ip address inside 172.16.1.1 255.255.0.0

global (outside) 1 interface

nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 12.X.X.X 1
route inside 172.16.0.0 255.0.0.0 172.16.1.2 1

sysopt connection permit-ipsec

crypto ipsec transform-set companyb_set esp-des esp-md5-hmac
crypto ipsec transform-set companya_set esp-des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address companyb_vpn
crypto map vpn 10 set peer 68.X.X.X
crypto map vpn 10 set transform-set companyb_set
crypto map vpn 15 ipsec-isakmp
crypto map vpn 15 match address companya_vpn
crypto map vpn 15 set peer 66.X.X.X
crypto map vpn 15 set transform-set companya_set
crypto map vpn interface outside

isakmp enable outside
isakmp key ******** address 68.X.X.X netmask 255.255.255.224
isakmp key ******** address 66.X.X.X netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash sha
isakmp policy 15 group 1
isakmp policy 15 lifetime 86400

In my limited knowledge of PIX, it seems like it oughta work, but obviously I'm missing something. Any thoughts? Thanks again.
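As an added example (not part of the original post, and not Cisco tooling): a small Python checker that parses a PIX 6.x-style excerpt modelled on the configuration above and runs the sanity checks worth doing before binding a crypto map to the outside interface. It verifies that each crypto map entry references an access-list, transform-set and peer that actually exist (with an isakmp key for that peer), that every crypto ACE falls inside the nat 0 access-list so the traffic is not translated before it reaches the crypto map, that pre-shared keys are scoped to a /32 rather than a wildcard netmask, that no DES/MD5/DH group 1 algorithms are in use, and that each route's network is consistent with its mask. The config text is constructed; the public addresses are RFC 5737 documentation placeholders standing in for the masked 12.X.X.X, 68.X.X.X and 66.X.X.X values, and only the lines relevant to the tunnel are reproduced.

```python
"""Consistency checks for a PIX 6.x site-to-site IPsec config excerpt (constructed example
modelled on the post above; public IPs are RFC 5737 placeholders for the masked X.X.X values)."""
import ipaddress
from collections import defaultdict

PIX_CONFIG = """
access-list companya_vpn permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list companyb_vpn permit ip host 172.16.1.5 192.168.2.0 255.255.255.0
access-list companyb_vpn permit ip host 172.16.1.6 192.168.2.0 255.255.255.0
access-list NoNAT permit ip 172.16.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list NoNAT permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NoNAT
route outside 0.0.0.0 0.0.0.0 192.0.2.9 1
route inside 172.16.0.0 255.0.0.0 172.16.1.2 1
crypto ipsec transform-set companyb_set esp-des esp-md5-hmac
crypto ipsec transform-set companya_set esp-des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address companyb_vpn
crypto map vpn 10 set peer 198.51.100.5
crypto map vpn 10 set transform-set companyb_set
crypto map vpn 15 ipsec-isakmp
crypto map vpn 15 match address companya_vpn
crypto map vpn 15 set peer 203.0.113.7
crypto map vpn 15 set transform-set companya_set
isakmp key ******** address 198.51.100.5 netmask 255.255.255.224
isakmp key ******** address 203.0.113.7 netmask 255.255.255.255
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
"""

# Algorithms that should not appear in a current IKE/IPsec configuration.
WEAK = {"des": "single DES", "esp-des": "single DES", "md5": "MD5", "esp-md5-hmac": "MD5"}

def _parse_ace(tok):
    """Parse the 'src dst' tail of a 'permit ip' ACE; each side is 'host X' or 'A MASK'."""
    nets = []
    while len(nets) < 2:
        addr, mask = (tok[1], "32") if tok[0] == "host" else (tok[0], tok[1])
        nets.append(ipaddress.IPv4Network(f"{addr}/{mask}", strict=False))
        tok = tok[2:]
    return nets[0], nets[1]

def parse(config):
    cfg = {"acl": defaultdict(list), "cmap": defaultdict(dict), "tsets": {},
           "keys": {}, "policy": defaultdict(dict), "nat0": None, "routes": []}
    for t in filter(None, map(str.split, config.splitlines())):
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            cfg["acl"][t[1]].append(_parse_ace(t[4:]))
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tsets"][t[3]] = t[4:]
        elif t[:2] == ["crypto", "map"] and t[3].isdigit():
            entry = cfg["cmap"][(t[2], int(t[3]))]  # also registers a bare 'ipsec-isakmp' line
            field = {"address": "acl", "peer": "peer", "transform-set": "tset"}.get(t[5]) if len(t) > 6 else None
            if field:
                entry[field] = t[6]
        elif t[:2] == ["isakmp", "key"]:
            cfg["keys"][t[4]] = t[6]  # peer address -> netmask
        elif t[:2] == ["isakmp", "policy"]:
            cfg["policy"][t[2]][t[3]] = t[4]
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["nat0"] = t[4]
        elif t[0] == "route":
            cfg["routes"].append((t[1], t[2], t[3]))
    return cfg

def audit(config):
    """Return a list of (code, message) findings; an empty list means nothing was flagged."""
    cfg = parse(config)
    out = []
    nat0 = cfg["acl"].get(cfg["nat0"], [])
    for (name, seq), e in sorted(cfg["cmap"].items()):
        tag = f"crypto map {name} {seq}"
        for f, table in (("acl", cfg["acl"]), ("tset", cfg["tsets"]), ("peer", cfg["keys"])):
            if f not in e:
                out.append(("INCOMPLETE", f"{tag}: no {f} configured"))
            elif e[f] not in table:
                out.append(("DANGLING_REF", f"{tag}: {f} {e[f]} has no ACL/transform-set/isakmp key"))
        # Traffic translated by 'nat 1' never matches the crypto ACL, so each crypto ACE must sit inside nat 0.
        for src, dst in cfg["acl"].get(e.get("acl"), []):
            if not any(src.subnet_of(ns) and dst.subnet_of(nd) for ns, nd in nat0):
                out.append(("NOT_IN_NAT0", f"{tag}: {src} -> {dst} is not exempt from NAT"))
        for alg in cfg["tsets"].get(e.get("tset"), []):
            if alg in WEAK:
                out.append(("WEAK_CRYPTO", f"{tag}: transform-set uses {WEAK[alg]}"))
    for peer, mask in cfg["keys"].items():
        if mask != "255.255.255.255":  # any other mask turns the PSK into a wildcard key
            out.append(("WILDCARD_PSK", f"isakmp key for {peer} has netmask {mask}"))
    for num, p in sorted(cfg["policy"].items()):
        for attr, val in p.items():
            if val in WEAK or (attr, val) == ("group", "1"):
                out.append(("WEAK_CRYPTO", f"isakmp policy {num}: {attr} {val}"))
    for iface, net, mask in cfg["routes"]:
        try:  # strict=True rejects a network that has host bits set under its mask
            ipaddress.IPv4Network(f"{net}/{mask}", strict=True)
        except ValueError:
            out.append(("ROUTE_MASK", f"route {iface} {net} {mask}: network/mask mismatch"))
    return out
```

`audit(PIX_CONFIG)` returns the findings as (code, message) pairs. On this excerpt the crypto-map references and the nat 0 coverage come back clean; what gets flagged is the DES/MD5/group 1 algorithms in both the transform-sets and the isakmp policy, the 255.255.255.224 netmask on the first pre-shared key (which makes it match a /27 of peers rather than one), and the `route inside 172.16.0.0 255.0.0.0` pair, whose network has host bits set under that mask. These are static checks on the text only; they say nothing about why binding the crypto map interrupted Internet access, which has to be worked out on the box itself.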
