So here is my problem. I have to set up a site-to-site between my office (company) and a remote location. For the time being I have the remote location's PIX (506E) set up here behind my router so I can test the site-to-site. I went through ASDM/PDM on both devices and set it up the way I was taught back in school. I've never claimed to be an expert with Cisco, and I'm usually lost when it comes to the command line... Pair that with being out of school for a few years and no hands-on Cisco experience in about that amount of time... here I am.
Here is my config on the PIXes: (note: site A's external IP has been marked as xxx.xxx.xxx.xxx, while site B's external IP is yyy.yyy.yyy.yyy)
First the Mirrored set of 515E's at the main location (Site A)
PIX Version 7.2(1)
hostname pixfirewall
domain-name ciscopix.com
!
interface Ethernet0
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxa 255.255.255.x standby xxx.xxx.xxx.xxb
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.254
!
interface Ethernet2
nameif intf2
security-level 4
ip address 192.168.4.1 255.255.255.0 standby 192.168.4.254
!
ftp mode passive
access-list outside_access_in extended permit ip any any
access-list company_splitTunnelAcl_3 standard permit 192.168.1.0 255.255.255.0
access-list Default_splitTunnelAcl standard permit any
access-list company_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list company_splitTunnelAcl standard permit 192.168.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.64 255.255.255.192
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended deny ip any any
access-list intf2_access_out extended permit icmp any any
access-list intf2_access_out extended permit ip 192.168.0.0 255.255.0.0 any
access-list intf2_access_out extended deny ip any any inactive
access-list company_splitTunnelAcl_1 standard permit 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list outside_cryptomap extended permit ip any 192.168.1.64 255.255.255.192
access-list company_splitTunnelAcl_2 standard permit 192.168.1.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 host yyy.yyy.yyy.yyy
mtu outside 1500
mtu inside 1500
ip local pool companyVPN 192.168.1.90-192.168.1.99 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy Default internal
group-policy Default attributes
vpn-idle-timeout 30
split-tunnel-policy tunnelall
split-tunnel-network-list none
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer yyy.yyy.yyy.yyy
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 40 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group yyy.yyy.yyy.yyy type ipsec-l2l
tunnel-group yyy.yyy.yyy.yyy ipsec-attributes
pre-shared-key *
And the PIX at site B:
PIX Version 6.3(5)
hostname failoverpix
domain-name ciscopix.com
name xxx.xxx.xxx.xxx Company
access-list company_splitTunnelAcl permit ip 10.10.4.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 10.10.4.0 255.255.255.0 10.10.4.64 255.255.255.192
access-list inside_outbound_nat0_acl permit ip 10.10.4.0 255.255.255.0 host xxx.xxx.xxx.xxx
access-list outside_cryptomap_dyn_20 permit ip any 10.10.4.64 255.255.255.192
access-list outside_cryptomap_20 permit ip 10.10.4.0 255.255.255.0 host xxx.xxx.xxx.xxx
pager lines 24
mtu outside 1500
mtu inside 1500
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.129 1
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer xxx.xxx.xxx.xxx
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup xxx.xxx.xxx.xxx address-pool vpn
vpngroup xxx.xxx.xxx.xxx split-tunnel company_splitTunnelAcl
vpngroup xxx.xxx.xxx.xxx idle-time 1800
vpngroup xxx.xxx.xxx.xxx password ********
If I didn't post the right info, or enough of it, please let me know; I would like to box and ship this hardware on Saturday at the latest.
David McKissic
A+, Net+, i-net+, CCNA, CNE, CNA
Dell, Compaq, IBM, HP
Network Administrator
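An added example, not from the post or from Cisco: an IKEv1 site-to-site tunnel only forms when the traffic selectors (proxy IDs) named by each side's crypto map `match address` ACL are mirror images of each other, so the script below parses those ACLs out of both PIX configs and lists every selector the other end does not mirror. The excerpts are constructed from the two configs above, with 198.51.100.2 and 203.0.113.2 standing in for the masked yyy/xxx public addresses.

```python
import ipaddress

# Constructed excerpts of the two PIX configs in the post (site A = 515E, site B = 506E);
# the masked public addresses are replaced with documentation-range placeholders.
SITE_A = """
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 host 198.51.100.2
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 198.51.100.2
"""
SITE_B = """
access-list outside_cryptomap_20 permit ip 10.10.4.0 255.255.255.0 host 203.0.113.2
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 203.0.113.2
"""

def _addr(tokens):
    """Consume one ACL address term (any | host X | NET MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def crypto_pairs(cfg):
    """Set of (local, remote) networks selected by every static crypto map entry."""
    acls, match_acls = {}, []
    for line in cfg.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and "permit" in t and "ip" in t:  # extended ip ACE
            src, rest = _addr(t[t.index("ip") + 1:])
            dst, _ = _addr(rest)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            match_acls.append(t[6])
    return {pair for name in match_acls for pair in acls.get(name, [])}

def proxy_id_mismatches(cfg_a, cfg_b):
    """Selectors on either side that the other side does not mirror (empty = consistent)."""
    a, b = crypto_pairs(cfg_a), crypto_pairs(cfg_b)
    mirrored_b = {(remote, local) for local, remote in b}
    return sorted(f"{s}->{d}" for s, d in a ^ mirrored_b)

if __name__ == "__main__":
    for m in proxy_id_mismatches(SITE_A, SITE_B) or ["crypto ACLs mirror each other"]:
        print(m)
```

Run against the excerpts above it reports two unmatched selectors, one from each side; it returns an empty list once both crypto ACLs describe the same LAN-to-LAN pair from opposite ends.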