Cisco PIX hub and spoke VPN

Posted on 2003-02-25
Medium Priority
Last Modified: 2013-11-16
I am trying to get a hub and spoke VPN config set-up with a central PIX515E talking to 2 remote 501's and also a couple of VPN client users.

My problem is that I think I am getting the configuration wrong somewhere - I have one VPN tunnel setup and working fine but every time I try to add in the other 501 VPN tunnel or VPN client, I lose the existing connection.

I'm assuming I need to add separate crypto map statements but if someone can help with a sample config, I can check against mine and see where I'm going wrong.

Thanks in advance!
Question by:hoinvip
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
LVL 79

Expert Comment

ID: 8016452
You need only one crypto map, but multiple policies
Can you post your config?

Author Comment

ID: 8016671

Attached is the central PIX config.   I have sanitised it to remove certain info and replaced with generic strings (pix_outside).  Please let me know if you need any more info.



PIX Version 6.1(3)

nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxxxxxxx encrypted
hostname pix01
domain-name xxxxxxxxxxxx
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no names
name xxx02
name xxx03
name xxx01
access-list external permit tcp any host outside_a eq smtp
access-list 10 permit ip

access-list nonat permit ip

pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside pix_outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside
failover ip address inside
pdm location inside
pdm location inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
static (inside,outside) outside_a netmask 0 0

static (inside,outside) outside_b netmask 0 0

static (inside,outside) outside_c netmask 0 0

access-group external in interface outside
route outside outside_gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius

http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set setname esp-3des esp-md5-hmac
crypto map map1 10 ipsec-isakmp
crypto map map1 10 match address 10
crypto map map1 10 set peer peer_ip
crypto map map1 10 set transform-set setname
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp key ******** address peer_ip netmask

isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5

ssh timeout 5
terminal width 80
LVL 79

Expert Comment

ID: 8016824
Here's an example from a working PIX with multiple site-site vpns and VPN clients, using one crypto map, but multiple policies, and multiple priority groups:

crypto ipsec transform-set LAB esp-des esp-md5-hmac
crypto ipsec transform-set Windows2k esp-des esp-md5-hmac
crypto dynamic-map dynmap 50 match address outside_cryptomap_dyn_50
crypto dynamic-map dynmap 50 set transform-set LAB
crypto map CRYMAP 5 ipsec-isakmp
crypto map CRYMAP 5 match address 105
crypto map CRYMAP 5 set peer xx.xxx.199.126
crypto map CRYMAP 5 set transform-set LAB
crypto map CRYMAP 10 ipsec-isakmp
crypto map CRYMAP 10 match address 110
crypto map CRYMAP 10 set peer xx.xxx.22.60
crypto map CRYMAP 10 set transform-set LAB
crypto map CRYMAP 65535 ipsec-isakmp dynamic dynmap
crypto map CRYMAP client configuration address initiate
crypto map CRYMAP interface outside

isakmp enable outside
isakmp key ******** address xx.xxx.199.126 netmask
isakmp key ******** address xx.xxx.22.60 netmask

isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption des
isakmp policy 5 hash md5
isakmp policy 5 group 1
isakmp policy 5 lifetime 28800

isakmp policy 8 authentication rsa-sig
isakmp policy 8 encryption des
isakmp policy 8 hash sha
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash sha
isakmp policy 15 group 1
isakmp policy 15 lifetime 28800

vpngroup NEWTEST address-pool ippool
vpngroup NEWTEST dns-server
vpngroup NEWTEST wins-server
vpngroup NEWTEST default-domain mycompany.com
vpngroup NEWTEST split-tunnel NEWTEST_splitTunnelAcl
vpngroup NEWTEST idle-time 1800
vpngroup NEWTEST password ********
Need protection from advanced malware attacks?

Look no further than WatchGuard's Total Security Suite, providing defense in depth against today's most headlining attacks like Petya 2.0 and WannaCry. Keep your organization out of the news with protection from known and unknown threats.

LVL 79

Expert Comment

ID: 8112682
G'day, hoinvip, there has not been any activity on this question in 14 days.
Do you still need assistance, need more information, or have you solved your problem? Can you close
out this question?
LVL 79

Expert Comment

ID: 8344526
No comment has been added lately (36 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: Points awarded to: lrmoore

Experts, please leave any comments here within 7 days.



EE Cleanup Volunteer
If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers, please post
comments here

Author Comment

ID: 8346578
Hi there, sorry for the delays in responding to your suggestion... We are still looking at this and will respond more fully shortly.  Thanks for the help so far..
LVL 79

Accepted Solution

lrmoore earned 400 total points
ID: 8597777
Any updates? We need to close out this question one way or another..

Author Comment

ID: 8598067
That's fine thanks - I haven't had a chance to fully test this but please close this one off as I'm fairly certain we've got it covered now.

Featured Post

Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (http://www.concertocloud.com/about/in-the-news/2017/02/0…
You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question