Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 659
  • Last Modified:

Cisco PIX hub and spoke VPN

I am trying to get a hub and spoke VPN config set-up with a central PIX515E talking to 2 remote 501's and also a couple of VPN client users.

My problem is that I think I am getting the configuration wrong somewhere - I have one VPN tunnel setup and working fine but every time I try to add in the other 501 VPN tunnel or VPN client, I lose the existing connection.

I'm assuming I need to add separate crypto map statements but if someone can help with a sample config, I can check against mine and see where I'm going wrong.

Thanks in advance!
  • 5
  • 3
1 Solution
You need only one crypto map, but multiple policies
Can you post your config?
hoinvipAuthor Commented:

Attached is the central PIX config.   I have sanitised it to remove certain info and replaced with generic strings (pix_outside).  Please let me know if you need any more info.



PIX Version 6.1(3)

nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxxxxxxx encrypted
hostname pix01
domain-name xxxxxxxxxxxx
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no names
name xxx02
name xxx03
name xxx01
access-list external permit tcp any host outside_a eq smtp
access-list 10 permit ip

access-list nonat permit ip

pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside pix_outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside
failover ip address inside
pdm location inside
pdm location inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
static (inside,outside) outside_a netmask 0 0

static (inside,outside) outside_b netmask 0 0

static (inside,outside) outside_c netmask 0 0

access-group external in interface outside
route outside outside_gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius

http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set setname esp-3des esp-md5-hmac
crypto map map1 10 ipsec-isakmp
crypto map map1 10 match address 10
crypto map map1 10 set peer peer_ip
crypto map map1 10 set transform-set setname
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp key ******** address peer_ip netmask

isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5

ssh timeout 5
terminal width 80
Here's an example from a working PIX with multiple site-site vpns and VPN clients, using one crypto map, but multiple policies, and multiple priority groups:

crypto ipsec transform-set LAB esp-des esp-md5-hmac
crypto ipsec transform-set Windows2k esp-des esp-md5-hmac
crypto dynamic-map dynmap 50 match address outside_cryptomap_dyn_50
crypto dynamic-map dynmap 50 set transform-set LAB
crypto map CRYMAP 5 ipsec-isakmp
crypto map CRYMAP 5 match address 105
crypto map CRYMAP 5 set peer xx.xxx.199.126
crypto map CRYMAP 5 set transform-set LAB
crypto map CRYMAP 10 ipsec-isakmp
crypto map CRYMAP 10 match address 110
crypto map CRYMAP 10 set peer xx.xxx.22.60
crypto map CRYMAP 10 set transform-set LAB
crypto map CRYMAP 65535 ipsec-isakmp dynamic dynmap
crypto map CRYMAP client configuration address initiate
crypto map CRYMAP interface outside

isakmp enable outside
isakmp key ******** address xx.xxx.199.126 netmask
isakmp key ******** address xx.xxx.22.60 netmask

isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption des
isakmp policy 5 hash md5
isakmp policy 5 group 1
isakmp policy 5 lifetime 28800

isakmp policy 8 authentication rsa-sig
isakmp policy 8 encryption des
isakmp policy 8 hash sha
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash sha
isakmp policy 15 group 1
isakmp policy 15 lifetime 28800

vpngroup NEWTEST address-pool ippool
vpngroup NEWTEST dns-server
vpngroup NEWTEST wins-server
vpngroup NEWTEST default-domain mycompany.com
vpngroup NEWTEST split-tunnel NEWTEST_splitTunnelAcl
vpngroup NEWTEST idle-time 1800
vpngroup NEWTEST password ********
Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

G'day, hoinvip, there has not been any activity on this question in 14 days.
Do you still need assistance, need more information, or have you solved your problem? Can you close
out this question?
No comment has been added lately (36 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: Points awarded to: lrmoore

Experts, please leave any comments here within 7 days.



EE Cleanup Volunteer
If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers, please post
comments here
hoinvipAuthor Commented:
Hi there, sorry for the delays in responding to your suggestion... We are still looking at this and will respond more fully shortly.  Thanks for the help so far..
Any updates? We need to close out this question one way or another..
hoinvipAuthor Commented:
That's fine thanks - I haven't had a chance to fully test this but please close this one off as I'm fairly certain we've got it covered now.

Featured Post

The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

  • 5
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now