Solved

LANtoLAN VPN Between PIX 515 and Non Cisco Devices

Posted on 2004-09-24
7
3,187 Views
Last Modified: 2008-01-09
Currently, our remote users use a Cisco VPN client to access our main office via DSL.  The VPN sessions are terminated at a Cisco PIX 515. Now, we are interested in LAN to LAN VPN.  We want the VPN session to be up and running 24 hours. Is any device able to accomplish this with the PIX 515 as the termination point? If so, which device?  Since each remote location has 1 user, we don't need to have a high-scale device.

Please advise.

Thank you.      
0
Comment
Question by:kaysar
7 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12148301
I'm currently using a Linksys VPN router to connect to multiple PIX's. Piece of cake to set up, and relatively cheap, <$200.
0
 
LVL 10

Expert Comment

by:plemieux72
ID: 12148793
If you want a Cisco-only solution, see http://www.cisco.com/en/US/products/hw/vpndevc/ps2286/index.html

This hardware client is compatible with the PIX firewalls and emulates the Cisco VPN software client.  

I have also set up a "permanent" site-to-site IPSec tunnel between a Cisco SOHO 91 and a PIX firewall, and it works great as well.  There are lots of sample configs posted on the Cisco site with different ways of doing it.
0
 
LVL 1

Author Comment

by:kaysar
ID: 12151074
Hi lrmoore,

With the Linksys LAN to LAN solution, do you know any link that shows a sample config at the PIX 515 end?

Thanks.
0
 
LVL 1

Author Comment

by:kaysar
ID: 12151084
Hi plemieux72,

Do you know the price for Cisco SOHO 91?  

Thank you.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 12151127
Not a specific link, but I can show you mine that I know works.

access-list outside_cryptomap_40 permit ip 172.16.0.0 255.255.0.0 192.168.122.128 255.255.255.128
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map CRYMAP 40 ipsec-isakmp
crypto map CRYMAP 40 match address outside_cryptomap_40
crypto map CRYMAP 40 set peer xx.xx.255.42                          <== my Linksys WAN IP
crypto map CRYMAP 40 set transform-set ESP-3DES-SHA
crypto map CRYMAP interface outside
isakmp enable outside
isakmp key ******** address xx.xx.255.42 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600

On my Linksys, Security, VPN page, I simply choose the same settings. The isakmp key is pre-shared, the keys match, and the encryption policies for both phase 1 and phase 2 are 3DES/SHA. The web page is pretty self-explanatory except for the "group 2". It has a "group" choice, but it's not 1 or 2. Choose "1024".
DH Group 1 = 768
DH Group 2 = 1024
DH Group 5 = 1536 bit (usually only used with AES vs DES)

The exact model I'm using is Linksys WRV54G (I need the wireless). I have three independent VPN's to two different PIX's.

If you have multiple peers, just keep adding for each peer:

access-list outside_cryptomap_50 permit ip 172.16.0.0 255.255.0.0 192.168.xx.0 255.255.255.0
crypto map CRYMAP 50 ipsec-isakmp
crypto map CRYMAP 50 match address outside_cryptomap_50
crypto map CRYMAP 50 set peer xx.xx.xx.xx                     <== Peer #2
crypto map CRYMAP 50 set transform-set ESP-3DES-SHA
crypto map CRYMAP interface outside     <== always re-apply the map after any changes
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode


access-list outside_cryptomap_60 permit ip 172.16.0.0 255.255.0.0 192.168.xx.0 255.255.255.0
crypto map CRYMAP 60 ipsec-isakmp
crypto map CRYMAP 60 match address outside_cryptomap_60
crypto map CRYMAP 60 set peer xx.xx.xx.xx                     <== Peer #3 (each peer needs its own sequence number; reusing 50 here would overwrite Peer #2's entry)
crypto map CRYMAP 60 set transform-set ESP-3DES-SHA
crypto map CRYMAP interface outside     <== always re-apply the map after any changes
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
0
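As an added illustration (not lrmoore's code or anything else from this thread), the Python script below audits a PIX crypto-map configuration laid out like the one in the accepted answer for the mistakes that most often break a multi-peer setup: an attribute set twice under the same sequence number (the PIX keeps the last value, so a pasted "crypto map CRYMAP 50" block meant for a third peer silently retargets entry 50 and leaves the second peer's subnet with no tunnel), a peer with no matching isakmp key, a referenced access-list or transform set that is never defined, and a map that is never applied to an interface. It also reports the Diffie-Hellman modulus size for each isakmp policy using the group-to-bits table from the answer, which is the number the Linksys "group" field expects. The sample configuration, its 203.0.113.x addresses, the finding codes and the function names are all constructed for this example.

```python
from collections import defaultdict

# Constructed sample in the layout of the accepted answer (addresses are RFC 5737
# placeholders). The last two "crypto map CRYMAP 50" lines deliberately reuse
# sequence 50 for a third peer, the copy-paste slip that silently retargets entry 50.
SAMPLE_CONFIG = """
access-list outside_cryptomap_50 permit ip 172.16.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list outside_cryptomap_60 permit ip 172.16.0.0 255.255.0.0 192.168.60.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map CRYMAP 50 ipsec-isakmp
crypto map CRYMAP 50 match address outside_cryptomap_50
crypto map CRYMAP 50 set peer 203.0.113.50
crypto map CRYMAP 50 set transform-set ESP-3DES-SHA
crypto map CRYMAP 50 match address outside_cryptomap_60
crypto map CRYMAP 50 set peer 203.0.113.60
crypto map CRYMAP interface outside
isakmp enable outside
isakmp key ******** address 203.0.113.50 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
"""

# The same text with the third peer on its own sequence number and with its own key.
FIXED_CONFIG = (SAMPLE_CONFIG
    .replace("crypto map CRYMAP 50 match address outside_cryptomap_60",
             "crypto map CRYMAP 60 ipsec-isakmp\ncrypto map CRYMAP 60 match address outside_cryptomap_60")
    .replace("crypto map CRYMAP 50 set peer 203.0.113.60",
             "crypto map CRYMAP 60 set peer 203.0.113.60\ncrypto map CRYMAP 60 set transform-set ESP-3DES-SHA")
    + "isakmp key ******** address 203.0.113.60 netmask 255.255.255.255 no-xauth no-config-mode\n")

# DH group number -> modulus bits, the table the answer gives for the Linksys "group" field.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536}


def parse_config(text):
    """Collect the crypto-related lines into plain structures; other lines are ignored."""
    acls, tsets, keyed_peers, bound_maps = set(), set(), set(), set()
    policies = defaultdict(dict)                      # policy number -> {attribute: value}
    entries = defaultdict(lambda: defaultdict(list))  # (map, seq) -> attribute -> values in order seen
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            acls.add(t[1])
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets.add(t[3])
        elif t[:2] == ["crypto", "map"] and len(t) > 4 and t[3] == "interface":
            bound_maps.add(t[2])
        elif t[:2] == ["crypto", "map"] and len(t) > 4 and t[3].isdigit():
            attrs = entries[(t[2], int(t[3]))]        # "ipsec-isakmp" alone just creates the entry
            if t[4:6] == ["match", "address"]:
                attrs["acl"].append(t[6])
            elif t[4:6] == ["set", "peer"]:
                attrs["peer"].append(t[6])
            elif t[4:6] == ["set", "transform-set"]:
                attrs["transform"].append(t[6])
        elif t[:2] == ["isakmp", "key"]:              # isakmp key <secret> address <peer> ...
            keyed_peers.add(t[4])
        elif t[:2] == ["isakmp", "policy"]:
            policies[int(t[2])][t[3]] = t[4]
    return acls, tsets, keyed_peers, bound_maps, policies, entries


def audit(text):
    """Return findings as (code, subject, detail) tuples and a per-policy summary with DH bits."""
    acls, tsets, keyed_peers, bound_maps, policies, entries = parse_config(text)
    findings, referenced, shadowed = [], set(), set()
    for (name, seq), attrs in sorted(entries.items()):
        subject = f"crypto map {name} {seq}"
        for attr, values in attrs.items():
            if len(values) > 1:                       # the PIX keeps the last value; earlier lines vanish
                findings.append(("OVERWRITE", subject, f"{attr}: {' -> '.join(values)}"))
                if attr == "acl":
                    shadowed.update(values[:-1])
        acl = attrs["acl"][-1] if attrs["acl"] else None
        peer = attrs["peer"][-1] if attrs["peer"] else None
        tset = attrs["transform"][-1] if attrs["transform"] else None
        if acl in acls:
            referenced.add(acl)
        else:
            findings.append(("MISSING_ACL", subject, f"match address {acl}"))
        if peer not in keyed_peers:
            findings.append(("NO_KEY", subject, f"peer {peer} has no isakmp key, so phase 1 cannot authenticate"))
        if tset not in tsets:
            findings.append(("MISSING_TSET", subject, f"transform-set {tset}"))
    for name in sorted({n for n, _ in entries}):
        if name not in bound_maps:
            findings.append(("UNBOUND_MAP", name, "not applied to any interface"))
    for acl in sorted((shadowed & acls) - referenced):
        findings.append(("ORPHAN_ACL", acl, "its match line was overwritten; this traffic gets no tunnel"))
    summary = {num: {**attrs, "dh_bits": DH_GROUP_BITS.get(int(attrs.get("group", "1")))}
               for num, attrs in sorted(policies.items())}  # group 1 is the default when unset
    return {"findings": findings, "policies": summary}


if __name__ == "__main__":
    for label, cfg in (("as posted, seq 50 reused", SAMPLE_CONFIG), ("corrected, seq 60", FIXED_CONFIG)):
        print(label, audit(cfg)["findings"] or "clean")
    print("phase 1 policies:", audit(SAMPLE_CONFIG)["policies"])
```

Run it against a saved `show run` extract instead of the embedded sample by passing the file contents to `audit()`. The OVERWRITE and ORPHAN_ACL findings are the ones worth wiring into a change check: on the PIX the duplicated sequence number produces no error at all, so the only symptoms are a subnet that stops passing traffic and a peer that never completes phase 1.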
 
LVL 79

Expert Comment

by:lrmoore
ID: 12151136
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12151140
Of course, with only one user, you could just use the *free* VPN client from Cisco; it just won't be "always on".
0
