[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 331
  • Last Modified:

3005 concentrator to pix

Running 3.5.2 on 3005 concentrator. Want to know how to setup for lan to lan...

Here is what i have for the pix

!--- Access control list (ACL) for interesting traffic
!--- to be encrypted over the tunnel

access-list 101 permit ip 10.11.0.0 255.255.255.0 10.12.0.0 255.255.255.0

!--- Binding ACL 101 to the Network Address Translation (NAT) statement
!--- to avoid NAT on the IPSec packet

nat (inside) 0 access-list 101
!--- The sysopt command avoids conduit on the IPSec-encrypted traffic

sysopt connection permit-ipsec

!---- IPSec policies
crypto ipsec transform-set aptset esp-3des esp-md5-hmac
!--- Setting up the tunnel peer, encryption ACL, and transform set
crypto map aptmap 10 ipsec-isakmp
crypto map aptmap 10 match address 101
crypto map aptmap 10 set peer (concentrator outside address)
crypto map aptmap 10 set transform-set aptset
!--- Applying the crypto map on the interface
crypto map aptmap interface outside
isakmp enable outside
!--- Pre-shared key for the tunnel peer
isakmp key xxxxxxxx address (concentrator outside address) ip netmask 255.255.255.255
!--- IKE policies
!--- IKE policies
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
0
cogit
Asked:
cogit
1 Solution
 
lrmooreCommented:
You've got the PIX end pretty much. I will add one thing:

You have the same acl servicing two separate processes. Although this is exactly the way it is shown in most of the configuration examples on Cisco web site, it is not recommended practice:

>access-list 101 permit ip 10.11.0.0 255.255.255.0 10.12.0.0 255.255.255.0
>nat (inside) 0 access-list 101
>crypto map aptmap 10 match address 101

Add another acl for the crypto map
    access-list 102 permit ip 10.11.0.0 255.255.255.0 10.12.0.0 255.255.255.0
    crypto map aptmap 10 match address 102

The LAN-LAN setup on the VPN 3000 is pretty straightforward.. however, I would suggest that you upgrade to 4.x
http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/rel3_5_1/config/tunnel.htm#xtocid25
0
 
cogitAuthor Commented:
just add this to the config ?
Add another acl for the crypto map
    access-list 102 permit ip 10.11.0.0 255.255.255.0 10.12.0.0 255.255.255.0
    crypto map aptmap 10 match address 102

I also the following command on the pix

no sysopt route dnat
will this affect the sysopt command

sysopt connection permit-ipsec

0
 
Tim HolmanCommented:
0

Featured Post

The eGuide to Automating Firewall Change Control

Today‚Äôs IT environment is constantly changing, which affects security policies and firewall rules. Discover tips to help you embrace this change through process improvement & identify areas where automation & actionable intelligence can enhance both security and business agility.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now