Solved

3005 concentrator to pix

Posted on 2004-09-30
3
323 Views
Last Modified: 2013-11-16
Running 3.5.2 on 3005 concentrator. Want to know how to setup for lan to lan...

Here is what i have for the pix

!--- Access control list (ACL) for interesting traffic
!--- to be encrypted over the tunnel

access-list 101 permit ip 10.11.0.0 255.255.255.0 10.12.0.0 255.255.255.0

!--- Binding ACL 101 to the Network Address Translation (NAT) statement
!--- to avoid NAT on the IPSec packet

nat (inside) 0 access-list 101
!--- The sysopt command avoids conduit on the IPSec-encrypted traffic

sysopt connection permit-ipsec

!---- IPSec policies
crypto ipsec transform-set aptset esp-3des esp-md5-hmac
!--- Setting up the tunnel peer, encryption ACL, and transform set
crypto map aptmap 10 ipsec-isakmp
crypto map aptmap 10 match address 101
crypto map aptmap 10 set peer (concentrator outside address)
crypto map aptmap 10 set transform-set aptset
!--- Applying the crypto map on the interface
crypto map aptmap interface outside
isakmp enable outside
!--- Pre-shared key for the tunnel peer
isakmp key xxxxxxxx address (concentrator outside address) ip netmask 255.255.255.255
!--- IKE policies
!--- IKE policies
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
0
Comment
Question by:cogit
3 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12194034
You've got the PIX end pretty much. I will add one thing:

You have the same acl servicing two separate processes. Although this is exactly the way it is shown in most of the configuration examples on Cisco web site, it is not recommended practice:

>access-list 101 permit ip 10.11.0.0 255.255.255.0 10.12.0.0 255.255.255.0
>nat (inside) 0 access-list 101
>crypto map aptmap 10 match address 101

Add another acl for the crypto map
    access-list 102 permit ip 10.11.0.0 255.255.255.0 10.12.0.0 255.255.255.0
    crypto map aptmap 10 match address 102

The LAN-LAN setup on the VPN 3000 is pretty straightforward.. however, I would suggest that you upgrade to 4.x
http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/rel3_5_1/config/tunnel.htm#xtocid25
0
 

Author Comment

by:cogit
ID: 12194476
just add this to the config ?
Add another acl for the crypto map
    access-list 102 permit ip 10.11.0.0 255.255.255.0 10.12.0.0 255.255.255.0
    crypto map aptmap 10 match address 102

I also the following command on the pix

no sysopt route dnat
will this affect the sysopt command

sysopt connection permit-ipsec

0
 
LVL 23

Accepted Solution

by:
Tim Holman earned 500 total points
ID: 12265922
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco Router DMZ 5 63
Cisco Access Points AIR-AP1852I-E-K9 , use as mobility controller / Autonomous 3 42
The purpose of using BGP 33 73
Cisco Router / Switch - NAT 10 37
If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now