cogit
asked on
3005 concentrator to pix
Running 3.5.2 on a 3005 concentrator. Want to know how to set up LAN-to-LAN...
Here is what I have for the PIX:
!--- Access control list (ACL) for interesting traffic
!--- to be encrypted over the tunnel
access-list 101 permit ip 10.11.0.0 255.255.255.0 10.12.0.0 255.255.255.0
!--- Binding ACL 101 to the Network Address Translation (NAT) statement
!--- to avoid NAT on the IPSec packet
nat (inside) 0 access-list 101
!--- The sysopt command avoids conduit on the IPSec-encrypted traffic
sysopt connection permit-ipsec
!--- IPSec policies
crypto ipsec transform-set aptset esp-3des esp-md5-hmac
!--- Setting up the tunnel peer, encryption ACL, and transform set
crypto map aptmap 10 ipsec-isakmp
crypto map aptmap 10 match address 101
crypto map aptmap 10 set peer (concentrator outside address)
crypto map aptmap 10 set transform-set aptset
!--- Applying the crypto map on the interface
crypto map aptmap interface outside
isakmp enable outside
!--- Pre-shared key for the tunnel peer
isakmp key xxxxxxxx address (concentrator outside address) ip netmask 255.255.255.255
!--- IKE policies
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
ASKER
Just add this to the config?
Add another acl for the crypto map
access-list 102 permit ip 10.11.0.0 255.255.255.0 10.12.0.0 255.255.255.0
crypto map aptmap 10 match address 102
I also have the following command on the PIX:
no sysopt route dnat
Will this affect the sysopt command
sysopt connection permit-ipsec
ASKER CERTIFIED SOLUTION
You have the same acl servicing two separate processes. Although this is exactly the way it is shown in most of the configuration examples on Cisco web site, it is not recommended practice:
>access-list 101 permit ip 10.11.0.0 255.255.255.0 10.12.0.0 255.255.255.0
>nat (inside) 0 access-list 101
>crypto map aptmap 10 match address 101
Add another acl for the crypto map
access-list 102 permit ip 10.11.0.0 255.255.255.0 10.12.0.0 255.255.255.0
crypto map aptmap 10 match address 102
The LAN-to-LAN setup on the VPN 3000 is pretty straightforward; however, I would suggest that you upgrade to 4.x:
http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/rel3_5_1/config/tunnel.htm#xtocid25
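As an added illustration of the point above (this is not code from the thread or from Cisco), a small Python check that flags a PIX config where one ACL is bound to both the nat 0 exemption and a crypto map, and, once the two ACLs are separated, verifies they still describe the same network pairs so the exemption and the crypto match cannot drift apart. The config text and the peer address 192.0.2.1 are constructed sample input.

```python
import re
from collections import defaultdict

# Constructed sample: the PIX config from the question with the suggested
# ACL 102 added, but the crypto map still pointing at ACL 101.
SAMPLE_CONFIG = """
access-list 101 permit ip 10.11.0.0 255.255.255.0 10.12.0.0 255.255.255.0
access-list 102 permit ip 10.11.0.0 255.255.255.0 10.12.0.0 255.255.255.0
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
crypto ipsec transform-set aptset esp-3des esp-md5-hmac
crypto map aptmap 10 ipsec-isakmp
crypto map aptmap 10 match address 101
crypto map aptmap 10 set peer 192.0.2.1
crypto map aptmap 10 set transform-set aptset
crypto map aptmap interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+ \S+) (\S+ \S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")


def parse_pix(config):
    """Return (acl_entries, nat0_acl_ids, crypto_acl_ids) from PIX config text."""
    acls = defaultdict(set)          # ACL id -> set of (source, destination) pairs
    nat0, crypto = set(), set()
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls[m.group(1)].add((m.group(2), m.group(3)))
        elif m := NAT0_RE.match(line):
            nat0.add(m.group(1))
        elif m := CRYPTO_RE.match(line):
            crypto.add(m.group(1))
    return acls, nat0, crypto


def audit_acl_sharing(config):
    """List findings: an ACL reused by both processes, or a nat 0 ACL and a
    crypto ACL whose network pairs no longer match after being separated."""
    acls, nat0, crypto = parse_pix(config)
    findings = []
    for acl in sorted(nat0 & crypto):
        findings.append(f"ACL {acl} is bound to both nat 0 and a crypto map")
    for n in sorted(nat0):
        for c in sorted(crypto - {n}):
            if acls[n] != acls[c]:
                findings.append(f"nat 0 ACL {n} and crypto ACL {c} cover different networks")
    return findings
```

Run it against a saved `show running-config` to confirm the crypto map was actually moved to ACL 102 and that both ACLs still list the same 10.11.0.0/24 to 10.12.0.0/24 pair.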