Solved

3005 concentrator to pix

Posted on 2004-09-30
3
322 Views
Last Modified: 2013-11-16
Running 3.5.2 on 3005 concentrator. Want to know how to setup for lan to lan...

Here is what i have for the pix

!--- Access control list (ACL) for interesting traffic
!--- to be encrypted over the tunnel

access-list 101 permit ip 10.11.0.0 255.255.255.0 10.12.0.0 255.255.255.0

!--- Binding ACL 101 to the Network Address Translation (NAT) statement
!--- to avoid NAT on the IPSec packet

nat (inside) 0 access-list 101
!--- The sysopt command avoids conduit on the IPSec-encrypted traffic

sysopt connection permit-ipsec

!---- IPSec policies
crypto ipsec transform-set aptset esp-3des esp-md5-hmac
!--- Setting up the tunnel peer, encryption ACL, and transform set
crypto map aptmap 10 ipsec-isakmp
crypto map aptmap 10 match address 101
crypto map aptmap 10 set peer (concentrator outside address)
crypto map aptmap 10 set transform-set aptset
!--- Applying the crypto map on the interface
crypto map aptmap interface outside
isakmp enable outside
!--- Pre-shared key for the tunnel peer
isakmp key xxxxxxxx address (concentrator outside address) ip netmask 255.255.255.255
!--- IKE policies
!--- IKE policies
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
0
Comment
Question by:cogit
3 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12194034
You've got the PIX end pretty much. I will add one thing:

You have the same acl servicing two separate processes. Although this is exactly the way it is shown in most of the configuration examples on Cisco web site, it is not recommended practice:

>access-list 101 permit ip 10.11.0.0 255.255.255.0 10.12.0.0 255.255.255.0
>nat (inside) 0 access-list 101
>crypto map aptmap 10 match address 101

Add another acl for the crypto map
    access-list 102 permit ip 10.11.0.0 255.255.255.0 10.12.0.0 255.255.255.0
    crypto map aptmap 10 match address 102

The LAN-LAN setup on the VPN 3000 is pretty straightforward.. however, I would suggest that you upgrade to 4.x
http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/rel3_5_1/config/tunnel.htm#xtocid25
0
 

Author Comment

by:cogit
ID: 12194476
just add this to the config ?
Add another acl for the crypto map
    access-list 102 permit ip 10.11.0.0 255.255.255.0 10.12.0.0 255.255.255.0
    crypto map aptmap 10 match address 102

I also the following command on the pix

no sysopt route dnat
will this affect the sysopt command

sysopt connection permit-ipsec

0
 
LVL 23

Accepted Solution

by:
Tim Holman earned 500 total points
ID: 12265922
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now