[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

3005 concentrator to pix

Posted on 2004-09-30
3
Medium Priority
?
330 Views
Last Modified: 2013-11-16
Running 3.5.2 on 3005 concentrator. Want to know how to setup for lan to lan...

Here is what i have for the pix

!--- Access control list (ACL) for interesting traffic
!--- to be encrypted over the tunnel

access-list 101 permit ip 10.11.0.0 255.255.255.0 10.12.0.0 255.255.255.0

!--- Binding ACL 101 to the Network Address Translation (NAT) statement
!--- to avoid NAT on the IPSec packet

nat (inside) 0 access-list 101
!--- The sysopt command avoids conduit on the IPSec-encrypted traffic

sysopt connection permit-ipsec

!---- IPSec policies
crypto ipsec transform-set aptset esp-3des esp-md5-hmac
!--- Setting up the tunnel peer, encryption ACL, and transform set
crypto map aptmap 10 ipsec-isakmp
crypto map aptmap 10 match address 101
crypto map aptmap 10 set peer (concentrator outside address)
crypto map aptmap 10 set transform-set aptset
!--- Applying the crypto map on the interface
crypto map aptmap interface outside
isakmp enable outside
!--- Pre-shared key for the tunnel peer
isakmp key xxxxxxxx address (concentrator outside address) ip netmask 255.255.255.255
!--- IKE policies
!--- IKE policies
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
0
Comment
Question by:cogit
3 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12194034
You've got the PIX end pretty much. I will add one thing:

You have the same acl servicing two separate processes. Although this is exactly the way it is shown in most of the configuration examples on Cisco web site, it is not recommended practice:

>access-list 101 permit ip 10.11.0.0 255.255.255.0 10.12.0.0 255.255.255.0
>nat (inside) 0 access-list 101
>crypto map aptmap 10 match address 101

Add another acl for the crypto map
    access-list 102 permit ip 10.11.0.0 255.255.255.0 10.12.0.0 255.255.255.0
    crypto map aptmap 10 match address 102

The LAN-LAN setup on the VPN 3000 is pretty straightforward.. however, I would suggest that you upgrade to 4.x
http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/rel3_5_1/config/tunnel.htm#xtocid25
0
 

Author Comment

by:cogit
ID: 12194476
just add this to the config ?
Add another acl for the crypto map
    access-list 102 permit ip 10.11.0.0 255.255.255.0 10.12.0.0 255.255.255.0
    crypto map aptmap 10 match address 102

I also the following command on the pix

no sysopt route dnat
will this affect the sysopt command

sysopt connection permit-ipsec

0
 
LVL 23

Accepted Solution

by:
Tim Holman earned 2000 total points
ID: 12265922
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question