Solved

3005 concentrator to pix

Posted on 2004-09-30
3
324 Views
Last Modified: 2013-11-16
Running 3.5.2 on 3005 concentrator. Want to know how to setup for lan to lan...

Here is what i have for the pix

!--- Access control list (ACL) for interesting traffic
!--- to be encrypted over the tunnel

access-list 101 permit ip 10.11.0.0 255.255.255.0 10.12.0.0 255.255.255.0

!--- Binding ACL 101 to the Network Address Translation (NAT) statement
!--- to avoid NAT on the IPSec packet

nat (inside) 0 access-list 101
!--- The sysopt command avoids conduit on the IPSec-encrypted traffic

sysopt connection permit-ipsec

!---- IPSec policies
crypto ipsec transform-set aptset esp-3des esp-md5-hmac
!--- Setting up the tunnel peer, encryption ACL, and transform set
crypto map aptmap 10 ipsec-isakmp
crypto map aptmap 10 match address 101
crypto map aptmap 10 set peer (concentrator outside address)
crypto map aptmap 10 set transform-set aptset
!--- Applying the crypto map on the interface
crypto map aptmap interface outside
isakmp enable outside
!--- Pre-shared key for the tunnel peer
isakmp key xxxxxxxx address (concentrator outside address) ip netmask 255.255.255.255
!--- IKE policies
!--- IKE policies
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
0
Comment
Question by:cogit
3 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12194034
You've got the PIX end pretty much. I will add one thing:

You have the same acl servicing two separate processes. Although this is exactly the way it is shown in most of the configuration examples on Cisco web site, it is not recommended practice:

>access-list 101 permit ip 10.11.0.0 255.255.255.0 10.12.0.0 255.255.255.0
>nat (inside) 0 access-list 101
>crypto map aptmap 10 match address 101

Add another acl for the crypto map
    access-list 102 permit ip 10.11.0.0 255.255.255.0 10.12.0.0 255.255.255.0
    crypto map aptmap 10 match address 102

The LAN-LAN setup on the VPN 3000 is pretty straightforward.. however, I would suggest that you upgrade to 4.x
http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/rel3_5_1/config/tunnel.htm#xtocid25
0
 

Author Comment

by:cogit
ID: 12194476
just add this to the config ?
Add another acl for the crypto map
    access-list 102 permit ip 10.11.0.0 255.255.255.0 10.12.0.0 255.255.255.0
    crypto map aptmap 10 match address 102

I also the following command on the pix

no sysopt route dnat
will this affect the sysopt command

sysopt connection permit-ipsec

0
 
LVL 23

Accepted Solution

by:
Tim Holman earned 500 total points
ID: 12265922
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
RDP on 4321 Router 33 64
Configuring routing and ACL for Cisco 891 router 15 59
Cisco 3650 switch 7 35
cisco switch 3750E port channel down 11 17
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question