Multiple VPN Connections on PIX 501 (Solved)

Posted on 2004-10-19. Last Modified: 2012-08-13
Hello,

This should be an easy one.... I hope.

I have a PIX 501 at our HQ and would like to set up VPN to multiple sites that have PIX/Netgear VPN routers.  In testing I was able to get single VPN connections working w/o a problem using the sample on Cisco's website (address below).  Now I would like to roll out VPN to multiple sites and am not sure how to modify my config.


The sites I would like to have connected via VPN are:
10.0.0.0 255.255.255.0 - via netgear router
192.168.50.0 255.255.255.0 via PIX 501
192.168.60.0 255.255.255.0 via netgear router


My config so far (main office PIX):

Note:  WAN IP addresses changed

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set chevelle esp-des esp-md5-hmac

crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer xxx.xxx.xxx.001
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside

isakmp enable outside
isakmp key mcllc address xxx.xxx.xxx.001 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set chevelle esp-des esp-md5-hmac

crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer xxx.xxx.xxx.001 (this is the VPN for 10.0.0.0)
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside

isakmp enable outside
isakmp key ********* address xxx.xxx.xxx.001 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400

Additional Questions:
Do all sites need to be on access-list 101?
Can "chevelle" used in the Cisco config be named whatever I want?

My end goal is to have a complete VPN mesh to all offices and be able to easily add additional offices as needed.


Cisco Config Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml
Question by:lmar
7 Comments

Accepted Solution by lrmoore (earned 250 total points), ID: 12351801
>Do all sites need to be on access-list 101?
No. You can and should have a different access-list for each remote site:
101 - site 1
102 - site 2
103 - site 3 <etc>

>Can "chevelle" used in the Cisco config be named whatever I want?
Yes. This is simply a mnemonic name to reference in the map or policy, just like "transam" can be anything you want.

Check out the configuration example here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800a2cce.shtml

Note that only access-list 100 (applied to nat "zero") is constant and contains all of the remote site subnets.

Here's an example script, assuming that your HQ is 192.168.100.0/24:

access-list 101 permit ip 192.168.100.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 102 permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 103 permit ip 192.168.100.0 255.255.255.0 192.168.60.0 255.255.255.0

access-list 100 permit ip 192.168.100.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 100 permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 100 permit ip 192.168.100.0 255.255.255.0 192.168.60.0 255.255.255.0

nat (inside) 0 access-list 100

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set chevelle esp-des esp-md5-hmac

crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer xxx.xxx.xxx.001
crypto map transam 1 set transform-set chevelle

crypto map transam 2 ipsec-isakmp
crypto map transam 2 match address 102
crypto map transam 2 set peer xxx.xxx.xxx.abc
crypto map transam 2 set transform-set ESP-3DES-MD5

crypto map transam 3 ipsec-isakmp
crypto map transam 3 match address 103
crypto map transam 3 set peer xxx.xxx.xxx.def
crypto map transam 3 set transform-set chevelle

crypto map transam interface outside

isakmp enable outside
isakmp key mcllc address xxx.xxx.xxx.001 netmask 255.255.255.255
isakmp key mcllc address xxx.xxx.xxx.abc netmask 255.255.255.255 no-xauth no-config-mode <-- to remote PIX
isakmp key mcllc address xxx.xxx.xxx.def netmask 255.255.255.255

<=== you only need one common policy, but you can create multiple ones, and the remotes will negotiate for a common one
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400

isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash md5
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400

isakmp policy 3 authentication pre-share
isakmp policy 3 encryption 3des
isakmp policy 3 hash sha
isakmp policy 3 group 2
isakmp policy 3 lifetime 28800



Author Comment by lmar, ID: 12351829
Thank you Lrmoore!  You saved me a ton of reading.

LMar
Expert Comment by lrmoore, ID: 12351871
Glad to help!
Author Comment by lmar, ID: 12352109
Hey lrmoore, one thing I forgot, is this possible if the remote locations have a dynamic IP address?

Thanks!

LMar
Expert Comment by lrmoore, ID: 12352196
Yes, you can... all you have to do is setup one map and one key:

<== dynamic map for remotes with dynamic IP
crypto dynamic-map stingray 1 set transform-set myset
crypto map transam 20 ipsec-isakmp dynamic stingray

<== one key for all remotes, if you want = match any:
isakmp key mcllc address 0.0.0.0 netmask 0.0.0.0

Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml
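
Because a PIX configuration cannot be executed on a workstation, the following is an added Python consistency checker (not part of this thread and not Cisco's code) that encodes the rules from the accepted answer and from the dynamic-map reply above: one crypto-map entry per remote site with a defined access-list, a defined transform-set and an isakmp key that covers the peer; the nat 0 access-list carrying every remote subnet; and, for remotes on dynamic addresses, a dynamic-map entry whose transform-set exists plus the wildcard isakmp key (address 0.0.0.0 netmask 0.0.0.0). The embedded config is constructed for the example: it mirrors the structure of lrmoore's script but uses RFC 5737 documentation addresses and the placeholder key EXAMPLE-PSK, and it deliberately contains four of the mistakes this kind of roll-out tends to produce (a peer address with no matching key, a site subnet left out of access-list 100, a dynamic-map pointing at an undefined transform-set, and no wildcard key for the dynamic peers). The name `myset` for the undefined transform-set and the sample addresses are assumptions of the example, not values from the page.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's config (RFC 5737 addresses, placeholder PSK).
PIX_CONFIG = """
access-list 101 permit ip 192.168.100.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 102 permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 103 permit ip 192.168.100.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list 100 permit ip 192.168.100.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 100 permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list 100
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 203.0.113.1
crypto map transam 1 set transform-set chevelle
crypto map transam 2 ipsec-isakmp
crypto map transam 2 match address 102
crypto map transam 2 set peer 203.0.113.5
crypto map transam 2 set transform-set ESP-3DES-MD5
crypto map transam 3 ipsec-isakmp
crypto map transam 3 match address 103
crypto map transam 3 set peer 203.0.113.9
crypto map transam 3 set transform-set chevelle
crypto dynamic-map stingray 1 set transform-set myset  <== remotes on dynamic IPs
crypto map transam 20 ipsec-isakmp dynamic stingray
crypto map transam interface outside
isakmp key EXAMPLE-PSK address 203.0.113.1 netmask 255.255.255.255
isakmp key EXAMPLE-PSK address 203.0.113.6 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key EXAMPLE-PSK address 203.0.113.9 netmask 255.255.255.255
"""


def parse_pix(text):
    """Pull the IPsec-relevant statements out of a PIX 6.x style config."""
    cfg = {"acl": {}, "tsets": set(), "dyn": {}, "maps": {}, "keys": [], "nat0": None}
    for raw in text.splitlines():
        t = re.split(r"<[=-]", raw)[0].split()  # drop "<== ..." annotations
        if not t:
            continue
        if t[0] == "access-list" and "permit" in t:
            cfg["acl"].setdefault(t[1], []).append(tuple(t[4:8]))  # src mask dst mask
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tsets"].add(t[3])
        elif t[:2] == ["crypto", "dynamic-map"] and t[4:6] == ["set", "transform-set"]:
            cfg["dyn"][t[2]] = t[6]
        elif t[:2] == ["crypto", "map"] and t[3] != "interface":
            entry = cfg["maps"].setdefault((t[2], int(t[3])), {})
            if "dynamic" in t:
                entry["dynamic"] = t[t.index("dynamic") + 1]
            elif t[4] in ("match", "set"):
                entry[" ".join(t[4:6])] = t[6]  # e.g. entry["set peer"]
        elif t[:2] == ["isakmp", "key"]:
            cfg["keys"].append((t[t.index("address") + 1], t[t.index("netmask") + 1]))
        elif t[:3] == ["nat", "(inside)", "0"]:
            cfg["nat0"] = t[4]
    return cfg


def key_covers(peer, keys):
    """True if some 'isakmp key ... address A netmask M' entry matches the peer."""
    p = ipaddress.ip_address(peer)
    return any(p in ipaddress.ip_network(f"{a}/{m}", strict=False) for a, m in keys)


def check(cfg):
    """Return human-readable findings; an empty list means the config is consistent."""
    findings = []
    nat0_rules = cfg["acl"].get(cfg["nat0"], [])
    has_wildcard = any(m == "0.0.0.0" for _, m in cfg["keys"])
    for (name, seq), e in sorted(cfg["maps"].items()):
        tag = f"crypto map {name} {seq}"
        if "dynamic" in e:  # remotes on dynamic IPs: no peer address, no per-site ACL
            tset = cfg["dyn"].get(e["dynamic"])
            if tset is None:
                findings.append(f"{tag}: dynamic-map {e['dynamic']} is not defined")
            elif tset not in cfg["tsets"]:
                findings.append(f"{tag}: dynamic-map {e['dynamic']} uses undefined transform-set {tset}")
            if not has_wildcard:
                findings.append(f"{tag}: dynamic peers need 'isakmp key ... address 0.0.0.0 netmask 0.0.0.0'")
            continue
        missing = [k for k in ("match address", "set peer", "set transform-set") if k not in e]
        if missing:
            findings.append(f"{tag}: incomplete entry, no {' / '.join(missing)}")
            continue
        if e["set transform-set"] not in cfg["tsets"]:
            findings.append(f"{tag}: undefined transform-set {e['set transform-set']}")
        if not key_covers(e["set peer"], cfg["keys"]):
            findings.append(f"{tag}: no isakmp key covers peer {e['set peer']}")
        acl = e["match address"]
        if acl not in cfg["acl"]:
            findings.append(f"{tag}: access-list {acl} is not defined")
        for rule in cfg["acl"].get(acl, []):  # every remote subnet must be exempt from NAT
            if rule not in nat0_rules:
                findings.append(f"{tag}: {rule[2]} {rule[3]} (access-list {acl}) missing from nat 0 access-list {cfg['nat0']}")
    return findings


if __name__ == "__main__":
    for line in check(parse_pix(PIX_CONFIG)) or ["no findings"]:
        print(line)
```

Run it against the text of a saved running config instead of PIX_CONFIG to audit a real box before adding the next site. The key check deliberately uses netmask matching rather than string comparison, which is why adding the wildcard key for the dynamic remotes also silences the missing-key finding for any static peer: that is exactly how the PIX treats a 0.0.0.0/0.0.0.0 key, so the checker reports what the box would actually accept.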

 
Author Comment by lmar, ID: 12352202
Thanks!
Author Comment by lmar, ID: 12488518
lrmoore, one more ? here, I'm adding the dynamic map, do I need to add an access-list to match the subnet of the remote network?

Thanks,

lmar