Multiple VPN Connections on PIX 501

Hello,

This should be an easy one.... I hope.

I have a PIX 501 at our HQ and would like to set up VPN to multiple sites that have PIX/Netgear VPN routers.  In testing I was able get single VPN connections working w/o a problem using the sample on Cisco's website (address below).  Now I would like to roll out VPN to multiple sites and am not sure how to modify my config.


The sites I would like to have connected via VPN are:
10.0.0.0 255.255.255.0 - via netgear router
192.168.50.0 255.255.255.0 via PIX 501
192.168.60.0 255.255.255.0 via netgear router


My config so far (main office PIX):

Note:  WAN IP addresses changed

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set chevelle esp-des esp-md5-hmac

crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer xxx.xxx.xxx.001
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside

isakmp enable outside
isakmp key mcllc address xxx.xxx.xxx.001 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set chevelle esp-des esp-md5-hmac

crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer xxx.xxx.xxx.001 (this is the VPN for 10.0.0.0)
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside

isakmp enable outside
isakmp key ********* address xxx.xxx.xxx.001 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400

Additional Questions:
Do all sites need to be on access-list 101?
Can "chevelle" used in the Cisco config be named whatever I want?

My end goal is to have a complete VPN mesh to all offices and be able to easily add additional offices as needed.


Cisco Config Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml
lmarAsked:
lrmooreCommented:
>Do all sites need to be on access-list 101?
No. You can and should have a different access-list for each remote site
101 - site 1
102 - site 2
103 - site 3 <etc>

>Can "chevelle" used in the Cisco config be named whatever I want?
Yes. This is simply a mnemonic name to reference in the map or policy
Just like "transam" can be anything you want.

Check out the configuration example here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800a2cce.shtml

Note that only access-list 100 (applied to nat "zero") is constant and contains all of the remote site subnets.

Here's an example script, assuming that your HQ is 192.168.100.0/24:

access-list 101 permit ip 192.168.100.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 102 permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 103 permit ip 192.168.100.0 255.255.255.0 192.168.60.0 255.255.255.0

access-list 100 permit ip 192.168.100.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 100 permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 100 permit ip 192.168.100.0 255.255.255.0 192.168.60.0 255.255.255.0

nat (inside) 0 access-list 100

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set chevelle esp-des esp-md5-hmac

crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer xxx.xxx.xxx.001
crypto map transam 1 set transform-set chevelle

crypto map transam 2 ipsec-isakmp
crypto map transam 2 match address 102
crypto map transam 2 set peer xxx.xxx.xxx.abd
crypto map transam 2 set transform-set ESP-3DES-MD5

crypto map transam 3 ipsec-isakmp
crypto map transam 3 match address 103
crypto map transam 3 set peer xxx.xxx.xxx.def
crypto map transam 3 set transform-set chevelle

crypto map transam interface outside

isakmp enable outside
isakmp key mcllc address xxx.xxx.xxx.001 netmask 255.255.255.255
isakmp key mcllc address xxx.xxx.xxx.abc netmask 255.255.255.255 no-xauth no-config-mode <-- to remote PIX
isakmp key mcllc address xxx.xxx.xxx.def netmask 255.255.255.255

<=== you only need one common policy, but you can create multiple ones, and the remotes will negotiate for a common one
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400

isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash md5
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400

isakmp policy 3 authentication pre-share
isakmp policy 3 encryption 3des
isakmp policy 3 hash sha
isakmp policy 3 group 2
isakmp policy 3 lifetime 28800



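As an added example (not from the thread or from Cisco's documentation), a small Python script that emits lrmoore's per-site layout for a list of remote sites and cross-checks the result: every crypto map entry must reference an existing access-list, every peer must have an isakmp key, and every remote subnet must also appear in the nat 0 access-list 100. The HQ subnet 192.168.100.0/24 follows the answer above; the peer addresses and the pre-shared key placeholder are constructed assumptions.

```python
import re

# Constructed sample sites: (remote subnet, mask, peer WAN IP, transform-set).
# Peer IPs are documentation addresses, not the thread's masked ones.
SITES = [
    ("192.168.50.0", "255.255.255.0", "203.0.113.1", "chevelle"),
    ("10.0.0.0", "255.255.255.0", "203.0.113.2", "ESP-3DES-MD5"),
    ("192.168.60.0", "255.255.255.0", "203.0.113.3", "chevelle"),
]
HQ = ("192.168.100.0", "255.255.255.0")  # HQ subnet assumed in the answer


def build_config(sites, hq, map_name="transam", psk="PLACEHOLDER_PSK"):
    """Emit lrmoore's layout: ACL 101.. and a crypto map entry per site,
    one isakmp key per peer, and a single nat 0 ACL 100 listing all sites."""
    out = []
    for i, (net, mask, _, _) in enumerate(sites, start=1):
        out.append(f"access-list {100 + i} permit ip {hq[0]} {hq[1]} {net} {mask}")
    for net, mask, _, _ in sites:
        out.append(f"access-list 100 permit ip {hq[0]} {hq[1]} {net} {mask}")
    out.append("nat (inside) 0 access-list 100")
    for i, (_, _, peer, tset) in enumerate(sites, start=1):
        out += [f"crypto map {map_name} {i} ipsec-isakmp",
                f"crypto map {map_name} {i} match address {100 + i}",
                f"crypto map {map_name} {i} set peer {peer}",
                f"crypto map {map_name} {i} set transform-set {tset}"]
    out.append(f"crypto map {map_name} interface outside")
    for _, _, peer, _ in sites:
        out.append(f"isakmp key {psk} address {peer} netmask 255.255.255.255")
    return out


def check_config(lines):
    """Return problems: map entries whose ACL is missing, peers without an
    isakmp key, and per-site subnets absent from the nat 0 ACL (100)."""
    acls, nat0, keys, refs, peers = {}, set(), set(), [], []
    for ln in lines:
        if m := re.match(r"access-list (\d+) permit ip \S+ \S+ (\S+) (\S+)", ln):
            (nat0 if m[1] == "100" else acls.setdefault(m[1], set())).add((m[2], m[3]))
        elif m := re.match(r"isakmp key \S+ address (\S+)", ln):
            keys.add(m[1])
        elif m := re.match(r"crypto map \S+ \d+ match address (\d+)", ln):
            refs.append(m[1])
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", ln):
            peers.append(m[1])
    problems = [f"crypto map references missing access-list {a}" for a in refs if a not in acls]
    problems += [f"no isakmp key for peer {p}" for p in peers if p not in keys]
    for acl, nets in acls.items():
        problems += [f"{n} (acl {acl}) missing from nat 0 access-list 100" for n, _ in nets - nat0]
    return problems
```

Run `check_config` over a pasted running config as well: it flags the case lrmoore warns about, a remote subnet added to its own crypto map ACL but forgotten in access-list 100.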
lmarAuthor Commented:
Thank you Lrmoore!  You saved me a ton of reading.

LMar
lrmooreCommented:
Glad to help!
lmarAuthor Commented:
Hey lrmoore, one thing I forgot, is this possible if the remote locations have a dynamic IP address?

Thanks!

LMar
lrmooreCommented:
Yes, you can... all you have to do is set up one map and one key:

<== dynamic map for remotes with dynamic IP
crypto dynamic-map stingray 1 set transform-set myset
crypto map transam 20 ipsec-isakmp dynamic stingray

<== one key for all remotes, if you want = match any:
isakmp key mcllc address 0.0.0.0 netmask 0.0.0.0

Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml

lmarAuthor Commented:
Thanks!
lmarAuthor Commented:
lrmoore, one more question here: I'm adding the dynamic map, do I need to add an access-list to match the subnet of the remote network?

Thanks,

lmar