lmar (ASKER) asked:
Multiple VPN Connections on PIX 501

Hello,

This should be an easy one.... I hope.

I have a PIX 501 at our HQ and would like to set up VPN to multiple sites that have PIX/Netgear VPN routers.  In testing I was able to get single VPN connections working w/o a problem using the sample on Cisco's website (address below).  Now I would like to roll out VPN to multiple sites and am not sure how to modify my config.


The sites I would like to have connected via VPN are:
10.0.0.0 255.255.255.0 - via netgear router
192.168.50.0 255.255.255.0 via PIX 501
192.168.60.0 255.255.255.0 via netgear router


My config so far (main office PIX):

Note:  WAN IP addresses changed

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set chevelle esp-des esp-md5-hmac

crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer xxx.xxx.xxx.001 (this is the VPN for 10.0.0.0)
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside

isakmp enable outside
isakmp key ********* address xxx.xxx.xxx.001 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400

Additional Questions:
Do all sites need to be on access-list 101?
Can "chevelle" used in the Cisco config be named whatever I want?

My end goal is to have a complete VPN mesh to all offices and be able to easily add additional offices as needed.


Cisco Config Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml
ASKER CERTIFIED SOLUTION
Les Moore:
This solution is only available to members of Experts Exchange.
lmar (ASKER):

Thank you Lrmoore!  You saved me a ton of reading.

LMar
lrmoore:
Glad to help!
lmar (ASKER):

Hey lrmoore, one thing I forgot, is this possible if the remote locations have a dynamic IP address?

Thanks!

LMar
lrmoore:
Yes, you can... all you have to do is setup one map and one key:

<== dynamic map for remotes with dynamic IP
crypto dynamic-map stingray 1 set transform-set myset
crypto map transam 20 ipsec-isakmp dynamic stingray

<== one key for all remotes, if you want = match any:
isakmp key mcllc address 0.0.0.0 netmask 0.0.0.0

Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml

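To tie the two replies together (one static crypto map entry, ACL and key per fixed-address peer; a single dynamic-map entry and wildcard key for peers without a fixed address; NAT exemption for every remote LAN), here is an added generator for the hub-side PIX 6.x config. It is not code from the thread or from Cisco; the HQ LAN, the peer addresses and the keys are constructed placeholders, while the map and transform-set names are the thread's own.

```python
# Added example, not from the thread: hub-side PIX 6.x config for several
# site-to-site peers. HQ LAN, peer addresses and keys are constructed placeholders.
from dataclasses import dataclass
from typing import List, Optional

HQ_NET = ("192.168.1.0", "255.255.255.0")  # assumed HQ LAN; not stated in the thread

@dataclass
class Site:
    net: str             # remote LAN network
    mask: str            # remote LAN mask
    peer: Optional[str]  # remote VPN device's public IP; None = dynamic address
    key: str = ""        # per-peer pre-shared key (static peers only)

def hub_config(sites: List[Site], map_name="transam", tset="chevelle",
               dyn_map="stingray", dyn_key="DYNAMIC-KEY-PLACEHOLDER") -> List[str]:
    """One ACL + crypto map entry + key per static peer, one dynamic-map entry
    (highest sequence number) for all dynamic peers, one NAT-exemption ACL."""
    static = [s for s in sites if s.peer]
    out = ["sysopt connection permit-ipsec", "isakmp enable outside",
           # DES/MD5/group 1 mirror the thread; the ESP-3DES-MD5 set it also defines is stronger
           f"crypto ipsec transform-set {tset} esp-des esp-md5-hmac",
           "isakmp policy 1 authentication pre-share", "isakmp policy 1 encryption des",
           "isakmp policy 1 hash md5", "isakmp policy 1 group 1"]
    # Traffic to every remote LAN must bypass NAT or it never matches the crypto ACLs.
    out += [f"access-list nonat permit ip {HQ_NET[0]} {HQ_NET[1]} {s.net} {s.mask}" for s in sites]
    out.append("nat (inside) 0 access-list nonat")
    for i, s in enumerate(static):
        acl, seq = 101 + i, 1 + i  # distinct ACL and sequence number for each static peer
        out += [f"access-list {acl} permit ip {HQ_NET[0]} {HQ_NET[1]} {s.net} {s.mask}",
                f"crypto map {map_name} {seq} ipsec-isakmp",
                f"crypto map {map_name} {seq} match address {acl}",
                f"crypto map {map_name} {seq} set peer {s.peer}",
                f"crypto map {map_name} {seq} set transform-set {tset}",
                f"isakmp key {s.key} address {s.peer} netmask 255.255.255.255"]
    if len(static) < len(sites):
        # Dynamic peers: one entry after all static ones (seq 20, as in the reply) plus one
        # wildcard key. That key alone authenticates an unknown peer, so keep it long and unique.
        out += [f"crypto dynamic-map {dyn_map} 1 set transform-set {tset}",
                f"crypto map {map_name} 20 ipsec-isakmp dynamic {dyn_map}",
                f"isakmp key {dyn_key} address 0.0.0.0 netmask 0.0.0.0"]
    out.append(f"crypto map {map_name} interface outside")
    return out

def thread_sites() -> List[Site]:
    """The three remote LANs from the question; peer IPs and keys are constructed."""
    return [Site("10.0.0.0", "255.255.255.0", "198.51.100.1", "k1"),
            Site("192.168.50.0", "255.255.255.0", "198.51.100.2", "k2"),
            Site("192.168.60.0", "255.255.255.0", None)]
```

Running `hub_config(thread_sites())` shows why all sites do not go on access-list 101: each static peer gets its own ACL and sequence number, and the dynamic-map entry needs no per-site ACL of its own.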
lmar (ASKER):

Thanks!
lmar (ASKER):

lrmoore, one more question here: I'm adding the dynamic map, do I need to add an access-list to match the subnet of the remote network?

Thanks,

lmar