Multiple VPN Connections on PIX 501

Posted on 2004-10-19
Last Modified: 2012-08-13
Hello,

This should be an easy one.... I hope.

I have a PIX 501 at our HQ and would like to set up VPN to multiple sites that have PIX/Netgear VPN routers.  In testing I was able to get single VPN connections working w/o a problem using the sample on Cisco's website (address below).  Now I would like to roll out VPN to multiple sites and am not sure how to modify my config.


The sites I would like to have connected via VPN are:
10.0.0.0 255.255.255.0 - via netgear router
192.168.50.0 255.255.255.0 via PIX 501
192.168.60.0 255.255.255.0 via netgear router


My config so far (main office PIX):

Note:  WAN IP addresses changed

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set chevelle esp-des esp-md5-hmac

crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer xxx.xxx.xxx.001 (this is the VPN for 10.0.0.0)
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside

isakmp enable outside
isakmp key ********* address xxx.xxx.xxx.001 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400

Additional Questions:
Do all sites need to be on access-list 101?
Can "chevelle" used in the Cisco config be named whatever I want?

My end goal is to have a complete VPN mesh to all offices and be able to easily add additional offices as needed.


Cisco Config Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml
Question by:lmar
 
Accepted Solution by:lrmoore (earned 250 total points)
>Do all sites need to be on access-list 101?
No. You can and should have a different access-list for each remote site
101 - site 1
102 - site 2
103 - site 3 <etc>

>Can "chevelle" used in the Cisco config be named whatever I want?
Yes. This is simply a mnemonic name to reference in the map or policy
Just like "transam" can be anything you want.

Check out the configuration example here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800a2cce.shtml

Note that only access-list 100 (applied to nat "zero") is constant and contains all of the remote site subnets.

Here's an example script, assuming that your HQ is 192.168.100.0/24:

access-list 101 permit ip 192.168.100.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 102 permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 103 permit ip 192.168.100.0 255.255.255.0 192.168.60.0 255.255.255.0

access-list 100 permit ip 192.168.100.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 100 permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 100 permit ip 192.168.100.0 255.255.255.0 192.168.60.0 255.255.255.0

nat (inside) 0 access-list 100

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set chevelle esp-des esp-md5-hmac

crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer xxx.xxx.xxx.001
crypto map transam 1 set transform-set chevelle

crypto map transam 2 ipsec-isakmp
crypto map transam 2 match address 102
crypto map transam 2 set peer xxx.xxx.xxx.abc
crypto map transam 2 set transform-set ESP-3DES-MD5

crypto map transam 3 ipsec-isakmp
crypto map transam 3 match address 103
crypto map transam 3 set peer xxx.xxx.xxx.def
crypto map transam 3 set transform-set chevelle

crypto map transam interface outside

isakmp enable outside
isakmp key mcllc address xxx.xxx.xxx.001 netmask 255.255.255.255
isakmp key mcllc address xxx.xxx.xxx.abc netmask 255.255.255.255 no-xauth no-config-mode <-- to remote PIX
isakmp key mcllc address xxx.xxx.xxx.def netmask 255.255.255.255

<=== you only need one common policy, but you can create multiple ones, and the remotes will negotiate for a common one
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400

isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash md5
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400

isakmp policy 3 authentication pre-share
isakmp policy 3 encryption 3des
isakmp policy 3 hash sha
isakmp policy 3 group 2
isakmp policy 3 lifetime 28800



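As an added sanity check (example code written for this page, not from the thread or from Cisco): a small Python audit of the crypto-map layout shown in the accepted solution. It reads a constructed PIX-style config fragment (placeholder peers from the 198.51.100.0/24 documentation range) and reports every map entry whose peer has no matching isakmp key, or whose remote subnet is missing from the nat 0 access-list, which is the kind of mismatch that quietly breaks one tunnel while the others keep working.

```python
import re

# Constructed sample modelled on the accepted solution's layout (placeholder peers from
# the 198.51.100.0/24 documentation range). Two deliberate defects: the isakmp key for
# map entry 2 is bound to the wrong address, and 192.168.60.0 is absent from the nat 0 ACL.
SAMPLE_CONFIG = """
access-list 101 permit ip 192.168.100.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 102 permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 103 permit ip 192.168.100.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list 100 permit ip 192.168.100.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 100 permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list 100
crypto map transam 1 match address 101
crypto map transam 1 set peer 198.51.100.1
crypto map transam 2 match address 102
crypto map transam 2 set peer 198.51.100.2
crypto map transam 3 match address 103
crypto map transam 3 set peer 198.51.100.3
isakmp key mcllc address 198.51.100.1 netmask 255.255.255.255
isakmp key mcllc address 198.51.100.22 netmask 255.255.255.255
isakmp key mcllc address 198.51.100.3 netmask 255.255.255.255
"""

def audit_crypto_map(config: str) -> list:
    """Return human-readable findings; an empty list means every map entry is consistent."""
    entries, acls, keys, nat0 = {}, {}, set(), None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"access-list (\S+) permit ip \S+ \S+ (\S+) \S+$", line):
            acls.setdefault(m[1], set()).add(m[2])          # ACL id -> remote subnets
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            nat0 = m[1]                                       # ACL that exempts VPN traffic from NAT
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)$", line):
            entries.setdefault((m[1], int(m[2])), {})["acl"] = m[3]
        elif m := re.match(r"crypto map (\S+) (\d+) set peer (\S+)$", line):
            entries.setdefault((m[1], int(m[2])), {})["peer"] = m[3]
        elif m := re.match(r"isakmp key \S+ address (\S+) netmask", line):
            keys.add(m[1])                                    # addresses that have a pre-shared key
    findings, protected = [], acls.get(nat0, set())
    for (name, seq), e in sorted(entries.items()):
        acl, peer = e.get("acl"), e.get("peer")
        if acl is None or peer is None:
            findings.append(f"{name} {seq}: needs both 'match address' and 'set peer'")
        elif acl not in acls:
            findings.append(f"{name} {seq}: access-list {acl} is not defined")
        else:
            if peer not in keys and "0.0.0.0" not in keys:    # 0.0.0.0 = wildcard key for dynamic peers
                findings.append(f"{name} {seq}: no isakmp key for peer {peer}")
            for subnet in sorted(acls[acl] - protected):
                findings.append(f"{name} {seq}: {subnet} is not exempted by nat 0 access-list {nat0}")
    return findings
```

Paste the running config of the HQ PIX in place of the sample and each finding points at the crypto map sequence number to fix.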
Author Comment by:lmar
Thank you Lrmoore!  You saved me a ton of reading.

LMar
Expert Comment by:lrmoore
Glad to help!
Author Comment by:lmar
Hey lrmoore, one thing I forgot, is this possible if the remote locations have a dynamic IP address?

Thanks!

LMar
Expert Comment by:lrmoore
Yes, you can... all you have to do is setup one map and one key:

<== dynamic map for remotes with dynamic IP
crypto dynamic-map stingray 1 set transform-set myset
crypto map transam 20 ipsec-isakmp dynamic stingray

<== one key for all remotes, if you want = match any:
isakmp key mcllc address 0.0.0.0 netmask 0.0.0.0

Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml

 
Author Comment by:lmar
Thanks!
Author Comment by:lmar
lrmoore, one more question here: I'm adding the dynamic map, do I need to add an access-list to match the subnet of the remote network?

Thanks,

lmar