Solved

Multiple VPN Connections on PIX 501

Posted on 2004-10-19
Last Modified: 2012-08-13
Hello,

This should be an easy one.... I hope.

I have a PIX 501 at our HQ and would like to set up VPN to multiple sites that have PIX/Netgear VPN routers.  In testing I was able to get single VPN connections working w/o a problem using the sample on Cisco's website (address below).  Now I would like to roll out VPN to multiple sites and am not sure how to modify my config.


The sites I would like to have connected via VPN are:
10.0.0.0 255.255.255.0 - via netgear router
192.168.50.0 255.255.255.0 via PIX 501
192.168.60.0 255.255.255.0 via netgear router


My config so far (main office PIX):

Note:  WAN IP addresses changed

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set chevelle esp-des esp-md5-hmac

crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer xxx.xxx.xxx.001 (this is the VPN for 10.0.0.0)
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside

isakmp enable outside
isakmp key ********* address xxx.xxx.xxx.001 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400

Additional Questions:
Do all sites need to be on access-list 101?
Can "chevelle", as used in the Cisco config, be named whatever I want?

My end goal is to have a complete VPN mesh to all offices and be able to easily add additional offices as needed.


Cisco Config Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml
Question by:lmar
Accepted Solution

by:
lrmoore earned 250 total points
ID: 12351801
>Do all sites need to be on access-list 101?
No. You can and should have a different access-list for each remote site
101 - site 1
102 - site 2
103 - site 3 <etc>

>Can "chevelle" used in the Cisco config be named whatever I want?
Yes. This is simply a mnemonic name to reference in the map or policy
Just like "transam" can be anything you want.

Check out the configuration example here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800a2cce.shtml

Note that only access-list 100 (applied to nat "zero") is constant and contains all of the remote site subnets.

Here's an example script, assuming that your HQ is 192.168.100.0/24:

access-list 101 permit ip 192.168.100.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 102 permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 103 permit ip 192.168.100.0 255.255.255.0 192.168.60.0 255.255.255.0

access-list 100 permit ip 192.168.100.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 100 permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 100 permit ip 192.168.100.0 255.255.255.0 192.168.60.0 255.255.255.0

nat (inside) 0 access-list 100

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set chevelle esp-des esp-md5-hmac

crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer xxx.xxx.xxx.001
crypto map transam 1 set transform-set chevelle

crypto map transam 2 ipsec-isakmp
crypto map transam 2 match address 102
crypto map transam 2 set peer xxx.xxx.xxx.abc
crypto map transam 2 set transform-set ESP-3DES-MD5

crypto map transam 3 ipsec-isakmp
crypto map transam 3 match address 103
crypto map transam 3 set peer xxx.xxx.xxx.def
crypto map transam 3 set transform-set chevelle

crypto map transam interface outside

isakmp enable outside
isakmp key mcllc address xxx.xxx.xxx.001 netmask 255.255.255.255
isakmp key mcllc address xxx.xxx.xxx.abc netmask 255.255.255.255 no-xauth no-config-mode <-- to remote PIX
isakmp key mcllc address xxx.xxx.xxx.def netmask 255.255.255.255

<=== you only need one common policy, but you can create multiple ones, and the remotes will negotiate for a common one
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400

isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash md5
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400

isakmp policy 3 authentication pre-share
isakmp policy 3 encryption 3des
isakmp policy 3 hash sha
isakmp policy 3 group 2
isakmp policy 3 lifetime 28800
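
The per-site layout in this answer (one crypto ACL and one crypto map entry per spoke, one nat 0 ACL listing every remote subnet, one host-scoped pre-shared key per peer) is easy to get wrong by hand as offices are added, which is exactly the asker's goal. The script below is an added example, not code from the thread or from Cisco: it generates that section of the hub config from a site list and refuses duplicate peers or undefined transform-sets. The HQ subnet, peer addresses and keys are constructed placeholders; "transam" and "chevelle" are kept only because they are the thread's own arbitrary mnemonic names. It emits a 3DES/SHA/group 2 ISAKMP policy, the strongest combination shown in this thread, rather than the DES/MD5/group 1 policy from the question, because single DES and 768-bit DH group 1 are not adequate protection.

```python
"""Generate the hub-side PIX 6.x crypto config for several static-IP spokes.

Added example, not code from the thread or from Cisco. HQ subnet, site list,
peer addresses and keys are constructed placeholders; "transam" and "chevelle"
are the arbitrary mnemonic names used in the thread.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Site:
    name: str       # label only, never emitted into the config
    subnet: str     # remote LAN network
    mask: str       # remote LAN mask
    peer: str       # remote VPN endpoint (static public IP)
    psk: str        # pre-shared key for this peer only
    transform: str  # transform-set name defined on the hub


# Transform sets defined on the hub. 3DES/SHA is the strongest the thread shows;
# the DES/MD5 "chevelle" set is kept only because one spoke in the thread uses it.
TRANSFORM_SETS: Dict[str, str] = {
    "ESP-3DES-SHA": "esp-3des esp-sha-hmac",
    "chevelle": "esp-des esp-md5-hmac",
}


def build_config(hq_subnet: str, hq_mask: str, sites: List[Site],
                 map_name: str = "transam", nat0_acl: int = 100,
                 first_acl: int = 101) -> List[str]:
    """Return the crypto section of the hub config as a list of config lines.

    One match-address ACL and one crypto map entry per site, a single nat 0 ACL
    covering every remote subnet, and one /32-scoped isakmp key per peer.
    """
    peers = [s.peer for s in sites]
    if len(set(peers)) != len(peers):
        raise ValueError("two sites share a peer address; each map entry needs a distinct peer")
    for s in sites:
        if s.transform not in TRANSFORM_SETS:
            raise ValueError(f"{s.name}: transform-set {s.transform!r} is not defined")
    acl_of = {s.peer: first_acl + i for i, s in enumerate(sites)}   # 101, 102, ...
    seq_of = {s.peer: i + 1 for i, s in enumerate(sites)}           # map seq 1, 2, ...

    lines: List[str] = []
    for s in sites:  # per-site crypto ACL: what is encrypted toward this peer
        lines.append(f"access-list {acl_of[s.peer]} permit ip {hq_subnet} {hq_mask} {s.subnet} {s.mask}")
    for s in sites:  # nat 0 ACL: exempt all tunnel traffic from NAT, one line per remote
        lines.append(f"access-list {nat0_acl} permit ip {hq_subnet} {hq_mask} {s.subnet} {s.mask}")
    lines.append(f"nat (inside) 0 access-list {nat0_acl}")
    lines.append("sysopt connection permit-ipsec")
    for name, algs in TRANSFORM_SETS.items():
        lines.append(f"crypto ipsec transform-set {name} {algs}")
    for s in sites:
        seq = seq_of[s.peer]
        lines += [
            f"crypto map {map_name} {seq} ipsec-isakmp",
            f"crypto map {map_name} {seq} match address {acl_of[s.peer]}",
            f"crypto map {map_name} {seq} set peer {s.peer}",
            f"crypto map {map_name} {seq} set transform-set {s.transform}",
        ]
    lines.append(f"crypto map {map_name} interface outside")
    lines.append("isakmp enable outside")
    for s in sites:
        # /32 netmask: this key is accepted from this one address only.
        lines.append(f"isakmp key {s.psk} address {s.peer} netmask 255.255.255.255")
    lines += [
        "isakmp policy 1 authentication pre-share",
        "isakmp policy 1 encryption 3des",
        "isakmp policy 1 hash sha",
        "isakmp policy 1 group 2",
        "isakmp policy 1 lifetime 28800",
    ]
    return lines


# Constructed site list mirroring the three subnets in the question; peers and keys are fake.
SITES = [
    Site("netgear-a", "10.0.0.0", "255.255.255.0", "198.51.100.1", "key-a", "ESP-3DES-SHA"),
    Site("pix-b", "192.168.50.0", "255.255.255.0", "198.51.100.2", "key-b", "ESP-3DES-SHA"),
    Site("netgear-c", "192.168.60.0", "255.255.255.0", "198.51.100.3", "key-c", "chevelle"),
]

if __name__ == "__main__":
    print("\n".join(build_config("192.168.100.0", "255.255.255.0", SITES)))
```

Adding an office is then one more `Site` entry; the ACL number and map sequence follow from its position in the list, so nothing else in the hub config has to be touched. The spoke side (each remote's own crypto ACL, nat 0 and key) still has to be configured separately.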

Author Comment

by: lmar
ID: 12351829
Thank you Lrmoore!  You saved me a ton of reading.

LMar

Expert Comment

by: lrmoore
ID: 12351871
Glad to help!

Author Comment

by: lmar
ID: 12352109
Hey lrmoore, one thing I forgot, is this possible if the remote locations have a dynamic IP address?

Thanks!

LMar

Expert Comment

by: lrmoore
ID: 12352196
Yes, you can... all you have to do is set up one map and one key:

<== dynamic map for remotes with dynamic IP
crypto dynamic-map stingray 1 set transform-set myset
crypto map transam 20 ipsec-isakmp dynamic stingray

<== one key for all remotes, if you want = match any:
isakmp key mcllc address 0.0.0.0 netmask 0.0.0.0

Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml
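
Two things in this follow-up deserve a check before deployment. The wildcard `isakmp key ... address 0.0.0.0 netmask 0.0.0.0` means one shared secret is accepted from any source address, so every dynamic-IP remote, and anyone who obtains that key, authenticates with the same credential; and `myset` in the dynamic map is a placeholder transform-set name that must actually be defined. The script below is an added example, not code from the thread or from Cisco: it audits the crypto section of a PIX 6.x config for those two issues plus static-map peers without a host-specific key (the copy-paste mismatch between a `set peer` line and its `isakmp key` line), `match address` ACLs that are never defined, and ISAKMP policies using DES, MD5 or DH group 1. The sample config is constructed from the accepted answer and this follow-up, with fake addresses and one deliberately mistyped peer.

```python
"""Audit a PIX 6.x crypto section for the mistakes this thread invites.

Added example, not code from the thread or from Cisco. SAMPLE is constructed
from the thread's accepted answer and dynamic-map follow-up with fake addresses;
ACL 103 is deliberately left undefined and map entry 2's peer is mistyped.
"""
from typing import List

SAMPLE = """\
access-list 101 permit ip 192.168.100.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 102 permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 198.51.100.1
crypto map transam 1 set transform-set chevelle
crypto map transam 2 ipsec-isakmp
crypto map transam 2 match address 102
crypto map transam 2 set peer 198.51.100.22
crypto map transam 2 set transform-set ESP-3DES-MD5
crypto map transam 3 ipsec-isakmp
crypto map transam 3 match address 103
crypto map transam 3 set peer 198.51.100.3
crypto map transam 3 set transform-set chevelle
crypto dynamic-map stingray 1 set transform-set myset
crypto map transam 20 ipsec-isakmp dynamic stingray
crypto map transam interface outside
isakmp enable outside
isakmp key mcllc address 198.51.100.1 netmask 255.255.255.255
isakmp key mcllc address 198.51.100.2 netmask 255.255.255.255
isakmp key mcllc address 198.51.100.3 netmask 255.255.255.255
isakmp key mcllc address 0.0.0.0 netmask 0.0.0.0
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 3 authentication pre-share
isakmp policy 3 encryption 3des
isakmp policy 3 hash sha
isakmp policy 3 group 2
isakmp policy 3 lifetime 28800
"""

# ISAKMP policy attribute values that should not be accepted on a new deployment.
WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}


def audit(config: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    lines = [l.split() for l in config.splitlines() if l.strip()]
    acls = {p[1] for p in lines if p[0] == "access-list"}
    tsets = {p[3] for p in lines if p[:3] == ["crypto", "ipsec", "transform-set"]}
    keyed = {p[p.index("address") + 1] for p in lines
             if p[:2] == ["isakmp", "key"] and "address" in p}
    findings: List[str] = []
    if "0.0.0.0" in keyed:
        findings.append("isakmp key 0.0.0.0/0.0.0.0: one shared secret is accepted from any source address")
    for p in lines:
        if p[:2] == ["isakmp", "policy"] and len(p) == 5 and p[4] in WEAK.get(p[3], ()):
            findings.append(f"isakmp policy {p[2]}: weak {p[3]} {p[4]}")
        if p[0] != "crypto" or p[1] not in ("map", "dynamic-map"):
            continue
        entry = " ".join(p[1:4])  # e.g. "map transam 2" or "dynamic-map stingray 1"
        if "peer" in p and p[p.index("peer") - 1] == "set":
            peer = p[p.index("peer") + 1]
            if peer not in keyed:  # typo between set peer and isakmp key: phase 1 fails
                findings.append(f"crypto {entry}: peer {peer} has no host-specific isakmp key")
        if "transform-set" in p and p[p.index("transform-set") - 1] == "set":
            name = p[p.index("transform-set") + 1]
            if name not in tsets:
                findings.append(f"crypto {entry}: transform-set {name} is not defined")
        if "address" in p and p[p.index("address") - 1] == "match":
            acl = p[p.index("address") + 1]
            if acl not in acls:
                findings.append(f"crypto {entry}: match address {acl} refers to an undefined access-list")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against the sample it reports seven findings: the wildcard key, the mistyped peer on map entry 2, the undefined ACL 103, the undefined `myset` transform-set, and the three weak attributes of policy 1. Policy 3 (3DES/SHA/group 2) passes. The check parses only the command forms that appear in this thread; it is a sanity pass over a pasted config, not a full PIX parser.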

 
Author Comment

by: lmar
ID: 12352202
Thanks!

Author Comment

by: lmar
ID: 12488518
lrmoore, one more question here: I'm adding the dynamic map; do I need to add an access-list to match the subnet of the remote network?

Thanks,

lmar