Kjohnsting asked:
Need help with Multiple Site-to-Site VPNs (BTB)

I have a PIX 515e firewall as my only exterior facing device. I run remote access VPNs for sales and IT staff through it, but I also use it for a site-to-site to a vendor (ESP-3DES-SHA). I was told to set up an additional site-to-site (I'll abbreviate: STS) with a different vendor (ESP-3DES-MD5). I have never built a VPN before, only adjusted the current one to allow additional traffic. So I am trying to build it using this book I have and examining the current config for the original STS VPN. The STS has to be ESP-3DES-MD5, and I was given a public IP (no mask provided) for the tunnel and a public IP (no mask provided) for the traffic once the tunnel is created. I am allowing only port 3389 for remote desktop.

1) I am having trouble creating an ACL for this traffic since I am not given any private IP addresses.
2) A crypto map is already created for the first STS, so how do I use this map with a different transform set.
3) Is there a specific order I have to go in to build this STS VPN? For example, does the ACL have to be in there before I can create the other pieces?

I am a rookie :(
minmei:

Rookie is ok :)

1) Me too - ask if they really want you to be using public addresses. (I've used them once before out of a billion (it seems) VPNs.)

2) You enter a new crypto map entry, not a new crypto map, as in the following example:

crypto map vpn 35 ipsec-isakmp
crypto map vpn 35 match address outside_cryptomap_35
crypto map vpn 35 set pfs group2
crypto map vpn 35 set peer x.y.z.199
crypto map vpn 35 set transform-set 3destranssha

crypto map vpn 45 ipsec-isakmp
crypto map vpn 45 match address outside_cryptomap_45
crypto map vpn 45 set pfs group2
crypto map vpn 45 set peer x.y.z.293
crypto map vpn 45 set transform-set 3destransmd5


and then use different transforms like below:

crypto ipsec transform-set 3destranssha esp-3des esp-sha-hmac
crypto ipsec transform-set 3destransmd5 esp-3des esp-md5-hmac

3) Having the ACL first is good because sometimes when you build a crypto map without a match ACL it sends everything through the tunnel and messes you up until you reload the PIX.

Good luck!
Kjohnsting (asker):

Currently I have an STS VPN with a vendor and the following is part of that script:

access-list LDL_CRYPTO_ACL permit ip 172.16.1.0 255.255.255.0 172.16.9.240 255.255.255.240
access-list LDL_CRYPTO_ACL permit ip 192.168.1.0 255.255.255.0 172.16.9.240 255.255.255.240
access-list LDL_CRYPTO_ACL permit ip 10.87.1.0 255.255.255.0 172.16.9.240 255.255.255.240
access-list LDL_CRYPTO_ACL permit ip 172.16.9.240 255.255.255.240 10.87.1.0 255.255.255.0
access-list LDL_CRYPTO_ACL permit ip 10.87.39.0 255.255.255.0 172.16.9.240 255.255.255.240
access-list LDL_CRYPTO_ACL permit ip 172.16.9.240 255.255.255.240 10.87.39.0 255.255.255.0
access-list LDL_CRYPTO_ACL permit ip 172.28.0.0 255.255.0.0 172.16.9.240 255.255.255.240
access-list LDL_CRYPTO_ACL permit ip 172.16.9.240 255.255.255.240 172.28.0.0 255.255.0.0
static (inside,outside) tcp 172.16.9.241 3389 X_Server 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 172.16.9.241 ftp X_Server ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 172.16.9.241 ftp-data X_Server ftp-data netmask 255.255.255.255 0 0
static (inside,outside) 172.16.9.242 Z_Server netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.2.7 X_Server netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.2.11 Y_Server netmask 255.255.255.255 0 0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address HBS_CRYPTO_ACL
crypto map outside_map 10 set peer (public IP of peer)
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address (public IP of peer) netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 10
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800

What I was thinking to add in that new STS is the following:

access-list Protect permit ip (peer's public IP) 192.168.1.0 255.255.255.0
access-list SecondSTS_ACL permit udp (peer's public IP) host (our public ip) eq isakmp
access-list SecondSTS_Crypto_ACL permit udp (peer's public ip) host (our public IP) eq isakmp
access-list SecondSTS_Crypto_ACL permit ah (peer's public IP) host (our public IP)
access-list SecondSTS_Crypto_ACL permit esp (peer's public IP) host (our public IP)
isakmp key (pre-shared key) address (peer's public IP)
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3DES
isakmp policy 30 hash MD5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
crypto ipsec transform-set RSA1 esp-md5-hmac esp-3des
crypto map SecondSTS_map 30 set peer (peer's public IP)      
crypto map SecondSTS_map 30 ipsec-isakmp
crypto map SecondSTS_map 30 set session-key
crypto map SecondSTS_map 30 match address SecondSTS_Crypto_ACL
crypto map SecondSTS_map 30 set transform-set SecondSTS_Crypto_ACL
crypto map SecondSTS_map 30 set pfs group2
crypto map SecondSTS_map 30 security-association seconds 86400

1) Do you see any issues with adding this to my running config?
2) I was given two public IPs to use: one ends in .225, the other ends in .1.
   I was told one was for the tunnel (.225), the other for traffic (.1).
   Where should I put those in the script?
3) Also I have asked for a subnet mask of their public IP and they said I don't need it. So I have used 255.255.255.255 when a command craps out from not having a mask.

Thanks!
Starting backwards...

3) Yes. If they give you a host, 255.255.255.255 specifies a host, not any kind of network.

2) If .225 is the tunnel endpoint, it becomes the (peer's public IP) in the above commands.

.1 would be the host for the traffic that needs to be tunneled.

All the commands need to fit in the existing crypto map. So no SecondSTS_map, but additional commands in the outside_map crypto entry.

Add the following...

isakmp key (pre-shared key) address (peer's public IP - .225)
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3DES
isakmp policy 30 hash MD5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400

crypto ipsec transform-set RSA1 esp-md5-hmac esp-3des

crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address SecondSTS_ACL
crypto map outside_map 20 set peer (public IP of peer - .225)
crypto map outside_map 20 set transform-set RSA1

access-list SecondSTS_ACL permit ip (your local IP net) (netmask) host (their public IP - .1)

You'll also have to add a line to whatever nat 0 ACL you are using.

1) I was able to enter everything you suggested, except when I entered:
crypto map outside_map 20 match address SecondSTS_ACL

It went through but I received the following:
"Warning: access-list has port selectors may have performance impact"

What does that mean? What should I do? Monitor CPU usage?

2) For the nat 0 ACL, I entered the following:
nat (inside) 0 access-list Protect

Does it look correct? I WAS able to enter it.
Post the access list entry - it shouldn't have port selectors.

For the nat 0 ACL, it should be any traffic you do not want to nat - traffic to the first vpn site, traffic to the clients, traffic to the second vpn (.1).
All other traffic to the internet should be natted.

Post what you think that is and I'll check it.
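The crypto map layout minmei describes above and the port-selector warning, as an added example that is not part of the thread: a short Python check that flags a static crypto map entry whose transform-set name is undefined (the draft pointed it at an ACL name) and crypto ACL entries that match udp/esp or a port instead of plain `permit ip`. The sample config strings and the 203.0.113.x / 198.51.100.x addresses are constructed for the example.

```python
# Added example, not from the thread: a consistency check for PIX-style crypto map config.
# Sample snippets and addresses (203.0.113.x, 198.51.100.x) below are constructed.
import re
def parse_pix(config):
    """Collect ACL entries, transform-set names and crypto map entries from config text."""
    acls, tsets, maps = {}, set(), {}
    for line in config.splitlines():
        if m := re.match(r"access-list (\S+) (.*)", line.strip()):
            acls.setdefault(m[1], []).append(m[2])
        elif m := re.match(r"crypto ipsec transform-set (\S+)", line.strip()):
            tsets.add(m[1])
        elif m := re.match(r"crypto map (\S+) (\d+) (.*)", line.strip()):
            entry, words = maps.setdefault((m[1], int(m[2])), {}), m[3].split()
            if words == ["ipsec-isakmp"]:        # static entry; dynamic entries are skipped
                entry["static"] = True
            elif words[0] in ("match", "set"):  # e.g. match address X, set transform-set X
                entry[words[1]] = " ".join(words[2:])
    return acls, tsets, maps

def lint_crypto_maps(config):
    """Return findings for the mistakes discussed above; an empty list means consistent."""
    acls, tsets, maps = parse_pix(config)
    findings = []
    for (name, seq), entry in sorted(maps.items()):
        if not entry.get("static"):
            continue
        tag, acl, ts = f"crypto map {name} {seq}", entry.get("address"), entry.get("transform-set")
        if ts not in tsets:
            findings.append(f"{tag}: transform-set {ts} is not defined")
        # A crypto ACL selects protected traffic with plain 'permit ip'; udp/esp/ah or
        # 'eq <port>' entries describe the IKE/ESP packets and trigger the PIX warning.
        for ace in acls.get(acl, []):
            if not ace.startswith("permit ip ") or " eq " in ace:
                findings.append(f"{tag}: ACL {acl} has a protocol/port selector: {ace}")
    return findings

DRAFT = """\
access-list SecondSTS_Crypto_ACL permit udp host 203.0.113.225 host 198.51.100.10 eq isakmp
crypto ipsec transform-set RSA1 esp-md5-hmac esp-3des
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address SecondSTS_Crypto_ACL
crypto map outside_map 30 set transform-set SecondSTS_Crypto_ACL
"""
FIXED = """\
access-list SecondSTS_ACL permit ip 192.168.1.0 255.255.255.0 host 203.0.113.1
crypto ipsec transform-set RSA1 esp-md5-hmac esp-3des
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address SecondSTS_ACL
crypto map outside_map 20 set transform-set RSA1
"""
```

Running `lint_crypto_maps(DRAFT)` reports two findings (undefined transform-set and a udp/isakmp selector in the crypto ACL); `lint_crypto_maps(FIXED)` reports none.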
Here is the output of "show Access-list"

access-list cached ACL log flows: total 3, denied 1 (deny-flow-max 1024)
            alert-interval 300
access-list inside-out; 1 elements
access-list inside-out line 1 permit ip any any log 6 interval 300 (hitcnt=620391)
access-list outside_access_in; 3 elements
access-list outside_access_in line 1 deny tcp any any log 6 interval 300 (hitcnt=70711)
access-list outside_access_in line 2 deny udp any any log 6 interval 300 (hitcnt=236)
access-list outside_access_in line 3 deny ip any any log 6 interval 300 (hitcnt=4534)
access-list workers_splitTunnelAcl; 1 elements
access-list workers_splitTunnelAcl line 1 permit ip 192.168.1.0 255.255.255.0 any (hitcnt=0)
access-list inside_outbound_nat0_acl; 2 elements
access-list inside_outbound_nat0_acl line 1 permit ip 192.168.1.0 255.255.255.0 192.1.1.0 255.255.255.128 (hitcnt=192553)
access-list inside_outbound_nat0_acl line 2 permit ip host (IP of Server_A) host (Peer's IP) (hitcnt=0)
access-list outside_cryptomap_dyn_20; 1 elements
access-list outside_cryptomap_dyn_20 line 1 permit ip any 192.1.1.0 255.255.255.128 (hitcnt=138978)
access-list LDL_CRYPTO_ACL; 8 elements
access-list LDL_CRYPTO_ACL line 1 permit ip 172.16.1.0 255.255.255.0 172.16.9.240 255.255.255.240 (hitcnt=0)
access-list LDL_CRYPTO_ACL line 2 permit ip 172.16.9.0 255.255.255.0 172.16.9.240 255.255.255.240 (hitcnt=0)
access-list LDL_CRYPTO_ACL line 3 permit ip 10.87.1.0 255.255.255.0 172.16.9.240 255.255.255.240 (hitcnt=0)
access-list LDL_CRYPTO_ACL line 4 permit ip 172.16.9.240 255.255.255.240 10.87.1.0 255.255.255.0 (hitcnt=0)
access-list LDL_CRYPTO_ACL line 5 permit ip 10.87.39.0 255.255.255.0 172.16.9.240 255.255.255.240 (hitcnt=0)
access-list LDL_CRYPTO_ACL line 6 permit ip 172.16.9.240 255.255.255.240 10.87.39.0 255.255.255.0 (hitcnt=0)
access-list LDL_CRYPTO_ACL line 7 permit ip 172.28.0.0 255.255.0.0 172.16.9.240 255.255.255.240 (hitcnt=39)
access-list LDL_CRYPTO_ACL line 8 permit ip 172.16.9.240 255.255.255.240 172.28.0.0 255.255.0.0 (hitcnt=15749)
access-list dmz-in; 7 elements
access-list dmz-in line 1 permit icmp any host 192.168.2.7 echo (hitcnt=0)
access-list dmz-in line 2 permit tcp any host 192.168.2.7 eq 3389 (hitcnt=388)
access-list dmz-in line 3 permit tcp any host 192.168.2.11 eq ftp (hitcnt=6467)
access-list dmz-in line 4 permit tcp 192.168.2.0 255.255.255.0 object-group FTP host 192.168.2.11 object-group FTP log 6 interval 300
access-list dmz-in line 4 permit tcp 192.168.2.0 255.255.255.0 eq ftp-data host 192.168.2.11 eq ftp-data log 6 interval 300 (hitcnt=0)
access-list dmz-in line 4 permit tcp 192.168.2.0 255.255.255.0 eq ftp-data host 192.168.2.11 eq ftp log 6 interval 300 (hitcnt=0)
access-list dmz-in line 4 permit tcp 192.168.2.0 255.255.255.0 eq ftp host 192.168.2.11 eq ftp-data log 6 interval 300 (hitcnt=0)
access-list dmz-in line 4 permit tcp 192.168.2.0 255.255.255.0 eq ftp host 192.168.2.11 eq ftp log 6 interval 300 (hitcnt=0)
access-list  dynacl382; 1 elements
access-list  dynacl382 line 1 permit ip any host 192.1.1.97 (hitcnt=195)
access-list outside_cryptomap_30; 1 elements
access-list outside_cryptomap_30 line 1 permit ip host HBS_RiteRx host RSA (hitcnt=0)
access-list Protect; 1 elements
access-list Protect line 1 permit ip host (peer'sIP) 192.168.1.0 255.255.255.0 (hitcnt=0)
access-list RSA1_Crypto_ACL; 3 elements
access-list RSA1_Crypto_ACL line 1 permit esp host (peer's ip) host (my public IP) (hitcnt=0)
access-list RSA1_Crypto_ACL line 2 permit udp host (peer's ip) host (my public IP) eq isakmp (hitcnt=0)
access-list RSA1_Crypto_ACL line 3 permit ip host (IPof Server_A) host (peer's IP) (hitcnt=0)

As far as Nat 0 ACL, are you referring to part of what is posted above which reads:

access-list inside_outbound_nat0_acl; 2 elements
access-list inside_outbound_nat0_acl line 1 permit ip 192.168.1.0 255.255.255.0 192.1.1.0 255.255.255.128 (hitcnt=192553)
access-list inside_outbound_nat0_acl line 2 permit ip host (IP of Server_A) host (Peer's IP) (hitcnt=0)
Yes - that's the ACL that you need to use in the:

nat (inside) 0 access-list inside_outbound_nat0_acl

command instead of Protect.

But what about the "Warning: access-list has port selectors may have performance impact"?
ASKER CERTIFIED SOLUTION (minmei)
The following is new:

Access-list Protect
access-list RSA1_Crypto_ACL
access-list outside_cryptomap_30
access-list inside_outbound_nat0_acl line 2 permit ip host (IP of Server_A) host (Peer's IP) (hitcnt=0)
Did it work? Anything else you have a question on?
The tunnel is up. But for some reason I can't get the return traffic to get out of the outside interface.
Which is the return traffic? From the second site back into HQ? Post the latest config and I'll check it.
False alarm. I had to back out some of the changes a couple of days ago because I lost connectivity to a remote client. So after that was settled I entered the lines back into my script but missed a couple. Most notably the NAT line:

access-list inside_outbound_nat0_acl line 2 permit ip host (IP of Server_A) host (Peer's IP)

Everything is up and tested! Thanks! I have awarded the points.