youritstaff
asked on
PIX 506 connecting to 2 different VPNs
Is it possible to connect a PIX 506e to 2 unrelated VPNs?
They are both Cisco Concentrators on the other end, but have different policies.
Thanks in advance.
ASKER
Now that it's possible, where am I going wrong?
I have two crypto maps, isakmp keys, and an isakmp policy.
Is there anything else I need to setup?
We have a 506 that connects to about 20 different other pix's. The only difference in the config between each pix is the key, keyid, host address. Can you post your config?
--TheAndrew
ASKER
Here's the config:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix
domain-name pix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip host <my public ip> host <VPN1_gateway>
access-list 101 permit ip host <my public ip> host <VPN1_IP_1>
access-list 101 permit ip host <my public ip> host <VPN1_IP_2>
access-list 101 permit ip host <my public ip> host <VPN1_IP_3>
access-list 101 permit ip host <my public ip> host <VPN1_IP_4>
access-list 101 permit ip host <my public ip> host <VPN1_IP_5>
access-list 101 permit ip host <my public ip> host <VPN1_IP_6>
access-list 101 permit ip host <my public ip> host <VPN1_IP_7>
access-list 101 permit ip host <my public ip> host <VPN1_IP_8>
access-list 101 permit ip host <my public ip> host <VPN1_IP_9>
access-list 110 permit esp any any
access-list 110 permit ah any any
access-list 110 permit udp any eq isakmp any eq isakmp
access-list 111 permit esp any any
access-list 111 permit ah any any
access-list 111 permit udp any eq isakmp any eq isakmp
access-list 102 permit ip host <my public ip> host <VPN2_gateway>
access-list 102 permit ip host <my public ip> host <VPN2_IP_1>
access-list 102 permit ip host <my public ip> host <VPN2_IP_1>
pager lines 24
logging on
logging trap informational
logging history debugging
logging host inside 192.168.10.5
mtu outside 1500
mtu inside 1500
ip address outside <my public ip> 255.255.255.192
ip address inside 192.168.10.15 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 <router_ip> 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.10.0 255.255.255.0 inside
snmp-server location 192.168.10.5
no snmp-server contact
snmp-server community 1ABSNMP
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map B2B 1 ipsec-isakmp
crypto map B2B 1 match address 101
crypto map B2B 1 set peer <VPN1_gateway>
crypto map B2B 1 set transform-s
crypto map B2B 1 set security-association lifetime seconds 360 kilobytes 8192
crypto map B2B interface outside
crypto map GWB 2 ipsec-isakmp
crypto map GWB 2 match address 102
crypto map GWB 2 set peer <VPN2_gateway>
crypto map GWB 2 set transform-set ESP-3DES-MD5
isakmp enable outside
isakmp key ******** address <VPN1_gateway> netmask 255.255.255.255
isakmp key ******** address <VPN2_gateway> netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 192.168.11.0 255.255.255.0 inside
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
Thanks,
Ron
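A small static audit of the kind a reviewer would run over a PIX 6.x crypto section like the one above: it lists which crypto maps are bound to an interface, which map entries are missing a match ACL, peer or transform-set, and which peers have no isakmp key. This is an added example, not code from the thread; the sample config is constructed to mirror the posted one, with placeholder peer names instead of real addresses.

```python
"""Static checks for a PIX 6.x crypto config: which crypto maps are actually
bound to an interface, and whether each map entry has the pieces it needs."""
import re
from collections import defaultdict

# Constructed sample modelled on the configuration posted in the thread
# (peer names are placeholders, not real hosts).
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map B2B 1 ipsec-isakmp
crypto map B2B 1 match address 101
crypto map B2B 1 set peer VPN1_GW
crypto map B2B 1 set transform-set ESP-3DES-MD5
crypto map B2B interface outside
crypto map GWB 2 ipsec-isakmp
crypto map GWB 2 match address 102
crypto map GWB 2 set peer VPN2_GW
crypto map GWB 2 set transform-set ESP-3DES-MD5
isakmp key ******** address VPN1_GW netmask 255.255.255.255
isakmp key ******** address VPN2_GW netmask 255.255.255.255
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")      # per-sequence settings
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")  # map bound to an interface
KEY_RE = re.compile(r"^isakmp key \S+ address (\S+)")         # pre-shared key per peer


def audit(config: str) -> list[str]:
    """Return a list of findings; an empty list means nothing looked wrong."""
    entries = defaultdict(dict)   # (map name, seq) -> {attribute: value}
    bound, keyed = set(), set()
    for line in config.splitlines():
        if m := BIND_RE.match(line):
            bound.add(m.group(1))
        elif m := ENTRY_RE.match(line):
            name, seq, rest = m.groups()
            key, _, val = rest.partition(" ")
            if key == "set":                 # "set peer X" -> peer: X
                key, _, val = val.partition(" ")
            entries[(name, seq)][key] = val
        elif m := KEY_RE.match(line):
            keyed.add(m.group(1))
    findings = []
    for (name, seq), attrs in entries.items():
        if name not in bound:   # only one map can be applied to an interface
            findings.append(f"crypto map {name} {seq}: map is not bound to any interface")
        for needed in ("match", "peer", "transform-set"):
            if needed not in attrs:
                findings.append(f"crypto map {name} {seq}: missing '{needed}'")
        if "peer" in attrs and attrs["peer"] not in keyed:
            findings.append(f"crypto map {name} {seq}: no isakmp key for peer {attrs['peer']}")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports that map GWB is never applied to an interface; the same entries renamed into a second sequence of the bound map produce no findings.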
the PIX to Concentrator VPN utilizes IPSEC so yes this will work, all phase 1 and phase 2 parameters need to match to establish the VPN. So the isakmp key, encryption methodology, security association timing all need to be the same on both sides.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/config/index.htm
harbor235