youritstaff
PIX 506 connecting to 2 different VPNs

Is it possible to connect a PIX 506e to 2 unrelated VPNs?

They are both Cisco Concentrators on the other end, but have different policies.

Thanks in advance.
tonyteri

I believe so, as it is Cisco, so never easy, but not that difficult. You have to ensure you use the same protocols on each end, as well as ports. And you can use the PIX for the Certificate.

/TT
youritstaff (asker)

Now that it's possible, where am I going wrong?

I have two crypto maps, isakmp keys, and an isakmp policy.

Is there anything else I need to set up?

We have a 506 that connects to about 20 different other PIXes. The only difference in the config between each PIX is the key, keyid, and host address. Can you post your config?

--TheAndrew

Here's the config:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix
domain-name pix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip host <my public ip> host <VPN1_gateway>
access-list 101 permit ip host <my public ip> host <VPN1_IP_1>
access-list 101 permit ip host <my public ip> host <VPN1_IP_2>
access-list 101 permit ip host <my public ip> host <VPN1_IP_3>
access-list 101 permit ip host <my public ip> host <VPN1_IP_4>
access-list 101 permit ip host <my public ip> host <VPN1_IP_5>
access-list 101 permit ip host <my public ip> host <VPN1_IP_6>
access-list 101 permit ip host <my public ip> host <VPN1_IP_7>
access-list 101 permit ip host <my public ip> host <VPN1_IP_8>
access-list 101 permit ip host <my public ip> host <VPN1_IP_9>
access-list 110 permit esp any any
access-list 110 permit ah any any
access-list 110 permit udp any eq isakmp any eq isakmp
access-list 111 permit esp any any
access-list 111 permit ah any any
access-list 111 permit udp any eq isakmp any eq isakmp
access-list 102 permit ip host <my public ip> host <VPN2_gateway>
access-list 102 permit ip host <my public ip> host <VPN2_IP_1>
access-list 102 permit ip host <my public ip> host <VPN2_IP_1>
pager lines 24
logging on
logging trap informational
logging history debugging
logging host inside 192.168.10.5
mtu outside 1500
mtu inside 1500
ip address outside <my public ip> 255.255.255.192
ip address inside 192.168.10.15 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 <router_ip> 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.10.0 255.255.255.0 inside
snmp-server location 192.168.10.5
no snmp-server contact
snmp-server community 1ABSNMP
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map B2B 1 ipsec-isakmp
crypto map B2B 1 match address 101
crypto map B2B 1 set peer <VPN1_gateway>
crypto map B2B 1 set transform-set ESP-3DES-MD5
crypto map B2B 1 set security-association lifetime seconds 360 kilobytes 8192
crypto map B2B interface outside
crypto map GWB 2 ipsec-isakmp
crypto map GWB 2 match address 102
crypto map GWB 2 set peer <VPN2_gateway>
crypto map GWB 2 set transform-set ESP-3DES-MD5
isakmp enable outside
isakmp key ******** address <VPN1_gateway> netmask 255.255.255.255
isakmp key ******** address <VPN2_gateway> netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 192.168.11.0 255.255.255.0 inside
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside


Thanks,
Ron
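An added consistency check, not part of the thread, that reads the crypto section of a PIX 6.x config the way a reviewer would: it flags map entries missing a match ACL, peer or transform-set, peers with no isakmp key, and map names that are never applied to an interface. The sample is a constructed excerpt modelled on the posted config (placeholders kept as posted); the PIX rule it relies on is that an interface carries a single crypto map set, so a second peer belongs in the same map under a different sequence number.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the crypto section of the posted config (placeholders as posted).
SAMPLE_CONFIG = """\
crypto map B2B 1 ipsec-isakmp
crypto map B2B 1 match address 101
crypto map B2B 1 set peer <VPN1_gateway>
crypto map B2B 1 set transform-set ESP-3DES-MD5
crypto map B2B interface outside
crypto map GWB 2 ipsec-isakmp
crypto map GWB 2 match address 102
crypto map GWB 2 set peer <VPN2_gateway>
crypto map GWB 2 set transform-set ESP-3DES-MD5
isakmp key ******** address <VPN1_gateway> netmask 255.255.255.255
isakmp key ******** address <VPN2_gateway> netmask 255.255.255.255 no-xauth no-config-mode
"""

BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
KEY_RE = re.compile(r"^isakmp key \S+ address (\S+)")
FIELDS = {"match address": "acl", "set peer": "peer", "set transform-set": "transform"}

def audit_crypto_maps(config):
    """Return findings for a PIX 6.x crypto map section (empty list means consistent)."""
    entries = defaultdict(dict)   # (map name, seq) -> parsed settings
    bound = {}                    # map name -> interface it is applied to
    keyed_peers = set()           # peer addresses that have an isakmp pre-shared key
    for line in config.splitlines():
        if m := BIND_RE.match(line.strip()):
            bound[m.group(1)] = m.group(2)
        elif m := ENTRY_RE.match(line.strip()):
            name, seq, rest = m.groups()
            settings = entries[(name, int(seq))]   # created even by the 'ipsec-isakmp' line
            for prefix, field in FIELDS.items():
                if rest.startswith(prefix + " "):
                    settings[field] = rest.split()[-1]
        elif m := KEY_RE.match(line.strip()):
            keyed_peers.add(m.group(1))
    findings = []
    for (name, seq), s in sorted(entries.items()):
        findings += [f"{name} {seq}: missing {f}" for f in FIELDS.values() if f not in s]
        if name not in bound:
            findings.append(f"{name} {seq}: map '{name}' is not applied to any interface")
        if "peer" in s and s["peer"] not in keyed_peers:
            findings.append(f"{name} {seq}: no isakmp key for peer {s['peer']}")
    # One crypto map set per PIX interface: several map names cannot all be active.
    if len(names := sorted({n for n, _ in entries})) > 1:
        findings.append(f"several map names {names}: merge into one map with distinct sequence numbers")
    return findings
```

Run against the sample it reports that GWB is never bound to an interface and that two map names exist; renaming the GWB entries to B2B sequence 2 clears both findings.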
The PIX to Concentrator VPN utilizes IPSEC, so yes, this will work. All phase 1 and phase 2 parameters need to match to establish the VPN, so the isakmp key, encryption methodology, and security association timing all need to be the same on both sides.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/config/index.htm

harbor235
ASKER CERTIFIED SOLUTION
magicomminc