PIX 506 connecting to 2 different VPNs

Posted on 2005-04-28
Last Modified: 2010-04-10
Is it possible to connect a PIX 506e to 2 unrelated VPNs?

They are both Cisco Concentrators on the other end, but have different policies.

Thanks in advance.
Question by:youritstaff
6 Comments
 
LVL 7

Expert Comment

by:tonyteri
ID: 13888372
I believe so, as it is Cisco, so never easy, but not that difficult. You have to assure to use the same protocols on each end, as well as ports. And you can use the PIX for the Certificate.

/TT
 

Author Comment

by:youritstaff
ID: 13888451
Now that it's possible, where am I going wrong?

I have two crypto maps, isakmp keys, and an isakmp policy.

Is there anything else I need to setup?
 
LVL 1

Expert Comment

by:theandrew
ID: 13889041
We have a 506 that connects to about 20 different other PIXes. The only difference in the config between each PIX is the key, keyid, host address. Can you post your config?

--TheAndrew
 

Author Comment

by:youritstaff
ID: 13889254
Here's the config:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix
domain-name pix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip host <my public ip> host <VPN1_gateway>
access-list 101 permit ip host <my public ip> host <VPN1_IP_1>
access-list 101 permit ip host <my public ip> host <VPN1_IP_2>
access-list 101 permit ip host <my public ip> host <VPN1_IP_3>
access-list 101 permit ip host <my public ip> host <VPN1_IP_4>
access-list 101 permit ip host <my public ip> host <VPN1_IP_5>
access-list 101 permit ip host <my public ip> host <VPN1_IP_6>
access-list 101 permit ip host <my public ip> host <VPN1_IP_7>
access-list 101 permit ip host <my public ip> host <VPN1_IP_8>
access-list 101 permit ip host <my public ip> host <VPN1_IP_9>
access-list 110 permit esp any any
access-list 110 permit ah any any
access-list 110 permit udp any eq isakmp any eq isakmp
access-list 111 permit esp any any
access-list 111 permit ah any any
access-list 111 permit udp any eq isakmp any eq isakmp
access-list 102 permit ip host <my public ip> host <VPN2_gateway>
access-list 102 permit ip host <my public ip> host <VPN2_IP_1>
access-list 102 permit ip host <my public ip> host <VPN2_IP_1>
pager lines 24
logging on
logging trap informational
logging history debugging
logging host inside 192.168.10.5
mtu outside 1500
mtu inside 1500
ip address outside <my public ip> 255.255.255.192
ip address inside 192.168.10.15 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 <router_ip> 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolut
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.10.0 255.255.255.0 inside
snmp-server location 192.168.10.5
no snmp-server contact
snmp-server community 1ABSNMP
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map B2B 1 ipsec-isakmp
crypto map B2B 1 match address 101
crypto map B2B 1 set peer <VPN1_gateway>
crypto map B2B 1 set transform-s
crypto map B2B 1 set security-association lifetime seconds 360 kilobytes 8192
crypto map B2B interface outside
crypto map GWB 2 ipsec-isakmp
crypto map GWB 2 match address 102
crypto map GWB 2 set peer <VPN2_gateway>
crypto map GWB 2 set transform-set ESP-3DES-MD5
isakmp enable outside
isakmp key ******** address <VPN1_gateway> netmask 255.255.255.255
isakmp key ******** address <VPN2_gateway> netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 192.168.11.0 255.255.255.0 inside
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside


Thanks,
Ron
 
LVL 32

Expert Comment

by:harbor235
ID: 13889291
The PIX to Concentrator VPN utilizes IPSEC, so yes, this will work; all phase 1 and phase 2 parameters need to match to establish the VPN. So the isakmp key, encryption methodology, and security association timing all need to be the same on both sides.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/config/index.htm

harbor235
 
LVL 6

Accepted Solution

by:
magicomminc earned 2000 total points
ID: 13891358
You can't have different crypto maps on one interface. If your config is:
crypto map B2B 1 ipsec-isakmp
crypto map B2B 1 match address 101
crypto map B2B 1 set peer <VPN1_gateway>
crypto map B2B 1 set transform-s
crypto map B2B 1 set security-association lifetime seconds 360 kilobytes 8192
crypto map B2B interface outside
crypto map GWB 2 ipsec-isakmp
crypto map GWB 2 match address 102
crypto map GWB 2 set peer <VPN2_gateway>
crypto map GWB 2 set transform-set ESP-3DES-MD5
it needs to change to:
crypto map B2B 1 ipsec-isakmp
crypto map B2B 1 match address 101
crypto map B2B 1 set peer <VPN1_gateway>
crypto map B2B 1 set transform-s
crypto map B2B 1 set security-association lifetime seconds 360 kilobytes 8192
crypto map B2B 2 ipsec-isakmp
crypto map B2B 2 match address 102
crypto map B2B 2 set peer <VPN2_gateway>
crypto map B2B 2 set transform-set ESP-3DES-MD5
crypto map B2B interface outside

also don't forget "clear crypto ipsec sa" after you manipulate crypto settings.
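Added example (not from the thread or from Cisco): a small Python checker that parses PIX 6.x "crypto map" lines the way the accepted answer reasons about them, flags a map that is defined but never bound to an interface, and rewrites all entries under one map name with unique sequence numbers. The sample config and the 203.0.113.x peer addresses are constructed stand-ins for the placeholders in the thread.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's config: two map names (B2B, GWB)
# but only B2B is applied to the outside interface, so GWB never negotiates.
BROKEN_CONFIG = """\
crypto map B2B 1 ipsec-isakmp
crypto map B2B 1 match address 101
crypto map B2B 1 set peer 203.0.113.1
crypto map B2B 1 set transform-set ESP-3DES-MD5
crypto map B2B interface outside
crypto map GWB 2 ipsec-isakmp
crypto map GWB 2 match address 102
crypto map GWB 2 set peer 203.0.113.2
crypto map GWB 2 set transform-set ESP-3DES-MD5
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.*)$")
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
REQUIRED = ("match address", "set peer", "set transform-set")

def parse_crypto_maps(config):
    """Return ({map_name: {seq: [subcommands]}}, {map_name: interface})."""
    entries = defaultdict(lambda: defaultdict(list))
    bound = {}
    for line in config.splitlines():
        line = line.strip()
        m = BIND_RE.match(line)
        if m:
            bound[m.group(1)] = m.group(2)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(1)][int(m.group(2))].append(m.group(3))
    return entries, bound

def find_problems(config):
    """Report unbound maps and entries lacking a peer, ACL or transform set."""
    entries, bound = parse_crypto_maps(config)
    problems = []
    for name, seqs in entries.items():
        if name not in bound:
            problems.append(f"map {name} is never applied to an interface")
        for seq, subs in seqs.items():
            for req in REQUIRED:
                if not any(s.startswith(req) for s in subs):
                    problems.append(f"{name} {seq} is missing '{req}'")
    return problems

def merge_into(config, target):
    """Fold every entry under one map name (PIX binds one map per interface);
    sequence numbers that collide are bumped to the next free number."""
    entries, bound = parse_crypto_maps(config)
    iface = bound.get(target) or next(iter(bound.values()), "outside")
    out, used = [], set()
    for name, seqs in entries.items():
        for seq in sorted(seqs):
            new = seq
            while new in used:
                new += 1
            used.add(new)
            out.extend(f"crypto map {target} {new} {sub}" for sub in seqs[seq])
    out.append(f"crypto map {target} interface {iface}")
    return "\n".join(out) + "\n"
```

Run against the config posted in the thread, the required-subcommand check would also flag the truncated "set transform-s" line on B2B 1.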