eggster34

Site to site VPN between Cisco PIX 506E and Cisco 7200

Hi there
I have a PIX 506, and I need to set up a site to site VPN with QWest, where they have a bunch of servers behind the 7200 that I need to access.

Tunnel endpoint address on QWest : 155.70.52.8 (I changed the ip for security purposes..)

Tunnel endpoint address on my network: 87.74.24.33 (changed again..)

The requirements are as follows according to QWest:

IPSec Parameters (IKE Phase 1 Proposal)
Pre-Shared key :  eggster34
Auth. Algorithm: ESP/MD5/HMAC-128
Encryption Algorithm: 3DES-168
Diffie-Hellman Group: Group 2 (1024-bits)
Lifetime Measurement: Time
Data Lifetime: N/A
Time Lifetime: 1 hour
Negotiation Mode: Main

IPSec Parameters (IKE Phase 2 Proposal)
Encapsulation Mode: Tunnel
Encryption Algorithm: 3DES-168
Perfect Forward Secrecy: Disabled
Lifetime Measurement: Time
Data Lifetime: N/A
Time Lifetime: 1 hour

There are several hosts on the internal network that I need to access, but if you could help me figure out how to connect to 155.70.88.3 only I can figure out the rest.

My internal network is 192.168.2.0 / 24.

Many thanks indeed.
ASKER CERTIFIED SOLUTION
calvinetter
This solution is only available to members.
eggster34

ASKER

thanks I will try this asap.
don't I need to create an access list and set the isakmp policy to use the access list ?
the reason is that I have over 20 ip addresses that I need to connect to once I establish the vpn.
>don't I need to create an access list and set the isakmp policy to use the access list ?
  If you're referring to the line in the example:  "crypto map IPSEC 10 match address 101", then yes, you're absolutely correct.  As I mentioned in my post, I only posted what your main IPSec parameters would look like, regarding encryption, etc. that would match Qwest's requirements.  You'll of course need to follow the example for all the other ingredients for a complete config, including ACLs.  Sorry if that wasn't clearly spelled out before.

Once again, if you get stuck after going through the example,  post your current complete but "sanitized" PIX config & we'll go from there.

cheers
ok that's what I thought when I re-read your post..
I'll try it ASAP and let you know and post the config if it still doesn't work.
many thanks indeed.
I did it man. Thanks a lot.
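
The ACL question in this thread comes down to whether the PIX config carries every value on the peer's requirements sheet and an access list behind the crypto map's "match address" line. The Python check below is an added example, not part of the thread and not Cisco's or the answerer's code; it runs over a constructed PIX 6.x-style fragment, and the transform-set name QWEST and the function names are assumptions.

```python
import re

# Constructed PIX 6.x-style fragment (not from the thread); key is masked.
SAMPLE_CONFIG = """\
access-list 101 permit ip 192.168.2.0 255.255.255.0 host 155.70.88.3
crypto ipsec transform-set QWEST esp-3des esp-md5-hmac
crypto map IPSEC 10 ipsec-isakmp
crypto map IPSEC 10 match address 101
crypto map IPSEC 10 set peer 155.70.52.8
crypto map IPSEC 10 set transform-set QWEST
crypto map IPSEC 10 set security-association lifetime seconds 3600
isakmp key ******** address 155.70.52.8 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
"""

# Values from the peer's requirements sheet quoted in the question.
PEER = "155.70.52.8"
PHASE1 = {"authentication": "pre-share", "encryption": "3des",
          "hash": "md5", "group": "2", "lifetime": "3600"}

def find(pattern, text):
    """Match pattern against whole config lines; return matches or groups."""
    return re.findall(rf"^{pattern}\s*$", text, re.MULTILINE)

def check_config(config, peer=PEER):
    """Return a list of differences between the config and the peer's sheet."""
    diffs, policies = [], {}
    for num, key, val in find(r"isakmp policy (\d+) (\S+) (\S+)", config):
        policies.setdefault(num, {})[key] = val
    if not any(p == PHASE1 for p in policies.values()):
        diffs.append("phase 1: no isakmp policy matches the peer's proposal")
    if not find(rf"isakmp key \S+ address {re.escape(peer)}(?: netmask \S+)?", config):
        diffs.append("phase 1: no pre-shared key bound to the peer address")
    if not find(r"crypto ipsec transform-set \S+ esp-3des esp-md5-hmac", config):
        diffs.append("phase 2: no esp-3des esp-md5-hmac transform set")
    if find(r"crypto map \S+ \d+ set pfs.*", config):
        diffs.append("phase 2: PFS is set but the peer has it disabled")
    if not find(r"crypto map \S+ \d+ set security-association lifetime seconds 3600", config):
        diffs.append("phase 2: SA lifetime is not 3600 seconds")
    if not find(rf"crypto map \S+ \d+ set peer {re.escape(peer)}", config):
        diffs.append("crypto map: peer address not set")
    for acl in find(r"crypto map \S+ \d+ match address (\S+)", config) or [None]:
        if acl is None or not find(rf"access-list {re.escape(acl)} permit ip .+", config):
            diffs.append(f"crypto map: match address ACL {acl} is missing or empty")
    return diffs
```

Each additional remote host would be another `permit` line in the same access list; the check only confirms that the list the crypto map references exists and has at least one entry.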