Site-to-site VPN between Cisco PIX 506E and Cisco 7200

Hi there
I have a PIX 506, and I need to set up a site-to-site VPN with QWest, where they have a bunch of servers behind the 7200 that I need to access.

Tunnel endpoint address on QWest: (I changed the IP for security purposes.)

Tunnel endpoint address on my network: (changed again.)

The requirements are as follows according to QWest:

IPSec Parameters (IKE Phase 1 Proposal)
Pre-Shared key :  eggster34
Auth. Algorithm: ESP/MD5/HMAC-128
Encryption Algorithm: 3DES-168
Diffie-Hellman Group: Group 2 (1024-bits)
Lifetime Measurement: Time
Data Lifetime: N/A
Time Lifetime: 1 hour
Negotiation Mode: Main

IPSec Parameters (IKE Phase 2 Proposal)
Encapsulation Mode: Tunnel
Encryption Algorithm: 3DES-168
Perfect Forward Secrecy: Disabled
Lifetime Measurement: Time
Data Lifetime: N/A
Time Lifetime: 1 hour

There are several hosts on the internal network that I need to access, but if you could help me figure out how to connect to only, I can figure out the rest.

My internal network is /24.

Many thanks indeed.

See the following page for an example for your PIX config:
If your PIX is running the 6.3 series, I'd also run the following:
isakmp nat-traversal
clear xlate

Referring to the example in the URL above, IPSec parameters you'd change (or add) would look like the following, to match the requirements posted above:

crypto ipsec transform-set DYN-TS esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map IPSEC 10 set peer

isakmp key eggster34 address netmask
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600

If you're still having problems, please post your entire "sanitized" PIX config (passwords removed, public IPs either changed as above or masked out like so: x.x.x.82).


eggster34Author Commented:
thanks I will try this asap.
Don't I need to create an access list and set the isakmp policy to use the access list?
the reason is that I have over 20 ip addresses that I need to connect to once I establish the vpn.
>Don't I need to create an access list and set the isakmp policy to use the access list?
If you're referring to the line in the example, "crypto map IPSEC 10 match address 101", then yes, you're absolutely correct. As I mentioned in my post, I only posted what your main IPSec parameters would look like (encryption, etc.) to match Qwest's requirements. You'll of course need to follow the example for all the other ingredients of a complete config, including ACLs. Sorry if that wasn't clearly spelled out before.

Once again, if you get stuck after going through the example,  post your current complete but "sanitized" PIX config & we'll go from there.
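Putting the two answers together (the Phase 1/Phase 2 parameters and the crypto ACL that "match address" points at), here is an added example that is not from the thread or from Cisco: a script that parses a sanitized PIX 6.x config and checks it against Qwest's requirement table before you try to bring the tunnel up. The config it checks is constructed for illustration. The ACL number 101, map name IPSEC and transform-set name DYN-TS follow the answer's example; 192.168.1.0/24 and the 10.10.10.x remote hosts are assumptions; the pre-shared key and peer address are masked the way the answer asks for in a posted config.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample (not from the thread): ACL number, map name, inside net and remote hosts are assumptions.
SAMPLE_CONFIG = """\
access-list 101 permit ip 192.168.1.0 255.255.255.0 host 10.10.10.5
access-list 101 permit ip 192.168.1.0 255.255.255.0 host 10.10.10.6
crypto ipsec transform-set DYN-TS esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map IPSEC 10 ipsec-isakmp
crypto map IPSEC 10 match address 101
crypto map IPSEC 10 set peer x.x.x.82
crypto map IPSEC 10 set transform-set DYN-TS
isakmp key ******** address x.x.x.82 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
"""

# Qwest's requirement table from the question, expressed in PIX keywords.
REQUIREMENTS = {
    "phase1": {"authentication": "pre-share", "encryption": "3des",
               "hash": "md5", "group": "2", "lifetime": "3600"},
    "phase2": {"transforms": {"esp-3des", "esp-md5-hmac"}, "mode": "tunnel",
               "sa_lifetime": "3600", "pfs": False},
}

def parse_isakmp_policies(config):
    """{policy number: {attribute: value}} from 'isakmp policy N attr value' lines."""
    policies = {}
    for m in re.finditer(r"^isakmp policy (\d+) (\S+) (\S+)\s*$", config, re.M):
        policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return policies

def parse_transform_sets(config):
    """{name: {'transforms': set, 'mode': str}}; the PIX default is tunnel mode."""
    sets = {}
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+?)\s*$", config, re.M):
        entry = sets.setdefault(m.group(1), {"transforms": set(), "mode": "tunnel"})
        words = m.group(2).split()
        if words[0] == "mode":            # a '... mode transport' line
            entry["mode"] = words[1]
        else:
            entry["transforms"] = set(words)
    return sets

def parse_crypto_map(config, map_name):
    """{seq: {'peer', 'match_address', 'transform_set', 'pfs'}} for one crypto map."""
    entries = {}
    pat = re.compile(r"^crypto map %s (\d+) (.+?)\s*$" % re.escape(map_name), re.M)
    for m in pat.finditer(config):
        entry = entries.setdefault(int(m.group(1)), {"pfs": False})
        words = m.group(2).split()
        if words[:2] == ["match", "address"]:
            entry["match_address"] = words[2]
        elif words[:2] == ["set", "pfs"]:  # any 'set pfs' form enables PFS
            entry["pfs"] = True
        elif words[0] == "set" and words[1] in ("peer", "transform-set"):
            entry[words[1].replace("-", "_")] = words[2]
    return entries

def _take_addr(words):  # one PIX address spec: 'host A' or 'A NETMASK' (a netmask, not a wildcard)
    if words[0] == "host":
        return ip_network(words[1]), words[2:]
    return ip_network(f"{words[0]}/{words[1]}", strict=False), words[2:]

def parse_crypto_acl(config, acl_id):
    """[(src_net, dst_net)] for the 'permit ip' lines of access-list acl_id."""
    pat = re.compile(r"^access-list %s permit ip (.+?)\s*$" % re.escape(acl_id), re.M)
    pairs = []
    for m in pat.finditer(config):
        src, rest = _take_addr(m.group(1).split())
        pairs.append((src, _take_addr(rest)[0]))
    return pairs

def check_config(config, map_name, remote_hosts, req=REQUIREMENTS):
    """List every mismatch against req; an empty list means the PIX side matches the table."""
    problems, p1, p2 = [], req["phase1"], req["phase2"]
    if not any(all(pol.get(k) == v for k, v in p1.items())
               for pol in parse_isakmp_policies(config).values()):
        problems.append("Phase 1: no isakmp policy with " + ", ".join(f"{k} {v}" for k, v in p1.items()))
    m = re.search(r"^crypto ipsec security-association lifetime seconds (\d+)", config, re.M)
    if not m or m.group(1) != p2["sa_lifetime"]:
        problems.append(f"Phase 2: SA lifetime must be {p2['sa_lifetime']} seconds")
    tsets = parse_transform_sets(config)
    for seq, e in parse_crypto_map(config, map_name).items():
        ts = tsets.get(e.get("transform_set"), {"transforms": set(), "mode": None})
        if ts["transforms"] != p2["transforms"] or ts["mode"] != p2["mode"]:
            problems.append(f"map {seq}: transform-set must be {' '.join(sorted(p2['transforms']))} in {p2['mode']} mode")
        if e["pfs"] != p2["pfs"]:
            problems.append(f"map {seq}: PFS is {'enabled' if e['pfs'] else 'disabled'}, peer requires {'enabled' if p2['pfs'] else 'disabled'}")
        acl = e.get("match_address", "")   # no 'match address' means no remote host is covered
        pairs = parse_crypto_acl(config, acl)
        for host in remote_hosts:          # each remote host must fall inside a destination of the ACL
            if not any(ip_address(host) in dst for _, dst in pairs):
                problems.append(f"map {seq}: {host} is not covered by crypto ACL {acl or '(none)'}")
    return problems

if __name__ == "__main__":
    print(check_config(SAMPLE_CONFIG, "IPSEC", ["10.10.10.5", "10.10.10.6"]))
```

Run it against the sanitized config you would otherwise post: an empty list means the PIX side agrees with the table, and each returned string names one mismatch, which is the first thing to look at when Phase 1 or Phase 2 will not negotiate (for instance, a Phase 1 group of 1 instead of 2, a "set pfs" that Qwest did not ask for, or a remote host missing from the crypto ACL). Note that PIX access-lists take a netmask, not the IOS-style wildcard mask used on the 7200, so do not copy the router's ACL lines across verbatim.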

eggster34Author Commented:
OK, that's what I thought when I re-read your post.
I'll try it ASAP and let you know and post the config if it still doesn't work.
many thanks indeed.
eggster34Author Commented:
I did it man. Thanks a lot.