Site-to-site VPN between Cisco PIX 506E and Cisco 7200

Hi there,
I have a PIX 506, and I need to set up a site-to-site VPN with QWest, who have a number of servers behind a 7200 that I need to access.

Tunnel endpoint address on QWest: (I changed the IP for security purposes.)

Tunnel endpoint address on my network: (changed again.)

The requirements are as follows according to QWest:

IPSec Parameters (IKE Phase 1 Proposal)
Pre-Shared Key: eggster34
Auth. Algorithm: ESP/MD5/HMAC-128
Encryption Algorithm: 3DES-168
Diffie-Hellman Group: Group 2 (1024-bits)
Lifetime Measurement: Time
Data Lifetime: N/A
Time Lifetime: 1 hour
Negotiation Mode: Main

IPSec Parameters (IKE Phase 2 Proposal)
Encapsulation Mode: Tunnel
Encryption Algorithm: 3DES-168
Perfect Forward Secrecy: Disabled
Lifetime Measurement: Time
Data Lifetime: N/A
Time Lifetime: 1 hour

There are several hosts on the internal network that I need to access, but if you could help me figure out how to connect to only one, I can figure out the rest.

My internal network is /24.

Many thanks indeed.
See the following page for an example for your PIX config:

If your PIX is running the 6.3 series, I'd also run the following:

isakmp nat-traversal
clear xlate

Referring to the example in the URL above, the IPsec parameters you'd change (or add) would look like the following, to match the requirements posted above:

crypto ipsec transform-set DYN-TS esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map IPSEC 10 set peer

isakmp key eggster34 address netmask
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600

If you're still having problems, please post your entire "sanitized" PIX config (passwords removed, public IPs either changed as above or masked out like so: x.x.x.82).

eggster34 (Author) commented:
Thanks, I will try this ASAP.
Don't I need to create an access list and set the isakmp policy to use the access list?
The reason is that I have over 20 IP addresses that I need to connect to once I establish the VPN.
> Don't I need to create an access list and set the isakmp policy to use the access list?

If you're referring to the line in the example, "crypto map IPSEC 10 match address 101", then yes, you're absolutely correct. As I mentioned in my post, I only posted what your main IPsec parameters would look like, regarding encryption, etc., that would match Qwest's requirements. You'll of course need to follow the example for all the other ingredients of a complete config, including ACLs. Sorry if that wasn't clearly spelled out before.

Once again, if you get stuck after going through the example, post your current complete but "sanitized" PIX config and we'll go from there.
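Putting the two answers above together (the Phase 1/Phase 2 parameters from the first reply and the crypto ACL from the second), here is a complete PIX 6.3 site-to-site fragment that matches Qwest's proposal. This is an added example, not the poster's config or the page the answer links to. Every address in it is an assumption: 203.0.113.82 stands in for the PIX outside interface, 198.51.100.1 for the Qwest 7200 tunnel endpoint, 192.168.1.0/24 for the local LAN, and the 10.10.10.x hosts for the Qwest servers. The ACL and map names (VPN-QWEST, NONAT, QWEST-TS, QWEST-MAP) are likewise made up; the pre-shared key is the one quoted in the question.

```cisco
! Added example (not the poster's config). All addresses are placeholders
! (RFC 5737 / RFC 1918). Lines starting with "!" are annotations for the
! reader; PIX 6.3 does not accept them, so strip them before pasting.
!
! Assumed topology:
!   PIX outside      203.0.113.82    local tunnel endpoint
!   Qwest 7200       198.51.100.1    remote tunnel endpoint
!   Local LAN        192.168.1.0/24  behind the PIX
!   Qwest servers    10.10.10.11, 10.10.10.12, 10.10.10.13 (one ACL line each)

! Crypto ACL: defines the "interesting" traffic to encrypt. One entry per
! remote host works for 20+ hosts, but each entry negotiates its own pair of
! IPsec SAs; if Qwest can give you a summarizable range, use one subnet line.
! Qwest's side must carry the mirror image of these entries.
access-list VPN-QWEST permit ip 192.168.1.0 255.255.255.0 host 10.10.10.11
access-list VPN-QWEST permit ip 192.168.1.0 255.255.255.0 host 10.10.10.12
access-list VPN-QWEST permit ip 192.168.1.0 255.255.255.0 host 10.10.10.13

! NAT exemption: tunnel traffic must keep its private source address.
! Without this the packets leave PAT'd as 203.0.113.82 and never match the
! crypto ACL, so the tunnel never comes up for inside-initiated traffic.
access-list NONAT permit ip 192.168.1.0 255.255.255.0 host 10.10.10.11
access-list NONAT permit ip 192.168.1.0 255.255.255.0 host 10.10.10.12
access-list NONAT permit ip 192.168.1.0 255.255.255.0 host 10.10.10.13
nat (inside) 0 access-list NONAT

! Let decrypted tunnel traffic bypass the outside interface ACL.
sysopt connection permit-ipsec

! Phase 2 (IPsec): ESP with 3DES-168 and MD5-HMAC, tunnel mode (the PIX
! default), 1 hour lifetime, PFS disabled (simply omit "set pfs" on the map).
crypto ipsec transform-set QWEST-TS esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map QWEST-MAP 10 ipsec-isakmp
crypto map QWEST-MAP 10 match address VPN-QWEST
crypto map QWEST-MAP 10 set peer 198.51.100.1
crypto map QWEST-MAP 10 set transform-set QWEST-TS
crypto map QWEST-MAP interface outside

! Phase 1 (IKE): main mode (the default for a peer identified by address),
! pre-shared key, 3DES, MD5, DH group 2, 1 hour lifetime.
isakmp enable outside
isakmp identity address
isakmp key eggster34 address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600

! Only needed if either endpoint sits behind a NAT device (PIX 6.3+).
! 20 is the NAT keepalive interval in seconds.
isakmp nat-traversal 20
```

After applying the NAT change, run `clear xlate` so existing translations are dropped, then generate traffic from the LAN to one of the listed hosts and check `show crypto isakmp sa` (should show QM_IDLE for 198.51.100.1) and `show crypto ipsec sa` (packet counters incrementing for the matching ACL entry). If Phase 1 fails, the usual culprits are a key or policy mismatch; if Phase 1 is up but Phase 2 fails, compare the crypto ACL against Qwest's proxy IDs line by line.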

eggster34 (Author) commented:
OK, that's what I thought when I re-read your post.
I'll try it ASAP and let you know, and post the config if it still doesn't work.
Many thanks indeed.
eggster34 (Author) commented:
I did it, man. Thanks a lot.