eggster34
asked on
site to site vpn between cisco pix 506 e and cisco 7200
Hi there
I have a PIX 506, and I need to set up a site-to-site VPN with QWest, where they have a bunch of servers behind the 7200 that I need to access.
Tunnel endpoint address on QWest : 155.70.52.8 (I changed the ip for security purposes..)
Tunnel endpoint address on my network: 87.74.24.33 (changed again..)
The requirements are as follows according to QWest:
IPSec Parameters (IKE Phase 1 Proposal)
Pre-Shared key : eggster34
Auth. Algorithm: ESP/MD5/HMAC-128
Encryption Algorithm: 3DES-168
Diffie-Hellman Group: Group 2 (1024-bits)
Lifetime Measurement: Time
Data Lifetime: N/A
Time Lifetime: 1 hour
Negotiation Mode: Main
IPSec Parameters (IKE Phase 2 Proposal)
Encapsulation Mode: Tunnel
Encryption Algorithm: 3DES-168
Perfect Forward Secrecy: Disabled
Lifetime Measurement: Time
Data Lifetime: N/A
Time Lifetime: 1 hour
There are several hosts on the internal network that I need to access, but if you could help me figure out how to connect to 155.70.88.3 only, I can figure out the rest.
My internal network is 192.168.2.0/24.
Many thanks indeed.
ASKER CERTIFIED SOLUTION
> don't I need to create an access list and set the isakmp policy to use the access list?
If you're referring to the line in the example: "crypto map IPSEC 10 match address 101", then yes you're absolutely correct. As I mentioned in my post, I only posted what your main IPSec parameters would look like, regarding encryption, etc that would match Qwest's requirements. You'll of course need to follow the example for all the other ingredients for a complete config, including ACLs. Sorry if that wasn't clearly spelled out before.
Once again, if you get stuck after going through the example, post your current complete but "sanitized" PIX config & we'll go from there.
cheers
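Since the accepted answer itself is not visible on this page, here is an added example (my own, not the expert's posted config or anything from Qwest) of what a complete PIX 6.x site-to-site configuration matching the parameter sheet above looks like, including the crypto ACL referenced by "crypto map IPSEC 10 match address 101". Interface names (outside/inside), the ACL numbers/names (101, nonat), the map name IPSEC and the transform-set name QWEST are assumptions; the addresses, key and algorithms are the ones given in the question. Lines beginning with "!" are annotations; strip them if your PIX rejects them on paste.

```cisco
! --- IKE Phase 1: pre-shared key, 3DES, MD5, DH group 2, 1 hour, main mode ---
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
! Main mode is used automatically for a peer keyed by address. no-xauth and
! no-config-mode stop the PIX from offering remote-access extensions to a
! site-to-site peer, which otherwise makes Phase 1 fail against a 7200.
isakmp key eggster34 address 155.70.52.8 netmask 255.255.255.255 no-xauth no-config-mode

! --- Interesting traffic: one line per remote host (PIX ACLs use subnet masks, not wildcards) ---
! Add one more "access-list 101 permit ip ..." line per extra Qwest host, or one line for the
! whole remote subnet if Qwest agrees to it. Keep the nonat ACL identical so NAT is bypassed.
access-list 101 permit ip 192.168.2.0 255.255.255.0 host 155.70.88.3
access-list nonat permit ip 192.168.2.0 255.255.255.0 host 155.70.88.3
nat (inside) 0 access-list nonat

! --- IKE Phase 2: ESP tunnel mode, 3DES + MD5-HMAC, 1 hour, PFS disabled (so no "set pfs") ---
crypto ipsec transform-set QWEST esp-3des esp-md5-hmac
crypto map IPSEC 10 ipsec-isakmp
crypto map IPSEC 10 match address 101
crypto map IPSEC 10 set peer 155.70.52.8
crypto map IPSEC 10 set transform-set QWEST
crypto map IPSEC 10 set security-association lifetime seconds 3600
crypto map IPSEC interface outside
! Let decrypted tunnel traffic bypass the outside interface's ACL/conduit checks.
sysopt connection permit-ipsec
```

Before expecting this to work, run "show version" on the 506E and confirm 3DES is licensed (the 506E needs the free 3DES activation key, otherwise the policy silently falls back and the proposal mismatches Qwest's). To bring the tunnel up, ping 155.70.88.3 from an inside host, then check "show crypto isakmp sa" (Phase 1 should show QM_IDLE) and "show crypto ipsec sa" (pkts encaps/decaps should both increment; encaps without decaps usually means the remote side's crypto ACL is not the mirror image of ACL 101). Two practitioner caveats: 3DES, MD5 and DH group 2 are legacy choices dictated here by the peer, and the pre-shared key has been posted in the clear in this thread, so the one actually configured on the PIX should be a different value agreed with Qwest out of band.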
ASKER
OK, that's what I thought when I re-read your post.
I'll try it ASAP and let you know and post the config if it still doesn't work.
many thanks indeed.
ASKER
I did it man. Thanks a lot.
ASKER
Don't I need to create an access list and set the isakmp policy to use the access list?
The reason is that I have over 20 IP addresses that I need to connect to once I establish the VPN.