PIX 515e site-to-site and Cisco VPN client configuration.
Posted on 2006-05-13
I have two PIX 515Es in a datacentre (active/failover configuration). I have to configure the units for two separate site-to-site VPNs and for the Cisco software client. The two sites also have PIXs: one is a 515 and one is a 525. The Cisco software clients I have are 4.0.5 and 4.6 (any recommendation on which is the less problematic would be good).
I will need the Cisco clients to be able to authenticate against a Windows 2003 AD server, which will be through IAS. Here is the config I have pulled together for the VPN client (which is probably very wrong, but there you go):
access-list 101 permit ip 192.168.12.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list 101 permit ip 192.168.40.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list 101 permit ip 192.168.40.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 101 permit ip 192.168.12.0 255.255.255.0 192.168.50.0 255.255.255.0
ip local pool VPNpool 192.168.40.1-192.168.40.40
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
nat (inside) 1 access-list 101
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host 192.168.12.5 timeout 10
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set esp esp-des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication AuthInbound
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 30
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup xxxxxxxx address-pool VPNpool
vpngroup xxxxxxxx dns-server 192.168.12.5
vpngroup xxxxxxxx wins-server 192.168.12.5
vpngroup xxxxxxxx default-domain xxxxxxxx.local
vpngroup xxxxxxxx split-tunnel 101
vpngroup xxxxxxxx idle-time 1800
vpngroup xxxxxxxx password ********
Am I on the right track? From what I understand you can only have one crypto map per interface, so how would I configure the central PIX to add the two tunnels from the other two sites, and what config needs to be on them?
I have not done this before and am getting a bit confused...
Any help will be much appreciated.
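As an added illustration (editor's example, not the poster's config) of how a single PIX 6.x crypto map on the outside interface carries both static site-to-site entries and the dynamic entry for the software clients, with the mirror config for one remote PIX. The peer addresses (203.0.113.10, 198.51.100.20, 192.0.2.1) and GROUPNAME are constructed placeholders; the LAN ranges are the ones from the post.

```cisco
: Central PIX (PIX 6.x syntax). Peer addresses and GROUPNAME are constructed placeholders.
: Exempt from NAT: inside LAN to the client pool and to both remote LANs.
access-list nonat permit ip 192.168.12.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list nonat permit ip 192.168.12.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list nonat permit ip 192.168.12.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat
: One ACL per tunnel defines what each static crypto map entry protects.
access-list toSiteA permit ip 192.168.12.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list toSiteB permit ip 192.168.12.0 255.255.255.0 192.168.50.0 255.255.255.0
ip local pool VPNpool 192.168.40.1-192.168.40.40
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
: One crypto map on the outside interface: static peers at low sequence numbers,
: the dynamic (client) entry last so it only catches what no static entry matched.
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address toSiteA
crypto map mymap 10 set peer 203.0.113.10
crypto map mymap 10 set transform-set strong
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address toSiteB
crypto map mymap 20 set peer 198.51.100.20
crypto map mymap 20 set transform-set strong
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication AuthInbound
crypto map mymap interface outside
isakmp enable outside
: A key per peer address; no-xauth no-config-mode stops the remote PIXs from
: being challenged for user credentials or pushed a pool address like a client.
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 198.51.100.20 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
vpngroup GROUPNAME address-pool VPNpool
vpngroup GROUPNAME split-tunnel nonat
vpngroup GROUPNAME password ********
: Remote site A PIX (192.168.11.0/24): the mirror image of central entry 10.
access-list nonat permit ip 192.168.11.0 255.255.255.0 192.168.12.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map sitemap 10 ipsec-isakmp
crypto map sitemap 10 match address nonat
crypto map sitemap 10 set peer 192.0.2.1
crypto map sitemap 10 set transform-set strong
crypto map sitemap interface outside
isakmp enable outside
isakmp key ******** address 192.0.2.1 netmask 255.255.255.255
: plus the same isakmp policy 10 (pre-share, 3des, sha, group 2) as the central PIX
```

Site B is the same pattern with its own ACL, peer address and key; the point is that every tunnel is one more numbered entry in the same map, bound once with `crypto map mymap interface outside`.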