Solved

PIX Remote Access and Site-to-Site Tunnel

Posted on 2006-06-21
Last Modified: 2010-04-11
Hi guys,

I have a scenario. I was wondering whether it's possible to use a PIX 501 for both remote-access and site-to-site tunnels? Assume there are 3 networks: the PIX internal network, the ISA internal network and the PUBLIC internet. Both the PIX and the ISA have client machines behind them, and they are both VPN servers for remote users with laptops. IPsec VPN is working fine. Let's say I wanted to join both networks, both having different subnets, so users on the ISA network can ping machines behind the PIX network and vice versa. I also wanted to keep the capability of letting users VPN into the PIX.
I tried creating some crypto maps, but I can only bind one active crypto map to the outside interface, one at a time. Are there any guides to make it work so that existing VPN users won't be affected, and the new network is the joined ISA and PIX network?
Question by:coolsaintz
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16952573
You can do both RA and L2L VPN at the same time. However, you can only apply one crypto map to an interface at a time (this is true of any PIX/ASA). What you do is give the RA crypto map application a priority of 64000 and then the L2L tunnels a priority of, say, 10. This way, when negotiating the tunnel it will try the priority 10 configuration before the RA.

If you want more help, please post your config so I can take a look at everything to tell you for sure what needs to be done (just X out the first 3 octets of any public IP and any public FQDN).
LVL 25

Expert Comment

by:Cyclops3590
ID: 16952591
Another note: I believe the only limit for VPN on the 501 is 10 concurrent tunnels, and depending upon the license either 10, 50, or unlimited hosts can traverse the firewall at a time (inside hosts, that is).

Author Comment

by:coolsaintz
ID: 16953346
Thanks Cyclops.

I appreciate the fast response and comments :). It might take some time for me to edit my PIX config and blank out the IPs, because it's a freaking long config, but I think I am getting the picture. Let's take this set of lines for example.

sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication myRadius
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local VPNPool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup testGroup address-pool VPNPool
vpngroup testGroup  dns-server x.x.x.x
vpngroup testGroup default-domain abc.net
vpngroup testGroup  idle-time 1800
vpngroup testGroup  password ********

These are my original PIX config lines for RA clients using a RADIUS server.

Assuming I have set the IKE/IPsec parameters on the ISA, I will create a new policy that matches it on the PIX's end.
I am putting the config for the tunnel below; please let me know if this is the right way to do it.

isakmp key mypresharekey address y.y.y.y netmask 255.255.255.255 no-xauth no-config-mode   # y.y.y.y = ISA external IP; PIX 6.x syntax is "isakmp key" (no "crypto" prefix), and no-xauth/no-config-mode stops the map-wide RADIUS xauth and mode-config steps from being attempted against the ISA gateway
crypto ipsec transform-set ISAtransform esp-3des esp-sha-hmac
access-list 90 permit ip a.a.a.a 255.255.255.0 b.b.b.b 255.255.255.0         # a.a.a.a = pix network, b.b.b.b = ISA network
nat (inside) 0 access-list 90                                                 # nat 0 needs the interface name on PIX 6.x
nat (inside) 1 0 0

isakmp policy 64000 authentication pre-share
isakmp policy 64000 encryption 3des
isakmp policy 64000 hash sha
isakmp policy 64000 group 2
isakmp policy 64000 lifetime 86400


crypto map mymap 64000 ipsec-isakmp
crypto map mymap 64000 match address 90
crypto map mymap 64000 set transform-set ISAtransform
crypto map mymap 64000 set peer y.y.y.y

I cannot test it out now to avoid any interruptions; will probably do it late tonight. But please let me know if I'm on the right track. Thanks.

Author Comment

by:coolsaintz
ID: 16953371
Oops,
sorry, I just realised I had the priorities reversed. It should be 10 for the tunnel, 64000 for remote access (didn't know until after it was posted).
LVL 25

Accepted Solution

by:
Cyclops3590 earned 500 total points
ID: 16953432
That should work. Only one thing: I would recommend doing up two different ACLs for the subnet A to subnet B traffic, one for the nat 0 and one for the match address. This is because if you need to add ACEs to the nonat ACL, then you can without affecting the tunnel ACL.
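As an added example (not part of the thread, and not a Cisco tool), a small Python check for three properties of a PIX 6.x crypto map that carries both remote-access and L2L entries: the dynamic (RA) entry must hold the highest sequence number so static peers are matched first, the nat 0 ACL should be a separate object from the tunnel's match-address ACL, and when client authentication is on the map each static peer's isakmp key needs no-xauth and no-config-mode. The config string and the 10.x.x.x / 203.0.113.x addresses are constructed samples.

```python
import re

# Constructed sample (not the thread's config verbatim): PIX 6.x crypto map with the
# L2L tunnel at sequence 10, the remote-access dynamic map at 64000, separate ACLs for
# nat 0 and match address, and the L2L peer's key marked no-xauth/no-config-mode.
SAMPLE_CONFIG = """\
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list l2l-isa permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255 no-xauth no-config-mode
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address l2l-isa
crypto map mymap 10 set peer 203.0.113.10
crypto map mymap 64000 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication myRadius
crypto map mymap interface outside
"""

def check_crypto_map(config):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    static = [int(s) for s in re.findall(r"^crypto map \S+ (\d+) ipsec-isakmp[ \t]*$", config, re.M)]
    dynamic = [int(s) for s in re.findall(r"^crypto map \S+ (\d+) ipsec-isakmp dynamic ", config, re.M)]
    # 1. Entries are tried in sequence order; the catch-all dynamic entry must sort last,
    #    otherwise the L2L gateway is negotiated as if it were a remote-access client.
    if static and dynamic and max(static) > min(dynamic):
        findings.append("static L2L entry %d sorts after dynamic entry %d" % (max(static), min(dynamic)))
    # 2. Keep the nat 0 ACL and the tunnel's match-address ACL as separate objects so
    #    ACEs can be added to the nonat list without touching the tunnel definition.
    nonat = set(re.findall(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M))
    matched = set(re.findall(r"^crypto map \S+ \d+ match address (\S+)", config, re.M))
    for acl in sorted(nonat & matched):
        findings.append("ACL %s is used for both nat 0 and match address" % acl)
    # 3. With client authentication on the map, a static peer's preshared key needs
    #    no-xauth and no-config-mode, or the PIX tries xauth/mode-config on that gateway.
    if re.search(r"^crypto map \S+ client authentication ", config, re.M):
        for peer in re.findall(r"^crypto map \S+ \d+ set peer (\S+)", config, re.M):
            key = re.search(r"^isakmp key \S+ address %s\b.*$" % re.escape(peer), config, re.M)
            if key is None or "no-xauth" not in key.group(0) or "no-config-mode" not in key.group(0):
                findings.append("peer %s key lacks no-xauth no-config-mode" % peer)
    return findings

# The asker's first draft had the sequence numbers reversed (tunnel 64000, dynamic 10).
REVERSED = (SAMPLE_CONFIG.replace("mymap 10 ", "mymap 64000 ")
            .replace("mymap 64000 ipsec-isakmp dynamic", "mymap 10 ipsec-isakmp dynamic"))
```

Running `check_crypto_map(REVERSED)` reports the reversed ordering, while the merged sample returns no findings.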
