Solved

PIX Remote Access and Site-to-Site Tunnel

Posted on 2006-06-21
477 Views
Last Modified: 2010-04-11
Hi guys,

I have a scenario. I was wondering whether it's possible to use a PIX 501 for both remote-access and site-to-site tunnels? Assume there are 3 networks: the PIX internal network, the ISA internal network and the public Internet. Both the PIX and the ISA have client machines behind them, and they are both VPN servers for remote users with laptops. IPsec VPN is working fine. Let's say I wanted to join both networks, both having different subnets, so users on the ISA network can ping machines behind the PIX network and vice versa. I also wanted to keep the capability of letting users VPN into the PIX.
I tried creating some crypto maps, but I can only bind one active crypto map to the outside interface at a time. Are there any guides to make it work so that existing VPN users won't be affected, and the new network is the joined ISA and PIX network?
Question by:coolsaintz
5 Comments
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16952573
You can do both RA and L2L VPN at the same time. However, you can only apply one crypto map to an interface at a time (this is true of any PIX/ASA). What you do is give the RA crypto map application a priority of 64000 and then the L2L tunnels a priority of, say, 10. This way, when negotiating the tunnel, it will try the priority 10 configuration before the RA.

If you want more help, please post your config so I can take a look at everything and tell you for sure what needs to be done (just X out the first 3 octets of any public IP and any public FQDN).
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16952591
Another note: I believe the only limit for VPN on the 501 is 10 concurrent tunnels, and depending upon the license either 10, 50, or unlimited hosts can traverse the firewall at a time (inside hosts, that is).
 

Author Comment

by:coolsaintz
ID: 16953346
Thanks Cyclops.

I appreciate the fast response and comments :). It might take some time for me to edit my PIX config and blank out the IPs, because it's a freaking long config, but I think I am getting the picture. Let's take this set of lines for example.

sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication myRadius
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local VPNPool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup testGroup address-pool VPNPool
vpngroup testGroup dns-server x.x.x.x
vpngroup testGroup default-domain abc.net
vpngroup testGroup idle-time 1800
vpngroup testGroup password ********

This is my original PIX config for RA clients using a RADIUS server.

Assuming I have set the IKE/IPsec parameters on the ISA, I will create a new policy that matches it on the PIX's end.
I am putting in the config for the tunnel; please let me know if this is the right way to do it.

(y.y.y.y = ISA external IP; a.a.a.a = PIX network; b.b.b.b = ISA network)

isakmp key mypresharekey address y.y.y.y netmask 255.255.255.255 no-xauth no-config-mode
crypto ipsec transform-set ISAtransform esp-3des esp-sha-hmac
access-list 90 permit ip a.a.a.a 255.255.255.0 b.b.b.b 255.255.255.0
nat (inside) 0 access-list 90
nat (inside) 1 0 0

isakmp policy 64000 authentication pre-share
isakmp policy 64000 encryption 3des
isakmp policy 64000 hash sha
isakmp policy 64000 group 2
isakmp policy 64000 lifetime 86400

crypto map mymap 64000 ipsec-isakmp
crypto map mymap 64000 match address 90
crypto map mymap 64000 set transform-set ISAtransform
crypto map mymap 64000 set peer y.y.y.y

----------------

I cannot test it out now, to avoid any interruptions; I will probably do it late tonight. But please let me know if I'm on the right track. Thanks.
 

Author Comment

by:coolsaintz
ID: 16953371
Oops,
Sorry, I just realised I had the priorities reversed. It should be 10 for the tunnel and 64000 for remote access (didn't know until after it was posted).
 
LVL 25

Accepted Solution

by:
Cyclops3590 earned 500 total points
ID: 16953432
That should work. Only one thing: I would recommend doing up two different ACLs for subnet A to subnet B, one for the nat 0 and one for the match address. This is because if you need to add ACEs to the nonat ACL, then you can without affecting the tunnel ACL.
