Solved

PIX Remote Access and Site-to-Site Tunnel

Posted on 2006-06-21
Last Modified: 2010-04-11
Hi guys,

I have a scenario. I was wondering whether it's possible to use a PIX 501 for both remote-access and a site-to-site tunnel? Assume there are 3 networks: the PIX internal network, the ISA internal network and the PUBLIC internet. Both the PIX and the ISA have client machines behind them, and they are both VPN servers for remote users with laptops. IPSEC VPN is working fine. Let's say I wanted to join both networks, both having different subnets, so users on the ISA network can ping machines behind the PIX network and vice versa. I also wanted to keep the capability of letting users VPN into the PIX.
I tried creating some crypto maps, but I can only bind one active crypto map to the outside interface, one at a time. Are there any guides to make it work so that existing VPN users won't be affected, and the new network is the joined ISA and PIX network?
Question by:coolsaintz
5 Comments
LVL 25

Expert Comment

by:Cyclops3590
ID: 16952573
You can do both RA and L2L VPN at the same time. However, you can only apply one crypto map to an interface at a time (this is true of any PIX/ASA). What you do is give the RA crypto map entry a priority of 64000 and then the L2L tunnels a priority of, say, 10. This way, when negotiating the tunnel, it will try the priority 10 configuration before the RA one.

If you want more help, please post your config so I can take a look at everything and tell you for sure what needs to be done (just X out the first 3 octets of any public IP and any public FQDN).
LVL 25

Expert Comment

by:Cyclops3590
ID: 16952591
Another note: I believe the only limit for VPN on the 501 is 10 concurrent tunnels, and, depending upon the license, either 10, 50, or unlimited hosts can traverse the firewall at a time (inside hosts, that is).

Author Comment

by:coolsaintz
ID: 16953346
Thanks Cyclops.

I appreciate the fast response and comments :). It might take some time for me to edit my PIX config and blank out the IPs, because it's a freaking long config, but I think I am getting the picture. Let's take this set of lines for example.

sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication myRadius
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local VPNPool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup testGroup address-pool VPNPool
vpngroup testGroup  dns-server x.x.x.x
vpngroup testGroup default-domain abc.net
vpngroup testGroup  idle-time 1800
vpngroup testGroup  password ********

This is my original PIX config for RA clients using a RADIUS server.

Assuming I have set the IKE/IPsec parameters on the ISA, I will create a new policy that matches it on the PIX's end.
I am putting in the config for the tunnel; please let me know if this is the right way to do it.

isakmp key mypresharekey address y.y.y.y netmask 255.255.255.255 no-xauth no-config-mode   # y.y.y.y = ISA external IP; no-xauth/no-config-mode so the PIX does not apply the RA client authentication/configuration to the ISA peer
crypto ipsec transform-set ISAtransform esp-3des esp-sha-hmac
access-list 90 permit ip a.a.a.a 255.255.255.0 b.b.b.b 255.255.255.0   # a.a.a.a = PIX network, b.b.b.b = ISA network
nat (inside) 0 access-list 90
nat (inside) 1 0 0

isakmp policy 64000 authentication pre-share
isakmp policy 64000 encryption 3des
isakmp policy 64000 hash sha
isakmp policy 64000 group 2
isakmp policy 64000 lifetime 86400

crypto map mymap 64000 ipsec-isakmp
crypto map mymap 64000 match address 90
crypto map mymap 64000 set transform-set ISAtransform
crypto map mymap 64000 set peer y.y.y.y

I cannot test it out now to avoid any interruptions; I will probably do it late tonight. But please let me know if I'm on the right track. Thanks.

Author Comment

by:coolsaintz
ID: 16953371
Oops,
sorry, I just realised I had the priorities reversed. It should be 10 for the tunnel, 64000 for remote access (didn't know until after it was posted).
LVL 25

Accepted Solution

by: Cyclops3590 (earned 500 total points)
ID: 16953432
That should work. Only one thing: I would recommend making two different ACLs for subnet A to subnet B, one for the nat 0 and one for the match address. This is because if you need to add ACEs to the nonat ACL, you can do so without affecting the tunnel ACL.
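The two points made in this thread (static L2L crypto map entries must sort before the dynamic remote-access entry, and the nat 0 ACL should be a different ACL from the tunnel's match address) can be checked mechanically before a config is pushed. The following Python script is an added example, not Cisco's code and not anything posted in the thread; the two sample configs are constructed, modelled on the poster's lines with RFC 1918/5737 placeholder addresses, and the parser only understands the handful of PIX 6.x statements these checks need.

```python
"""Audit a PIX 6.x-style crypto map that mixes remote-access (dynamic) and
site-to-site (static) entries.

Check 1: the PIX tries crypto map entries in ascending sequence-number order,
         so every static L2L entry must sort before the dynamic RA entry.
Check 2: the ACL named by 'nat (inside) 0' must not also be a 'match address'
         ACL, so NAT exemption can grow without changing the tunnel selector.
"""
import re
from collections import defaultdict

CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")

# Constructed sample modelled on the poster's first attempt (not a real device
# config): the L2L entry has the higher sequence number and the tunnel ACL
# doubles as the nat 0 ACL.
SAMPLE_BAD = """
access-list 90 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list 90
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap 64000 ipsec-isakmp
crypto map mymap 64000 match address 90
crypto map mymap 64000 set peer 203.0.113.10
crypto map mymap interface outside
"""

# Constructed sample applying both corrections from the thread.
SAMPLE_GOOD = """
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list isa_tunnel permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address isa_tunnel
crypto map mymap 10 set peer 203.0.113.10
crypto map mymap 64000 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
"""


def parse(config):
    """Return (entries, nat0_acls).

    entries maps (map_name, seq) -> {"dynamic": dyn_map_or_None, "match": acl,
    "peer": ip}; nat0_acls is the set of ACL names used by 'nat (...) 0'.
    """
    entries = defaultdict(lambda: {"dynamic": None})
    nat0_acls = set()
    for raw in config.splitlines():
        line = raw.strip()
        m = CRYPTO_MAP_RE.match(line)
        if m:
            entry = entries[(m.group(1), int(m.group(2)))]
            words = m.group(3).split()
            if words[:2] == ["ipsec-isakmp", "dynamic"]:
                entry["dynamic"] = words[2]
            elif words[:2] == ["match", "address"]:
                entry["match"] = words[2]
            elif words[:2] == ["set", "peer"]:
                entry["peer"] = words[2]
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0_acls.add(m.group(2))
    return dict(entries), nat0_acls


def check_ordering(entries):
    """Flag static entries whose sequence number is above the lowest dynamic
    entry of the same crypto map (they would never be tried first)."""
    problems = []
    by_map = defaultdict(list)
    for (name, seq), entry in entries.items():
        by_map[name].append((seq, entry))
    for name, items in by_map.items():
        dynamic_seqs = [seq for seq, entry in items if entry["dynamic"]]
        if not dynamic_seqs:
            continue
        first_dynamic = min(dynamic_seqs)
        for seq, entry in sorted(items, key=lambda t: t[0]):
            if entry["dynamic"] is None and seq > first_dynamic:
                problems.append(
                    f"{name} {seq}: static L2L entry sorts after dynamic entry {first_dynamic}"
                )
    return problems


def check_acl_reuse(entries, nat0_acls):
    """Flag crypto map entries whose match ACL is also the nat 0 ACL."""
    return [
        f"{name} {seq}: match address ACL '{entry['match']}' is also the nat 0 ACL"
        for (name, seq), entry in entries.items()
        if entry.get("match") in nat0_acls
    ]


def audit(config):
    """Run both checks; an empty list means the config passes."""
    entries, nat0_acls = parse(config)
    return check_ordering(entries) + check_acl_reuse(entries, nat0_acls)


if __name__ == "__main__":
    for label, cfg in (("first attempt", SAMPLE_BAD), ("corrected", SAMPLE_GOOD)):
        findings = audit(cfg)
        print(f"{label}: {'clean' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run it as-is to see the first sample produce two findings and the corrected one none; to audit a real config, paste the relevant `access-list`, `nat` and `crypto map` lines into a string and pass it to `audit()`.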
