Status: Solved

Adding new tunnel to PIX501

Need to add a new tunnel to my PIX 501 to connect back to a vendor concentrator. Here is what I have determined I need to add:

INFO

DEN = home PIX 501
SGF = remote location VPN Concentrator

Peer IP 111.111.111.111
Tunnel auth esp/md5/hmac
Tunnel encrypt 3des-168
IKE proposal 3des/md5/dhg2
Shared secret #################

ADD TO PIX CONFIG?


pixfirewall(config)# name 000.000.000.000 DEN
pixfirewall(config)# name xxx.xxx.xxx.xxx SGF
! Interesting traffic for the new tunnel, referenced by the crypto map entry below
pixfirewall(config)# access-list sgf permit ip DEN 255.255.255.0 SGF 255.255.255.0
!
! Phase 2: ESP with 3DES and MD5-HMAC, as the vendor's tunnel auth/encrypt lines require
pixfirewall(config)# crypto ipsec transform-set new-set esp-3des esp-md5-hmac
! New sequence 20 in the existing crypto map (sequence 10 is the current tunnel)
pixfirewall(config)# crypto map newmap 20 ipsec-isakmp
pixfirewall(config)# crypto map newmap 20 match address sgf
pixfirewall(config)# crypto map newmap 20 set peer 111.111.111.111
pixfirewall(config)# crypto map newmap 20 set transform-set new-set
!
! Phase 1: pre-shared key scoped to this single peer (host mask, not the /24 in the draft)
pixfirewall(config)# isakmp key ################# address 111.111.111.111 netmask 255.255.255.255
! IKE proposal 3des/md5/dhg2 with pre-shared-key authentication
pixfirewall(config)# isakmp policy 20 authentication pre-share
pixfirewall(config)# isakmp policy 20 encryption 3des
pixfirewall(config)# isakmp policy 20 hash md5
pixfirewall(config)# isakmp policy 20 group 2
pixfirewall(config)# isakmp policy 20 lifetime 86400

Given that I already have a crypto map newmap 10 and an isakmp policy 10 that uses hash sha, not md5 as required, does this look like all I would have to add to my PIX to open a new tunnel?

Asked by Ranman38

1 Solution

stressedout2004 commented:
You have everything covered except for the NAT 0 ACL. If the PIX 501 is acting as an internet gateway for the hosts inside the network, then chances are you have the nat 0 command. So don't forget to add an ACL entry on the nat 0 ACL for the new tunnel.

e.g.
access-list nat_acl permit ip DEN 255.255.255.0 SGF 255.255.255.0
nat (inside) 0 access-list nat_acl
 
Ranman38 (Author) commented:
The PIX is not my gateway, the 2621 router is. Will I need that entry in it then?
 
stressedout2004 commented:
If the PIX is not the gateway being used for the internet connection, then you don't have to add the nat 0 command. Just make sure that on the 2621 router you have the appropriate static route for the new remote site pointing back to the PIX.
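The thread turns on three things that are easy to get wrong when a second tunnel is bolted onto an existing PIX config: a crypto ACL entry with no matching nat 0 exemption (only relevant when the PIX is the NAT gateway), an isakmp policy that does not match the vendor's IKE proposal, and a pre-shared key whose netmask covers more than the one peer. The script below is an added example, not code from the poster or the expert; it is Python run against a saved config, not PIX CLI. The config text is constructed to mirror the question (placeholder addresses kept as posted, the `nat_acl` name taken from the answer); the `old_site` ACL, the `10.20.0.0` network and the `nat (inside) 0 access-list` keyword form (PIX 6.x syntax) are assumptions.

```python
"""Check a PIX 6.x-style config for the pieces a new site-to-site tunnel needs.

Added example for this thread, not the poster's or the expert's own code.
Checks: (1) every crypto-map ACL entry has an identical nat 0 exemption entry,
(2) the isakmp policy matches the vendor's IKE proposal, (3) each isakmp key
is scoped to a single peer (host netmask).
"""
import re

# Constructed sample (not the poster's running config): the old tunnel
# (sequence 10) is exempted from NAT, the new one (sequence 20) is not,
# and the new key's netmask is a /24 as in the posted draft.
SAMPLE_CONFIG = """\
name 000.000.000.000 DEN
name xxx.xxx.xxx.xxx SGF
access-list old_site permit ip DEN 255.255.255.0 10.20.0.0 255.255.255.0
access-list sgf permit ip DEN 255.255.255.0 SGF 255.255.255.0
access-list nat_acl permit ip DEN 255.255.255.0 10.20.0.0 255.255.255.0
nat (inside) 0 access-list nat_acl
crypto ipsec transform-set new-set esp-3des esp-md5-hmac
crypto map newmap 10 match address old_site
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address sgf
crypto map newmap 20 set peer 111.111.111.111
crypto map newmap 20 set transform-set new-set
isakmp key ################# address 111.111.111.111 netmask 255.255.255.0
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""

# Same config with the two fixes: host mask on the key, nat 0 entry for the new tunnel.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "netmask 255.255.255.0", "netmask 255.255.255.255"
) + "access-list nat_acl permit ip DEN 255.255.255.0 SGF 255.255.255.0\n"

# What the vendor asked for: IKE proposal 3des/md5/dhg2 with a shared secret.
VENDOR_PROPOSAL = {
    "authentication": "pre-share",
    "encryption": "3des",
    "hash": "md5",
    "group": "2",
}

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$", re.M)
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$", re.M)
KEY_RE = re.compile(r"^isakmp key \S+ address (\S+) netmask (\S+)$", re.M)


def parse_acls(cfg):
    """Map ACL name -> set of (src, src_mask, dst, dst_mask) permit-ip entries."""
    acls = {}
    for m in ACL_RE.finditer(cfg):
        acls.setdefault(m.group(1), set()).add(m.group(2, 3, 4, 5))
    return acls


def missing_nat_exemptions(cfg):
    """Crypto ACL entries with no identical entry in the nat 0 ACL (empty set = OK)."""
    acls = parse_acls(cfg)
    nat0 = NAT0_RE.search(cfg)
    exempt = acls.get(nat0.group(1), set()) if nat0 else set()
    missing = set()
    for name in MATCH_RE.findall(cfg):
        missing |= acls.get(name, set()) - exempt
    return missing


def isakmp_policy(cfg, number):
    """Attributes of one isakmp policy, e.g. {'hash': 'md5', 'group': '2', ...}."""
    pat = re.compile(rf"^isakmp policy {number} (\S+) (\S+)$", re.M)
    return dict(pat.findall(cfg))


def policy_mismatches(cfg, number, wanted):
    """Attributes where the policy differs from the proposal: {attr: (have, want)}."""
    have = isakmp_policy(cfg, number)
    return {k: (have.get(k), v) for k, v in wanted.items() if have.get(k) != v}


def overly_broad_isakmp_keys(cfg):
    """isakmp key entries whose netmask covers more than one peer address."""
    return [(peer, mask) for peer, mask in KEY_RE.findall(cfg) if mask != "255.255.255.255"]


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label)
        print("  crypto entries without nat 0 exemption:", missing_nat_exemptions(cfg))
        print("  policy 20 vs vendor proposal:", policy_mismatches(cfg, 20, VENDOR_PROPOSAL))
        print("  keys not scoped to one peer:", overly_broad_isakmp_keys(cfg))
```

On the sample as posted the script reports the `sgf` entry as lacking a nat 0 exemption and the `111.111.111.111` key as scoped to a /24; on the fixed config both lists are empty and policy 20 matches the vendor proposal exactly. If, as in the thread, the PIX is not the NAT gateway, the nat 0 finding can be ignored, but the host-mask finding still applies.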
