Solved

Adding new tunnel to PIX501

Posted on 2006-07-18
Last Modified: 2010-04-09
I need to add a new tunnel to my PIX 501 to connect back to a vendor concentrator. Here is what I have determined I need to add:

INFO

DEN = home PIX 501
SGF = remote location VPN Concentrator

Peer IP 111.111.111.111
Tunnel auth esp/md5/hmac
Tunnel encrypt 3des-168
IKE proposal 3des/md5/dhg2
Shared secret #################

ADD TO PIX CONFIG?


! All of these are configuration-mode commands, so the prompt is (config)#, not >.
! "names" must be on before "name" aliases can be used in ACLs (skip if already enabled).
pixfirewall(config)# names
pixfirewall(config)# name 000.000.000.000 DEN
pixfirewall(config)# name xxx.xxx.xxx.xxx SGF
! Interesting traffic for the new tunnel: DEN LAN <-> SGF LAN
pixfirewall(config)# access-list sgf permit ip DEN 255.255.255.0 SGF 255.255.255.0
!
pixfirewall(config)# crypto ipsec transform-set new-set esp-3des esp-md5-hmac
pixfirewall(config)# crypto map newmap 20 ipsec-isakmp
pixfirewall(config)# crypto map newmap 20 match address sgf
pixfirewall(config)# crypto map newmap 20 set peer 111.111.111.111
pixfirewall(config)# crypto map newmap 20 set transform-set new-set
! newmap is already applied to the outside interface and isakmp is already enabled
! there because entry 10 is in service, so those two lines are not repeated.
!
! Bind the pre-shared key to this single peer. A 255.255.255.0 netmask here would
! accept the same key from any host in 111.111.111.0/24, not just the concentrator.
pixfirewall(config)# isakmp key ################# address 111.111.111.111 netmask 255.255.255.255
!
! Phase 1 proposal required by the vendor: 3des / md5 / DH group 2
pixfirewall(config)# isakmp policy 20 authentication pre-share
pixfirewall(config)# isakmp policy 20 encryption 3des
pixfirewall(config)# isakmp policy 20 hash md5
pixfirewall(config)# isakmp policy 20 group 2
pixfirewall(config)# isakmp policy 20 lifetime 86400

Given that I already have a crypto map newmap 10, and an isakmp policy 10 that uses hash sha, not md5 as required, does this look like all I would have to add to my PIX to open a new tunnel?
Question by: Ranman38

Accepted Solution

by: stressedout2004
You have everything covered except for the NAT 0 ACL. If the PIX 501 is acting as an internet gateway for the hosts inside the network, then chances are you have the nat 0 command. So don't forget to add an ACL entry on the nat 0 ACL for the new tunnel.

e.g.
! Exempt tunnel traffic from translation so it still matches the crypto map ACL
access-list nat_acl permit ip DEN 255.255.255.0 SGF 255.255.255.0
nat (inside) 0 access-list nat_acl
Author Comment

by: Ranman38
The PIX is not my gateway, the 2621 router is. Will I need that entry in it then?
Expert Comment

by: stressedout2004
If the PIX is not the gateway being used for internet connection then you don't have to add the nat 0 command. Just make sure that on the 2621 router you have the appropriate static route for the new remote site pointing back to the PIX.
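As an added example, not code from this thread or from Cisco: a small Python linter that parses a PIX 6.x fragment like the one posted above and flags the points the thread turns on, a pre-shared key bound to a /24 rather than to the single peer, tunnel traffic missing from the nat 0 exemption ACL (only when a nat 0 ACL exists, which matches the last comment: a PIX that is not the gateway and has no nat 0 gets no such finding), a crypto map not applied to an interface with isakmp enabled, and no isakmp policy matching the proposal the concentrator requires. The sample config is constructed with RFC 5737 addresses; `DEN`, `SGF`, `sgf`, `nat_acl`, `newmap` and the peer 111.111.111.111 follow the thread, the key string is a placeholder, and the parser only understands the `name`, `access-list ... permit`, `nat ... 0 access-list`, `crypto map` and `isakmp` lines it needs (`host`/`any` ACL forms are out of scope).

```python
"""Lint a PIX 6.x site-to-site IPsec fragment for the mistakes discussed in this thread:
a pre-shared key bound to a network mask instead of one peer, tunnel traffic missing
from the nat 0 exemption ACL, a crypto map not applied to an interface with ISAKMP
enabled, and no ISAKMP policy matching what the remote concentrator requires."""
from collections import defaultdict

HOST_MASK = "255.255.255.255"

# Constructed sample, not the poster's real config: RFC 5737 addresses, the /24 key
# netmask from the question, and a nat 0 ACL that only covers an older tunnel.
SAMPLE_CONFIG = """
name 192.0.2.0 DEN
name 198.51.100.0 SGF
access-list nat_acl permit ip DEN 255.255.255.0 203.0.113.0 255.255.255.0
access-list sgf permit ip DEN 255.255.255.0 SGF 255.255.255.0
nat (inside) 0 access-list nat_acl
crypto ipsec transform-set new-set esp-3des esp-md5-hmac
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address sgf
crypto map newmap 20 set peer 111.111.111.111
crypto map newmap 20 set transform-set new-set
crypto map newmap interface outside
isakmp enable outside
isakmp key placeholder address 111.111.111.111 netmask 255.255.255.0
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""
# The same fragment with both defects corrected.
FIXED_CONFIG = SAMPLE_CONFIG.replace("netmask 255.255.255.0", "netmask " + HOST_MASK) + \
    "access-list nat_acl permit ip DEN 255.255.255.0 SGF 255.255.255.0\n"
# IKE proposal the vendor concentrator in the question requires: 3des / md5 / DH group 2.
REQUIRED = {"authentication": "pre-share", "encryption": "3des", "hash": "md5", "group": "2"}


def parse_pix(text):
    """Collect the parts of a PIX 6.x config the linter needs; other lines are ignored."""
    cfg = {"names": {}, "acls": defaultdict(list), "maps": defaultdict(dict), "nat0": {},
           "keys": [], "policies": defaultdict(dict), "map_iface": {}, "isakmp_on": set()}
    n = cfg["names"]
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "name" and len(t) == 3:                       # name IP ALIAS
            n[t[2]] = t[1]
        elif t[0] == "access-list" and len(t) == 8 and t[2] == "permit":
            # access-list NAME permit PROTO SRC SMASK DST DMASK, aliases resolved to IPs
            cfg["acls"][t[1]].append((t[3], n.get(t[4], t[4]), t[5], n.get(t[6], t[6]), t[7]))
        elif t[:2] == ["crypto", "map"] and len(t) == 5 and t[3] == "interface":
            cfg["map_iface"][t[2]] = t[4]
        elif t[:2] == ["crypto", "map"] and len(t) == 7 and t[4] in ("match", "set"):
            # crypto map NAME SEQ match address ACL | crypto map NAME SEQ set peer|transform-set X
            cfg["maps"][(t[2], int(t[3]))]["acl" if t[4] == "match" else t[5]] = t[6]
        elif t[0] == "nat" and len(t) == 5 and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"][t[1].strip("()")] = t[4]                # nat (IFACE) 0 access-list ACL
        elif t[:2] == ["isakmp", "key"] and len(t) >= 5:       # isakmp key K address IP [netmask M]
            cfg["keys"].append((t[4], t[6] if len(t) > 6 else HOST_MASK))
        elif t[:2] == ["isakmp", "policy"] and len(t) == 5:
            cfg["policies"][int(t[2])][t[3]] = t[4]
        elif t[:2] == ["isakmp", "enable"] and len(t) == 3:
            cfg["isakmp_on"].add(t[2])
    return cfg


def lint(cfg, required):
    """Return human-readable findings; an empty list means the fragment looks sane."""
    out = []
    for addr, mask in cfg["keys"]:
        if mask != HOST_MASK:
            out.append(f"isakmp key for {addr} uses netmask {mask}: any host in that range "
                       f"that knows the key can complete IKE; use netmask {HOST_MASK}")
    for (mname, seq), entry in sorted(cfg["maps"].items()):
        acl = entry.get("acl")
        if acl not in cfg["acls"]:
            out.append(f"crypto map {mname} {seq} has no usable match address ACL ({acl})")
            continue
        for iface, nat_acl in cfg["nat0"].items():            # only when the PIX does NAT
            for ace in cfg["acls"][acl]:
                if ace not in cfg["acls"][nat_acl]:
                    out.append(f"crypto map {mname} {seq}: {ace[1]}/{ace[2]} -> {ace[3]}/{ace[4]} "
                               f"is not in nat ({iface}) 0 ACL {nat_acl}; it is translated before "
                               f"encryption and never matches the tunnel")
    for mname in sorted({m for m, _ in cfg["maps"]}):
        iface = cfg["map_iface"].get(mname)
        if iface is None:
            out.append(f"crypto map {mname} is not applied to any interface")
        elif iface not in cfg["isakmp_on"]:
            out.append(f"isakmp is not enabled on {iface}, where crypto map {mname} is applied")
    if not any(all(p.get(k) == v for k, v in required.items()) for p in cfg["policies"].values()):
        out.append(f"no isakmp policy matches the peer proposal {required}")
    return out


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_CONFIG), ("corrected", FIXED_CONFIG)):
        print(label + ":", lint(parse_pix(text), REQUIRED) or "no findings")
```

Run it as-is and the posted fragment yields two findings (the /24 key netmask and the sgf traffic absent from nat_acl) while the corrected fragment yields none; point it at a fragment whose only policy uses hash sha, as the poster's existing policy 10 does, and the proposal check fires instead.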