Solved

Adding new tunnel to PIX501

Posted on 2006-07-18
3
373 Views
Last Modified: 2010-04-09
Need to add a new tunnel to my PIX 501 to connect back to a vendor concentrator. Here is what I have determined I need to add:

INFO

DEN = home PIX 501
SGF = remote location VPN Concentrator

Peer IP 111.111.111.111
Tunnel auth esp/md5/hmac
Tunnel encrypt 3des-168
IKE proposal 3des/md5/dhg2
Shared secret #################

ADD TO PIX CONFIG?


pixfirewall(config)# name 000.000.000.000 DEN
pixfirewall(config)# name xxx.xxx.xxx.xxx SGF
pixfirewall(config)# access-list sgf permit ip DEN 255.255.255.0 SGF 255.255.255.0
!
pixfirewall(config)# crypto ipsec transform-set new-set esp-3des esp-md5-hmac
pixfirewall(config)# crypto map newmap 20 ipsec-isakmp
pixfirewall(config)# crypto map newmap 20 match address sgf
pixfirewall(config)# crypto map newmap 20 set peer 111.111.111.111
pixfirewall(config)# crypto map newmap 20 set transform-set new-set
!
! netmask 255.255.255.255 (the default) binds the pre-shared key to this one peer;
! a 255.255.255.0 mask would accept the same key from any host in 111.111.111.0/24
pixfirewall(config)# isakmp key ################# address 111.111.111.111 netmask 255.255.255.255
!
pixfirewall(config)# isakmp policy 20 authentication pre-share
pixfirewall(config)# isakmp policy 20 encryption 3des
pixfirewall(config)# isakmp policy 20 hash md5
pixfirewall(config)# isakmp policy 20 group 2
pixfirewall(config)# isakmp policy 20 lifetime 86400

Given that I already have a crypto map newmap 10 and an isakmp policy 10 that uses hash sha, not md5 as required, does this look like all I would have to add to my PIX to open a new tunnel?
0
Question by:Ranman38
3 Comments
 
LVL 9

Accepted Solution

by:
stressedout2004 earned 125 total points
ID: 17134434
You have everything covered except for the NAT 0 ACL. If the PIX 501 is acting as an internet gateway for the hosts inside the network, then chances are you have the nat 0 command. So don't forget to add an ACL entry on the nat 0 ACL for the new tunnel.

e.g.
access-list nat_acl permit ip DEN 255.255.255.0 SGF 255.255.255.0
nat (inside) 0 nat_acl
0
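A small checker for the kind of config fragment posted in the question, as an added example that is not code from the original thread. It parses the commands the tunnel depends on (name, access-list, transform-set, crypto map, isakmp key and policy) plus the nat 0 line from the accepted answer, and flags what a reviewer would look for before bringing the tunnel up: a crypto map entry missing a piece, a transform set or ISAKMP policy that does not offer what the concentrator requires, a pre-shared key bound to a whole subnet instead of the single peer, and interesting traffic that is not NAT-exempt. Everything in SAMPLE_CONFIG is constructed: the 10.x subnets stand in for the DEN/SGF placeholders, and the peer address and key are the post's own placeholders.

```python
"""Sanity-check a PIX 6.x config fragment before adding a new IPsec tunnel.
Added example, not code from the original post; SAMPLE_CONFIG is constructed
from the commands in the thread (10.x subnets stand in for DEN/SGF)."""
from collections import defaultdict

SAMPLE_CONFIG = """
name 10.1.1.0 DEN
name 10.2.2.0 SGF
access-list sgf permit ip DEN 255.255.255.0 SGF 255.255.255.0
access-list nat_acl permit ip DEN 255.255.255.0 SGF 255.255.255.0
nat (inside) 0 nat_acl
crypto ipsec transform-set new-set esp-3des esp-md5-hmac
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address sgf
crypto map newmap 20 set peer 111.111.111.111
crypto map newmap 20 set transform-set new-set
isakmp key secret123 address 111.111.111.111 netmask 255.255.255.0
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
"""
# What the vendor's concentrator requires, taken from the question.
REQUIRED_TRANSFORM = {"esp-3des", "esp-md5-hmac"}
REQUIRED_POLICY = {"authentication": "pre-share", "encryption": "3des",
                   "hash": "md5", "group": "2"}

def parse_config(text):
    """Collect the commands the tunnel depends on into plain dicts."""
    cfg = {"names": {}, "acls": defaultdict(list), "transform_sets": {},
           "crypto_maps": defaultdict(dict), "isakmp_keys": [],
           "isakmp_policies": defaultdict(dict), "nat0_acls": set()}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "name" and len(tok) == 3:            # name <ip> <alias>
            cfg["names"][tok[2]] = tok[1]
        elif tok[0] == "access-list" and len(tok) >= 8 and tok[2:4] == ["permit", "ip"]:
            cfg["acls"][tok[1]].append(tuple(tok[4:8]))   # (src, smask, dst, dmask)
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"][tok[3]] = set(tok[4:])
        elif tok[:2] == ["crypto", "map"] and len(tok) >= 7:
            entry = cfg["crypto_maps"][(tok[2], tok[3])]   # keyed by (map, seq)
            if tok[4:6] == ["match", "address"]:
                entry["match"] = tok[6]
            elif tok[4:6] == ["set", "peer"]:
                entry["peer"] = tok[6]
            elif tok[4:6] == ["set", "transform-set"]:
                entry["transform"] = tok[6]
        elif tok[:2] == ["isakmp", "key"]:
            # isakmp key <secret> address <peer> [netmask <mask>]; default mask is /32
            peer = tok[tok.index("address") + 1]
            mask = tok[tok.index("netmask") + 1] if "netmask" in tok else "255.255.255.255"
            cfg["isakmp_keys"].append((peer, mask))
        elif tok[:2] == ["isakmp", "policy"] and len(tok) >= 5:
            cfg["isakmp_policies"][tok[2]][tok[3]] = tok[4]
        elif tok[0] == "nat" and len(tok) >= 4 and tok[2] == "0":
            cfg["nat0_acls"].add(tok[3])
    return cfg

def check_tunnel(cfg, map_name, seq):
    """Return the findings for one crypto map entry; an empty list means clean."""
    def resolve(host):  # alias -> IP, so ACL entries written with names compare equal
        return cfg["names"].get(host, host)
    entry = cfg["crypto_maps"].get((map_name, seq), {})
    findings = [f"crypto map {map_name} {seq} is missing '{p}'"
                for p in ("match", "peer", "transform") if p not in entry]
    if findings:
        return findings
    # Phase 2: the transform set must exist and match what the far end proposes.
    ts = cfg["transform_sets"].get(entry["transform"])
    if ts != REQUIRED_TRANSFORM:
        findings.append(f"transform-set {entry['transform']} is {sorted(ts or [])}, "
                        f"vendor requires {sorted(REQUIRED_TRANSFORM)}")
    # Phase 1: a key bound to exactly this peer, and a policy offering its proposal.
    keys = [m for p, m in cfg["isakmp_keys"] if p == entry["peer"]]
    if not keys:
        findings.append(f"no isakmp key for peer {entry['peer']}")
    findings += [f"isakmp key for {entry['peer']} uses netmask {m}; use 255.255.255.255 "
                 "so the key is accepted from that one peer only"
                 for m in keys if m != "255.255.255.255"]
    if not any(all(pol.get(k) == v for k, v in REQUIRED_POLICY.items())
               for pol in cfg["isakmp_policies"].values()):
        findings.append("no isakmp policy offers pre-share/3des/md5/group 2")
    # Interesting traffic must be NAT-exempt, as the accepted answer points out.
    exempt = {(resolve(s), sm, resolve(d), dm) for acl in cfg["nat0_acls"]
              for s, sm, d, dm in cfg["acls"].get(acl, [])}
    crypto_entries = cfg["acls"].get(entry["match"], [])
    if not crypto_entries:
        findings.append(f"crypto ACL {entry['match']} has no permit entries")
    findings += [f"{s} {sm} -> {d} {dm} is in crypto ACL {entry['match']} but in no nat 0 ACL"
                 for s, sm, d, dm in crypto_entries
                 if (resolve(s), sm, resolve(d), dm) not in exempt]
    return findings

if __name__ == "__main__":
    for finding in check_tunnel(parse_config(SAMPLE_CONFIG), "newmap", "20"):
        print("FINDING:", finding)
```

Run as-is it reports one finding, the /24 netmask on the isakmp key; change that mask to 255.255.255.255 and the fragment comes back clean, and dropping the nat 0 line reproduces the gap the accepted answer describes. The policy check only asks that some policy offers the concentrator's proposal, which is why the existing sha-based policy 10 does not matter as long as policy 20 is present.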
 

Author Comment

by:Ranman38
ID: 17140058
The PIX is not my gateway, the 2621 router is. Will I need that entry in it then?
0
 
LVL 9

Expert Comment

by:stressedout2004
ID: 17145761
If the PIX is not the gateway being used for internet connection then you don't have to add the nat 0 command. Just make sure that on the 2621 router you have the appropriate static route for the new remote site pointing back to the PIX.
0
