Solved

Adding new tunnel to PIX501

Posted on 2006-07-18
3
329 Views
Last Modified: 2010-04-09
Need to add a new tunnel to my pix501 to connect back to a vendor concentrator Here is what I have determined I need to add,

INFO

DEN = home PIX 501
SGF = remote location VPN Concentrator

Peer IP 111.111.111.111
Tunnel auth esp/md5/hmac
Tunnel encrypt 3des-168
IKE proposal 3des/md5/dhg2
Shared secret #################

ADD TO PIX CONFIG?


pixfirewall> name 000.000.000.000 DEN
pixfirewall> name xxx.xxx.xxx.xxx SGF
pixfirewall> access-list sgf permit ip DEN 255.255.255.0 SGF 255.255.255.0
!
pixfirewall> crypto ipsec transform-set new-set esp-3des esp-md5-hmac
pixfirewall> crypto map newmap 20 ipsec-isakmp
pixfirewall> crypto map newmap 20 match address sgf
pixfirewall> crypto map newmap 20 set peer 111.111.111.111
pixfirewall> crypto map newmap 20 set transform-set new-set
!

pixfirewall> isakmp key ################# address 111.111.111.111 netmask 255.255.255.0

pixfirewall> isakmp policy 20 authentication pre-share

pixfirewall> isakmp policy 20 encryption 3des

pixfirewall> isakmp policy 20 hash md5

pixfirewall> isakmp policy 20 group 2

pixfirewall> isakmp policy 20 lifetime 86400

Given that I already have a crypto map newmap 10, and a isakmp policy 10 that uses hash sha not md5 as required, Does this look all I would have to add to my pix to open a new tunnel?       
0
Comment
Question by:Ranman38
  • 2
3 Comments
 
LVL 9

Accepted Solution

by:
stressedout2004 earned 125 total points
ID: 17134434
You have everything covered except for the NAT 0 ACL. If the PIX 501 is acting as an internet gateway for the host inside the network, then chances are you have the nat 0 command. So don't forget to add an ACL entry on the nat 0 acl for the new tunnel.

e.g
access-list nat_acl permit ip DEN 255.255.255.0 SGF 255.255.255.0
nat (inside) 0 nat_acl
0
 

Author Comment

by:Ranman38
ID: 17140058
The Pix is not my gateway, the 2621 router is. Will I ned that entry in it then?
0
 
LVL 9

Expert Comment

by:stressedout2004
ID: 17145761
If the PIX is not the gateway being used for internet connection then you don't have to add the nat 0 command. Just make sure that on the 2621 router you have the appropriate static route for the new remote site pointing back to the PIX.
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now