Solved

Adding new tunnel to PIX501

Posted on 2006-07-18
Last Modified: 2010-04-09
Need to add a new tunnel to my pix501 to connect back to a vendor concentrator. Here is what I have determined I need to add:

INFO

DEN = home PIX 501
SGF = remote location VPN Concentrator

Peer IP 111.111.111.111
Tunnel auth esp/md5/hmac
Tunnel encrypt 3des-168
IKE proposal 3des/md5/dhg2
Shared secret #################

ADD TO PIX CONFIG?


pixfirewall(config)# name 000.000.000.000 DEN
pixfirewall(config)# name xxx.xxx.xxx.xxx SGF
pixfirewall(config)# access-list sgf permit ip DEN 255.255.255.0 SGF 255.255.255.0
!
pixfirewall(config)# crypto ipsec transform-set new-set esp-3des esp-md5-hmac
pixfirewall(config)# crypto map newmap 20 ipsec-isakmp
pixfirewall(config)# crypto map newmap 20 match address sgf
pixfirewall(config)# crypto map newmap 20 set peer 111.111.111.111
pixfirewall(config)# crypto map newmap 20 set transform-set new-set
!
! single peer, so use a host mask: with 255.255.255.0 any host in 111.111.111.0/24 could use this key
pixfirewall(config)# isakmp key ################# address 111.111.111.111 netmask 255.255.255.255
!
pixfirewall(config)# isakmp policy 20 authentication pre-share
pixfirewall(config)# isakmp policy 20 encryption 3des
pixfirewall(config)# isakmp policy 20 hash md5
pixfirewall(config)# isakmp policy 20 group 2
pixfirewall(config)# isakmp policy 20 lifetime 86400

Given that I already have a crypto map newmap 10 and an isakmp policy 10 that uses hash sha, not md5 as required, does this look like all I would have to add to my pix to open a new tunnel?
Question by:Ranman38
3 Comments

Accepted Solution

by: stressedout2004 (earned 125 total points)
ID: 17134434
You have everything covered except for the NAT 0 ACL. If the PIX 501 is acting as an internet gateway for the hosts inside the network, then chances are you have the nat 0 command. So don't forget to add an ACL entry on the nat 0 ACL for the new tunnel.

e.g.
access-list nat_acl permit ip DEN 255.255.255.0 SGF 255.255.255.0
nat (inside) 0 access-list nat_acl
 

Author Comment

by:Ranman38
ID: 17140058
The Pix is not my gateway, the 2621 router is. Will I need that entry in it then?
Expert Comment

by:stressedout2004
ID: 17145761
If the PIX is not the gateway being used for internet connection then you don't have to add the nat 0 command. Just make sure that on the 2621 router you have the appropriate static route for the new remote site pointing back to the PIX.
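As an added example that is not part of the thread or anyone's posted config: the two points stressedout2004 raises (the crypto ACL only does its job if the flow is exempt from translation, and the exemption is only needed when the PIX is actually translating) are easy to get wrong by hand, so this Python script models them over a constructed PIX 6.x fragment. It also flags an isakmp key whose netmask is wider than a single host. The config text, the addresses (DEN = 10.1.1.0/24, SGF = 10.2.2.0/24) and the key value are hypothetical; the model assumes the PIX order of operations, NAT first and then the crypto map ACL against the translated source.

```python
import ipaddress

# Constructed PIX 6.x config fragment for this example (hypothetical addresses and
# key; not the original poster's configuration). Only the statement forms used here
# are parsed: name, access-list ... permit ip NET MASK NET MASK, nat, crypto map,
# isakmp key.
SAMPLE_CONFIG = """\
name 10.1.1.0 DEN
name 10.2.2.0 SGF
access-list sgf permit ip DEN 255.255.255.0 SGF 255.255.255.0
access-list nat_acl permit ip DEN 255.255.255.0 SGF 255.255.255.0
nat (inside) 0 access-list nat_acl
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
crypto map newmap 20 match address sgf
crypto map newmap 20 set peer 111.111.111.111
isakmp key secret20 address 111.111.111.111 netmask 255.255.255.0
"""


def _net(addr, mask, names):
    """Resolve a 'name' alias and build a network from a PIX address/mask pair."""
    return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)


def parse_config(text):
    """Pull out just the statements the tunnel check depends on."""
    cfg = {"names": {}, "acls": {}, "nat0": [], "dynamic_nat": False,
           "crypto": {}, "keys": []}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "name":
            cfg["names"][p[2]] = p[1]
        elif p[0] == "access-list" and p[2:4] == ["permit", "ip"]:
            src = _net(p[4], p[5], cfg["names"])
            dst = _net(p[6], p[7], cfg["names"])
            cfg["acls"].setdefault(p[1], []).append((src, dst))
        elif p[:3] == ["nat", "(inside)", "0"] and p[3:4] == ["access-list"]:
            cfg["nat0"].append(p[4])                 # NAT exemption ACL
        elif p[:2] == ["nat", "(inside)"] and p[2] != "0":
            cfg["dynamic_nat"] = True                # PIX translates inside hosts
        elif p[:2] == ["crypto", "map"] and p[4:5] and p[4] in ("match", "set"):
            entry = cfg["crypto"].setdefault((p[2], int(p[3])), {})
            if p[4:6] == ["match", "address"]:
                entry["acl"] = p[6]
            elif p[4:6] == ["set", "peer"]:
                entry["peer"] = p[6]
        elif p[:2] == ["isakmp", "key"] and p[3:4] == ["address"] and p[5:6] == ["netmask"]:
            cfg["keys"].append((p[2], ipaddress.ip_network(f"{p[4]}/{p[6]}", strict=False)))
    return cfg


def _acl_matches(cfg, acl_name, src, dst):
    return any(src in s and dst in d for s, d in cfg["acls"].get(acl_name, []))


def nat_exempt(cfg, src, dst):
    """True if src->dst is covered by a nat 0 ACL and therefore leaves untranslated."""
    return any(_acl_matches(cfg, acl, src, dst) for acl in cfg["nat0"])


def crypto_entry(cfg, src, dst):
    """Lowest-sequence crypto map entry whose ACL matches, or None (traffic goes in the clear)."""
    for (name, seq), e in sorted(cfg["crypto"].items()):
        if "acl" in e and _acl_matches(cfg, e["acl"], src, dst):
            return (name, seq, e.get("peer"))
    return None


def keys_for_peer(cfg, peer):
    """isakmp keys whose address/netmask covers the peer; third field flags a mask wider than /32."""
    peer = ipaddress.ip_address(peer)
    return [(k, str(n), n.prefixlen < 32) for k, n in cfg["keys"] if peer in n]


def check_flow(cfg, src, dst):
    """Decide whether one inside->remote flow will be encrypted, NAT first, then crypto ACL."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    exempt = nat_exempt(cfg, src, dst)
    # A translated flow carries the outside address when the crypto ACL is evaluated,
    # so it no longer matches the private DEN network and the tunnel never forms for it.
    translated = cfg["dynamic_nat"] and not exempt
    entry = crypto_entry(cfg, src, dst)
    return {"nat_exempt": exempt, "translated": translated, "crypto": entry,
            "will_encrypt": entry is not None and not translated,
            "peer_keys": keys_for_peer(cfg, entry[2]) if entry and entry[2] else []}


def demo():
    """The three situations from the thread plus ordinary internet-bound traffic."""
    no_exempt = SAMPLE_CONFIG.replace("nat (inside) 0 access-list nat_acl\n", "")
    no_nat = no_exempt.replace("nat (inside) 1 0.0.0.0 0.0.0.0\n", "")  # PIX is not the gateway
    return {
        "with_nat0": check_flow(parse_config(SAMPLE_CONFIG), "10.1.1.5", "10.2.2.9"),
        "nat0_missing": check_flow(parse_config(no_exempt), "10.1.1.5", "10.2.2.9"),
        "pix_not_gateway": check_flow(parse_config(no_nat), "10.1.1.5", "10.2.2.9"),
        "internet_bound": check_flow(parse_config(SAMPLE_CONFIG), "10.1.1.5", "8.8.8.8"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

In the "with_nat0" case the flow is encrypted but the key lookup reports the /24 netmask as overly broad; dropping the nat 0 line while the dynamic nat stays in place (the PIX as gateway) turns "will_encrypt" off, and dropping both nat lines (the poster's setup, where the 2621 does the NAT) turns it back on without any exemption, which is the point of the second reply.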
