Solved

Cisco Pix 506E Site-to-Site-to-Site VPN Configuration

Posted on 2006-11-28
19
908 Views
Last Modified: 2008-01-09
Hi Experts,

I have the following scenario.

Site A
-------
Internal IP Range: 10.0.0.0 / 255.255.255.0

Example Site A has 1 Static IP from ISP = 61.88.99.100

Cisco 506E -> ADSL Modem

Site B
-------
Internal IP Range: 10.0.1.0 / 255.255.255.0

Example Site B has 1 Static IP from ISP = 61.88.99.103

Cisco 506E -> ADSL Modem


Site C
-------
Internal IP Range: 10.0.2.0 / 255.255.255.0

Example Site C has 1 Static IP from ISP = 61.88.99.106

Cisco 506E -> ADSL Modem


This is my first time at setting up Cisco hardware. How do I go about creating a VPN between all three sites. I have heard the VPN Wizard is a good place to start. Can you please describe in absolute detail as I will be documenting the whole process to my colleagues. I will also be setting up the hardware onsite for a client tomorrow at three locations and allowing all three sites to communicate via VPN.

We also require each site to be able to have internet Access via it's own Gateway. Example.

Site A - Site B - Site C  are all connected via VPN. We would like all external internet traffic for each site to go through each site and not via VPN Tunnel. We can't have all the resources being chewed up at one end. The only traffic we would like to see go down the VPN tunnel is that traffic which is only for the VPN tunnel. i.e 10.0.0.0, 10.0.1.0, 10.0.2.0 etc.

I really appreciate all the help Experts. Many Thanks in advance.

PS. This is the first time I am setting up Cisco hardware so I really need a step by step on how to go about setting up each  Cisco 506E Appliance. A basic secure VPN between all three sites is all I require.
0
Comment
Question by:logicsolutions
  • 9
  • 8
  • 2
19 Comments
 
LVL 1

Expert Comment

by:Sean64
ID: 18032487
On each PIX enter the following commands :
sysopt connection permit-ipsec
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
crypto ipsec transform-set VPN_TS esp-3des esp-md5-hmac
crypto map VPN 1 ipsec-isakmp
crypto map VPN 1 match address 101
crypto map VPN 1 set transform-set VPN_TS
crypto map VPN 2 ipsec-isakmp
crypto map VPN 2 match address 102
crypto map VPN 2 set transform-set VPN_TS


On the below commands replace <key> with a "password" type string.  This will be your VPN encryption key.  Also replace <pix1> <pix2> <pix3> with the outside ip addresses of the pix devices.
<lan1> <lan2> <lan3> should be the local lan network in the following format:
Network     Subnet Mask
192.168.0.0 255.255.255.0

On Pix1 :
access-list 101 permit ip <lan1> <lan2>
access-list 102 permit ip <lan1> <lan3>
isakmp key <key> address <pix2> mask 255.255.255.255
isakmp key <key> address <pix3> mask 255.255.255.255
crypto map VPN 1 set peer <pix2>
crypto map VPN 2 set peer <pix3>

On Pix2 :
access-list 101 permit ip <lan2> <lan1>
access-list 102 permit ip <lan2> <lan3>
isakmp key <key> address <pix1> mask 255.255.255.255
isakmp key <key> address <pix3> mask 255.255.255.255
crypto map VPN 1 set peer <pix1>
crypto map VPN 2 set peer <pix3>

On Pix3 :
access-list 101 permit ip <lan3> <lan1>
access-list 102 permit ip <lan3> <lan2>
isakmp key <key> address <pix1> mask 255.255.255.255
isakmp key <key> address <pix2> mask 255.255.255.255
crypto map VPN 1 set peer <pix1>
crypto map VPN 2 set peer <pix2>


Finally on each device :
isakmp enable outside

This will enable the VPN.

I think that's about it.  You should now have a functional vpn between your 3 sites.
If you are looking for detailed information about each command and what it does, my suggestion would be to get a book about VPNs on Cisco PIX firewalls.  It will explain this all so much better than I can here.

Good Luck.

0
 
LVL 1

Author Comment

by:logicsolutions
ID: 18033100
When I type in "crypto map VPN 1 match address 101" I get this

ERROR: unable to locate access-list 101
command failed

All the other command where working till I got to that point.
0
 
LVL 1

Expert Comment

by:Sean64
ID: 18033529
Sorry, you'll have to type the "access-list" commands for each router first.
The pix can't apply an access list if you haven't created it yet.

You should see the access-lists above under the specific pix.

i.e.
Pix1
access-list 101 permit ip <lan1> <lan2>
access-list 102 permit ip <lan1> <lan3>
0
 
LVL 4

Expert Comment

by:gmooney7
ID: 18033758
One thing that needs added, is to let the pixes know not to nat the traffic destined for vpn peers.

*PIX 1
access-list nonat permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0

PIX 2
access-list nonat permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0

pix 3
access-list nonat permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0

On all 3 pixes, do this...
nat (inside) 0 access-list nonat

0
 
LVL 1

Author Comment

by:logicsolutions
ID: 18045084
Our client has decided they will not be introducing the third site until February. I will only need to configure Site-to-Site VPN for now. With the ability to add another 3 or 4. I also forgot to mention that each site is using PPPoE. Can I configure the PPPoE client on the 506E PIX to work with the Site-Site VPN.  

Example

------------------------------------ Site to Site VPN with PPPoE enabled on Cisco 506E ------------------------------------

                                 Site A                                                                               Site B

--------------------------           -----------------          -----------         -----------------           -------------------------
| 506E - PPPoE Client | -----> |ADSL Modem|-------|Internet| ------| ADSL Modem|<------|506E - PPPoE Client |
--------------------------           -----------------          -----------         -----------------           -------------------------

                         IP:  61.9.152.174                                                                IP: 60.230.47.59
------------------------------------------------------------------------------------------------------------------------------------

The ADSL Modem is setup in bridge mode and the PIX 506E is using it's built in PPPoE client. The PPPoE client is then given a static IP address from our ISP. This is the current code I have compiled based on everything I have been reading and this board.

I havn't programmed the Cisco 506e Yet but I have put together a txt file with everything I am going to put in it. Here we go. This is a copy of the txt file.


-------------------------------------------------------------------------------------------------------------
Site A = PPPoE with Static IP (61.9.152.174). The static IP is assigned from the ISP upon login.|
-------------------------------------------------------------------------------------------------------------

!Initial Connection Via Hyper Terminal
!=====================================
configure terminal

!Configure Firewall Basic - TLSCRANBOURNE
!======================================
hostname TLSCRANBOURNE
pager lines 24
interface ethernet1 auto
interface ethernet1 auto
ip address inside 10.0.0.254 255.255.255.0
nat (inside) 0 61.9.152.174
mtu outside 1492
mtu inside 1500
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any time-exceeded
access-group inbound in interface outside

!Configure VPN TLSCRANBOURNE -> TLSPAKENHAM
!==========================================
isakmp enable outside
isakmp policy 9 authentication pre-share
isakmp policy 9 encrypt 3des
crypto isakmp key ******** address 60.230.47.59
crypto ipsec transform-set strong esp-3des esp-sha-hmac
access-list 90 permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
nat 0 access-list 90
nat (inside) 1 0 0
global (outside) 1 61.9.152.174
crypto map toTLSPAKENHAM 20 ipsec-isakmp
crypto map toTLSPAKENHAM 20 match address 90
crypto map toTLSPAKENHAM 20 set transform-set strong
crypto map toTLSPAKENHAM 20 set peer 60.230.47.59
crypto map toTLSPAKENHAM interface outside
sysopt connection permit-ipsec

!Configure PPPoE ADSL - TLSCRANBOURNE
!====================================
vpdn group TLSCRANBOURNE request dialout pppoe
vpdn group TLSCRANBOURNE ppp authentication PAP
vpdn group TLSCRANBOURNE localname myusername
vpdn username myusername password ******** [store-local]
ip address ifName pppoe [setroute]
ip address outside pppoe
ip address outside dhcp [setroute] [retry retry_cnt]


!Configure Inside DHCP Server - TLSCRANBOURNE
!================================
dhcpd address 10.0.0.40-10.0.0.90 inside
dhcpd dns 144.140.70.30 144.140.71.16
dhcpd lease 691200
dhcpd domain mydomain.com
dhcpd enable inside

!Save Configuration
============
write memory

-----------------------------------------------------------------


-------------------------------------------------------------------------------------------------------------
Site B = PPPoE with Static IP (60.230.47.59). The static IP is assigned from the ISP upon login.|
-------------------------------------------------------------------------------------------------------------


!Initial Connection Via Hyper Terminal
!=====================================
configure terminal


!Configure Firewall Basic - TLSPAKENHAM
!======================================
hostname TLSPAKENHAM
pager lines 24
interface ethernet1 auto
interface ethernet1 auto
ip address inside 10.0.1.254 255.255.255.0
nat (inside) 0 60.230.47.59
mtu outside 1492
mtu inside 1500
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any time-exceeded
access-group inbound in interface outside



!Configure VPN TLSPAKENHAM -> TLSCRANBOURNE
!==========================================
isakmp enable outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encrypt 3des
crypto isakmp key ******** address 61.9.152.174
crypto ipsec transform-set strong esp-3des esp-sha-hmac
access-list 80 permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat 0 access-list 80
nat (inside) 1 0 0
global (outside) 1 60.230.47.59
crypto map TLSCRANBOURNE 20 ipsec-isakmp
crypto map TLSCRANBOURNE 20 match address 80
crypto map TLSCRANBOURNE 20 set transform-set strong
crypto map TLSCRANBOURNE 20 set peer 61.9.152.174
crypto map TLSCRANBOURNE interface outside
sysopt connection permit-ipsec

!Configure PPPoE ADSL - TLSPAKENHAM
!==================================
vpdn group TLSPAKENHAM request dialout pppoe
vpdn group TLSPAKENHAM ppp authentication PAP
vpdn group TLSPAKENHAM localname myusername
vpdn username myusername password ******** [store-local]
ip address ifName pppoe [setroute]
ip address outside pppoe
ip address outside dhcp [setroute] [retry retry_cnt]

!Configure Inside DHCP Server - TLSPAKENHAM
!==============================
dhcpd address 10.0.1.40-10.0.1.90 inside
dhcpd dns 144.140.70.30 144.140.71.16
dhcpd lease 691200
dhcpd domain mydomain.com
dhcpd enable inside


!Save Configuration
============
write memory

----------------------------------------------------------------------


Will the above configuration work for a Site-to-Site VPN. Also will it allow me to add another couple of sites later on should the client request it. I don't know what the code above means but in reading everything and trying to break it down in steps I am hoping that I have covered all area's. This is my first time at trying to program Cisco equipment.

Really appreciate all the help guys. If I missed any steps please correct me. I really only have one shot to get this installed right.

Thanks heaps.


0
 
LVL 4

Expert Comment

by:gmooney7
ID: 18046411
I'm at work right now, and don't have enough time to give you full complete configuration for both boxes, but you're on the right track.  Here are a couple things i see right away that you need....

Apply these changes to both pixes, replace ip's where necessary.  


no nat (inside) 0 61.9.152.174  !!!!Site A,replace ip for site B
nat (inside) 1 0.0.0.0 0.0.0.0 0 0 !!Site A and B
isakmp policy 9 hash sha    !!!!!For site A only
isakmp policy 9 group 2  !!!!For site A only
isakmp policy 8 hash sha !!! site B
isakmp policy 8 group 2 !!!site B
no global (outside) 1 61.9.152.174  !!Site A,replace ip for site B
global (outside) 1 interface  !Site A and B
isakmp identity address  !!!site A and B
isakmp nat-traversal 20  !!!site A and B

*instead of "crypto isakmp key ******** address 60.230.47.59"  use
crypto isakmp key ******** address 60.230.47.59 no-xauth

replace ip for other site of course


To add other sites, you just replicate the information in incrementing policy numbers, like so..

crypto map TLSCRANBOURNE 30 ipsec-isakmp
crypto map TLSCRANBOURNE 30 match address 80 !!Add new rule to acl 80 for inside ip range of new site!!!
crypto map TLSCRANBOURNE 30 set transform-set strong
crypto map TLSCRANBOURNE 30 set peer x.x.x.x ! ip of new site


Basically, you make sure all of the information is the same for every site when it comes to isakmp, etc policies - you just replace ip's where necessary.

I hope this helps.  Haven't spent but 10 minutes on this....
0
 
LVL 4

Expert Comment

by:gmooney7
ID: 18046507
omg, ie7 died when i hit submit and i thought for sure i lost all that i just wrote.  I'm using opera now, thank God for opera! (i've been testing ie7, but not happy with it)
0
 
LVL 1

Author Comment

by:logicsolutions
ID: 18049491
Based on the previous recommendations I have made the alterations. Is this OK?

-------------------------------------------------------------------------------------------------------------
Site A = PPPoE with Static IP (61.9.152.174). The static IP is assigned from the ISP upon login.|
-------------------------------------------------------------------------------------------------------------

!Initial Connection Via Hyper Terminal
!=====================================
configure terminal

!Configure Firewall Basic - TLSCRANBOURNE
!======================================
hostname TLSCRANBOURNE
pager lines 24
interface ethernet1 auto
interface ethernet1 auto
ip address inside 10.0.0.254 255.255.255.0
no nat (inside) 0 61.9.152.174
mtu outside 1492
mtu inside 1500
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any time-exceeded
access-group inbound in interface outside

!Configure VPN TLSCRANBOURNE -> TLSPAKENHAM
!==========================================
isakmp enable outside
isakmp policy 9 authentication pre-share
isakmp policy 9 encrypt 3des
isakmp policy 9 hash sha
isakmp policy 9 group 2
isakmp identity address
isakmp nat-traversal 20
crypto isakmp key ******** address 60.230.47.59 no-xauth
crypto ipsec transform-set strong esp-3des esp-sha-hmac
access-list 90 permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
nat 0 access-list 90
nat (inside) 1 0.0.0.0 0.0.0.0
no global (outside) 1 61.9.152.174
global (outside) 1 interface
crypto map toTLSPAKENHAM 20 ipsec-isakmp
crypto map toTLSPAKENHAM 20 match address 90
crypto map toTLSPAKENHAM 20 set transform-set strong
crypto map toTLSPAKENHAM 20 set peer 60.230.47.59
crypto map toTLSPAKENHAM interface outside
sysopt connection permit-ipsec

!Configure PPPoE ADSL - TLSCRANBOURNE
!====================================
vpdn group TLSCRANBOURNE request dialout pppoe
vpdn group TLSCRANBOURNE ppp authentication PAP
vpdn group TLSCRANBOURNE localname myusername
vpdn username myusername password ******** [store-local]
ip address ifName pppoe [setroute]
ip address outside pppoe
ip address outside dhcp [setroute] [retry retry_cnt]


!Configure Inside DHCP Server - TLSCRANBOURNE
!================================
dhcpd address 10.0.0.40-10.0.0.90 inside
dhcpd dns 144.140.70.30 144.140.71.16
dhcpd lease 691200
dhcpd domain mydomain.com
dhcpd enable inside

!Save Configuration
============
write memory

-----------------------------------------------------------------


-------------------------------------------------------------------------------------------------------------
Site B = PPPoE with Static IP (60.230.47.59). The static IP is assigned from the ISP upon login.|
-------------------------------------------------------------------------------------------------------------


!Initial Connection Via Hyper Terminal
!=====================================
configure terminal


!Configure Firewall Basic - TLSPAKENHAM
!======================================
hostname TLSPAKENHAM
pager lines 24
interface ethernet1 auto
interface ethernet1 auto
ip address inside 10.0.1.254 255.255.255.0
no nat (inside) 0 60.230.47.59
mtu outside 1492
mtu inside 1500
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any time-exceeded
access-group inbound in interface outside



!Configure VPN TLSPAKENHAM -> TLSCRANBOURNE
!==========================================
isakmp enable outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encrypt 3des
isakmp policy 8 hash sha
isakmp policy 8 group 2
isakmp identity address
isakmp nat-traversal 20
crypto isakmp key ******** address 61.9.152.174 no-xauth
crypto ipsec transform-set strong esp-3des esp-sha-hmac
access-list 80 permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0
no global (outside) 1 60.230.47.59
global (outside) 1 interface
crypto map TLSCRANBOURNE 20 ipsec-isakmp
crypto map TLSCRANBOURNE 20 match address 80
crypto map TLSCRANBOURNE 20 set transform-set strong
crypto map TLSCRANBOURNE 20 set peer 61.9.152.174
crypto map TLSCRANBOURNE interface outside
sysopt connection permit-ipsec

!Configure PPPoE ADSL - TLSPAKENHAM
!==================================
vpdn group TLSPAKENHAM request dialout pppoe
vpdn group TLSPAKENHAM ppp authentication PAP
vpdn group TLSPAKENHAM localname myusername
vpdn username myusername password ******** [store-local]
ip address ifName pppoe [setroute]
ip address outside pppoe
ip address outside dhcp [setroute] [retry retry_cnt]

!Configure Inside DHCP Server - TLSPAKENHAM
!==============================
dhcpd address 10.0.1.40-10.0.1.90 inside
dhcpd dns 144.140.70.30 144.140.71.16
dhcpd lease 691200
dhcpd domain mydomain.com
dhcpd enable inside


!Save Configuration
============
write memory

----------------------------------------------------------------------

Once we have all agreed on the final command I will put them into the Cisco PIX 506E. Is there anything I am missing or anything which needs alteration.

We are hoping to achieve the following.

1. Secure VPN between both sites
2. Traffic for for each local network to pass through VPN. All other traffic to go through local gateway to internet.

I'm sorry to burden you all with such newbie questions. I am really learning alot though. Thanks heaps guys.
0
 
LVL 4

Expert Comment

by:gmooney7
ID: 18049625
A couple things I notice right away on your nat statements
Instead of
nat 0 access-list 90 (for site A)
should be
nat (inside) 0 access-list 90

Same for site B

As for your pppoe config, i can't remember off the top of my head what its supposed to be.  I just configured a 506 for pppoe last week, so I should know! too much going on and i'm sickly this afternoon.

You simply need this for your pppoe...i think.
ip address outside pppoe setroute
vpdn group 1 request dialout pppoe
vpdn group 1 localname xxxxxx@xxxxx.com
vpdn group 1 ppp authentication pap
vpdn username xxxxx@xxxxx.com password *********

your dhcp configuration looks good.

Give it a shot!  If you get errors upon entering your isakmp/ipsec commands, let me know.  They aren't in quite the right order the way you have them, but may still work, even though it complains.  You must also enter in all access lists before you can actually call them, as well.

Good luck!
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 1

Author Comment

by:logicsolutions
ID: 18050194
I will put the modification to replace (Site A) nat 0 access-list 90 & (Site B) nat 0 access-list 80

with

Site A

nat (inside) 0 access-list 90


&

Site B

nat (inside) 0 access-list 80

-----------------------------------------

It's amazing how with all this Cisco stuff the code changes every time. \o/

Is it safe to assume we all agree on the configuration? Including the exact order it should be in?

Big Thanks again guys. This is great.
0
 
LVL 4

Accepted Solution

by:
gmooney7 earned 250 total points
ID: 18050944
Site A
!!!!
hostname TLSCRANBOURNE
domain-name yourdomainname
pager lines 24
interface ethernet1 auto
interface ethernet1 auto
ip address inside 10.0.0.254 255.255.255.0
ip address outside pppoe setroute
no nat (inside) 0 61.9.152.174
mtu outside 1492
mtu inside 1500
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any time-exceeded
access-list 90 permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-group inbound in interface outside
nat (inside) 0 access-list 90
nat (inside) 1 0.0.0.0 0.0.0.0
no global (outside) 1 61.9.152.174
global (outside) 1 interface
sysopt connection permit-ipsec
crypto isakmp key ******** address 60.230.47.59 no-xauth
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map toTLSPAKENHAM 20 ipsec-isakmp
crypto map toTLSPAKENHAM 20 match address 90
crypto map toTLSPAKENHAM 20 set transform-set strong
crypto map toTLSPAKENHAM 20 set peer 60.230.47.59
crypto map toTLSPAKENHAM interface outside
isakmp enable outside
isakmp policy 9 authentication pre-share
isakmp policy 9 encrypt 3des
isakmp policy 9 hash sha
isakmp policy 9 group 2
isakmp identity address
isakmp nat-traversal 20
vpdn group TLSCRANBOURNE request dialout pppoe
vpdn group TLSCRANBOURNE ppp authentication PAP
vpdn group TLSCRANBOURNE localname myusername
vpdn username myusername password ********
dhcpd address 10.0.0.40-10.0.0.90 inside
dhcpd dns 144.140.70.30 144.140.71.16
dhcpd lease 691200
dhcpd domain mydomain.com
dhcpd enable inside
!For remote access with telnet, including interface
telnet 10.0.0.0 255.255.255.0 inside
telnet 10.0.1.0 255.255.255.0 outside
!For ssh access
ca generate rsa key 1024
ca save all
!Allowed ssh hosts along with interfaces allowed in on
ssh 10.0.0.0 255.255.255.0 inside
ssh 10.0.1.0 255.255.255.0 outside
!pdm access
http server enable
http 10.0.0.0 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 outside
pdm location 10.0.0.0 255.255.255.0 inside
pdm location 10.0.1.0 255.255.255.0 outside
wri mem


Site B
hostname TLSPAKENHAM
domain-name yourdomainname
pager lines 24
interface ethernet1 auto
interface ethernet1 auto
ip address inside 10.0.1.254 255.255.255.0
ip address outside pppoe setroute
no nat (inside) 0 60.230.47.59
mtu outside 1492
mtu inside 1500
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any time-exceeded
access-list 80 permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-group inbound in interface outside
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0
no global (outside) 1 60.230.47.59
global (outside) 1 interface
sysopt connection permit-ipsec
crypto isakmp key ******** address 61.9.152.174 no-xauth
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map TLSCRANBOURNE 20 ipsec-isakmp
crypto map TLSCRANBOURNE 20 match address 80
crypto map TLSCRANBOURNE 20 set transform-set strong
crypto map TLSCRANBOURNE 20 set peer 61.9.152.174
crypto map TLSCRANBOURNE interface outside
isakmp enable outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encrypt 3des
isakmp policy 8 hash sha
isakmp policy 8 group 2
isakmp identity address
isakmp nat-traversal 20
vpdn group TLSPAKENHAM request dialout pppoe
vpdn group TLSPAKENHAM ppp authentication PAP
vpdn group TLSPAKENHAM localname myusername
vpdn username myusername password ********
dhcpd address 10.0.1.40-10.0.1.90 inside
dhcpd dns 144.140.70.30 144.140.71.16
dhcpd lease 691200
dhcpd domain mydomain.com
dhcpd enable inside
!For remote access with telnet, including interface
telnet 10.0.0.0 255.255.255.0 outside
telnet 10.0.1.0 255.255.255.0 inside
!For ssh access
ca generate rsa key 1024
ca save all
!Allowed ssh hosts along with interfaces allowed in on
ssh 10.0.0.0 255.255.255.0 outside
ssh 10.0.1.0 255.255.255.0 inside
!pdm access
http server enable
http 10.0.0.0 255.255.255.0 outside
http 10.0.1.0 255.255.255.0 inside
pdm location 10.0.0.0 255.255.255.0 outside
pdm location 10.0.1.0 255.255.255.0 inside
write memory
!


Let me know if you experience any trouble.  These SHOULD work, should being the key word.  cross your fingers. If it doesn't, it isn't a long way off from being right.  
0
 
LVL 4

Expert Comment

by:gmooney7
ID: 18050964
To test, add this configuration to both.  Just a real quick indicator.

management-access inside

Then, do this, from site A to Site B
ping inside 10.0.1.254

Hopefully you'll be seeing replies.  But, just because you see replies, does not mean its working perfect.  If there is a host you can ping on the other end inside the remote network, do that.  its possible that you can ping the inside int of the remote pix, and still not have your nat setup correctly so vpn bound traffic from remotes hosts gets nat'd instead of being passed over the vpn.

Then from the other side
management-access inside
ping inside 10.0.0.254

Again, test a host inside remote network if you can.

Good luck!
0
 
LVL 1

Author Comment

by:logicsolutions
ID: 18063054
I really appreciate all the help you guys have put into helping me.

I will be onsite today and will report back the results. Many Thanks all you Experts.

God Bless you All.
0
 
LVL 1

Author Comment

by:logicsolutions
ID: 18065541
I get this when trying to access the Cisco Pix using the PDM.

'pdm does not support multiple uses of access control list'

I get this error after using the above configuration. Is that normal?
0
 
LVL 4

Expert Comment

by:gmooney7
ID: 18065579
I thought something might come of the fact that you are using the same acl to specify what traffic is not to be nat'd, and the acl that instructs the pix which traffic to send over the vpn.

So, do this.
Site A
access-list nonat permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
no nat (inside) 0 access-list 90
nat (inside) 0 access-list nonat

Site B
access-list nonat permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
no nat (inside) 0 access-list 80
nat (inside) 0 access-list nonat

do a 'wri mem' on both of them, and you're done.

Try pdm again after doing that.


0
 
LVL 1

Author Comment

by:logicsolutions
ID: 18066067
Thanks gmooney. PDM Now working. About to go onsite in 2 hours. Praying everything works. Will post back soon.
0
 
LVL 1

Author Comment

by:logicsolutions
ID: 18145450
GMooney I can't thank you enough. Everything is working really well. I played around alittle more with some extra port forwarding but everything as it was listed above worked a treat.

Just one more question though. I can ping back and forward between both sites but I cannot ping each router from another site.

Example.

Site A can ping Site A PIX

Site A cannot ping Site B PIX

This problem is at both sites.

But I can successfully Ping all other address' between sites. Site A Computers can ping Site B Computers and vice versa. I just can't ping the Routers or manage them via telnet TCP/IP between sites.

Thanks again GMooney your a life saver.

God Bless you.
0
 
LVL 4

Expert Comment

by:gmooney7
ID: 18146166
A quick and dirty solution is this, but I don't recommend using conduits for anything else unless you can help it...

conduit permit icmp any any

I don't think the pdm will complain about this if I remember right.  If you mix too many conduits and acl's, the pdm will not let you enter configuration mode because it cant support the use of mixed conduits/acl's.
0
 
LVL 4

Expert Comment

by:gmooney7
ID: 18146201
You might also add
management-access inside

and also do this, where x.x.x.x is the public ip address of the remote pix that you want to administer the local pix from
ssh x.x.x.x 255.255.255.x outside
telnet x.x.x.x 255.255.255.x outside

0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now