Cisco Pix 506E Site-to-Site-to-Site VPN Configuration

Asked by logicsolutions (Australia):
Hi Experts,

I have the following scenario.

Site A
-------
Internal IP Range: 10.0.0.0 / 255.255.255.0

Example Site A has 1 Static IP from ISP = 61.88.99.100

Cisco 506E -> ADSL Modem

Site B
-------
Internal IP Range: 10.0.1.0 / 255.255.255.0

Example Site B has 1 Static IP from ISP = 61.88.99.103

Cisco 506E -> ADSL Modem


Site C
-------
Internal IP Range: 10.0.2.0 / 255.255.255.0

Example Site C has 1 Static IP from ISP = 61.88.99.106

Cisco 506E -> ADSL Modem


This is my first time setting up Cisco hardware. How do I go about creating a VPN between all three sites? I have heard the VPN Wizard is a good place to start. Can you please describe it in absolute detail, as I will be documenting the whole process for my colleagues. I will also be setting up the hardware onsite for a client tomorrow at three locations and allowing all three sites to communicate via VPN.

We also require each site to be able to have internet access via its own gateway. Example:

Site A - Site B - Site C are all connected via VPN. We would like all external internet traffic for each site to go out through that site and not via the VPN tunnel. We can't have all the resources being chewed up at one end. The only traffic we would like to see go down the VPN tunnel is that traffic which is only for the VPN tunnel, i.e. 10.0.0.0, 10.0.1.0, 10.0.2.0 etc.

I really appreciate all the help Experts. Many Thanks in advance.

PS. This is the first time I am setting up Cisco hardware, so I really need a step-by-step guide on how to go about setting up each Cisco 506E appliance. A basic secure VPN between all three sites is all I require.
Sean64 answered:

On each PIX enter the following commands :
sysopt connection permit-ipsec
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
crypto ipsec transform-set VPN_TS esp-3des esp-md5-hmac
crypto map VPN 1 ipsec-isakmp
crypto map VPN 1 match address 101
crypto map VPN 1 set transform-set VPN_TS
crypto map VPN 2 ipsec-isakmp
crypto map VPN 2 match address 102
crypto map VPN 2 set transform-set VPN_TS


In the commands below, replace <key> with a "password" type string. This will be your VPN encryption key. Also replace <pix1> <pix2> <pix3> with the outside IP addresses of the PIX devices.
<lan1> <lan2> <lan3> should be the local lan network in the following format:
Network     Subnet Mask
192.168.0.0 255.255.255.0

On Pix1 :
access-list 101 permit ip <lan1> <lan2>
access-list 102 permit ip <lan1> <lan3>
isakmp key <key> address <pix2> netmask 255.255.255.255
isakmp key <key> address <pix3> netmask 255.255.255.255
crypto map VPN 1 set peer <pix2>
crypto map VPN 2 set peer <pix3>

On Pix2 :
access-list 101 permit ip <lan2> <lan1>
access-list 102 permit ip <lan2> <lan3>
isakmp key <key> address <pix1> netmask 255.255.255.255
isakmp key <key> address <pix3> netmask 255.255.255.255
crypto map VPN 1 set peer <pix1>
crypto map VPN 2 set peer <pix3>

On Pix3 :
access-list 101 permit ip <lan3> <lan1>
access-list 102 permit ip <lan3> <lan2>
isakmp key <key> address <pix1> netmask 255.255.255.255
isakmp key <key> address <pix2> netmask 255.255.255.255
crypto map VPN 1 set peer <pix1>
crypto map VPN 2 set peer <pix2>


Finally on each device :
crypto map VPN interface outside
isakmp enable outside

This will enable the VPN.

I think that's about it. You should now have a functional VPN between your 3 sites.
If you are looking for detailed information about each command and what it does, my suggestion would be to get a book about VPNs on Cisco PIX firewalls. It will explain all this so much better than I can here.

Good Luck.
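The recipe above, written out for every site by hand, is a full mesh: each PIX gets one crypto ACL, one no-NAT entry, one pre-shared key and one crypto map entry per peer, all from the same shared ISAKMP policy and transform set. The following generator builds exactly that command list for any number of sites (so a fourth or fifth site is one more dictionary entry) and emits the lines in the order the PIX needs them. It is an added example, not code from Sean64's post or from Cisco: the site names and addresses are the constructed ones from the question, the key is a placeholder, the function names are this example's own, and the `netmask ... no-xauth` form follows the PIX 6.x `isakmp key` syntax.

```python
"""Full-mesh Cisco PIX 6.x site-to-site IPsec generator (added example)."""

# constructed from the question: name -> (outside IP, inside network, mask)
SITES = {
    "pix1": ("61.88.99.100", "10.0.0.0", "255.255.255.0"),
    "pix2": ("61.88.99.103", "10.0.1.0", "255.255.255.0"),
    "pix3": ("61.88.99.106", "10.0.2.0", "255.255.255.0"),
}

# identical on every PIX: phase 1 policy and phase 2 transform set
COMMON = [
    "sysopt connection permit-ipsec",
    "isakmp identity address",
    "isakmp policy 10 authentication pre-share",
    "isakmp policy 10 encryption 3des",
    "isakmp policy 10 hash sha",
    "isakmp policy 10 group 2",
    "crypto ipsec transform-set VPN_TS esp-3des esp-sha-hmac",
]


def site_config(name, sites, psk, map_name="VPN"):
    """Return the ordered command list for one PIX in a full mesh.

    psk is either one string shared by every pair (as in the recipe) or a
    dict keyed by frozenset({site, peer}) so that each pair gets its own key.
    """
    _, net, mask = sites[name]
    peers = [(p, v) for p, v in sites.items() if p != name]
    lines = list(COMMON)
    # Every ACL is defined before anything references it; otherwise the PIX
    # answers "unable to locate access-list" on the crypto map line.
    for seq, (_, (_, pnet, pmask)) in enumerate(peers, start=101):
        lines.append(f"access-list {seq} permit ip {net} {mask} {pnet} {pmask}")
    # One separate no-NAT ACL covering every tunnel: traffic matching it is
    # never translated, so it can match the crypto ACL and be encrypted.
    for _, (_, pnet, pmask) in peers:
        lines.append(f"access-list nonat permit ip {net} {mask} {pnet} {pmask}")
    lines.append("nat (inside) 0 access-list nonat")
    for seq, (peer, (pip, _, _)) in enumerate(peers, start=101):
        key = psk[frozenset((name, peer))] if isinstance(psk, dict) else psk
        idx = seq - 100
        lines += [
            f"isakmp key {key} address {pip} netmask 255.255.255.255 no-xauth",
            f"crypto map {map_name} {idx} ipsec-isakmp",
            f"crypto map {map_name} {idx} match address {seq}",
            f"crypto map {map_name} {idx} set peer {pip}",
            f"crypto map {map_name} {idx} set transform-set VPN_TS",
        ]
    # The map does nothing until it is bound to the interface ISAKMP listens on.
    lines += [f"crypto map {map_name} interface outside", "isakmp enable outside"]
    return lines


def full_mesh(sites, psk):
    """name -> command list, for every site in the mesh."""
    return {name: site_config(name, sites, psk) for name in sites}


if __name__ == "__main__":
    for site, cmds in full_mesh(SITES, "CHANGE-ME").items():
        print(f"! ---- {site} ----")
        print("\n".join(cmds))
```

The output for pix1 is the same set of lines as the recipe for Pix1 above, with the no-NAT ACL and the interface binding included; passing a dict of per-pair keys instead of one string means a key leaked at one site does not let that site impersonate every other peer.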

logicsolutions (asker):

When I type in "crypto map VPN 1 match address 101" I get this

ERROR: unable to locate access-list 101
command failed

All the other commands were working till I got to that point.

Sorry, you'll have to type the "access-list" commands for each router first.
The PIX can't apply an access list if you haven't created it yet.

You should see the access-lists above under the specific pix.

i.e.
Pix1
access-list 101 permit ip <lan1> <lan2>
access-list 102 permit ip <lan1> <lan3>

One thing that needs to be added is to let the PIXes know not to NAT the traffic destined for VPN peers.

PIX 1
access-list nonat permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0

PIX 2
access-list nonat permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0

PIX 3
access-list nonat permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0

On all 3 pixes, do this...
nat (inside) 0 access-list nonat


Our client has decided they will not be introducing the third site until February. I will only need to configure a site-to-site VPN for now, with the ability to add another 3 or 4. I also forgot to mention that each site is using PPPoE. Can I configure the PPPoE client on the 506E PIX to work with the site-to-site VPN?

Example

------------------------------------ Site to Site VPN with PPPoE enabled on Cisco 506E ------------------------------------

                                 Site A                                                                               Site B

--------------------------           -----------------          -----------         -----------------           -------------------------
| 506E - PPPoE Client | -----> |ADSL Modem|-------|Internet| ------| ADSL Modem|<------|506E - PPPoE Client |
--------------------------           -----------------          -----------         -----------------           -------------------------

                         IP:  61.9.152.174                                                                IP: 60.230.47.59
------------------------------------------------------------------------------------------------------------------------------------

The ADSL modem is set up in bridge mode and the PIX 506E is using its built-in PPPoE client. The PPPoE client is then given a static IP address by our ISP. This is the current code I have compiled based on everything I have been reading and this board.

I haven't programmed the Cisco 506E yet, but I have put together a txt file with everything I am going to put in it. Here we go. This is a copy of the txt file.


-------------------------------------------------------------------------------------------------------------
Site A = PPPoE with Static IP (61.9.152.174). The static IP is assigned from the ISP upon login.|
-------------------------------------------------------------------------------------------------------------

!Initial Connection Via Hyper Terminal
!=====================================
configure terminal

!Configure Firewall Basic - TLSCRANBOURNE
!======================================
hostname TLSCRANBOURNE
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
ip address inside 10.0.0.254 255.255.255.0
nat (inside) 0 61.9.152.174
mtu outside 1492
mtu inside 1500
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any time-exceeded
access-group inbound in interface outside

!Configure VPN TLSCRANBOURNE -> TLSPAKENHAM
!==========================================
isakmp enable outside
isakmp policy 9 authentication pre-share
isakmp policy 9 encrypt 3des
crypto isakmp key ******** address 60.230.47.59
crypto ipsec transform-set strong esp-3des esp-sha-hmac
access-list 90 permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
nat 0 access-list 90
nat (inside) 1 0 0
global (outside) 1 61.9.152.174
crypto map toTLSPAKENHAM 20 ipsec-isakmp
crypto map toTLSPAKENHAM 20 match address 90
crypto map toTLSPAKENHAM 20 set transform-set strong
crypto map toTLSPAKENHAM 20 set peer 60.230.47.59
crypto map toTLSPAKENHAM interface outside
sysopt connection permit-ipsec

!Configure PPPoE ADSL - TLSCRANBOURNE
!====================================
vpdn group TLSCRANBOURNE request dialout pppoe
vpdn group TLSCRANBOURNE ppp authentication PAP
vpdn group TLSCRANBOURNE localname myusername
vpdn username myusername password ******** [store-local]
ip address ifName pppoe [setroute]
ip address outside pppoe
ip address outside dhcp [setroute] [retry retry_cnt]


!Configure Inside DHCP Server - TLSCRANBOURNE
!================================
dhcpd address 10.0.0.40-10.0.0.90 inside
dhcpd dns 144.140.70.30 144.140.71.16
dhcpd lease 691200
dhcpd domain mydomain.com
dhcpd enable inside

!Save Configuration
!==================
write memory

-----------------------------------------------------------------


-------------------------------------------------------------------------------------------------------------
Site B = PPPoE with Static IP (60.230.47.59). The static IP is assigned from the ISP upon login.|
-------------------------------------------------------------------------------------------------------------


!Initial Connection Via Hyper Terminal
!=====================================
configure terminal


!Configure Firewall Basic - TLSPAKENHAM
!======================================
hostname TLSPAKENHAM
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
ip address inside 10.0.1.254 255.255.255.0
nat (inside) 0 60.230.47.59
mtu outside 1492
mtu inside 1500
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any time-exceeded
access-group inbound in interface outside



!Configure VPN TLSPAKENHAM -> TLSCRANBOURNE
!==========================================
isakmp enable outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encrypt 3des
crypto isakmp key ******** address 61.9.152.174
crypto ipsec transform-set strong esp-3des esp-sha-hmac
access-list 80 permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat 0 access-list 80
nat (inside) 1 0 0
global (outside) 1 60.230.47.59
crypto map TLSCRANBOURNE 20 ipsec-isakmp
crypto map TLSCRANBOURNE 20 match address 80
crypto map TLSCRANBOURNE 20 set transform-set strong
crypto map TLSCRANBOURNE 20 set peer 61.9.152.174
crypto map TLSCRANBOURNE interface outside
sysopt connection permit-ipsec

!Configure PPPoE ADSL - TLSPAKENHAM
!==================================
vpdn group TLSPAKENHAM request dialout pppoe
vpdn group TLSPAKENHAM ppp authentication PAP
vpdn group TLSPAKENHAM localname myusername
vpdn username myusername password ******** [store-local]
ip address ifName pppoe [setroute]
ip address outside pppoe
ip address outside dhcp [setroute] [retry retry_cnt]

!Configure Inside DHCP Server - TLSPAKENHAM
!==============================
dhcpd address 10.0.1.40-10.0.1.90 inside
dhcpd dns 144.140.70.30 144.140.71.16
dhcpd lease 691200
dhcpd domain mydomain.com
dhcpd enable inside


!Save Configuration
!==================
write memory

----------------------------------------------------------------------


Will the above configuration work for a site-to-site VPN? Also, will it allow me to add another couple of sites later on should the client request it? I don't know what the code above means, but in reading everything and trying to break it down into steps I am hoping that I have covered all areas. This is my first time trying to program Cisco equipment.

Really appreciate all the help guys. If I missed any steps please correct me. I really only have one shot to get this installed right.

Thanks heaps.



I'm at work right now and don't have enough time to give you a full, complete configuration for both boxes, but you're on the right track. Here are a couple of things I see right away that you need....

Apply these changes to both PIXes, replacing IPs where necessary.


no nat (inside) 0 61.9.152.174       ! Site A, replace IP for site B
nat (inside) 1 0.0.0.0 0.0.0.0 0 0   ! Site A and B
isakmp policy 9 hash sha             ! Site A only
isakmp policy 9 group 2              ! Site A only
isakmp policy 8 hash sha             ! Site B
isakmp policy 8 group 2              ! Site B
no global (outside) 1 61.9.152.174   ! Site A, replace IP for site B
global (outside) 1 interface         ! Site A and B
isakmp identity address              ! Site A and B
isakmp nat-traversal 20              ! Site A and B

Instead of "crypto isakmp key ******** address 60.230.47.59" use
crypto isakmp key ******** address 60.230.47.59 no-xauth

(replace the IP for the other site, of course)


To add other sites, you just replicate the information with incrementing policy numbers, like so..

crypto map TLSCRANBOURNE 30 ipsec-isakmp
crypto map TLSCRANBOURNE 30 match address 80   ! add a new rule to ACL 80 for the inside IP range of the new site
crypto map TLSCRANBOURNE 30 set transform-set strong
crypto map TLSCRANBOURNE 30 set peer x.x.x.x   ! IP of the new site


Basically, you make sure all of the information is the same for every site when it comes to isakmp policies etc.; you just replace IPs where necessary.

I hope this helps. Haven't spent but 10 minutes on this....

OMG, IE7 died when I hit submit and I thought for sure I had lost all that I just wrote. I'm using Opera now, thank God for Opera! (I've been testing IE7, but I'm not happy with it.)

Based on the previous recommendations I have made the alterations. Is this OK?

-------------------------------------------------------------------------------------------------------------
Site A = PPPoE with Static IP (61.9.152.174). The static IP is assigned from the ISP upon login.|
-------------------------------------------------------------------------------------------------------------

!Initial Connection Via Hyper Terminal
!=====================================
configure terminal

!Configure Firewall Basic - TLSCRANBOURNE
!======================================
hostname TLSCRANBOURNE
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
ip address inside 10.0.0.254 255.255.255.0
no nat (inside) 0 61.9.152.174
mtu outside 1492
mtu inside 1500
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any time-exceeded
access-group inbound in interface outside

!Configure VPN TLSCRANBOURNE -> TLSPAKENHAM
!==========================================
isakmp enable outside
isakmp policy 9 authentication pre-share
isakmp policy 9 encrypt 3des
isakmp policy 9 hash sha
isakmp policy 9 group 2
isakmp identity address
isakmp nat-traversal 20
crypto isakmp key ******** address 60.230.47.59 no-xauth
crypto ipsec transform-set strong esp-3des esp-sha-hmac
access-list 90 permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
nat 0 access-list 90
nat (inside) 1 0.0.0.0 0.0.0.0
no global (outside) 1 61.9.152.174
global (outside) 1 interface
crypto map toTLSPAKENHAM 20 ipsec-isakmp
crypto map toTLSPAKENHAM 20 match address 90
crypto map toTLSPAKENHAM 20 set transform-set strong
crypto map toTLSPAKENHAM 20 set peer 60.230.47.59
crypto map toTLSPAKENHAM interface outside
sysopt connection permit-ipsec

!Configure PPPoE ADSL - TLSCRANBOURNE
!====================================
vpdn group TLSCRANBOURNE request dialout pppoe
vpdn group TLSCRANBOURNE ppp authentication PAP
vpdn group TLSCRANBOURNE localname myusername
vpdn username myusername password ******** [store-local]
ip address ifName pppoe [setroute]
ip address outside pppoe
ip address outside dhcp [setroute] [retry retry_cnt]


!Configure Inside DHCP Server - TLSCRANBOURNE
!================================
dhcpd address 10.0.0.40-10.0.0.90 inside
dhcpd dns 144.140.70.30 144.140.71.16
dhcpd lease 691200
dhcpd domain mydomain.com
dhcpd enable inside

!Save Configuration
!==================
write memory

-----------------------------------------------------------------


-------------------------------------------------------------------------------------------------------------
Site B = PPPoE with Static IP (60.230.47.59). The static IP is assigned from the ISP upon login.|
-------------------------------------------------------------------------------------------------------------


!Initial Connection Via Hyper Terminal
!=====================================
configure terminal


!Configure Firewall Basic - TLSPAKENHAM
!======================================
hostname TLSPAKENHAM
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
ip address inside 10.0.1.254 255.255.255.0
no nat (inside) 0 60.230.47.59
mtu outside 1492
mtu inside 1500
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any time-exceeded
access-group inbound in interface outside



!Configure VPN TLSPAKENHAM -> TLSCRANBOURNE
!==========================================
isakmp enable outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encrypt 3des
isakmp policy 8 hash sha
isakmp policy 8 group 2
isakmp identity address
isakmp nat-traversal 20
crypto isakmp key ******** address 61.9.152.174 no-xauth
crypto ipsec transform-set strong esp-3des esp-sha-hmac
access-list 80 permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0
no global (outside) 1 60.230.47.59
global (outside) 1 interface
crypto map TLSCRANBOURNE 20 ipsec-isakmp
crypto map TLSCRANBOURNE 20 match address 80
crypto map TLSCRANBOURNE 20 set transform-set strong
crypto map TLSCRANBOURNE 20 set peer 61.9.152.174
crypto map TLSCRANBOURNE interface outside
sysopt connection permit-ipsec

!Configure PPPoE ADSL - TLSPAKENHAM
!==================================
vpdn group TLSPAKENHAM request dialout pppoe
vpdn group TLSPAKENHAM ppp authentication PAP
vpdn group TLSPAKENHAM localname myusername
vpdn username myusername password ******** [store-local]
ip address ifName pppoe [setroute]
ip address outside pppoe
ip address outside dhcp [setroute] [retry retry_cnt]

!Configure Inside DHCP Server - TLSPAKENHAM
!==============================
dhcpd address 10.0.1.40-10.0.1.90 inside
dhcpd dns 144.140.70.30 144.140.71.16
dhcpd lease 691200
dhcpd domain mydomain.com
dhcpd enable inside


!Save Configuration
!==================
write memory

----------------------------------------------------------------------

Once we have all agreed on the final command I will put them into the Cisco PIX 506E. Is there anything I am missing or anything which needs alteration.

We are hoping to achieve the following.

1. Secure VPN between both sites
2. Traffic for each local network to pass through the VPN. All other traffic to go through the local gateway to the internet.

I'm sorry to burden you all with such newbie questions. I am really learning a lot, though. Thanks heaps guys.

A couple of things I notice right away on your nat statements. Instead of
nat 0 access-list 90 (for site A)
it should be
nat (inside) 0 access-list 90

Same for site B

As for your PPPoE config, I can't remember off the top of my head what it's supposed to be. I just configured a 506 for PPPoE last week, so I should know! Too much going on, and I'm sickly this afternoon.

You simply need this for your PPPoE... I think.
ip address outside pppoe setroute
vpdn group 1 request dialout pppoe
vpdn group 1 localname xxxxxx@xxxxx.com
vpdn group 1 ppp authentication pap
vpdn username xxxxx@xxxxx.com password *********

your dhcp configuration looks good.

Give it a shot! If you get errors upon entering your isakmp/ipsec commands, let me know. They aren't in quite the right order the way you have them, but they may still work, even though it complains. You must also enter all access lists before you can actually call them, as well.

Good luck!

I will put in the modification to replace (Site A) nat 0 access-list 90 & (Site B) nat 0 access-list 80

with

Site A

nat (inside) 0 access-list 90




Site B

nat (inside) 0 access-list 80

-----------------------------------------

It's amazing how with all this Cisco stuff the code changes every time. \o/

Is it safe to assume we all agree on the configuration? Including the exact order it should be in?

Big Thanks again guys. This is great.
ASKER CERTIFIED SOLUTION by gmooney7 (the accepted solution's text is not shown on this page)

To test, add this configuration to both.  Just a real quick indicator.

management-access inside

Then, do this, from site A to Site B
ping inside 10.0.1.254

Hopefully you'll be seeing replies. But just because you see replies does not mean it's working perfectly. If there is a host you can ping on the other end inside the remote network, do that. It's possible that you can ping the inside interface of the remote PIX and still not have your NAT set up correctly, so VPN-bound traffic from remote hosts gets NATed instead of being passed over the VPN.

Then from the other side
management-access inside
ping inside 10.0.0.254

Again, test a host inside remote network if you can.

Good luck!

I really appreciate all the help you guys have put into helping me.

I will be onsite today and will report back the results. Many Thanks all you Experts.

God Bless you All.

I get this when trying to access the Cisco PIX using the PDM.

'pdm does not support multiple uses of access control list'

I get this error after using the above configuration. Is that normal?

I thought something might come of the fact that you are using the same ACL to specify what traffic is not to be NATed and the ACL that instructs the PIX which traffic to send over the VPN.

So, do this.
Site A
access-list nonat permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
no nat (inside) 0 access-list 90
nat (inside) 0 access-list nonat

Site B
access-list nonat permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
no nat (inside) 0 access-list 80
nat (inside) 0 access-list nonat

do a 'wri mem' on both of them, and you're done.

Try pdm again after doing that.
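Before two configs like the ones above are pasted into the boxes, the things that silently break a PIX-to-PIX tunnel can be checked off the text: a phase 1 policy that agrees on all four attributes, a transform set with an equal on the peer, the peer address pointing at the other side, a crypto ACL that is the exact mirror image of the peer's (the phase 2 proxy identities), and a nat 0 ACL that covers every tunnel without being the same ACL the crypto map uses (the reuse PDM refuses). The checker below does that for a pair of configs. It is an added example, not code from the thread: SITE_A and SITE_B are trimmed copies of the two final site configs with the separate nonat ACL applied, and parse, mirror, check_pair and the message texts are this example's own.

```python
"""Consistency checks for a pair of PIX 6.x site-to-site configs (added example)."""
import re

SITE_A = """
isakmp policy 9 authentication pre-share
isakmp policy 9 encrypt 3des
isakmp policy 9 hash sha
isakmp policy 9 group 2
crypto ipsec transform-set strong esp-3des esp-sha-hmac
access-list 90 permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map toTLSPAKENHAM 20 ipsec-isakmp
crypto map toTLSPAKENHAM 20 match address 90
crypto map toTLSPAKENHAM 20 set transform-set strong
crypto map toTLSPAKENHAM 20 set peer 60.230.47.59
crypto map toTLSPAKENHAM interface outside
"""

SITE_B = """
isakmp policy 8 authentication pre-share
isakmp policy 8 encrypt 3des
isakmp policy 8 hash sha
isakmp policy 8 group 2
crypto ipsec transform-set strong esp-3des esp-sha-hmac
access-list 80 permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map TLSCRANBOURNE 20 ipsec-isakmp
crypto map TLSCRANBOURNE 20 match address 80
crypto map TLSCRANBOURNE 20 set transform-set strong
crypto map TLSCRANBOURNE 20 set peer 61.9.152.174
crypto map TLSCRANBOURNE interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
POLICY_RE = re.compile(r"^isakmp policy (\d+) (\S+) (\S+)$")
TSET_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
MAP_RE = re.compile(r"^crypto map \S+ (\d+) (match address|set peer|set transform-set) (\S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")
PHASE1 = ("authentication", "encryption", "hash", "group")


def parse(cfg):
    """Collect ACL entries, isakmp policies, transform sets, crypto map entries and the nat 0 ACL."""
    acls, policies, tsets, maps, nat0 = {}, {}, {}, {}, None
    for line in cfg.strip().splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append(m.groups()[1:])   # (src, mask, dst, mask)
        elif m := POLICY_RE.match(line):
            attr = "encryption" if m[2].startswith("encr") else m[2]   # PIX accepts "encrypt"
            policies.setdefault(m[1], {})[attr] = m[3]
        elif m := TSET_RE.match(line):
            tsets[m[1]] = frozenset(m[2].split())
        elif m := MAP_RE.match(line):
            maps.setdefault(m[1], {})[m[2]] = m[3]
        elif m := NAT0_RE.match(line):
            nat0 = m[1]
    return {"acls": acls, "policies": policies, "tsets": tsets, "maps": maps, "nat0": nat0}


def mirror(entries):
    """Swap source and destination of every entry: what the peer's crypto ACL must contain."""
    return sorted((d, dm, s, sm) for s, sm, d, dm in entries)


def check_pair(a_cfg, b_cfg, a_ip, b_ip):
    """Return a list of problems; an empty list means the two configs agree."""
    a, b = parse(a_cfg), parse(b_cfg)
    problems = []
    # phase 1: some policy on A must equal some policy on B in all four attributes
    if not any(all(pa.get(k) == pb.get(k) for k in PHASE1)
               for pa in a["policies"].values() for pb in b["policies"].values()):
        problems.append("no isakmp policy matches on authentication/encryption/hash/group")
    for side, cfg, other, peer_ip in (("A", a, b, b_ip), ("B", b, a, a_ip)):
        peer_crypto_acls = [sorted(other["acls"].get(e.get("match address"), []))
                            for e in other["maps"].values()]
        for seq, entry in cfg["maps"].items():
            acl = entry.get("match address")
            if entry.get("set peer") != peer_ip:
                problems.append(f"{side} map {seq}: peer {entry.get('set peer')} is not {peer_ip}")
            ts = entry.get("set transform-set")
            if cfg["tsets"].get(ts) not in other["tsets"].values():
                problems.append(f"{side} map {seq}: transform-set {ts} has no equal on the peer")
            if acl not in cfg["acls"]:
                problems.append(f"{side} map {seq}: access-list {acl} does not exist")
                continue
            # the same ACL on nat 0 and on a crypto map is what PDM rejects; a nat 0 ACL
            # that misses a tunnel means that traffic gets NATed instead of encrypted
            if acl == cfg["nat0"]:
                problems.append(f"{side}: crypto ACL {acl} is also used for nat 0 (PDM rejects this)")
            elif not set(cfg["acls"][acl]) <= set(cfg["acls"].get(cfg["nat0"], [])):
                problems.append(f"{side}: nat 0 ACL {cfg['nat0']} does not cover crypto ACL {acl}")
            # phase 2 proxy identities: the peer's crypto ACL must be the exact mirror image
            if mirror(cfg["acls"][acl]) not in peer_crypto_acls:
                problems.append(f"{side}: crypto ACL {acl} has no mirror image on the peer")
    return problems


if __name__ == "__main__":
    for p in check_pair(SITE_A, SITE_B, "61.9.152.174", "60.230.47.59") or ["OK"]:
        print(p)
```

Run against the two final configs it reports nothing; put `nat (inside) 0 access-list 90` back on site A and it reports the reuse that produced the PDM error, and change one network on either side and it reports the missing mirror image, which on the box shows up as phase 2 never completing.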



Thanks gmooney. PDM now working. About to go onsite in 2 hours. Praying everything works. Will post back soon.

GMooney, I can't thank you enough. Everything is working really well. I played around a little more with some extra port forwarding, but everything as it was listed above worked a treat.

Just one more question though. I can ping back and forward between both sites but I cannot ping each router from another site.

Example.

Site A can ping Site A PIX

Site A cannot ping Site B PIX

This problem is at both sites.

But I can successfully ping all other addresses between sites. Site A computers can ping Site B computers and vice versa. I just can't ping the routers or manage them via telnet TCP/IP between sites.

Thanks again GMooney, you're a lifesaver.

God Bless you.

A quick and dirty solution is this, but I don't recommend using conduits for anything else unless you can help it...

conduit permit icmp any any

I don't think the PDM will complain about this if I remember right. If you mix too many conduits and ACLs, the PDM will not let you enter configuration mode because it can't support the use of mixed conduits/ACLs.

You might also add
management-access inside

and also do this, where x.x.x.x is the public IP address of the remote PIX that you want to administer the local PIX from
ssh x.x.x.x 255.255.255.x outside
telnet x.x.x.x 255.255.255.x outside