Solved

Cisco PIX Site to Site VPN - help

Posted on 2007-04-02
2
227 Views
Last Modified: 2010-04-09
We currently have 2 site to site VPNs one from Brghton to London and one from Newcastle to London.
Im trying to set up another  - Newcastle to Brighton.

Here is the original config of the VPN currently set up on Newcastle to London. (the brighton one is almost identical, but has changes to ip etc..)

-------------------------------------------------------------

access-list inside_outbound_nat0_acl permit ip any London-SN1 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any London-SN2 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 172.16.174.96 255.255.255.240

access-list outside_cryptomap_20 permit ip Newcastle-SN1 255.255.255.0 London-SN1 255.255.255.0
access-list outside_cryptomap_20 permit icmp Newcastle-SN1 255.255.255.0 London-SN1 255.255.255.0
access-list outside_cryptomap_20 permit ip Newcastle-SN1 255.255.255.0 London-SN2 255.255.255.0
access-list outside_cryptomap_20 permit icmp Newcastle-SN1 255.255.255.0 London-SN2 255.255.255.0

nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer London-GW
crypto map outside_map 20 set transform-set ESP-3DES-MD5

isakmp enable outside
isakmp key ******** address London-GW netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

--------------------------------------------------------------

These are the additional settings ive added on newcastle.

--------------------------------------------------------------

access-list inside_outbound_nat0_acl permit ip any Brighton-SN1 255.255.255.0

access-list outside_cryptomap_21 permit ip Newcastle-SN1 255.255.255.0 Brighton-SN1 255.255.255.0
access-list outside_cryptomap_21 permit icmp Newcastle-SN1 255.255.255.0 Brighton-SN1 255.255.255.0

crypto map outside_map 21 ipsec-isakmp
crypto map outside_map 21 match address outside_cryptomap_21
crypto map outside_map 21 set peer Brighton-GW
crypto map outside_map 21 set transform-set ESP-3DES-MD5

isakmp key ******** address Brighton-GW netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption 3des
isakmp policy 21 hash md5
isakmp policy 21 group 2
isakmp policy 21 lifetime 86400

-----------------------------------------------------------

Ive set up a smiliar one for the brighton config. replacing values etc.. to match the connection.

Anyone see anything wrong with that or if ive missed anything out?
0
Comment
Question by:chouckham
2 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 18836621
Here's a great example for PIX-PIX fully meshed, which is what you are describing:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800a2cce.shtml

0
 
LVL 3

Author Comment

by:chouckham
ID: 18836652
you STAR!
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Stuck in INIT/DROTHER 2 51
New office setup 2 28
Cisco ISE or Windows NPS for RADIUS and 802.1x 2 51
VTP servers with 3650 switches 5 27
If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

861 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question