Posted on 2007-07-23
Last Modified: 2008-01-09
Current implementation: rtr->pix->isa, where the site-to-site VPN to tsite is established through the ISA and the protocols are forwarded to the PIX. I want to remove the ISA due to it being a single point of failure, and to take advantage of the failover I have implemented on the PIX 515E 6.3.3.

I started to try a config based on the ISA config:

Remote Site X.Y.Z.46
ESP - Triple DES with SHA1 Integrity
IKE Encryption and Diffie-Hellman Group Triple DES with Group 2 (1024-bit prime)
Perfect Forward Secrecy (Disabled)
Compression (Disabled)
Rekey Timeout (08:00:00)  "in hours"
Rekey Data Count (None)
ISAKMP Retransmission Interval (1440)  "in minutes"
ISAKMP Retransmission Max Attempts (4)
Pre-Shared Key ( to be negotiated )

Network routing on our side (hosts):

My Site

Our Endpoint X.X.X.173
ESP  Triple DES with SHA1 Integrity
IKE Encryption and Diffie-Hellman Group Triple DES with Group 2 (1024-bit prime)
Perfect Forward Secrecy (Disabled)
Rekey Timeout 28800 seconds = 8 hours
Rekey Data Count (None)
Pre-Shared Key (to be negotiated)

This is what I started to create; some guidance please.

isakmp enable outside
isakmp policy 9 authentication pre-share
isakmp policy 9 encrypt 3des
isakmp policy 9 hash sha
isakmp policy 9 group 2
isakmp key 12345678 address X.Y.Z.46 netmask 255.255.255.255
crypto ipsec transform-set strong esp-3des esp-sha-hmac
access-list 90 permit ip host X.Y.Z.46

Networks on my side: /24, /22

Hosts on the remote site:

Question by: adrianjfx

    Accepted Solution

Here is a standard configuration for a site-to-site VPN on the PIX:

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 group 2
isakmp policy 10 hash md5
isakmp policy 10 lifetime 86400
isakmp enable outside
isakmp identity address
isakmp key abc123 address netmask
nat (inside) 0 access-list 90
access-list 90 permit ip
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 900
crypto map gonder 10 ipsec-isakmp
crypto map gonder 10 match address 90
crypto map gonder 10 set transform-set strong
crypto map gonder 10 set peer
crypto map gonder interface outside
sysopt connection permit-ipsec

These are just the basic set of commands that must be there to create a site-to-site VPN.

You can get further information from this link:
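The accepted solution is a generic template; the peer parameters listed in the question call for SHA1 on both phases, DH group 2, a 28800-second rekey and no PFS. The following is an added example (not part of the original question or answer) that maps those stated parameters onto PIX 6.3 syntax. The peer address X.Y.Z.46 comes from the question; the local networks 10.1.1.0/24 and 10.1.4.0/22, the remote hosts 192.0.2.10 and 192.0.2.11, and the pre-shared key string are assumed placeholders, since the page gives only the prefix lengths. Lines starting with "!" are reader comments and can be dropped when pasting.

```cisco
! Phase 1 (IKE/ISAKMP): 3DES, SHA1, DH group 2, 8-hour (28800 s) rekey, pre-shared key
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
! Pre-shared key for the remote peer (placeholder string; agree the real key out of band)
isakmp key REPLACE-WITH-AGREED-KEY address X.Y.Z.46 netmask 255.255.255.255

! Interesting traffic: local /24 and /22 (assumed 10.1.1.0/24 and 10.1.4.0/22) to the
! remote hosts (assumed 192.0.2.10 and 192.0.2.11). The remote side must mirror this list.
access-list tsite-vpn permit ip 10.1.1.0 255.255.255.0 host 192.0.2.10
access-list tsite-vpn permit ip 10.1.1.0 255.255.255.0 host 192.0.2.11
access-list tsite-vpn permit ip 10.1.4.0 255.255.252.0 host 192.0.2.10
access-list tsite-vpn permit ip 10.1.4.0 255.255.252.0 host 192.0.2.11

! Exempt tunnelled traffic from NAT so private source addresses reach the peer unchanged
nat (inside) 0 access-list tsite-vpn

! Phase 2 (IPsec): ESP 3DES with SHA1 integrity, 28800 s lifetime; PFS stays disabled
! because no "set pfs" line is added to the crypto map entry
crypto ipsec transform-set tsite-3des-sha esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800

crypto map tsite-map 10 ipsec-isakmp
crypto map tsite-map 10 match address tsite-vpn
crypto map tsite-map 10 set peer X.Y.Z.46
crypto map tsite-map 10 set transform-set tsite-3des-sha
crypto map tsite-map interface outside

! Let decrypted IPsec traffic bypass the outside interface access-list
sysopt connection permit-ipsec
```

The crypto access-list and the nat 0 access-list deliberately reference the same list so that the NAT exemption always matches exactly the traffic that is encrypted; a mismatch between the two is the most common reason a tunnel comes up but traffic does not pass. After sending traffic from an inside host to one of the remote hosts, `show crypto isakmp sa` should show the peer in QM_IDLE and `show crypto ipsec sa` should show non-zero encrypt/decrypt counters for each proxy identity. With failover on the PIX the configuration, including the crypto map, replicates to the standby unit, which is what removes the ISA as the single point of failure. Note that 3DES/SHA1/group 2 are the peer's stated requirements; PIX 6.3 also supports AES and DH group 5, which are preferable if the remote side can be changed.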

    Author Comment

Thanks charan, I will try it out.
