PIX SITE TO SITE FROM (ISA)

Current implementation: rtr->pix->isa, where the site-to-site VPN is established through the ISA and the protocols are forwarded to the PIX. I want to remove the ISA due to it being a single point of failure and take advantage of the failover I have implemented on the PIX 515E 6.3.3.

I started to try a config from the ISA config:

Remote Site X.Y.Z.46
ESP - Triple DES with SHA1 Integrity
IKE Encryption and Diffie-Hellman Group Triple DES with Group 2 (1024-bit prime)
Perfect Forward Secrecy (Disabled)
Compression (Disabled)
Rekey Timeout (08:00:00)  "in hours"
Rekey Data Count (None)
ISAKMP Retransmission Interval (1440)  "in minutes"
ISAKMP Retransmission Max Attempts (4)
Pre-Shared Key ( to be negotiated )

Network routing on our side (hosts):
10.48.239.56
10.48.239.75
10.48.239.199



My Site

Our Endpoint X.X.X.173
ESP  Triple DES with SHA1 Integrity
IKE Encryption and Diffie-Hellman Group Triple DES with Group 2 (1024-bit prime)
Perfect Forward Secrecy (Disabled)
Rekey Timeout 28800 seconds = 8 hours
Rekey Data Count (None)
Pre-Shared Key (to be negotiated)

This is what I started to create; some guidance please.

isakmp enable outside
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 group 2
isakmp key 12345678 address X.Y.Z.46 netmask 255.255.255.255
crypto ipsec transform-set strong esp-3des esp-sha-hmac
object-group network remote-hosts
  network-object host 10.48.239.56
  network-object host 10.48.239.75
  network-object host 10.48.239.199
access-list 90 permit ip 10.168.4.0 255.255.255.0 object-group remote-hosts
access-list 90 permit ip 10.168.0.0 255.255.252.0 object-group remote-hosts

Networks on my side:
10.168.4.0 /24
10.168.0.0 /22

Hosts on remote site:
10.48.239.56
10.48.239.75
10.48.239.199

adrianjfxAsked:
charan_jeetsinghCommented:
Here is a standard configuration for a VPN on the PIX:

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 group 2
isakmp policy 10 hash md5
isakmp policy 10 lifetime 86400
isakmp enable outside
isakmp identity address
isakmp key abc123 address 192.168.2.1 netmask 255.255.255.255
nat (inside) 0 access-list 90
access-list 90 permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 900
crypto map gonder 10 ipsec-isakmp
crypto map gonder 10 match address 90
crypto map gonder 10 set transform-set strong
crypto map gonder 10 set peer 192.168.2.1
crypto map gonder interface outside
sysopt connection permit-ipsec

These are just a basic set of commands which necessarily have to be there for creating a site-to-site VPN.

You can get further information from this link:
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/sit2site.html
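The template above uses generic values (MD5, a 15-minute SA lifetime, 10.10.x.x networks). As an added example, not posted by either participant, here is the same structure mapped onto the parameters the question actually lists: 3DES with SHA-1 for both phases, DH group 2, an 8-hour (28800 s) rekey, PFS and compression left off, the two local networks and the three remote hosts. X.X.X.173 and X.Y.Z.46 are the redacted endpoint addresses from the question, the crypto-map and object-group names are arbitrary, and the pre-shared key is a placeholder to be replaced once it is negotiated. Comment lines start with a colon, as in a saved PIX configuration.

```cisco
: Added example built from the question's ISA parameters; not from the thread.
: Phase 1 (IKE): pre-shared key, 3DES, SHA-1, DH group 2, 8-hour lifetime
isakmp enable outside
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 2
isakmp policy 9 lifetime 28800
: Placeholder key; restrict it to the single peer with a /32 netmask
isakmp key REPLACE-WITH-NEGOTIATED-KEY address X.Y.Z.46 netmask 255.255.255.255
: Interesting traffic: both local networks to the three remote hosts only
object-group network remote-hosts
  network-object host 10.48.239.56
  network-object host 10.48.239.75
  network-object host 10.48.239.199
access-list 90 permit ip 10.168.4.0 255.255.255.0 object-group remote-hosts
access-list 90 permit ip 10.168.0.0 255.255.252.0 object-group remote-hosts
: Exempt the tunnelled traffic from NAT so the remote side sees real addresses
nat (inside) 0 access-list 90
: Phase 2 (IPsec): ESP 3DES + SHA-1 HMAC, 8-hour SA lifetime, no "set pfs" (PFS disabled)
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto map tosite 10 ipsec-isakmp
crypto map tosite 10 match address 90
crypto map tosite 10 set peer X.Y.Z.46
crypto map tosite 10 set transform-set strong
crypto map tosite interface outside
: Let decrypted IPsec traffic bypass the outside interface access list
sysopt connection permit-ipsec
```

Two checks worth making once this is in place. First, the remote administrator must configure the mirror image (their proxy identities are the three hosts to your two networks, 3DES/SHA-1, group 2, 28800 s on both phases); a mismatch on any of these is the usual reason phase 1 or phase 2 fails, and `show crypto isakmp sa` followed by `show crypto ipsec sa` shows which phase did not come up. Second, in PIX 6.3 the crypto configuration is replicated to the standby unit but the IKE and IPsec security associations are not, so after a failover the tunnel is renegotiated rather than preserved; the remote peer must therefore point at the shared active outside address (X.X.X.173 here), not the address of an individual unit.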
 
adrianjfxAuthor Commented:
Thanks, charan.
Will try it out.