[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 400
  • Last Modified:

Configuration for multiple VPNs in Pix 515E

I currently have 1 point-to-point vpn in my pix.

I would like to know what parts of the configuration I need to repeat to add other point-to-points.  I'm looking to add about 6 more.  Most of these will be to other cisco devices (2600 routers), but I might have the occasional SonicWall or SmoothWall.

Here's part of what I have for the current one.

Please let me know what I need to repeat.


This goes to a cisco Pix 505 with a dynamic red IP, but the others will all have static IPs.

sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key 1004gchd address netmask
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 1000
  • 2
1 Solution
You need to add remote networks to your no_nat access-list. All remote sites get added to the same list.
You need to define local/remote traffic for each remote with unique acl.
For each remote peer, add a peer entry. You can keep the same global key with

Here's what it might look like with 4 additional remote networks:
Local LAN=
Remote LANs = 192.168.113 - .116.0 /24

access-list NO_NAT permit ip
access-list NO_NAT permit ip
access-list NO_NAT permit ip
access-list NO_NAT permit ip
nat (inside) 0 access-list NO_NAT

access-list VPN_SITE1 permit ip
access-list VPN_SITE2 permit ip
access-list VPN_SITE3 permit ip
access-list VPN_SITE4 permit ip

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 set transform-set myset
crypto map mymap 10 set peer a.b.c.d
crypto map mymap 10 match address VPN_SITE1

crypto map mymap 12 ipsec-isakmp
crypto map mymap 12 set transform-set myset
crypto map mymap 12 set peer b.c.d.e
crypto map mymap 12 match address VPN_SITE2

crypto map mymap 14 ipsec-isakmp
crypto map mymap 14 set transform-set myset
crypto map mymap 14 set peer e.f.g.h
crypto map mymap 14 match address VPN_SITE3

crypto map mymap 16 ipsec-isakmp
crypto map mymap 16 set transform-set myset
crypto map mymap 16 set peer x.y.z.a
crypto map mymap 16 match address VPN_SITE4

crypto map mymap 200 ipsec-isakmp dynamic cisco  <== dynamic map always has highest number
crypto map mymap interface outside

isakmp identity address

andyowwAuthor Commented:
So the "access-list NO_NAT..." is a seperate access list from what I already have, or can I just add those entries to my current ACL?

It looks like it's easier to seperate them (along with the ACL VPN-SITE) ,but will that mess up my current ACL?
What about isakmp key?
I have a line now that says: "isakmp key ****** address netmask"
Yes, if you already have an inside_nat_acl then you can just extend it.
1 x no_nat / nat0 acl
1 x unique acl for each remote
You can keep the isakmp key the same for all remotes with what you have, or you can create a unique entry for each one, and keep the one you have, too.

Featured Post

Choose an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now