Solved

VPN setup for 5 sites using PIX 506

Posted on 2007-11-18
Last Modified: 2010-04-21
Folks, I need to set up VPN links between 5 sites, PPTP or IPsec. Will a Cisco PIX 506 work to connect all the 5 sites? Any suggestions pls.
Question by:Musafeer79
4 Comments
 
LVL 10

Expert Comment

by:cstosgale
ID: 20309095
Yes, this would be no problem. I believe the 506 supports up to 25 tunnels. I would recommend using IPsec as it is easier to configure on a PIX and more secure.

You can terminate the VPNs at the remote sites using any cisco routers or pixes.
 

Author Comment

by:Musafeer79
ID: 20310161
Thanks, any sample config for connecting more than 2 sites using a PIX 506? I will use that as reference in configuring the 5 sites.
 
LVL 10

Accepted Solution

by: cstosgale earned 2000 total points
ID: 20314502
Hi,

The easiest way to configure this if you haven't done it before is to upgrade to at least version 7 of the PIX software and use ASDM. This will do a lot of the hard work for you.

Here's a config for two sites. The 1.1.1.1 and 2.2.2.2 addresses are the remote peer public addresses. The nonat access list needs to be applied to the nat 0 command. This is modified from a real config, hence the random IP address ranges. Basically, the access lists specify what traffic you want to encrypt for each site. The config on the remote PIXes needs to use the exact inverse of these access lists. Also make sure that the traffic is allowed through the inside interface of the PIX:


access-list Site1-VPN permit ip 10.0.0.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list Site1-VPN permit ip 10.10.0.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list Site1-VPN permit ip host inside_snmpc 10.10.11.0 255.255.255.0
access-list Site1-VPN permit ip 10.150.1.0 255.255.255.0 10.150.3.0 255.255.255.0
access-list Site1-VPN permit ip 10.150.2.0 255.255.255.0 10.150.3.0 255.255.255.0
access-list Site1-VPN permit ip 10.20.0.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list nonat_inside permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list nonat_inside permit ip host inside_snmpc 10.0.0.0 255.0.0.0
access-list Site2-VPN permit ip 10.0.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list Site2-VPN permit ip 10.0.0.0 255.255.255.0 10.150.2.0 255.255.255.0
access-list Site2-VPN permit ip 10.150.1.0 255.255.255.0 10.150.2.0 255.255.255.0
access-list Site2-VPN permit ip 10.10.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list Site2-VPN permit ip host inside_snmpc 10.10.10.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address Site2-VPN
crypto map mymap 10 set peer 1.1.1.1
crypto map mymap 10 set transform-set myset
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address Site1-VPN
crypto map mymap 20 set peer 2.2.2.2
crypto map mymap 20 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 1
isakmp policy 5 lifetime 7200
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 7200
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
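The two rules the accepted solution relies on, one crypto map sequence per remote peer and a spoke ACL that is the exact inverse of the hub's, are easy to get wrong by hand once there are five sites. The following added example (not from the original post or from Cisco) generates the hub-side PIX 6.x lines for any number of spokes and checks a spoke ACL against the hub's; the peer addresses, network ranges and the `Spoke` helper are constructed for illustration.

```python
# Added example, not from the original post: build hub-side PIX 6.x lines for
# several spokes (one crypto map sequence per peer) and check that a spoke's
# ACL is the exact inverse of the hub's. All addresses are constructed samples.
from dataclasses import dataclass
Entry = tuple[str, str, str, str]  # (src_net, src_mask, dst_net, dst_mask)

@dataclass
class Spoke:
    name: str                          # access-list prefix, e.g. Site1
    peer: str                          # remote peer public address
    local_nets: list[tuple[str, str]]  # hub-side (net, mask) pairs
    remote_nets: list[tuple[str, str]] # spoke-side (net, mask) pairs

def hub_acl(spoke: Spoke) -> list[Entry]:
    """Hub view of the crypto ACL: every local net to every remote net."""
    return [(ln, lm, rn, rm) for ln, lm in spoke.local_nets for rn, rm in spoke.remote_nets]

def mirror(acl: list[Entry]) -> list[Entry]:
    """What the spoke must carry: the same entries with src and dst swapped."""
    return [(dn, dm, sn, sm) for sn, sm, dn, dm in acl]

def is_mirror(hub: list[Entry], spoke: list[Entry]) -> bool:
    """True only if the spoke ACL is exactly the inverse of the hub ACL."""
    return sorted(mirror(hub)) == sorted(spoke)

def render(spoke: Spoke, seq: int, map_name: str = "mymap") -> list[str]:
    """One spoke's lines; a distinct sequence number per peer lets one crypto map carry all tunnels."""
    acl = f"{spoke.name}-VPN"
    lines = [f"access-list {acl} permit ip {s} {sm} {d} {dm}" for s, sm, d, dm in hub_acl(spoke)]
    lines += [
        f"crypto map {map_name} {seq} ipsec-isakmp",
        f"crypto map {map_name} {seq} match address {acl}",
        f"crypto map {map_name} {seq} set peer {spoke.peer}",
        f"crypto map {map_name} {seq} set transform-set myset",
        f"isakmp key ******** address {spoke.peer} netmask 255.255.255.255 no-xauth no-config-mode",
    ]
    return lines

def hub_config(spokes: list[Spoke]) -> list[str]:
    """Whole hub side: sequence 10, 20, 30 ... in the order the spokes are given."""
    out: list[str] = []
    for i, s in enumerate(spokes):
        out += render(s, 10 * (i + 1))
    return out

# Constructed sample: hub LAN 10.0.0.0/24 and two spokes on documentation peer addresses.
SPOKES = [
    Spoke("Site1", "192.0.2.1", [("10.0.0.0", "255.255.255.0")], [("10.10.11.0", "255.255.255.0")]),
    Spoke("Site2", "198.51.100.1", [("10.0.0.0", "255.255.255.0")], [("10.10.12.0", "255.255.255.0")]),
]
```

The nonat access list and the transform-set / isakmp policy lines from the answer above are shared across all peers and are not generated here; extend `SPOKES` to five entries to get the sequences 10 through 50.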
 

Author Closing Comment

by:Musafeer79
ID: 31409831
Thanks
