Solved

VPN setup for 5 sites using PIX 506

Posted on 2007-11-18
4
166 Views
Last Modified: 2010-04-21
Folks,I need to setup VPN links between 5 sites,PPTP or IPSEC.Will Cisco PIX 506 work to connect all the 5 sites?Any suggestions pls.
0
Comment
Question by:Musafeer79
  • 2
  • 2
4 Comments
 
LVL 10

Expert Comment

by:cstosgale
ID: 20309095
Yes this would be no problem. I believe the 506 supports up to 25 tunnels. I would recommend using ipsec as it is easier to configure on a pix and more secure.

You can terminate the VPNs at the remote sites using any cisco routers or pixes.
0
 

Author Comment

by:Musafeer79
ID: 20310161
Thanks,any sample config for connecting more than 2 sites using pix 506.I will use that as reference in configuring the 5 sites.
0
 
LVL 10

Accepted Solution

by:
cstosgale earned 500 total points
ID: 20314502
Hi,

The easiest way to configure this if you haven't done it before iis upgrade to at least version7 of the pix software and use ASDM. This will do a lot of hte hard work for you.

here's a config for two sites. The 1.1.1.1 and 2.2.2.2 addresses are the remote peer public addresses. the nonat access list needs to be applied to the nat 0 command. This is modified from a real config hence the random ip address ranges. Basically, the access lists specify what traffic you want to ecrypt for each site. The config on the remote pixes need to use the exact inverse of these access lists. Also make sure that the traffic is allowed through the inside interface of the pix:-


access-list Site1-VPN permit ip 10.0.0.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list Site1-VPN permit ip 10.10.0.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list Site1-VPN permit ip host inside_snmpc 10.10.11.0 255.255.255.0
access-list Site1-VPN permit ip 10.150.1.0 255.255.255.0 10.150.3.0 255.255.255.0
access-list Site1-VPN permit ip 10.150.2.0 255.255.255.0 10.150.3.0 255.255.255.0
access-list Site1-VPN permit ip 10.20.0.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list nonat_inside permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list nonat_inside permit ip host inside_snmpc 10.0.0.0 255.0.0.0
access-list Site2-VPN permit ip 10.0.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list Site2-VPN permit ip 10.0.0.0 255.255.255.0 10.150.2.0 255.255.255.0
access-list Site2-VPN permit ip 10.150.1.0 255.255.255.0 10.150.2.0 255.255.255.0
access-list Site2-VPN permit ip 10.10.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list Site2-VPN permit ip host inside_snmpc 10.10.10.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address Site2-VPN
crypto map mymap 10 set peer 1.1.1.1
crypto map mymap 10 set transform-set myset
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address Site1-VPN
crypto map mymap 20 set peer 2.2.2.2
crypto map mymap 20 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 1
isakmp policy 5 lifetime 7200
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 7200
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
0
 

Author Closing Comment

by:Musafeer79
ID: 31409831
Thanks
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question