Solved

VPN setup for 5 sites using PIX 506

Posted on 2007-11-18
Last Modified: 2010-04-21
Folks, I need to set up VPN links between 5 sites, PPTP or IPSEC. Will a Cisco PIX 506 work to connect all 5 sites? Any suggestions, please.
Question by:Musafeer79
4 Comments
 
LVL 10

Expert Comment

by:cstosgale
ID: 20309095
Yes, this would be no problem. I believe the 506 supports up to 25 tunnels. I would recommend using IPsec, as it is easier to configure on a PIX and more secure.

You can terminate the VPNs at the remote sites using any Cisco routers or PIXes.

Author Comment

by:Musafeer79
ID: 20310161
Thanks, any sample config for connecting more than 2 sites using a PIX 506? I will use that as a reference in configuring the 5 sites.
LVL 10

Accepted Solution

by: cstosgale (earned 500 total points)
ID: 20314502
Hi,

The easiest way to configure this if you haven't done it before is to upgrade to at least version 7 of the PIX software and use ASDM. This will do a lot of the hard work for you.

Here's a config for two sites. The 1.1.1.1 and 2.2.2.2 addresses are the remote peer public addresses. The nonat access list needs to be applied to the nat 0 command. This is modified from a real config, hence the random IP address ranges. Basically, the access lists specify what traffic you want to encrypt for each site. The config on the remote PIXes needs to use the exact inverse of these access lists. Also make sure that the traffic is allowed through the inside interface of the PIX:


access-list Site1-VPN permit ip 10.0.0.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list Site1-VPN permit ip 10.10.0.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list Site1-VPN permit ip host inside_snmpc 10.10.11.0 255.255.255.0
access-list Site1-VPN permit ip 10.150.1.0 255.255.255.0 10.150.3.0 255.255.255.0
access-list Site1-VPN permit ip 10.150.2.0 255.255.255.0 10.150.3.0 255.255.255.0
access-list Site1-VPN permit ip 10.20.0.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list nonat_inside permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list nonat_inside permit ip host inside_snmpc 10.0.0.0 255.0.0.0
access-list Site2-VPN permit ip 10.0.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list Site2-VPN permit ip 10.0.0.0 255.255.255.0 10.150.2.0 255.255.255.0
access-list Site2-VPN permit ip 10.150.1.0 255.255.255.0 10.150.2.0 255.255.255.0
access-list Site2-VPN permit ip 10.10.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list Site2-VPN permit ip host inside_snmpc 10.10.10.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address Site2-VPN
crypto map mymap 10 set peer 1.1.1.1
crypto map mymap 10 set transform-set myset
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address Site1-VPN
crypto map mymap 20 set peer 2.2.2.2
crypto map mymap 20 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 1
isakmp policy 5 lifetime 7200
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 7200
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
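As an added example (not code from the answer above or from Cisco), the following Python helper does the step the accepted solution describes in words: it builds the mirrored crypto access list a remote PIX needs from the hub's list, and checks that two lists really are exact inverses, since a mismatched crypto ACL is a common reason a tunnel never comes up. It goes slightly beyond the posted config by also accepting the `host` and `any` endpoint forms; the sample lines, the list name HQ-VPN and the helper names are assumptions.

```python
# Constructed sample: two entries in the style of the posted Site1-VPN list.
SAMPLE_ACL = """\
access-list Site1-VPN permit ip 10.0.0.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list Site1-VPN permit ip host inside_snmpc 10.10.11.0 255.255.255.0
"""


def _parse_endpoint(tokens, i):
    """Return (endpoint_tokens, next_index) for a PIX ACL endpoint.

    Endpoints are written as 'host NAME', 'any', or 'ADDR MASK'.
    """
    if tokens[i] == "host":
        return tokens[i:i + 2], i + 2
    if tokens[i] == "any":
        return tokens[i:i + 1], i + 1
    return tokens[i:i + 2], i + 2


def _entries(text):
    """Yield (src, dst) tuples for every 'access-list NAME permit ip ...' line."""
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2:4] != ["permit", "ip"]:
            continue  # comments, deny lines and non-ip entries are not crypto matches
        src, i = _parse_endpoint(t, 4)
        dst, _ = _parse_endpoint(t, i)
        yield tuple(src), tuple(dst)


def mirror_acl(text, remote_name):
    """Produce the remote peer's crypto ACL: same entries with src and dst swapped."""
    return ["access-list %s permit ip %s %s" % (remote_name, " ".join(d), " ".join(s))
            for s, d in _entries(text)]


def acls_are_mirrors(local_text, remote_text):
    """True when every local (src, dst) pair appears remotely as (dst, src), and nothing else."""
    return {(d, s) for s, d in _entries(local_text)} == set(_entries(remote_text))


if __name__ == "__main__":
    remote = mirror_acl(SAMPLE_ACL, "HQ-VPN")
    print("\n".join(remote))
    print("mirrors:", acls_are_mirrors(SAMPLE_ACL, "\n".join(remote)))
```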

Author Closing Comment

by:Musafeer79
ID: 31409831
Thanks
