• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 179
  • Last Modified:

VPN setup for 5 sites using PIX 506

Folks,I need to setup VPN links between 5 sites,PPTP or IPSEC.Will Cisco PIX 506 work to connect all the 5 sites?Any suggestions pls.
0
Musafeer79
Asked:
Musafeer79
  • 2
  • 2
1 Solution
 
cstosgaleCommented:
Yes this would be no problem. I believe the 506 supports up to 25 tunnels. I would recommend using ipsec as it is easier to configure on a pix and more secure.

You can terminate the VPNs at the remote sites using any cisco routers or pixes.
0
 
Musafeer79Author Commented:
Thanks,any sample config for connecting more than 2 sites using pix 506.I will use that as reference in configuring the 5 sites.
0
 
cstosgaleCommented:
Hi,

The easiest way to configure this if you haven't done it before iis upgrade to at least version7 of the pix software and use ASDM. This will do a lot of hte hard work for you.

here's a config for two sites. The 1.1.1.1 and 2.2.2.2 addresses are the remote peer public addresses. the nonat access list needs to be applied to the nat 0 command. This is modified from a real config hence the random ip address ranges. Basically, the access lists specify what traffic you want to ecrypt for each site. The config on the remote pixes need to use the exact inverse of these access lists. Also make sure that the traffic is allowed through the inside interface of the pix:-


access-list Site1-VPN permit ip 10.0.0.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list Site1-VPN permit ip 10.10.0.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list Site1-VPN permit ip host inside_snmpc 10.10.11.0 255.255.255.0
access-list Site1-VPN permit ip 10.150.1.0 255.255.255.0 10.150.3.0 255.255.255.0
access-list Site1-VPN permit ip 10.150.2.0 255.255.255.0 10.150.3.0 255.255.255.0
access-list Site1-VPN permit ip 10.20.0.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list nonat_inside permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list nonat_inside permit ip host inside_snmpc 10.0.0.0 255.0.0.0
access-list Site2-VPN permit ip 10.0.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list Site2-VPN permit ip 10.0.0.0 255.255.255.0 10.150.2.0 255.255.255.0
access-list Site2-VPN permit ip 10.150.1.0 255.255.255.0 10.150.2.0 255.255.255.0
access-list Site2-VPN permit ip 10.10.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list Site2-VPN permit ip host inside_snmpc 10.10.10.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address Site2-VPN
crypto map mymap 10 set peer 1.1.1.1
crypto map mymap 10 set transform-set myset
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address Site1-VPN
crypto map mymap 20 set peer 2.2.2.2
crypto map mymap 20 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 1
isakmp policy 5 lifetime 7200
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 7200
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
0
 
Musafeer79Author Commented:
Thanks
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Prepare for an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program curriculum features two internationally recognized certifications from the EC-Council at no additional time or cost.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now