Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

VPN setup for 5 sites using PIX 506

Posted on 2007-11-18
4
Medium Priority
?
173 Views
Last Modified: 2010-04-21
Folks,I need to setup VPN links between 5 sites,PPTP or IPSEC.Will Cisco PIX 506 work to connect all the 5 sites?Any suggestions pls.
0
Comment
Question by:Musafeer79
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 10

Expert Comment

by:cstosgale
ID: 20309095
Yes this would be no problem. I believe the 506 supports up to 25 tunnels. I would recommend using ipsec as it is easier to configure on a pix and more secure.

You can terminate the VPNs at the remote sites using any cisco routers or pixes.
0
 

Author Comment

by:Musafeer79
ID: 20310161
Thanks,any sample config for connecting more than 2 sites using pix 506.I will use that as reference in configuring the 5 sites.
0
 
LVL 10

Accepted Solution

by:
cstosgale earned 2000 total points
ID: 20314502
Hi,

The easiest way to configure this if you haven't done it before iis upgrade to at least version7 of the pix software and use ASDM. This will do a lot of hte hard work for you.

here's a config for two sites. The 1.1.1.1 and 2.2.2.2 addresses are the remote peer public addresses. the nonat access list needs to be applied to the nat 0 command. This is modified from a real config hence the random ip address ranges. Basically, the access lists specify what traffic you want to ecrypt for each site. The config on the remote pixes need to use the exact inverse of these access lists. Also make sure that the traffic is allowed through the inside interface of the pix:-


access-list Site1-VPN permit ip 10.0.0.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list Site1-VPN permit ip 10.10.0.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list Site1-VPN permit ip host inside_snmpc 10.10.11.0 255.255.255.0
access-list Site1-VPN permit ip 10.150.1.0 255.255.255.0 10.150.3.0 255.255.255.0
access-list Site1-VPN permit ip 10.150.2.0 255.255.255.0 10.150.3.0 255.255.255.0
access-list Site1-VPN permit ip 10.20.0.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list nonat_inside permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list nonat_inside permit ip host inside_snmpc 10.0.0.0 255.0.0.0
access-list Site2-VPN permit ip 10.0.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list Site2-VPN permit ip 10.0.0.0 255.255.255.0 10.150.2.0 255.255.255.0
access-list Site2-VPN permit ip 10.150.1.0 255.255.255.0 10.150.2.0 255.255.255.0
access-list Site2-VPN permit ip 10.10.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list Site2-VPN permit ip host inside_snmpc 10.10.10.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address Site2-VPN
crypto map mymap 10 set peer 1.1.1.1
crypto map mymap 10 set transform-set myset
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address Site1-VPN
crypto map mymap 20 set peer 2.2.2.2
crypto map mymap 20 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 1
isakmp policy 5 lifetime 7200
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 7200
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
0
 

Author Closing Comment

by:Musafeer79
ID: 31409831
Thanks
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question