X-quisite

Configure Multiple Site to Site VPN with Cisco Pix 501

I have managed to configure a site-to-site VPN using two Cisco PIX 501s,
where Site A has a static public IP and Site B has a dynamic IP.

I now want to add a third site, C, which will have a dynamic public IP.

1) Do I simply enter the same config of Site B into Site C, except to change to the correct local IP addresses?
2) Do I need to add config to Site A?
3) Will sites B & C be able to access resources at either site?


mkielar

You would have to post the configs. Does the tunnel get initiated from B to A? Does it initiate from A to B? If you upload your cleaned configs, it would be easier for us to see how your current environment is.
Here is about all we can say without your configs.
1) Most likely, but we have to see the configs to be sure.
2) Probably not, if only B initiates the tunnel to A. Otherwise you will probably need to config more.
3) If they are set up as Cisco's recommended dynamic->static VPN, probably not. But it is possible.

X-quisite

ASKER

mkielar,

I think the tunnel is initiated by Site B.

Below is the VPN config on the Pix at site A:
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp key 12345678 address 0.0.0.0 netmask 0.0.0.0
access-list 100 permit ip 192.168.16.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list 100
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
sysopt connection permit-ipsec

VPN config at site B

isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp key ******** address 217.xx.xx.xx netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
access-list NoNat permit ip 192.168.2.0 255.255.255.0 192.168.16.0 255.255.255.0
nat (inside) 0 access-list NoNat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address NoNat
crypto map newmap 20 set peer 217.xx.xx.xx
crypto map newmap 20 set transform-set myset
crypto map newmap interface outside
sysopt connection permit-ipsec
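
As an added example (not part of the thread and not from either poster), this is the Site B configuration copied for a third dynamic-IP site, together with the one line Site A's NAT exemption list needs for the new subnet. The Site C LAN 192.168.3.0/24 and the `<PRE-SHARED-KEY>` placeholder are assumptions; everything else is taken from the configs posted above.

```cisco
: ---- Site C (dynamic public IP) ----
: Same as Site B; only the local subnet changes.
: 192.168.3.0/24 is an assumed LAN for Site C and must not overlap A or B.
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
: <PRE-SHARED-KEY> is a placeholder; it must match the key configured at Site A
isakmp key <PRE-SHARED-KEY> address 217.xx.xx.xx netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
access-list NoNat permit ip 192.168.3.0 255.255.255.0 192.168.16.0 255.255.255.0
nat (inside) 0 access-list NoNat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address NoNat
crypto map newmap 20 set peer 217.xx.xx.xx
crypto map newmap 20 set transform-set myset
crypto map newmap interface outside
sysopt connection permit-ipsec

: ---- Site A (static public IP) ----
: Add the mirror of Site C's NoNat entry to the existing NAT exemption list,
: so replies from 192.168.16.0/24 to the new subnet are not translated.
access-list 100 permit ip 192.168.16.0 255.255.255.0 192.168.3.0 255.255.255.0
```

Site A's dynamic map and its wildcard `isakmp key` entry already accept an additional peer, so the access-list line is the only change shown there. The DES/MD5 proposal is kept only so Site C matches what Site A already offers; changing it means changing all three units together.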



ASKER CERTIFIED SOLUTION
mkielar