maredzki
asked on
Cisco PIX 515E VPN
I am trying to add another peer VPN cisco pix to the config in the hub and spoke (many connect to one) architecture we have. Are these the only commands I need to execute on the hub pix?
access-list mylistname permit ip 172.16.10.0 255.255.255.0 172.16.12.0 255.255.255.0
access-list mylistname permit ip 192.168.0.0 255.255.255.0 172.16.12.0 255.255.255.0
crypto map mymap 33 ipsec-isakmp
crypto map mymap 33 match address mylistname
crypto map mymap 33 set peer <remotePublicIP>
crypto map mymap 33 set transform-set myset-set
isakmp key mykey address <remotePublicIP> netmask 255.255.255.255
Is that all?
Thanks much!
Marek
ASKER CERTIFIED SOLUTION
Just re-enter the same command that is already there. Should be something like
crypto map mymap interface outside
ASKER
Ok, great! Do any of the policy or crypto map names need to be the same on both of the PIXes, or is it arbitrary as long as the IP addresses are set for the peers?
I.e. this is from the hub PIX; should I have crypto map 50 on the PIX in Pittston, the remote site?
crypto map lakehills 50 ipsec-isakmp
crypto map lakehills 50 match address pittston
crypto map lakehills 50 set peer 65.x.x.x
crypto map lakehills 50 set transform-set myset-set
The policy names/priority numbers are only relevant to the local PIX.
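As an added illustration of that answer (example code written for this page, not part of the thread or of any Cisco software): what must agree between the two ends of one LAN-to-LAN tunnel is the mirror-image crypto ACL, the transform-set proposal, the peer address and the pre-shared key, while the map name, sequence number, ACL name and transform-set name are purely local. The checker below parses a constructed hub config and a constructed spoke config and reports only the cross-box mismatches. The peer addresses 65.0.0.1 and 65.0.0.2, the map names `lakehills` and `outside_map`, and the ACL and transform-set names `to_hub` and `hubset` are assumptions for the example.

```python
import re
from ipaddress import IPv4Network

# Constructed hub and spoke config fragments for illustration; the peer
# addresses, map names and ACL/transform-set names are assumptions.
HUB_CONFIG = """
access-list pittston permit ip 172.16.10.0 255.255.255.0 172.16.12.0 255.255.255.0
access-list pittston permit ip 192.168.0.0 255.255.255.0 172.16.12.0 255.255.255.0
crypto ipsec transform-set myset-set esp-3des esp-md5-hmac
crypto map lakehills 50 ipsec-isakmp
crypto map lakehills 50 match address pittston
crypto map lakehills 50 set peer 65.0.0.2
crypto map lakehills 50 set transform-set myset-set
crypto map lakehills interface outside
isakmp key mykey address 65.0.0.2 netmask 255.255.255.255
"""

SPOKE_CONFIG = """
access-list to_hub permit ip 172.16.12.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list to_hub permit ip 172.16.12.0 255.255.255.0 192.168.0.0 255.255.255.0
crypto ipsec transform-set hubset esp-3des esp-md5-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address to_hub
crypto map outside_map 10 set peer 65.0.0.1
crypto map outside_map 10 set transform-set hubset
crypto map outside_map interface outside
isakmp key mykey address 65.0.0.1 netmask 255.255.255.255
"""


def parse_config(text):
    """Pull the IPsec-relevant lines of a PIX config into dicts."""
    cfg = {"acls": {}, "tsets": {}, "maps": {}, "keys": {}}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            cfg["acls"].setdefault(name, []).append(
                (IPv4Network(f"{src}/{smask}"), IPv4Network(f"{dst}/{dmask}")))
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            # Sorted so 'esp-3des esp-md5-hmac' and 'esp-md5-hmac esp-3des' compare equal.
            cfg["tsets"][m.group(1)] = tuple(sorted(m.group(2).split()))
            continue
        m = re.match(r"crypto map (\S+) (\d+) (.+)$", line)
        if m:
            entry = cfg["maps"].setdefault((m.group(1), int(m.group(2))), {})
            words = m.group(3).split()
            if words[0] == "match":      # match address <acl>
                entry["acl"] = words[2]
            elif words[0] == "set":      # set peer <ip> / set transform-set <name>
                entry[words[1]] = words[2]
            continue
        m = re.match(r"isakmp key (\S+) address (\S+) netmask (\S+)$", line)
        if m:
            cfg["keys"][m.group(2)] = m.group(1)
    return cfg


def entry_for_peer(cfg, peer_ip):
    """Return the crypto map entry on this box whose 'set peer' is peer_ip, else None."""
    for entry in cfg["maps"].values():
        if entry.get("peer") == peer_ip:
            return entry
    return None


def check_pair(hub_text, spoke_text, hub_ip, spoke_ip):
    """List the mismatches between the hub and spoke sides of one tunnel.

    Map names and sequence numbers are deliberately not compared: they only
    matter to the box they are configured on.
    """
    hub, spoke = parse_config(hub_text), parse_config(spoke_text)
    problems = []
    h = entry_for_peer(hub, spoke_ip)
    s = entry_for_peer(spoke, hub_ip)
    if h is None:
        problems.append(f"hub has no crypto map entry with 'set peer {spoke_ip}'")
    if s is None:
        problems.append(f"spoke has no crypto map entry with 'set peer {hub_ip}'")
    if problems:
        return problems
    # 1. The crypto ACLs must be mirror images of each other.
    hub_flows = set(hub["acls"].get(h.get("acl"), []))
    spoke_flows = set(spoke["acls"].get(s.get("acl"), []))
    if hub_flows != {(dst, src) for (src, dst) in spoke_flows}:
        problems.append("crypto ACLs are not mirror images of each other")
    # 2. Transform-set names are local, but the referenced proposals must match.
    h_ts = hub["tsets"].get(h.get("transform-set"))
    s_ts = spoke["tsets"].get(s.get("transform-set"))
    if h_ts is None or s_ts is None:
        problems.append("a crypto map references a transform-set that is not defined")
    elif h_ts != s_ts:
        problems.append(f"transform-set contents differ: hub={h_ts} spoke={s_ts}")
    # 3. The pre-shared key for the peer must exist and be identical on both sides.
    h_key, s_key = hub["keys"].get(spoke_ip), spoke["keys"].get(hub_ip)
    if h_key is None or h_key != s_key:
        problems.append("isakmp pre-shared keys are missing or do not match")
    return problems
```

Run `check_pair(HUB_CONFIG, SPOKE_CONFIG, "65.0.0.1", "65.0.0.2")` and an empty list means the two sides agree; deleting the spoke's `crypto ipsec transform-set` line (the omission reported later in this thread for the ASA) or dropping one of its ACL entries makes the corresponding mismatch show up, even though the map names and sequence numbers on the two boxes differ.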
ASKER
Excellent!
Is there a way to PM you? I have another open Q that I would like you to take a look at if possible.
Marek
ASKER
Thanks for looking at the other issue I had.
Marek
ASKER
Also, now that I look at the config you sent me... I don't need to have that on the hub PIX if I am running split tunnel on the remote site, correct?
access-list nat0_acl permit ip 172.16.10.0 255.255.255.0 172.16.12.0 255.255.255.0
Thanks again!
ASKER
Could running this command reset the current tunnels or disrupt current traffic?
crypto map mymap interface outside
ASKER
OK, all worked almost perfectly adding that remote site. I needed to make sure that the ASA has the following command up:
crypto ipsec transform-set myname-set esp-3des esp-md5-hmac