Cisco PIX 515E VPN

I am trying to add another peer VPN Cisco PIX to the config in the hub and spoke (many connect to one) architecture we have. Are these the only commands I need to execute on the hub PIX?

access-list mylistname permit ip 172.16.10.0 255.255.255.0 172.16.12.0 255.255.255.0
access-list mylistname permit ip 192.168.0.0 255.255.255.0 172.16.12.0 255.255.255.0

crypto map mymap 33 ipsec-isakmp
crypto map mymap 33 match address mylistname
crypto map mymap 33 set peer <remotePublicIP>
crypto map mymap 33 set transform-set myset-set

isakmp key mykey address <remotePublicIP> netmask 255.255.255.255

Is that all?

Thanks much!

Marek
maredzki asked:
lrmoore commented:
You also need to add them to the nat0 access-list
access-list nat0_acl permit ip 172.16.10.0 255.255.255.0 172.16.12.0 255.255.255.0
access-list nat0_acl permit ip 192.168.0.0 255.255.255.0 172.16.12.0 255.255.255.0

You might have to re-apply the crypto map to the interface after you add the new connection.
 
maredzki (author) commented:
Good to know, and how do you re-apply the crypto map on the interface? (I am assuming that is done on the external interface, correct?)
 
lrmoore commented:
Just re-enter the same command that is already there. Should be something like
crypto map mymap interface outside
 
maredzki (author) commented:
Ok, great! Do any of the policy or crypto map names need to be the same on both of the PIXes, or is it arbitrary as long as the IP addresses are set for the peers?

I.e., this is from the hub PIX; should I have crypto map 50 on the PIX in Pittston, the remote site?
crypto map lakehills 50 ipsec-isakmp
crypto map lakehills 50 match address pittston
crypto map lakehills 50 set peer 65.x.x.x
crypto map lakehills 50 set transform-set myset-set
 
lrmoore commented:
The policy names/priority numbers are only relevant to the local PIX.
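The thread above adds up to one procedure: exempt the new spoke's traffic from NAT, define the crypto ACL and crypto map entry, add the pre-shared key, and re-apply the map to the outside interface, with map names and sequence numbers chosen independently on each PIX. The following is an added example, not configuration from the original posts, that puts the hub side and the spoke side next to each other using the page's own names (lakehills, pittston, myset-set, nat0_acl, 65.x.x.x). The spoke map name "spokemap", its sequence 10, its ACL name "tohub", the placeholder <hubPublicIP> and the `isakmp policy 10` lines are assumptions; the hub is assumed to already have a matching transform set and isakmp policy, as the later posts indicate.

```cisco
! --- Hub PIX (lakehills): additions for the new spoke 172.16.12.0/24 ---
! NAT exemption so hub<->spoke packets keep their real addresses and
! can match the crypto ACL (nat0_acl is bound to inside by nat (inside) 0)
access-list nat0_acl permit ip 172.16.10.0 255.255.255.0 172.16.12.0 255.255.255.0
access-list nat0_acl permit ip 192.168.0.0 255.255.255.0 172.16.12.0 255.255.255.0
nat (inside) 0 access-list nat0_acl
! "Interesting traffic" for this tunnel only
access-list pittston permit ip 172.16.10.0 255.255.255.0 172.16.12.0 255.255.255.0
access-list pittston permit ip 192.168.0.0 255.255.255.0 172.16.12.0 255.255.255.0
! One entry per spoke; sequence 50 only has to be unique within map lakehills on this box
crypto map lakehills 50 ipsec-isakmp
crypto map lakehills 50 match address pittston
crypto map lakehills 50 set peer 65.x.x.x
crypto map lakehills 50 set transform-set myset-set
! Pre-shared key for exactly this peer (host mask)
isakmp key mykey address 65.x.x.x netmask 255.255.255.255
! Re-apply the map so the new entry is picked up (same command already in the config)
crypto map lakehills interface outside

! --- Spoke PIX (Pittston): its own names and sequence number (assumed) ---
! Only the peer addresses, the mirrored ACL contents, the transform set,
! the isakmp policy parameters and the pre-shared key must agree with the hub
access-list nat0_acl permit ip 172.16.12.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list nat0_acl permit ip 172.16.12.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nat0_acl
access-list tohub permit ip 172.16.12.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list tohub permit ip 172.16.12.0 255.255.255.0 192.168.0.0 255.255.255.0
! Transform set and phase-1 policy must exist on both ends with the same algorithms
! (3DES/MD5 is what the thread uses; both are legacy choices today)
crypto ipsec transform-set myset-set esp-3des esp-md5-hmac
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
crypto map spokemap 10 ipsec-isakmp
crypto map spokemap 10 match address tohub
crypto map spokemap 10 set peer <hubPublicIP>
crypto map spokemap 10 set transform-set myset-set
isakmp key mykey address <hubPublicIP> netmask 255.255.255.255
crypto map spokemap interface outside
isakmp enable outside

! --- Checks, on either box ---
show crypto map            ! entry present with the right ACL, peer and transform set
show crypto isakmp sa      ! phase 1 up for the new peer
show crypto ipsec sa       ! phase 2 SAs and encrypt/decrypt counters for the new subnets
write memory
```

Running `show crypto isakmp sa` immediately before and after re-entering `crypto map lakehills interface outside` on the hub shows whether the existing spoke tunnels were torn down by the re-apply, which is the disruption question raised later in the thread; if they were, they re-negotiate on the next packet that matches their crypto ACL.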
 
maredzki (author) commented:
Excellent!

Is there a way to PM you? I have another open Q that I would like you to take a look at if possible.

Marek
 
maredzki (author) commented:
Thanks for looking at the other issue I had.

Marek
 
maredzki (author) commented:
Also, now that I look at the config you sent me... I don't need to have that on the hub PIX if I am running split tunnel on the remote site, correct?
access-list nat0_acl permit ip 172.16.10.0 255.255.255.0 172.16.12.0 255.255.255.0

Thanks again!
 
maredzki (author) commented:
Could running this command reset the current tunnels or disrupt current traffic?

crypto map mymap interface outside
 
maredzki (author) commented:
OK, it all worked almost perfectly adding that remote site. I needed to make sure that the ASA had the following command in place:

crypto ipsec transform-set myname-set esp-3des esp-md5-hmac
