Solved

Cisco PIX 515E VPN

Posted on 2009-04-28
391 Views
Last Modified: 2012-05-06
I am trying to add another peer VPN cisco pix to the config in the hub and spoke (many connect to one) architecture we have. Are these the only commands I need to execute on the hub pix?

access-list mylistname permit ip 172.16.10.0 255.255.255.0 172.16.12.0 255.255.255.0
access-list mylistname permit ip 192.168.0.0 255.255.255.0 172.16.12.0 255.255.255.0

crypto map mymap 33 ipsec-isakmp
crypto map mymap 33 match address mylistname
crypto map mymap 33 set peer <remotePublicIP>
crypto map mymap 33 set transform-set myset-set

isakmp key mykey address <remotePublicIP> netmask 255.255.255.255

Is that all?

Thanks much!

Marek
Question by:maredzki
10 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 24256414
You also need to add them to the nat0 access-list
access-list nat0_acl permit ip 172.16.10.0 255.255.255.0 172.16.12.0 255.255.255.0
access-list nat0_acl permit ip 192.168.0.0 255.255.255.0 172.16.12.0 255.255.255.0

You might have to re-apply the crypto map to the interface after you add the new connection.
 
LVL 2

Author Comment

by:maredzki
ID: 24256468
Good to know, and how do you re-apply the crypto map on the interface (I am assuming that is done on the external interface, correct?)?
 
LVL 79

Expert Comment

by:lrmoore
ID: 24256481
Just re-enter the same command that is already there. Should be something like
crypto map mymap interface outside
 
LVL 2

Author Comment

by:maredzki
ID: 24256548
Ok, great! Do any of the policy or crypto map names need to be the same on both of the PIXs, or is it arbitrary as long as the IP addresses are set for the peers?

I.e. this is from the hub PIX; should I have crypto map 50 on the PIX in Pittston, the remote site?
crypto map lakehills 50 ipsec-isakmp
crypto map lakehills 50 match address pittston
crypto map lakehills 50 set peer 65.x.x.x
crypto map lakehills 50 set transform-set myset-set
 
LVL 79

Expert Comment

by:lrmoore
ID: 24256565
The policy names/priority numbers are only relevant to the local PIX.
 
LVL 2

Author Comment

by:maredzki
ID: 24256587
Excellent!

Is there a way to PM you? I have another open Q that I would like you to take a look at if possible.

Marek
 
LVL 2

Author Comment

by:maredzki
ID: 24269762
Thanks for looking at the other issue I had.

Marek
 
LVL 2

Author Comment

by:maredzki
ID: 24269798
Also, now that I look at the config you sent me... I don't need to have that on the hub PIX if I am running split tunnel on the remote site, correct?
access-list nat0_acl permit ip 172.16.10.0 255.255.255.0 172.16.12.0 255.255.255.0

Thanks again!
 
LVL 2

Author Comment

by:maredzki
ID: 24276536
Could running this command reset the current tunnels or disrupt current traffic?

crypto map mymap interface outside
 
LVL 2

Author Comment

by:maredzki
ID: 24296965
OK, everything worked almost perfectly when adding that remote site. I needed to make sure that the ASA had the following command:

crypto ipsec transform-set myname-set esp-3des esp-md5-hmac

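The two things that tripped up this thread were a crypto ACL without a mirrored nat0 exemption and a crypto map referencing a transform-set that was not defined. The following added example (not from the thread or from Cisco) is a small offline checker that parses a PIX-style config fragment and reports those gaps per crypto map entry, plus a missing isakmp key for the peer. The sample config is constructed; the nat0 ACL name nat0_acl comes from the accepted answer and the peer address is a documentation address.

```python
import re

# Constructed sample hub config: crypto ACL has two flows, nat0 mirrors only one,
# and the crypto map points at a transform-set that is never defined.
HUB_CONFIG = """
access-list mylistname permit ip 172.16.10.0 255.255.255.0 172.16.12.0 255.255.255.0
access-list mylistname permit ip 192.168.0.0 255.255.255.0 172.16.12.0 255.255.255.0
access-list nat0_acl permit ip 172.16.10.0 255.255.255.0 172.16.12.0 255.255.255.0
nat (inside) 0 access-list nat0_acl
crypto ipsec transform-set myset-set esp-3des esp-md5-hmac
crypto map mymap 33 ipsec-isakmp
crypto map mymap 33 match address mylistname
crypto map mymap 33 set peer 203.0.113.5
crypto map mymap 33 set transform-set other-set
crypto map mymap interface outside
isakmp key mykey address 203.0.113.5 netmask 255.255.255.255
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+ \S+ \S+ \S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)", re.M)

def parse_acls(config):
    """Return {acl_name: set of 'src mask dst mask' flow strings}."""
    acls = {}
    for line in config.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), set()).add(m.group(2))
    return acls

def check_spoke_entries(config, nat0_name="nat0_acl"):
    """For every crypto map sequence, report crypto-ACL flows with no matching
    nat0 exemption, an undefined transform-set, and a peer with no isakmp key."""
    acls = parse_acls(config)
    transform_sets = set(re.findall(r"^crypto ipsec transform-set (\S+)", config, re.M))
    keyed_peers = set(re.findall(r"^isakmp key \S+ address (\S+)", config, re.M))
    entries = {}
    for m in MAP_RE.finditer(config):
        entries.setdefault((m.group(1), m.group(2)), {})[m.group(3)] = m.group(4)
    problems = []
    for (cmap, seq), e in sorted(entries.items()):
        for flow in sorted(acls.get(e.get("match address"), set()) - acls.get(nat0_name, set())):
            problems.append(f"{cmap} {seq}: missing 'access-list {nat0_name} permit ip {flow}'")
        if e.get("set transform-set") not in transform_sets:
            problems.append(f"{cmap} {seq}: transform-set {e.get('set transform-set')!r} is not defined")
        if e.get("set peer") not in keyed_peers:
            problems.append(f"{cmap} {seq}: no isakmp key for peer {e.get('set peer')}")
    return problems

if __name__ == "__main__":
    for p in check_spoke_entries(HUB_CONFIG):
        print(p)
```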
