Cisco PIX 506E - How To: Configure New IPsec Tunnel via CLI

Hey folks,

I am brand new to Cisco and have no clue as to what I'm doing, but I really want to learn this. I apologize for my incorrect use of terminology in advance.

OBJECTIVE: My company has a Cisco PIX 506E and we need to set up an IPsec VPN Tunnel to one of our clients. It will be used to connect to them for remote access and support.

CONSIDERATIONS: I think the 506E will support 5 tunnels, currently there are 3 other tunnels that were setup by other people. I DO NOT want to break those! I also do not have the PDM, so this will have to be accomplished through the CLI.

1.) How do I determine if I have the available resources on the PIX to add another tunnel?
2.) How can I ensure that I will not break the other (3)?
3.) What information do I need from the remote client side? Their public IP, internal IP, and pre-shared key?
4.) What do I need to have from my side?
5.) Is there a step-by-step CLI guide that will walk me through the process of creating this new tunnel?

Thanks so much for your help!!!
Read this>
I hope this will be enough.
What you need from the other side is their public IP peer address and the set of addresses of computers included in the site-to-site VPN, which you will put in the access list. You should exchange information with the person who is working on the VPN on the partner side and agree with him on what the parameters for the SA (security association) and the crypto ipsec transform-set (what type of encryption) will be, and in the end exchange the pre-shared key with that person.
This is an example of how it should be:

access-list outside remark "your remark"
access-list outside line 1 permit ip host
access-list outside line 2 permit ip host
access-list outside line 3 permit ip host

access-list vpn3 line 1 remark "your remark"
access-list vpn3 line 2 permit tcp host host eq ftp
access-list vpn3 line 3 permit tcp host host eq 3389
access-list vpn3 line 4 permit tcp host host eq ssh

crypto ipsec transform-set set3 esp-3des esp-md5-hmac

crypto map yourmap 40 ipsec-isakmp
crypto map yourmap 40 match address vpn3
crypto map yourmap 40 set peer
crypto map yourmap 40 set transform-set set3
crypto map yourmap 40 set security-association lifetime seconds 3600 kilobytes 2560

isakmp enable outside

isakmp key xxxxxxxxxx address netmask no-xauth no-config-mode
You should fill in the blanks (xxxx) with your data. The first access-list is just to permit your PCs out; the second access-list is important because on the other side there should be an exactly matching list, otherwise the VPN tunnel will not work.
The number behind crypto map yourmap is used for debugging and you can put whatever number you want except those already used by your other 3 crypto maps.
Hope this will help you.
One more thing: in access-list vpn3 I've put some examples of permitted traffic; you should change that to the traffic you want to permit.
slandsaw (Author) commented:
Awesome document, thank you! What about the other items or are they a concern?

1.) How do I determine if I have the available resources on the PIX to add another tunnel? (i.e. enough available "tunnels")
2.) How can I ensure that I will not break the other (3)?

1.) I'm assuming I can replace "vpn3" and "yourmap" with different text?

 - We will be connecting to (2) servers on their side, preferably through VNC or RDP, and then remoting out to the various workstations from there, preferably with VNC or Dameware.

Our client has supplied the following info:


Phase=                  1 
Transport=              udp 
Address=       (MY PUBLIC IP)
ID=                     VPN-ID 
Configuration=          Main-Mode-3DES-SHA-GRP2 
Authentication=         CLIENTSUPPLIEDKEY

Phase=                  2 
ISAKMP-peer=            ISAKMP-peer-MYCOMPANY
Configuration=          Quick-Mode-ESP-3DES-SHA-PFS-GRP2 
Local-ID=               NET-THEIRCOMPANY 
Remote-ID=              NET-MYCOMPANY

ID-type=                IPV4_ADDR_SUBNET 


Depending on the software version of your PIX: in 6.1 and 6.2 the relevant limit is 5 VPN tunnels. In 6.3 the limit became 10. So you don't have to worry about that.
And yes, you can replace vpn3 and yourmap with the names you prefer. And if you won't reboot your PIX or delete its configuration, you will not break the other tunnels.
The port for VNC by default is tcp 5900, RDP is tcp 3389 and Dameware is, I think, tcp 6129.

Small correction: the PIX 506 should have 25 simultaneous VPN connections possible.
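To tie the thread together, here is an added worked example (not posted by anyone in this thread) that maps the client's supplied Phase 1 and Phase 2 parameters onto PIX 6.x CLI commands. Every value in CAPITALS (PEER_PUBLIC_IP, MY_LAN, THEIR_LAN, EXISTING_MAP_NAME, CLIENTSUPPLIEDKEY) is a placeholder that must be replaced with the real values; the access-list and transform-set names are my own choices. Two points worth checking before pasting anything: the client asked for SHA and PFS group 2 in Phase 2, so a transform-set using esp-md5-hmac (as in the earlier example) would fail Phase 2 negotiation, and the PIX binds only one crypto map to an interface, so the new tunnel should be added as a new, unused sequence number under the map name that is already applied to outside rather than as a second map, which would replace the existing one and take the other three tunnels down.

```cisco
! Added example, not from the thread: PIX 6.x site-to-site IPsec entry built from
! the client's stated parameters. CAPITALISED tokens are placeholders to replace.

! --- Step 0: inspect what is already configured before changing anything ---
! show isakmp policy      -> policy priorities already in use (pick an unused one)
! show crypto map         -> name of the map bound to "outside" and its sequence numbers
! show access-list        -> existing crypto ACL names (avoid reusing them)
! show isakmp sa          -> Phase 1 SAs currently up for the other three tunnels
! show crypto ipsec sa    -> Phase 2 SAs currently up

! --- Phase 1: Main-Mode-3DES-SHA-GRP2 with pre-shared key ---
isakmp enable outside
isakmp identity address
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
! Key is scoped to this peer only; no-xauth / no-config-mode because this is site-to-site
isakmp key CLIENTSUPPLIEDKEY address PEER_PUBLIC_IP netmask 255.255.255.255 no-xauth no-config-mode

! --- Interesting traffic: subnet to subnet (ID-type IPV4_ADDR_SUBNET), mirrored exactly on the client side ---
access-list vpn-client permit ip MY_LAN MY_LAN_MASK THEIR_LAN THEIR_LAN_MASK

! --- Exempt the tunnel traffic from NAT (an existing nonat ACL may already be in use) ---
access-list nonat permit ip MY_LAN MY_LAN_MASK THEIR_LAN THEIR_LAN_MASK
nat (inside) 0 access-list nonat

! --- Phase 2: Quick-Mode-ESP-3DES-SHA-PFS-GRP2 ---
crypto ipsec transform-set set-client esp-3des esp-sha-hmac
! New sequence number under the map already bound to "outside"; do not create a second map
crypto map EXISTING_MAP_NAME 40 ipsec-isakmp
crypto map EXISTING_MAP_NAME 40 match address vpn-client
crypto map EXISTING_MAP_NAME 40 set peer PEER_PUBLIC_IP
crypto map EXISTING_MAP_NAME 40 set transform-set set-client
crypto map EXISTING_MAP_NAME 40 set pfs group2
crypto map EXISTING_MAP_NAME 40 set security-association lifetime seconds 3600

! Only needed if not already present: lets decrypted tunnel traffic bypass the outside ACL
sysopt connection permit-ipsec

! Save the configuration; the tunnel comes up on the first packet sent towards THEIR_LAN
write memory
! Verify afterwards: show isakmp sa  /  show crypto ipsec sa
```

Because the map name and sequence number are the only things that differ from the entries the other three tunnels use, the existing SAs are not renegotiated when these lines are added; comparing the output of show crypto ipsec sa before and after is the quickest way to confirm that the other tunnels are untouched.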
