How to configure Ipsec Tunnel

Asked by pawanopensource
How to create an IPsec tunnel between FW1 (PIX) and FW2 (PIX)

1 - R1 is connected to PIX (FW1)

2 - R1 routes are pointed towards FW1
        ip route 0.0.0.0 0.0.0.0 1.1.1.2

3 - On R1, routes of 1.1.1.0 and 4.4.4.0 should be allowed through the IPsec tunnel.

4 - Routes of 3.3.3.0 should not be allowed through the IPsec tunnel.

##################################################################

Experts, please point me in the right direction on how to achieve this.
[Attachment: How-to-Create-Ipsec-Tunnel.jpg]
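Points 3 and 4 of the question come down to the crypto-map ACL on the PIX: only traffic that matches a permit entry of that ACL is pulled into the IPsec SA; a deny entry, or no match at all, means the packet follows the default route unencrypted rather than being dropped, and the peer's ACL must be the mirror image. The following Python model of that selection logic is an added example, not code from the thread or from Cisco; the remote network behind FW2 (10.0.0.0/24) and the exempted host 10.0.0.99 are constructed placeholders, since the thread never states what sits behind FW2.

```python
"""Model of how a PIX crypto-map ACL selects "interesting" traffic.

Added example, not from the original thread. The remote network behind FW2
(10.0.0.0/24) and the exempted host 10.0.0.99 are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List


@dataclass(frozen=True)
class CryptoAce:
    """One entry of a crypto ACL: permit = encrypt, deny = exclude from IPsec."""
    action: str
    src: IPv4Network
    dst: IPv4Network

    def matches(self, src_ip: IPv4Address, dst_ip: IPv4Address) -> bool:
        return src_ip in self.src and dst_ip in self.dst


REMOTE_NET = IPv4Network("10.0.0.0/24")  # constructed: LAN behind FW2

# Networks reachable behind R1 according to the posted R1 interfaces.
R1_NETS = [IPv4Network("1.1.1.0/24"), IPv4Network("3.3.3.0/24"),
           IPv4Network("4.4.4.0/24")]

# Crypto ACL on FW1, in configuration order (first match wins). 3.3.3.0/24 is
# simply absent, so it is never encrypted. The deny entry (constructed) shows
# how a single destination can be carved out of an otherwise protected flow.
CRYPTO_ACL: List[CryptoAce] = [
    CryptoAce("deny", IPv4Network("1.1.1.0/24"), IPv4Network("10.0.0.99/32")),
    CryptoAce("permit", IPv4Network("1.1.1.0/24"), REMOTE_NET),
    CryptoAce("permit", IPv4Network("4.4.4.0/24"), REMOTE_NET),
]


def classify(acl: List[CryptoAce], src: str, dst: str) -> str:
    """Return 'encrypt' if the packet enters the tunnel, else 'clear'."""
    src_ip, dst_ip = IPv4Address(src), IPv4Address(dst)
    for ace in acl:
        if ace.matches(src_ip, dst_ip):
            return "encrypt" if ace.action == "permit" else "clear"
    return "clear"  # implicit: no match means no IPsec, route normally


def mirror(acl: List[CryptoAce]) -> List[CryptoAce]:
    """Derive the peer's crypto ACL: same entries with src and dst swapped."""
    return [CryptoAce(a.action, a.dst, a.src) for a in acl]


def check_mirror(local: List[CryptoAce], remote: List[CryptoAce]) -> bool:
    """True when the two peers' crypto ACLs are exact mirror images."""
    return mirror(local) == remote


def unprotected_sources(acl: List[CryptoAce],
                        local_nets: List[IPv4Network]) -> List[IPv4Network]:
    """Local networks that no permit entry covers, i.e. that leave in the clear."""
    return [n for n in local_nets
            if not any(a.action == "permit" and n.subnet_of(a.src) for a in acl)]


if __name__ == "__main__":
    for src, dst in [("1.1.1.1", "10.0.0.5"), ("4.4.4.4", "10.0.0.5"),
                     ("3.3.3.3", "10.0.0.5"), ("1.1.1.1", "10.0.0.99"),
                     ("1.1.1.1", "2.2.2.2")]:
        print(f"{src:>9} -> {dst:<10} {classify(CRYPTO_ACL, src, dst)}")
    print("unprotected:", [str(n) for n in unprotected_sources(CRYPTO_ACL, R1_NETS)])
    print("FW2 mirror ok:", check_mirror(CRYPTO_ACL, mirror(CRYPTO_ACL)))
```

The useful check here is `unprotected_sources`: run against the networks behind R1 it reports exactly the subnets that will bypass the tunnel, which is how you confirm that 3.3.3.0/24 stays out while 1.1.1.0/24 and 4.4.4.0/24 are protected. Traffic between the two firewalls themselves (1.1.1.1 to 2.2.2.2) also classifies as clear, which is expected: the peers' own addresses are never inside the crypto ACL.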
ASKER CERTIFIED SOLUTION by 602650528 (United Kingdom) and a second SOLUTION: available to Experts Exchange members only.

pawanopensource (ASKER):
I have configured R1, FW1 and FW2. The problem I am facing:

From R1 I can't ping 2.2.2.1 (FW1 e1).

From FW2 I can't ping 1.1.1.2 (FW1 e0).

Below is the config I have done on R1, FW1 and FW2.

###################################################################



R1#interface Ethernet0/0
 ip address 1.1.1.1 255.255.255.0
 half-duplex
!
R1#interface Ethernet0/1
 ip address 3.3.3.3 255.255.255.0
 half-duplex
!
R1#interface Ethernet0/2
 ip address 4.4.4.4 255.255.255.0
 half-duplex
!
R1#ip route 0.0.0.0 0.0.0.0 1.1.1.2



##############################################################


FW1#interface Ethernet0
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.0
!
FW1#interface Ethernet1
 nameif inside
 security-level 100
 ip address 2.2.2.1 255.255.255.0


FW1#route outside 0.0.0.0 0.0.0.0 1.1.1.1 1


#######################################################################


FW2#interface Ethernet0
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.255.255.0

FW2#route outside 0.0.0.0 0.0.0.0 2.2.2.1 1

##########################################################################

Thanks.

I think you got it all mixed together and you obviously didn't read the link I sent you. You have configured interface e0 of FW2 as the outside interface, but you are connecting it to interface e1 of FW1, which you have incorrectly configured as the inside interface. The correct thing you need to do is:

FW1 E0 is the inside interface and the security level should be 0
FW1 E1 is the outside interface and the security level should be 100
FW2 E0 is the outside interface and the security level should be 100

Also spare just 5 minutes to read the link I sent you, for your own education. It is easy to copy and paste what we type here and it works, but you haven't learnt anything.
OK, done the changes according to you. R1 is able to ping the inside interface, i.e. E0 of FW1, but R1 is not able to ping the outside interface (E1) of FW1.

My dear friend, from googling I came to know that by default the PIX's outside interface never replies to ping. I think we have to allow ICMP for the outside interface through an ACL in FW1.

Yes, ICMP is not allowed by default; only TCP is allowed by default. As you said, you need to permit the ICMP protocol.