01-18-2007 12:58 PM - edited 03-11-2019 02:21 AM
we have a vpn on PIX515E, and now I need to set up another VPN with an outside peer. However, when I configure the PIX, I use the following command:
isakmp key <Keystring> address A.B.C.D [netmask mask]. However, after I type in this, the previous command for the existing peer just disappeared. Can the isakmp key command only be used once?
The same thing happened when I use the command: crypto map MapName interface outside.
I really don't know PIX much, thanks for your help in advance.
01-18-2007 02:59 PM
HI .. you can definitely have more than one peer (check your licence) .. the crypto map you can attach to an interface is only one .. but you can create policy numbers to identify the different peers.
Please see the below example for two peers ..
crypto ipsec transform-set AWU_Transform ah-sha-hmac esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer x.x.x.x
crypto map outside_map 20 set transform-set AWU_Transform
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set pfs group2
crypto map outside_map 40 set peer y.y.y.y
crypto map outside_map 40 set transform-set AWU_Transform
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address y.y.y.y netmask 255.255.255.255
access-list outside_cryptomap_20 permit ip 192.101.1.0 255.255.255.0 Rock 255.255.255.0
access-list outside_cryptomap_40 permit ip 192.101.1.0 255.255.255.0 MtIsa 255.255.255.0
I hope it helps .. please rate it if it does !!!
01-19-2007 07:04 AM
The current configuration is as follows:
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set myset ah-md5-hmac esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set peer 216.66.124.140
crypto dynamic-map dynmap 10 set transform-set ESP-DES-MD5 ESP-DES-SHA myset
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 216.66.124.140
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
If I follow your advice, I need to define another entry for crypto map other than 65535. However, every time I add one, our internal network loses access to the Internet. Is there anything special about seq-num 65535?
01-19-2007 10:49 AM
My current configuration is as follows:
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set myset ah-md5-hmac esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 match address 102
crypto dynamic-map dynmap 10 set peer 47.234.0.60
crypto dynamic-map dynmap 10 set transform-set ESP-DES-MD5 ESP-DES-SHA myset
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 47.234.0.60 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
nat (inside) 0 access-list 102
access-list 102 permit ip host 207.1.44.59 host 198.206.164.1
but it's not working properly. Can anybody help me out with this problem?
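The reply above lays out the structure a multi-peer PIX configuration needs (one crypto map bound to the interface, a separate sequence number per static peer, each with its own "match address", "set peer" and a matching "isakmp key"), and the two configurations posted afterwards are the kind of thing one would check against that structure before troubleshooting further. The script below is an added example, not code from the thread or from Cisco: it parses the PIX 6.x command subset that appears in these posts and reports entries that break the pattern (a static peer without an isakmp key, a static entry without an ACL, a key no peer uses, more than one map bound to one interface) and transform-sets that still use DES or MD5. The sample configuration is constructed for the example (documentation address ranges, made-up key strings) and deliberately contains one peer without a key so the audit has something to find.

```python
"""Audit a PIX 6.x-style crypto configuration for multi-peer consistency.

Added example (not from the forum thread). Handles only the command
forms seen in the posts:
  crypto ipsec transform-set <name> <transform>...
  crypto map <name> <seq> ipsec-isakmp [dynamic <dynmap>]
  crypto map <name> <seq> set peer <ip> | match address <acl> | set transform-set <ts>...
  crypto map <name> interface <ifname>
  crypto dynamic-map <name> <seq> set peer <ip> | set transform-set <ts>...
  isakmp key <key> address <ip> [netmask <mask>]
"""
from collections import defaultdict

# Constructed sample, modelled on the two-peer layout in the reply.
# Peer 192.0.2.20 intentionally has no "isakmp key" line and no ACL.
SAMPLE_CONFIG = """\
crypto ipsec transform-set STRONG esp-aes-256 esp-sha-hmac
crypto ipsec transform-set WEAK esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set STRONG
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 192.0.2.10
crypto map outside_map 20 set transform-set STRONG
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 set peer 192.0.2.20
crypto map outside_map 40 set transform-set WEAK
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
isakmp enable outside
isakmp key secret1 address 192.0.2.10 netmask 255.255.255.255
isakmp key secret3 address 203.0.113.5 netmask 255.255.255.255
"""

# Transforms worth flagging in a modern review (DES and MD5 based).
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac", "ah-md5-hmac"}


def _apply(entry, rest):
    """Record one sub-command of a crypto map / dynamic-map entry."""
    if rest[:1] == ["ipsec-isakmp"]:
        # "ipsec-isakmp dynamic <dynmap>" makes the entry a dynamic one
        entry["dynamic"] = len(rest) >= 3 and rest[1] == "dynamic"
    elif rest[:2] == ["set", "peer"]:
        entry["peer"] = rest[2]
    elif rest[:2] == ["match", "address"]:
        entry["acl"] = rest[2]
    elif rest[:2] == ["set", "transform-set"]:
        entry["tsets"] = rest[2:]


def parse_config(text):
    """Return the crypto objects the audit needs, keyed as described inline."""
    cfg = {
        "entries": {},                 # (map name, seq) -> entry dict
        "bindings": defaultdict(set),  # interface -> {crypto map names}
        "keys": {},                    # peer address -> netmask or None
        "transform_sets": {},          # name -> [transforms]
    }
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 4:
            continue
        if t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"][t[3]] = t[4:]
        elif t[:2] == ["crypto", "map"] and t[3] == "interface" and len(t) > 4:
            cfg["bindings"][t[4]].add(t[2])
        elif t[:2] == ["crypto", "map"] and t[3].isdigit():
            _apply(cfg["entries"].setdefault((t[2], int(t[3])), {}), t[4:])
        elif t[:2] == ["crypto", "dynamic-map"] and t[3].isdigit():
            key = ("dynamic-map " + t[2], int(t[3]))
            _apply(cfg["entries"].setdefault(key, {"template": True}), t[4:])
        elif t[:2] == ["isakmp", "key"] and t[3] == "address" and len(t) > 4:
            cfg["keys"][t[4]] = t[6] if len(t) > 6 and t[5] == "netmask" else None
    return cfg


def audit(cfg):
    """Return a list of human-readable findings (empty list means clean)."""
    findings = []
    referenced = set()
    for (name, seq), e in sorted(cfg["entries"].items()):
        peer = e.get("peer")
        static = not e.get("template") and not e.get("dynamic")
        if peer:
            referenced.add(peer)
            if peer not in cfg["keys"]:
                findings.append(f"{name} seq {seq}: peer {peer} has no isakmp key")
        if static and not peer:
            findings.append(f"{name} seq {seq}: static entry without 'set peer'")
        if static and not e.get("acl"):
            findings.append(f"{name} seq {seq}: static entry without 'match address'")
        for ts in e.get("tsets", []):
            weak = WEAK_TRANSFORMS & set(cfg["transform_sets"].get(ts, []))
            if weak:
                findings.append(f"{name} seq {seq}: transform-set {ts} uses "
                                + ", ".join(sorted(weak)))
    for peer in cfg["keys"]:
        if peer not in referenced:
            findings.append(f"isakmp key for {peer} is not used by any crypto map peer")
    for iface, maps in cfg["bindings"].items():
        if len(maps) > 1:  # PIX binds a single crypto map per interface
            findings.append(f"interface {iface}: {len(maps)} crypto maps bound "
                            f"({', '.join(sorted(maps))}); only one can be active")
    return findings


if __name__ == "__main__":
    for line in audit(parse_config(SAMPLE_CONFIG)):
        print(line)
```

Run it against a "show run" dump saved to a file by reading the file into parse_config instead of SAMPLE_CONFIG; on the sample it reports the missing key and missing ACL for sequence 40, the DES/MD5 transform-set, and the unused key for 203.0.113.5.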