Configuration on PIX515E

philipsyao
Level 1

we have a vpn on PIX515E, and now I need to set up another VPN with an outside peer. However, when I configure the PIX, I use the following command:

isakmp key <Keystring> address A.B.C.D [netmask mask]. However, after I type in this, the previous command for the existing peer just disappeared. Can the isakmp key command only be used once?

The same thing happened when I use the command: crypto map MapName interface outside.

I really don't know PIX much, thanks for your help in advance.

3 Replies

Fernando_Meza
Level 7

Hi .. you can definitely have more than one peer (check your licence) .. the crypto map you can attach to an interface is only one .. but you can create policy numbers to identify the different peers.

Please see the below example for two peers ..

crypto ipsec transform-set AWU_Transform ah-sha-hmac esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer x.x.x.x
crypto map outside_map 20 set transform-set AWU_Transform
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set pfs group2
crypto map outside_map 40 set peer y.y.y.y
crypto map outside_map 40 set transform-set AWU_Transform
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address y.y.y.y netmask 255.255.255.255
access-list outside_cryptomap_20 permit ip 192.101.1.0 255.255.255.0 Rock 255.255.255.0
access-list outside_cryptomap_40 permit ip 192.101.1.0 255.255.255.0 MtIsa 255.255.255.0

I hope it helps .. please rate it if it does !!!
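As an added check (example code written for this page, not part of the thread or of any Cisco tool), a small Python audit of the rules this reply describes: only one crypto map bound per interface, and for each static sequence number a match address, a peer and a transform-set, with an isakmp key for every peer. The sample configuration is constructed with TEST-NET addresses and deliberately breaks each rule once.

```python
import re
from collections import defaultdict

# Constructed sample (TEST-NET addresses, not from the thread): seq 40 lacks a
# match address, peer 192.0.2.20 has no isakmp key, two maps bound to outside.
SAMPLE_CONFIG = """
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 192.0.2.10
crypto map outside_map 20 set transform-set AWU_Transform
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 set peer 192.0.2.20
crypto map outside_map 40 set transform-set AWU_Transform
crypto map outside_map interface outside
crypto map other_map interface outside
isakmp key ******** address 192.0.2.10 netmask 255.255.255.255
"""

def audit_crypto_maps(config: str):
    entries = defaultdict(dict)   # (map name, seq) -> attributes seen for that entry
    bound = defaultdict(list)     # interface -> crypto maps bound to it
    keyed_peers = set()           # peer addresses that have an isakmp key
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"crypto map (\S+) (\d+) (.+)", line):
            name, seq, rest = m.groups()
            entry, words = entries[(name, int(seq))], rest.split()
            if rest.startswith("match address "):
                entry["acl"] = words[2]
            elif rest.startswith("set peer "):
                entry["peer"] = words[2]
            elif rest.startswith("set transform-set "):
                entry["tset"] = words[2:]
            elif rest.startswith("ipsec-isakmp dynamic "):
                entry["dynamic"] = True   # peer and ACL come from the dynamic map
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            bound[m.group(2)].append(m.group(1))
        elif m := re.match(r"isakmp key \S+ address (\S+)", line):
            keyed_peers.add(m.group(1))
    findings = []   # empty list means every check passed
    for (name, seq), e in sorted(entries.items()):
        if not e.get("dynamic"):          # dynamic entries are checked via their dynamic map
            for attr, cmd in (("acl", "match address"), ("peer", "set peer"), ("tset", "set transform-set")):
                if attr not in e:
                    findings.append(f"{name} {seq}: missing '{cmd}'")
            if "peer" in e and e["peer"] not in keyed_peers:
                findings.append(f"{name} {seq}: no isakmp key for peer {e['peer']}")
    for iface, maps in bound.items():
        if len(maps) > 1:
            findings.append(f"interface {iface}: {len(maps)} crypto maps bound, only one allowed")
    return findings
```

Running `audit_crypto_maps(SAMPLE_CONFIG)` reports the three constructed problems; paste a `show run` crypto section in its place to check a real box.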

The current configuration is as follows:

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set myset ah-md5-hmac esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set peer 216.66.124.140
crypto dynamic-map dynmap 10 set transform-set ESP-DES-MD5 ESP-DES-SHA myset
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 216.66.124.140
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

If I follow your advice, I need to define another entry for crypto map other than 65535. However, every time I add one, our internal network will lose the access to the Internet. Is there anything special about seq-num 65535?

My current configuration is as follows:

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set myset ah-md5-hmac esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 match address 102
crypto dynamic-map dynmap 10 set peer 47.234.0.60
crypto dynamic-map dynmap 10 set transform-set ESP-DES-MD5 ESP-DES-SHA myset
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 47.234.0.60 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
nat (inside) 0 access-list 102
access-list 102 permit ip host 207.1.44.59 host 198.206.164.1

but it's not working properly. Can anybody help me out with this problem?
