01-21-2003 10:50 AM - edited 02-21-2020 12:17 PM
I have 3 firewalls in 3 locations. The 515e is the main one that all the other locations need to connect to via VPN. I have one VPN working between a 501 and the 515e, and need to get the next one running as well.
So here's my current VPN config; the complication is that this is my first multiple-VPN setup.
515e:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
names
name x.x.71.8 ConstOffice
access-list acl_outbound permit ip host 192.168.50.10 any
access-list acl_outbound permit ip host 192.168.50.75 any
access-list acl_outbound permit ip host 192.168.50.201 any
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq smtp
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq pop3
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list inside_nat0_outbound permit ip host x.x.71.7 192.168.51.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host ConstOffice
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host 65.40.81.11
access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound permit ip host x.x.71.7 192.168.52.0 255.255.255.0
access-list inside_nat0_outbound permit ip host x.x.81.11 192.168.50.0 255.255.255.0
access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
icmp permit any outside
icmp permit any inside
ip address outside pppoe setroute
ip address inside 192.168.50.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
global (outside) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 192.168.50.0 255.255.255.0 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address inside_nat0_outbound
crypto map vpn1 10 set pfs group2
crypto map vpn1 10 set peer ConstOffice
crypto map vpn1 10 set transform-set myset
crypto map vpn1 20 ipsec-isakmp
crypto map vpn1 20 match address 101
crypto map vpn1 20 set pfs group2
crypto map vpn1 20 set peer x.x.81.11
crypto map vpn1 20 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address ConstOffice netmask 255.255.255.255
isakmp key ******** address x.x.81.11 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet ConstOffice 255.255.255.255 outside
telnet 192.168.51.0 255.255.255.0 outside
telnet 192.168.52.0 255.255.255.0 outside
telnet x.x.81.11 255.255.255.255 outside
telnet 192.168.50.201 255.255.255.255 inside
telnet 192.168.50.202 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
501e:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 host x.x.71.7
access-list inside_nat0_outbound permit ip host x.x.81.11 192.168.50.0 255.255.255.0
access-list acl_outbound permit ip 192.168.52.0 255.255.255.0 any
access-list acl_inbound permit ip host x.x.71.7 any
interface ethernet0 10baset
interface ethernet1 10full
ip address outside x.x.81.11 255.0.0.0
ip address inside 192.168.52.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.52.0 255.255.255.0 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 9 ipsec-isakmp
crypto map vpn1 9 match address inside_nat0_outbound
crypto map vpn1 9 set pfs group2
crypto map vpn1 9 set peer x.x.71.7
crypto map vpn1 9 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address x.x.81.11 netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet 192.168.50.0 255.255.255.0 outside
telnet x.x.71.7 255.255.255.255 outside
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:f4e78a76793783478f6e56f567e1f9cd
: end
So I must be missing something to get multiple VPNs up.
My debug info from the 515 is as follows:
ISAKMP (0): beginning Quick Mode exchange, M-ID of 299217336:11d5b1b8
crypto_isakmp_process_block: src x.x.81.11, dest x.x.71.7
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 299217336
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-SHA
ISAKMP: group is 2
ISAKMP (0): atts are acceptable.
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block: src x.x.81.11, dest x.x.71.7
ISAKMP (0): processing DELETE payload. message ID = 2059037963
ISAKMP (0): deleting SA: src x.x.71.7, dst x.x.81.11
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0x813d3688, conn_id = 0
ISADB: reaper checking SA 0x813d65c8, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:x.x.81.11 Ref cnt decremented to:0 Total VPN Peers:2
VPN Peer: ISAKMP: Deleted peer: ip:x.x.81.11 Total VPN peers:1
ISADB: reaper checking SA 0x813d3688, conn_id = 0
Thx,
Dave
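An added diagnostic, not from the thread or from Cisco: it parses the crypto-relevant lines of the 515e config above (a constructed excerpt, with the peer kept as the x.x.81.11 placeholder Dave used) and replays the responder's crypto map lookup for the 501e's Quick Mode proposal, 192.168.52.0/24 to 192.168.50.0/24. It assumes the PIX tries crypto map entries in sequence-number order and takes the first crypto ACL that permits the flow, so it shows what happens when the nat 0 list that entry 10 reuses as its crypto ACL also permits the 192.168.52.0/24 traffic that entry 20 is meant to carry.

```python
import ipaddress

# Constructed excerpt of the 515e config posted above (peer x.x.81.11 kept as Dave wrote it).
PIX_CONFIG = """
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
crypto map vpn1 10 match address inside_nat0_outbound
crypto map vpn1 10 set peer ConstOffice
crypto map vpn1 20 match address 101
crypto map vpn1 20 set peer x.x.81.11
"""

def _take(tokens):
    # Consume one PIX address spec: "host A" or "A MASK".
    tok = tokens.pop(0)
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse(config):
    # Returns ({acl: [(src_net, dst_net), ...]}, {seq: {"acl": name, "peer": addr}}).
    acls, maps = {}, {}
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            rest = t[4:]
            acls.setdefault(t[1], []).append((_take(rest), _take(rest)))
        elif t[:2] == ["crypto", "map"] and t[4:6] in (["match", "address"], ["set", "peer"]):
            maps.setdefault(int(t[3]), {})["acl" if t[4] == "match" else "peer"] = t[6]
    return acls, maps

def select_entry(acls, maps, src, dst):
    # The first crypto map entry (by sequence number) whose ACL permits src -> dst owns the flow.
    for seq in sorted(maps):
        for src_net, dst_net in acls.get(maps[seq].get("acl"), []):
            if src in src_net and dst in dst_net:
                return seq, maps[seq].get("peer")
    return None

def check_proposal(config, peer, local_net, remote_net):
    # Responder-side lookup for a Quick Mode proposal from `peer` covering local_net <-> remote_net.
    acls, maps = parse(config)
    hit = select_entry(acls, maps, ipaddress.ip_network(local_net)[1], ipaddress.ip_network(remote_net)[1])
    if hit is None:
        return "no crypto map entry matches"
    seq, owner = hit
    if owner == peer:
        return f"ok: entry {seq} carries this traffic to {peer}"
    return f"entry {seq} matches first but its peer is {owner}, not {peer}"
```

Run against the proposal in the debug output, the lookup lands on entry 10 (peer ConstOffice) before entry 20 is ever consulted, which is the situation behind a proposal being invalidated by IPsec policy even though the transform attributes were acceptable.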
01-31-2003 03:03 PM
OK, well, if someone put it that way and I didn't interpret it properly, I apologize. I'm used to switches and some routing; this is my first set of PIXes. Again, I greatly appreciate all of your help, guys.
Dave
01-31-2003 05:03 PM
At any rate...CONGRATS and I am glad it is over for you!!!
Until next time...