
Adding an extra VPN tunnel to a PIX515

jamescork
Level 1

Hi,

I've already built a VPN connection between my head office and our first branch office between two PIX 515s.

I assumed adding another would mean little more than repeating the set up of my first tunnel but with new identifiers for the isakmp policy, access-list and crypto map.

Consequently, I issue these commands:

isakmp policy 9 authentication pre-share

isakmp policy 9 encrypt des

crypto isakmp key cisco1234 address some.public.ip.address

crypto ipsec transform-set strong esp-des esp-sha-hmac

access-list crossvpn permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0

nat 0 access-list crossvpn

crypto map tootherpix 20 ipsec-isakmp

crypto map tootherpix 20 match address crossvpn

crypto map tootherpix 20 set transform-set strong

crypto map tootherpix 20 set peer some.public.ip.address

And all is fine; however, the moment I issue:

crypto map tootherpix interface outside

The original tunnel drops and the running-config shows that the line:

crypto map originallink interface outside

has disappeared, which I assume is the reason.

How can I get multiple end points on one PIX?

1 Accepted Solution


mostiguy
Level 6

You can only have one map per interface.

What you want:

1. A unified ACL for all no natting - must have lines for all sites for which there are tunnels

2. Unique ACLs for each site for crypto ACL purposes, aka access-list siteA, access-list siteB, etc.

3.

crypto map xxxxx 5 match address siteA

crypto map xxxxx 5 set peer site.a.ip.here

crypto map xxxxx 10 match address siteB

crypto map xxxxx 10 set peer site.b.ip.here

crypto map xxxxx interface outside

isakmp key ***** address site.a.ip.here netmask 255.255.255.255

isakmp key ***** address site.b.ip.here netmask 255.255.255.255

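As an added example (not part of the thread or any Cisco tool), a small Python audit that reads a PIX 6.x-style config and flags the three things this answer is about: crypto map entries whose map name is never bound to an interface (what happened to the poster's originallink map when the second map took the outside interface), crypto ACL flows that are missing from the nat 0 exemption ACL, and peers that have no isakmp key. The config it parses is constructed for the example and uses the command syntax shown in the answer.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed sample config (not from the thread) with the three mistakes the audit
# flags: 'originallink' never bound, nat 0 ACL missing site B's flow, no key for site B.
SAMPLE_CONFIG = """
access-list nonat permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list siteA permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list siteB permit ip 192.168.0.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map originallink 10 match address siteA
crypto map originallink 10 set peer 198.51.100.1
crypto map tootherpix 20 match address siteB
crypto map tootherpix 20 set peer 198.51.100.2
crypto map tootherpix interface outside
isakmp key ***** address 198.51.100.1 netmask 255.255.255.255
"""
NAT0_RE = re.compile(r"^nat(?: \(\S+\))? 0 access-list (\S+)")  # 'nat 0 ...' or 'nat (inside) 0 ...'
net = lambda addr, mask: ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit(config):
    """Return a list of findings; an empty list means the crypto map setup is consistent."""
    acls, entries, bound = defaultdict(list), defaultdict(dict), {}
    nonat, keys = set(), set()
    for line in config.splitlines():
        w = line.split()
        m = NAT0_RE.match(line)
        if m:
            nonat.add(m.group(1))
        elif w[:1] == ["access-list"] and w[2:4] == ["permit", "ip"] and len(w) == 8:
            acls[w[1]].append((net(w[4], w[5]), net(w[6], w[7])))
        elif w[:2] == ["crypto", "map"] and w[3:4] == ["interface"]:
            bound[w[2]] = w[4]                     # map name -> interface it is applied to
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["match", "address"]:
            entries[(w[2], w[3])]["acl"] = w[6]    # (map, seq) -> crypto ACL
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["set", "peer"]:
            entries[(w[2], w[3])]["peer"] = w[6]   # (map, seq) -> remote peer
        elif w[:2] == ["isakmp", "key"] and w[3:4] == ["address"]:
            keys.add(w[4])                         # peers that have a pre-shared key
    exempt = [flow for name in nonat for flow in acls[name]]  # flows excluded from NAT
    findings = []
    for (name, seq), e in sorted(entries.items()):
        if name not in bound:  # one map per interface: a second map name displaces the first
            findings.append(f"crypto map {name} is not bound to any interface")
        for src, dst in acls.get(e.get("acl"), []):
            if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in exempt):
                findings.append(f"{name} {seq}: {src} -> {dst} is not exempt from NAT (nat 0)")
        if "peer" in e and e["peer"] not in keys:
            findings.append(f"{name} {seq}: no isakmp key for peer {e['peer']}")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the unbound originallink map, the site B flow missing from the nat 0 ACL and the missing key for the site B peer; moving both entries under one map name and adding the missing ACL line and key makes the list empty.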

3 Replies

Thanks for that, seems blindingly obvious in hindsight.

The tunnel is up and whilst I can ping hosts on either side - I can't seem to get any other traffic through. My nonat ACL and crossvpn ACL are active otherwise I assume I would not be able to ping over the tunnel and they both specify "ip" as the data type.

Any thoughts on what could be missing?

Sorted, so busy looking at the tunnel...I forgot to add the change required to my inside_in ACL!

Thanks for your help!