353 Views | 0 Helpful | 1 Reply

My attempt to configure PTM PIX VPN

eudechime (Level 1)

Hi all,

I am trying to tunnel multiple PIX VPNs to one PIX. I got choked on how to configure point-to-multipoint PIX-to-PIX VPN (IPsec, SHA, 3DES).

The problem is how I can configure PIX1 to accept IPsec tunnels from the other three. I know that the other three PIXes need to have the same config.

Drawing:

                      |----- Pix2 (10.2.1.1)
10.20.22.84 ---- Pix1 |----- Pix3 (10.3.1.1)
                      |----- Pix4 (10.4.1.1)

Here is my confused configuration

access-list 101 permit ip 10.20.22.84 255.255.255.255 10.2.1.1 255.255.255.0
access-list 101 permit ip 10.20.22.84 255.255.255.255 10.3.1.1 255.255.255.0
access-list 101 permit ip 10.20.22.84 255.255.255.255 10.4.1.1 255.255.255.0
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
isakmp enable outside
isakmp identity address
isakmp disable ethernet1
isakmp disable ethernet2
isakmp disable ethernet3
crypto map engineering interface outside
crypto map engineering 10 match address 101
crypto map engineering 10 set peer 10.4.1.1
crypto map engineering 10 set peer 10.3.1.1
crypto map engineering 10 set peer 10.2.1.1
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 authentication pre-share
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
crypto ipsec transform-set Head esp-3des esp-sha-hmac
crypto map Head 10 ipsec-isakmp
match address 101
set transform-set Head
crypto ipsec security-association lifetime 3600
vpngroup vpn address-pool ippool
vpngroup vpn dns-server X.X.X.X
vpngroup vpn wins-server X.X.X.X
vpngroup vpn default-domain Next_Kins.com
vpngroup vpn idle-time 1800
vpngroup vpn password ********
vpngroup vpn split-tunnel 101
telnet timeout 5
ssh timeout 5
terminal width 80

Platform: PIX 520, software 5.1(2)

Thanks for your help.

Elias

1 Reply

ssoberlik (Level 4)

Try doing it the following way:

crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer 10.4.1.1
crypto map newmap 10 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 110
crypto map newmap 20 set peer 10.3.1.1
crypto map newmap 20 set transform-set myset
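An added example, not code from either post: a small Python generator for the hub (PIX1) side that emits one crypto map entry, one crypto ACL and one pre-shared key per spoke, plus two checks that flag the two things in the question's config that defeat a hub-and-spoke setup: three "set peer" lines under a single crypto map sequence number, and crypto ACL destinations written as the peer's host address (10.2.1.1) with a /24 mask instead of the network address. The map name "newmap" and transform set "myset" are taken from the reply; the spoke inside networks (10.x.1.0/24) and the pre-shared keys are assumptions, since the thread gives only each spoke's outside address.

```python
"""Generate and sanity-check a hub-and-spoke PIX IPsec configuration.

Added example for the thread above; not the poster's or replier's code.
Spoke inside networks and pre-shared keys are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# The only source address the poster used in access-list 101 (one host behind PIX1).
HUB_INSIDE = "10.20.22.84 255.255.255.255"


@dataclass
class Spoke:
    name: str
    peer: str     # spoke's outside (ISAKMP peer) address, from the thread
    inside: str   # "network mask" behind the spoke: ASSUMED, not given in the thread
    psk: str      # per-peer pre-shared key: PLACEHOLDER; never share one key across peers


SPOKES = [
    Spoke("pix2", "10.2.1.1", "10.2.1.0 255.255.255.0", "REPLACE_ME_pix2"),
    Spoke("pix3", "10.3.1.1", "10.3.1.0 255.255.255.0", "REPLACE_ME_pix3"),
    Spoke("pix4", "10.4.1.1", "10.4.1.0 255.255.255.0", "REPLACE_ME_pix4"),
]


def hub_config(spokes: List[Spoke], map_name: str = "newmap", ts: str = "myset") -> str:
    """Hub (PIX1) config: one crypto map entry and one crypto ACL per spoke."""
    lines = [
        # Phase 1 proposal as the poster chose it (3DES/SHA-1/DH group 2 are legacy
        # today; they are kept only because that is what this platform offers).
        "isakmp enable outside",
        "isakmp identity address",
        "isakmp policy 10 authentication pre-share",
        "isakmp policy 10 encryption 3des",
        "isakmp policy 10 hash sha",
        "isakmp policy 10 group 2",
        "isakmp policy 10 lifetime 28800",
        f"crypto ipsec transform-set {ts} esp-3des esp-sha-hmac",
        "crypto ipsec security-association lifetime seconds 3600",
    ]
    for i, s in enumerate(spokes):
        seq = 10 * (i + 1)       # a distinct sequence number per peer
        acl = f"vpn_{s.name}"    # a distinct crypto ACL per peer
        lines += [
            # the /32 netmask binds this key to exactly this peer address
            f"isakmp key {s.psk} address {s.peer} netmask 255.255.255.255",
            f"access-list {acl} permit ip {HUB_INSIDE} {s.inside}",
            f"access-list nonat permit ip {HUB_INSIDE} {s.inside}",
            f"crypto map {map_name} {seq} ipsec-isakmp",
            f"crypto map {map_name} {seq} match address {acl}",
            f"crypto map {map_name} {seq} set peer {s.peer}",
            f"crypto map {map_name} {seq} set transform-set {ts}",
        ]
    lines += [
        "nat (inside) 0 access-list nonat",   # keep tunnelled traffic out of NAT
        f"crypto map {map_name} interface outside",
        # Decrypted traffic bypasses the outside interface ACL with this sysopt, so the
        # narrow per-spoke crypto ACLs above are what limit what each spoke can reach.
        "sysopt connection permit-ipsec",
    ]
    return "\n".join(lines)


_ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
_PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")


def _is_network(addr: str, mask: str) -> bool:
    """True when addr has no host bits set under mask (a /32 host always passes)."""
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    return a & m == a


def bad_acl_networks(config: str) -> List[str]:
    """ACL lines whose source or destination has host bits set under its mask."""
    bad = []
    for line in config.splitlines():
        m = _ACL_RE.match(line.strip())
        if m and not (_is_network(m[2], m[3]) and _is_network(m[4], m[5])):
            bad.append(line.strip())
    return bad


def multi_peer_entries(config: str) -> Dict[str, List[str]]:
    """Crypto map entries carrying more than one 'set peer' (hub needs one entry per spoke)."""
    peers: Dict[str, List[str]] = {}
    for line in config.splitlines():
        m = _PEER_RE.match(line.strip())
        if m:
            peers.setdefault(f"{m[1]} {m[2]}", []).append(m[3])
    return {k: v for k, v in peers.items() if len(v) > 1}


# Constructed test input: the ACL and crypto map lines from the question, verbatim.
POSTER_CONFIG = """\
access-list 101 permit ip 10.20.22.84 255.255.255.255 10.2.1.1 255.255.255.0
access-list 101 permit ip 10.20.22.84 255.255.255.255 10.3.1.1 255.255.255.0
access-list 101 permit ip 10.20.22.84 255.255.255.255 10.4.1.1 255.255.255.0
crypto map engineering 10 match address 101
crypto map engineering 10 set peer 10.4.1.1
crypto map engineering 10 set peer 10.3.1.1
crypto map engineering 10 set peer 10.2.1.1
"""

if __name__ == "__main__":
    print(hub_config(SPOKES))
    print("ACL lines with host bits set:", bad_acl_networks(POSTER_CONFIG))
    print("entries with several peers:", multi_peer_entries(POSTER_CONFIG))
```

Each spoke then needs the mirror image: its own crypto ACL from its inside network to 10.20.22.84/32, a single crypto map entry whose peer is PIX1's outside address, and the same pre-shared key that PIX1 holds for that spoke; a single shared key across all spokes would let any one spoke impersonate another to the hub.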