06-07-2002 12:10 PM - edited 02-21-2020 11:47 AM
Hi all,
I am trying to tunnel multiple PIX VPNs to one PIX. I got choked up on how to configure a point-to-multipoint PIX-to-PIX VPN (IPsec, SHA, 3DES).
The problem is: how can I configure PIX1 to accept IPsec tunnels from the other three? I know that the other three PIXes need to have the same config.
Drawing:
10.20.22.84
|----------------------Pix2 (10.2.1.1)
Pix1 |-----------------------pix 3 (10.3.1.1)
|-------------------------Pix 4 (10.4.1.1)
Here is my confused configuration:
access-list 101 permit ip 10.20.22.84 255.255.255.255 10.2.1.1 255.255.255.0
access-list 101 permit ip 10.20.22.84 255.255.255.255 10.3.1.1 255.255.255.0
access-list 101 permit ip 10.20.22.84 255.255.255.255 10.4.1.1 255.255.255.0
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
Isakmp enable outside
Isakmp identity address
Isakmp Disable Ethernet1
Isakmp disable Ethernet2
Isakmp disable Ethernet3
crypto map engineering interface outside
crypto map engineering 10 match address 101
crypto map engineering 10 set peer 10.4.1.1
crypto map engineering 10 set peer 10.3.1.1
crypto map engineering 10 set peer 10.2.1.1
Isakmp policy 10 encryption 3des
Isakmp policy 10 hash sha
Isakmp policy 10 authentication pre-share
Isakmp policy 10 group 2
Isakmp policy 10 lifetime 28800
crypto ipsec transform-set Head esp-3des esp-sha-hmac
crypto map Head 10 ipsec-isakmp
match address 101
set transform-set Head
crypto ipsec security-association lifetime 3600
vpngroup vpn address-pool ippool
vpngroup vpn dns-server X.X.X.X
vpngroup vpn wins-server X.X.X.X
vpngroup vpn default-domain Next_Kins.com
vpngroup vpn idle-time 1800
vpngroup vpn password ********
vpngroup vpn split-tunnel 101
telnet timeout 5
ssh timeout 5
terminal width 80
PIX520 platform 5.1(2)
Thanks for your help.
Elias
06-14-2002 06:05 AM
Try doing it the following way:
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer 10.4.1.1
crypto map newmap 10 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 110
crypto map newmap 20 set peer 10.3.1.1
crypto map newmap 20 set transform-set myset
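
An added example (not from either poster, and not Cisco tooling): a Python check that parses `crypto map` lines like those in this thread and reports entries that are unbound, incomplete, carry several peers, or reuse an ACL already matched by an earlier entry. The `newmap` interface binding and the finding strings are constructed for the example; the ACL-reuse check assumes entries are evaluated in sequence order, so the earlier entry with the same ACL takes the traffic first.

```python
import re

# Crypto map lines copied from the question (lines posted without the
# "crypto map" prefix are left out; they cannot be attributed to an entry).
QUESTION = """\
crypto map engineering interface outside
crypto map engineering 10 match address 101
crypto map engineering 10 set peer 10.4.1.1
crypto map engineering 10 set peer 10.3.1.1
crypto map engineering 10 set peer 10.2.1.1
crypto map Head 10 ipsec-isakmp
"""
# Crypto map lines copied from the reply; the interface line is constructed.
REPLY = """\
crypto map newmap interface outside
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer 10.4.1.1
crypto map newmap 10 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 110
crypto map newmap 20 set peer 10.3.1.1
crypto map newmap 20 set transform-set myset
"""
NEEDED = ("ipsec-isakmp", "match address", "set peer", "set transform-set")
LINE = re.compile(r"^crypto map (\S+) (?:interface \S+|(\d+) (.+))$", re.M)

def audit(cfg):
    """Return sorted (map, seq, finding) tuples for a PIX-style config string."""
    bound, entries = set(), {}
    for name, seq, rest in (m.groups() for m in LINE.finditer(cfg)):
        if seq is None:                      # "crypto map NAME interface IF"
            bound.add(name)
            continue
        words = rest.split()
        key = words[0] if words[0] == "ipsec-isakmp" else " ".join(words[:2])
        entries.setdefault((name, int(seq)), {}).setdefault(key, []).append(words[-1])
    out, acl_seen = [], {}
    for (name, seq), e in sorted(entries.items()):
        if name not in bound:
            out.append((name, seq, "map not bound to an interface"))
        out += [(name, seq, "missing " + n) for n in NEEDED if n not in e]
        if len(e.get("set peer", [])) > 1:
            out.append((name, seq, "several peers in one entry"))
        for acl in e.get("match address", []):
            if (name, acl) in acl_seen:      # earlier entry already selects it
                out.append((name, seq, "ACL %s reused from entry %d" % (acl, acl_seen[name, acl])))
            acl_seen.setdefault((name, acl), seq)
    return sorted(out)
```

Giving each peer its own sequence number and its own ACL, under the map that is bound to the outside interface, clears every finding this check reports.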