09-08-2005 03:30 AM - edited 02-21-2020 01:57 PM
Hi all. I have a PIX 515-E (OS 6.3) doing an IPsec tunnel with another PIX (remote site). That works fine.
Now, my question is how to establish additional tunnels to different peers from/to this PIX. Does anyone have a config example for that?
Thanks
Patrik
09-08-2005 04:48 AM
Consider two tunnels with peers 1.1.1.1 & 2.2.2.2
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp key key1 address 1.1.1.1 netmask 255.255.255.255
isakmp key key2 address 2.2.2.2 netmask 255.255.255.255
crypto ipsec transform-set trans1 esp-3des esp-md5-hmac
crypto ipsec transform-set trans2 esp-3des esp-sha-hmac
access-list 105 permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 106 permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 set transform-set trans1
crypto map mymap 10 match address 105
crypto map mymap 10 set peer 1.1.1.1
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 set transform-set trans2
crypto map mymap 20 match address 106
crypto map mymap 20 set peer 2.2.2.2
crypto map mymap interface outside
HTH
Regards,
Shijo George.
09-08-2005 05:02 AM
Thank you. I tried this but the NAT 0 command can only have one ACL assigned.
My current config:
access-list ACLVPNTAG permit ip 172.17.x.x 255.255.252.0 10.0.x.x 255.255.252.0 log
ip address outside 212.x.x.x 255.255.255.192
ip address inside 172.17.x.x 255.255.252.0
global (outside) 1 interface
nat (inside) 0 access-list ACLVPNTAG
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set TRANSVPNTAG esp-aes esp-md5-hmac
crypto map CMAPVPNTAG 1 ipsec-isakmp
crypto map CMAPVPNTAG 1 match address ACLVPNTAG
crypto map CMAPVPNTAG 1 set peer 213.x.x.x
crypto map CMAPVPNTAG 1 set transform-set TRANSVPNTAG
crypto map CMAPVPNTAG interface outside
isakmp enable outside
isakmp key ******** address 213.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
Regards
Patrik
09-08-2005 05:11 AM
In this case, you need to use a separate ACL for nat 0 which includes both the remote VPN subnets.
nat 0 ACL:
----------
access-list nonat_acl permit ip 172.17.x.x 255.255.252.0 10.0.x.x 255.255.252.0
access-list nonat_acl permit ip 172.17.x.x 255.255.252.0 <2nd tunnel internal ip>
nat (inside) 0 access-list nonat_acl
VPN1 Crypto ACL: (Same as it is now)
VPN2 Crypto ACL: access-list vpn2_acl permit ip 172.17.x.x 255.255.252.0 <2nd tunnel internal ip>
HTH
Regards,
Shijo George.
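As an added example (not part of this thread or of any Cisco tool), a small Python checker for the pitfall discussed above: the PIX accepts a single nat 0 ACL, so every flow selected by any crypto map entry's ACL must also appear in that one ACL, otherwise the traffic is translated before IPsec sees it. It also flags crypto map entries missing a peer, match address or transform-set, and isakmp keys whose netmask binds them to more than one host. The config text and the RFC 5737 peer addresses are constructed for illustration.

```python
"""Check a PIX 6.3-style multi-peer IPsec config: each crypto map entry needs an ACL, peer
and transform-set, every crypto ACL flow must be in the single nat 0 ACL, and each key is /32."""
import ipaddress
import re
from collections import defaultdict
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (?:ipsec-isakmp|match address (\S+)|set peer (\S+)|set transform-set (\S+))")
KEY_RE = re.compile(r"^isakmp key \S+ address (\S+) netmask (\S+)")

# Constructed sample (RFC 5737 peer addresses), not the thread's config: a second
# tunnel was added but nat 0, its transform-set and the key scope were not updated.
SAMPLE_CONFIG = """
access-list nonat_acl permit ip 172.17.0.0 255.255.252.0 10.0.0.0 255.255.252.0
access-list ACLVPNTAG permit ip 172.17.0.0 255.255.252.0 10.0.0.0 255.255.252.0
access-list vpn2_acl permit ip 172.17.0.0 255.255.252.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat_acl
crypto map CMAPVPNTAG 1 match address ACLVPNTAG
crypto map CMAPVPNTAG 1 set peer 203.0.113.1
crypto map CMAPVPNTAG 1 set transform-set TRANSVPNTAG
crypto map CMAPVPNTAG 2 match address vpn2_acl
crypto map CMAPVPNTAG 2 set peer 198.51.100.2
isakmp key ******** address 198.51.100.2 netmask 255.255.255.0
"""

def parse(config):
    # Collect ACL flows, crypto map entries, key scopes and the nat 0 ACL name.
    acls, maps, keys, nat0 = defaultdict(list), defaultdict(dict), [], None
    for line in config.splitlines():
        if m := ACL_RE.match(line):
            acls[m.group(1)].append(tuple(ipaddress.ip_network(f"{a}/{n}") for a, n in (m.group(2, 3), m.group(4, 5))))
        elif m := NAT0_RE.match(line):
            nat0 = m.group(1)
        elif m := MAP_RE.match(line):
            entry = maps[(m.group(1), int(m.group(2)))]  # a bare ipsec-isakmp line still creates the entry
            entry.update({k: v for k, v in zip(("acl", "peer", "transform-set"), m.group(3, 4, 5)) if v})
        elif m := KEY_RE.match(line):
            keys.append(m.group(1, 2))
    return acls, maps, keys, nat0

def check(config):
    """Return a list of findings; an empty list means the config is consistent."""
    acls, maps, keys, nat0 = parse(config)
    findings = [] if nat0 else ["no nat 0 access-list configured"]
    for (name, seq), entry in sorted(maps.items()):
        findings += [f"crypto map {name} {seq}: missing {f}" for f in ("acl", "peer", "transform-set") if f not in entry]
        for src, dst in acls.get(entry.get("acl"), []):
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in acls.get(nat0, [])):
                findings.append(f"crypto map {name} {seq}: {src} -> {dst} is not exempt from NAT")
    findings += [f"isakmp key for {a}: netmask {m} covers more than one peer" for a, m in keys if m != "255.255.255.255"]
    return findings
```

Running check(SAMPLE_CONFIG) reports the missing transform-set on entry 2, the second tunnel's flow missing from nonat_acl, and the over-broad key netmask; adding the nonat_acl line for 192.168.2.0/24, the transform-set and a /32 key netmask clears all three.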
09-08-2005 05:31 AM
Thank you. I will try this.
Regards, Patrik