one Pix with multiple VPN tunnels

patrick.bolt
Level 1

Hi all. I have a PIX 515-E (OS 6.3) doing an IPsec tunnel with another PIX (remote site). That works fine.

Now, my question is how to establish additional tunnels to different peers from/to this PIX. Does anyone have a config example for that?

Thanks

Patrik

4 Replies

shijogeorge
Level 1

Consider two tunnels with peers 1.1.1.1 & 2.2.2.2

Phase 1 (ISAKMP) policies; the PIX offers every configured policy to each peer:
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2

One pre-shared key per peer, bound to that peer's host address (netmask 255.255.255.255; with 255.255.255.0 any host in 1.1.1.0/24 could authenticate with key1):
isakmp key key1 address 1.1.1.1 netmask 255.255.255.255
isakmp key key2 address 2.2.2.2 netmask 255.255.255.255

Phase 2 (IPsec) transform sets, one per tunnel:
crypto ipsec transform-set trans1 esp-3des esp-md5-hmac
crypto ipsec transform-set trans2 esp-3des esp-sha-hmac

Crypto ACLs, one per tunnel, selecting the traffic for that peer:
access-list 105 permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 106 permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0

Two entries (sequence 10 and 20) on the same crypto map, then the map is bound to the outside interface once:
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 set transform-set trans1
crypto map mymap 10 match address 105
crypto map mymap 10 set peer 1.1.1.1
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 set transform-set trans2
crypto map mymap 20 match address 106
crypto map mymap 20 set peer 2.2.2.2
crypto map mymap interface outside

HTH

Regards,

Shijo George.

Thank you. I tried this but the NAT 0 command can only have one ACL assigned.

My current config:

access-list ACLVPNTAG permit ip 172.17.x.x 255.255.252.0 10.0.x.x 255.255.252.0 log
ip address outside 212.x.x.x 255.255.255.192
ip address inside 172.17.x.x 255.255.252.0
global (outside) 1 interface
nat (inside) 0 access-list ACLVPNTAG
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set TRANSVPNTAG esp-aes esp-md5-hmac
crypto map CMAPVPNTAG 1 ipsec-isakmp
crypto map CMAPVPNTAG 1 match address ACLVPNTAG
crypto map CMAPVPNTAG 1 set peer 213.x.x.x
crypto map CMAPVPNTAG 1 set transform-set TRANSVPNTAG
crypto map CMAPVPNTAG interface outside
isakmp enable outside
isakmp key ******** address 213.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400

Regards

Patrik

In this case, you need to use a separate ACL for nat 0 which includes both the remote VPN subnets.

nat 0 ACL:
----------
access-list nonat_acl permit ip 172.17.x.x 255.255.252.0 10.0.x.x 255.255.252.0
access-list nonat_acl permit ip 172.17.x.x 255.255.252.0 <2nd tunnel internal ip>
nat (inside) 0 access-list nonat_acl

VPN1 Crypto ACL: (same as it is now)

VPN2 Crypto ACL:
access-list vpn2_acl permit ip 172.17.x.x 255.255.252.0 <2nd tunnel internal ip>

HTH

Regards,

Shijo George.
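The two things this thread turns on, a second tunnel whose remote subnet is missing from the one nat 0 ACL the PIX allows per interface, and a pre-shared key bound to a wider netmask than the peer host, are easy to miss in a long config. The script below is an added example (not code from either poster): it parses a PIX 6.x-style config and reports those conditions, plus a crypto map entry lacking a match address or peer and a map never bound to an interface. The two configs it checks are constructed for the example, using documentation address ranges (203.0.113.0/24, 198.51.100.0/24, 172.17.0.0/22, 192.168.50.0/24) rather than anything from the thread; the "before" config mirrors the situation in the question with a second tunnel added, the "after" config applies the single nonat ACL suggested above.

```python
"""Lint a PIX 6.x-style config for the multi-tunnel pitfalls discussed in this thread."""
import re
from ipaddress import ip_network

# Constructed sample config (not from the thread): a second tunnel was added, but
# nat 0 still points only at the first tunnel's ACL and the second peer's key is
# bound to a /24 instead of the peer host.
SAMPLE_BEFORE = """
access-list ACLVPN1 permit ip 172.17.0.0 255.255.252.0 10.0.0.0 255.255.252.0 log
access-list ACLVPN2 permit ip 172.17.0.0 255.255.252.0 192.168.50.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list ACLVPN1
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map CMAP 1 ipsec-isakmp
crypto map CMAP 1 match address ACLVPN1
crypto map CMAP 1 set peer 203.0.113.10
crypto map CMAP 2 ipsec-isakmp
crypto map CMAP 2 match address ACLVPN2
crypto map CMAP 2 set peer 198.51.100.20
crypto map CMAP interface outside
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255
isakmp key ******** address 198.51.100.20 netmask 255.255.255.0
"""

# Same box after the fix: one nonat ACL listing both remote subnets, key bound to the host.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "nat (inside) 0 access-list ACLVPN1",
    "access-list nonat_acl permit ip 172.17.0.0 255.255.252.0 10.0.0.0 255.255.252.0\n"
    "access-list nonat_acl permit ip 172.17.0.0 255.255.252.0 192.168.50.0 255.255.255.0\n"
    "nat (inside) 0 access-list nonat_acl",
).replace("198.51.100.20 netmask 255.255.255.0", "198.51.100.20 netmask 255.255.255.255")


def _net(addr, mask):
    """PIX writes 'address netmask' rather than CIDR; ipaddress accepts addr/mask."""
    return ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Extract ACLs, nat 0 bindings, crypto map entries, applied maps and ISAKMP keys."""
    acls, nat0, maps, applied, keys = {}, {}, {}, set(), []
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append((_net(s, sm), _net(d, dm)))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            nat0.setdefault(m[1], []).append(m[2])
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)", line):
            maps.setdefault((m[1], int(m[2])), {})["match"] = m[3]
        elif m := re.match(r"crypto map (\S+) (\d+) set peer (\S+)", line):
            maps.setdefault((m[1], int(m[2])), {})["peer"] = m[3]
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            applied.add(m[1])
        elif m := re.match(r"isakmp key \S+ address (\S+) netmask (\S+)", line):
            keys.append(_net(m[1], m[2]))
    return acls, nat0, maps, applied, keys


def check_config(text):
    """Return human-readable findings; an empty list means the config passes."""
    acls, nat0, maps, applied, keys = parse_config(text)
    findings = []
    for iface, names in nat0.items():
        if len(names) > 1:  # the PIX keeps a single nat 0 ACL per interface
            findings.append(f"nat ({iface}) 0 given {len(names)} ACLs; only {names[-1]} takes effect")
    # Traffic pairs exempted from NAT by the effective nat 0 ACL of every interface.
    exempt = [pair for names in nat0.values() for pair in acls.get(names[-1], [])]
    for name in {n for n, _ in maps}:
        if name not in applied:
            findings.append(f"crypto map {name} is not applied to any interface")
    for (name, seq), entry in sorted(maps.items()):
        if "match" not in entry or "peer" not in entry:
            findings.append(f"crypto map {name} {seq} lacks match address or set peer")
            continue
        for src, dst in acls.get(entry["match"], []):
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                findings.append(f"crypto map {name} {seq}: {src} -> {dst} is not exempted from NAT; "
                                "the dynamic nat/global rule translates it before it can match the crypto ACL")
        peer = ip_network(entry["peer"])
        covering = [k for k in keys if peer.subnet_of(k)]
        if not covering:
            findings.append(f"crypto map {name} {seq}: no isakmp key covers peer {peer}")
        for k in covering:
            if k.prefixlen != 32:  # any host in the range could authenticate with this key
                findings.append(f"isakmp key for {k} covers peer {peer} via a wide netmask; "
                                "bind it with netmask 255.255.255.255")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(f"== {label} ==")
        for finding in check_config(cfg) or ["no findings"]:
            print(" ", finding)
```

Run it against a pasted `show run` and it prints one line per problem; the "before" sample yields the missing nat 0 exemption for 192.168.50.0/24 and the /24 key, the "after" sample yields nothing. The NAT check is deliberately a subnet-containment test against the effective nat 0 ACL, since the PIX evaluates NAT before the crypto map on the way out.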

Thank you. I will try this.

Regards Patrik