
Pix to pix plus VPN client, dynamic and static map

ivancarter
Level 1

I am trying to set up the following VPN between sites and cannot work out the config for the central PIX.

Central Site has a global address on Pix

Site A has a global address on the Pix.

Site B has a DHCP address on the Pix

VPN clients have DHCP addresses

I have managed to get sites A and B VPNing into the central site with the following config, but I know this is not right, as I know you can only have one map assigned to an interface.

crypto ipsec transform-set one esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set one
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto map mapone 10 ipsec-isakmp
crypto map mapone 10 match address 101
crypto map mapone 10 set peer xxx.xxx.xxx.xxx (site A)
crypto map mapone 10 set transform-set one
crypto map mapone 10 set security-association lifetime seconds 300 kilobytes 4608000
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1

So where have I gone wrong, and how do I set up the VPN client config on the central PIX? The VPN clients will be version 4.

Thanks for your help in advance.

Ivan.

2 Replies

scoclayton
Level 7

This config is working for both site A and B? Seems to me that only site B would be working with this config. In order to get both Site A and Site B working on this PIX, just change "dyn-map" in both commands listed below to "mapone":

crypto map mapone 20 ipsec-isakmp dynamic cisco
crypto map mapone interface outside

As for the VPN clients, you will need to add another isakmp policy specifying "group 2". Something like this will be fine:

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2

And you will also need to add some "vpngroup" commands. Take a look at the following link for more information on this:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949fb.shtml

Let us know if you have any problems with this.

Scott
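Putting the points in this reply together (one crypto map per interface, the static entry ahead of the dynamic entry, a group 2 policy for the VPN Client, and vpngroup commands), the following is an added example of what the merged central-site configuration could look like. It is not from the thread and is not Ivan's or Scott's config. Every address, subnet, ACL number, pool, group name and password is a placeholder; it assumes PIX 6.x with the 3DES licence (DES/MD5 is swapped for 3DES/SHA, which means the remote PIXes need the matching transform-set too), and the VPN Client policy is given priority 10 with the existing group 1 policy moved to priority 20, so that neither replaces the other. Lines starting with `!---` are explanatory comments, not commands.

```cisco
!--- Added example, not from the thread. All addresses, names and
!--- passwords are placeholders. Assumes PIX 6.x with a 3DES licence.

!--- Central inside subnet (10.0.0.0/24) to the subnet behind site A.
!--- Keep ACL 101 specific to site A: whatever traffic it matches is
!--- bound to the static peer below and never falls through to the
!--- dynamic entry, so a too-broad ACL here will break site B.
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0

!--- Exempt tunnelled traffic (both sites and the client pool) from NAT.
access-list nonat permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat

!--- Addresses handed out to VPN clients.
ip local pool vpnpool 192.168.100.1-192.168.100.50

!--- Let decrypted IPsec traffic bypass the outside interface ACL.
sysopt connection permit-ipsec

!--- 3DES/SHA in place of the DES/MD5 set from the original post.
crypto ipsec transform-set strong esp-3des esp-sha-hmac

!--- Dynamic entry: catches site B (DHCP address) and the VPN clients.
crypto dynamic-map cisco 10 set transform-set strong

!--- ONE crypto map on the outside interface. Static entries first,
!--- the dynamic entry last (highest sequence number).
crypto map mapone 10 ipsec-isakmp
crypto map mapone 10 match address 101
crypto map mapone 10 set peer 203.0.113.10
crypto map mapone 10 set transform-set strong
crypto map mapone 20 ipsec-isakmp dynamic cisco
crypto map mapone client configuration address initiate
crypto map mapone client configuration address respond
crypto map mapone interface outside

isakmp enable outside
isakmp identity address
!--- Site A: key bound to its fixed address.
isakmp key SiteAKeyPlaceholder address 203.0.113.10 netmask 255.255.255.255
!--- Site B has no fixed address, so a wildcard key is unavoidable. Any
!--- main-mode peer that knows this one key can authenticate, so treat it
!--- as a secret shared by every dynamic peer and rotate it if a site leaves.
isakmp key WildcardKeyPlaceholder address 0.0.0.0 netmask 0.0.0.0

!--- Policy 10: group 2 for the VPN Client 4.x.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!--- Policy 20: keeps group 1 for the existing PIX-to-PIX peers until
!--- they are moved to group 2 as well.
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

!--- VPN client group. The group name and password are what the client
!--- enters as its group authentication.
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers dns-server 10.0.0.5
vpngroup remoteusers default-domain example.com
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password GroupPasswordPlaceholder
```

To check it, `show crypto map` should list the static entry (sequence 10) before the dynamic entry (sequence 20) on the outside interface, and `show crypto ipsec sa` after a site B or client connection should show its SA built from the dynamic entry. If site B stops connecting once it shares a map with site A, the first thing to compare is ACL 101 against site B's subnets, because a static entry whose ACL covers a dynamic peer's traffic claims that traffic for site A's peer address.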

Thanks Scott.

With my original config, both sites can VPN to the central site. The VPNs can only be initiated from sites A and B to the central site. If I change the config to what you suggest, then I can create a tunnel in either direction for site A, but site B cannot create a connection in at all. All very confusing.

Cheers

Ivan