12-15-2005 07:58 AM
Hi,
Any info on this issue will be greatly appreciated; my level of knowledge is low when it comes to VPNs. Here is my current issue: I currently have a PIX 506 with VPN enabled on it, and some users connect remotely with the Cisco VPN client software. Now I have a remote office with a PIX 515 without any VPN enabled on it. I'd like to enable a permanent VPN tunnel between both offices. My concern is I don't want to mess up the current VPN for the remote users. How can I get this done without affecting my current users? Any help or links would be great.
Thanks
12-15-2005 08:26 AM
The two should not affect each other except maybe in amount of bandwidth consumed. One is remote access, the other would be a site to site.
You need to understand what kind of traffic will go across the site to site VPN in order to understand the impact that tunnel will have on your available Internet bandwidth.
Here is an example of PIX to PIX IPSec VPN
Cheers,
12-15-2005 09:37 AM
As per Kevin's post, here's the same document without CCO account access:
Hope it helps,
12-15-2005 12:40 PM
Thank you. I will take a look at this.
12-15-2005 02:24 PM
Below are the sample configs:
For the PIX 506:
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
ip address outside 1.1.1.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip local pool ippool 10.1.1.11-10.1.1.21
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map myvpn 10 ipsec-isakmp
crypto map myvpn 10 match address 110
crypto map myvpn 10 set peer 1.1.1.2
crypto map myvpn 10 set transform-set vpnset
crypto map myvpn 20 ipsec-isakmp dynamic dynmap
crypto map myvpn client configuration address initiate
crypto map myvpn client configuration address respond
crypto map myvpn client authentication LOCAL
crypto map myvpn interface outside
isakmp enable outside
isakmp key cisco123 address 1.1.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpnclient address-pool ippool
vpngroup vpnclient split-tunnel 120
vpngroup vpnclient idle-time 1800
vpngroup vpnclient password cisco456
username cisco password cisco123
aaa-server LOCAL protocol local
For the PIX 515:
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 121 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside 1.1.1.2 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map myvpn 10 ipsec-isakmp
crypto map myvpn 10 match address 121
crypto map myvpn 10 set peer 1.1.1.1
crypto map myvpn 10 set transform-set myset
crypto map myvpn interface outside
isakmp enable outside
isakmp key cisco123 address 1.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
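The configs above hinge on a few details that are easy to get wrong when a site-to-site entry and a dynamic (remote-access) entry share one crypto map: the peer's isakmp key must carry no-xauth no-config-mode once client authentication is enabled on the map, the static entry must sit before the dynamic one, every map name used must actually be bound to the outside interface, and the match/split-tunnel access-lists must exist. The script below is an added example, not code from the thread or from Cisco: it parses a PIX 6.x-style config and reports those problems. The embedded sample is a constructed, trimmed copy of the PIX 506 config with one deliberately stray crypto map remote_vpn line added to show the unbound-map check firing; the line pattern matching assumes the command syntax exactly as written in the posted config.

```python
"""Lint a PIX 6.x config for site-to-site / remote-access crypto map coexistence pitfalls.
Added example; not code from the thread or from Cisco."""
import re
from collections import defaultdict

# Constructed sample: the PIX 506 side from the thread, trimmed to the VPN-relevant
# lines, plus one deliberately stray line (a constructed error) that names a crypto
# map which is never applied to an interface.
PIX506_SAMPLE = """
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 101
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map myvpn 10 ipsec-isakmp
crypto map myvpn 10 match address 110
crypto map myvpn 10 set peer 1.1.1.2
crypto map myvpn 10 set transform-set vpnset
crypto map myvpn 20 ipsec-isakmp dynamic dynmap
crypto map myvpn client authentication LOCAL
crypto map myvpn interface outside
crypto map remote_vpn client authentication LOCAL
isakmp enable outside
isakmp key cisco123 address 1.1.1.2 netmask 255.255.255.255 no-xauth no-config-mode
vpngroup vpnclient split-tunnel 120
"""


def parse_pix(text):
    """Pull out only the pieces of the config that the coexistence checks need."""
    cfg = {"acls": set(), "entries": defaultdict(dict), "xauth_maps": set(),
           "bound": {}, "keys": {}, "split_acls": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) ", line):
            cfg["acls"].add(m.group(1))
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$", line):
            entry = cfg["entries"][m.group(1)].setdefault(int(m.group(2)), {})
            entry["dynamic"] = m.group(3) is not None
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)", line):
            cfg["entries"][m.group(1)].setdefault(int(m.group(2)), {})["match"] = m.group(3)
        elif m := re.match(r"crypto map (\S+) (\d+) set peer (\S+)", line):
            cfg["entries"][m.group(1)].setdefault(int(m.group(2)), {})["peer"] = m.group(3)
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            cfg["bound"][m.group(1)] = m.group(2)
        elif m := re.match(r"crypto map (\S+) client authentication ", line):
            cfg["xauth_maps"].add(m.group(1))          # xauth is on for this map
        elif m := re.match(r"isakmp key \S+ address (\S+)(.*)$", line):
            cfg["keys"][m.group(1)] = set(m.group(2).split())  # trailing keywords per peer
        elif m := re.match(r"vpngroup \S+ split-tunnel (\S+)", line):
            cfg["split_acls"].add(m.group(1))
    return cfg


def check_vpn_coexistence(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_pix(text)
    findings = []
    for name in sorted(set(cfg["entries"]) | cfg["xauth_maps"]):
        seqs = cfg["entries"].get(name, {})
        if name not in cfg["bound"]:
            findings.append(f"crypto map {name} is never applied to an interface")
        static = [s for s, e in seqs.items() if not e.get("dynamic")]
        dynamic = [s for s, e in seqs.items() if e.get("dynamic")]
        # Cisco's guidance: the dynamic entry takes the highest sequence number so
        # the static site-to-site entries are evaluated first.
        if static and dynamic and max(static) > min(dynamic):
            findings.append(f"crypto map {name}: static entry {max(static)} is ordered "
                            f"after dynamic entry {min(dynamic)}")
        for seq in sorted(static):
            acl, peer = seqs[seq].get("match"), seqs[seq].get("peer")
            if acl not in cfg["acls"]:
                findings.append(f"crypto map {name} {seq}: match address {acl!r} is not a defined access-list")
            if peer not in cfg["keys"]:
                findings.append(f"crypto map {name} {seq}: no isakmp key for peer {peer!r}")
            elif name in cfg["xauth_maps"] and not {"no-xauth", "no-config-mode"} <= cfg["keys"][peer]:
                # Without these keywords the PIX would try to xauth the remote PIX
                # like a VPN client, and the site-to-site tunnel never comes up.
                findings.append(f"crypto map {name} {seq}: peer {peer} key needs no-xauth "
                                f"no-config-mode because map {name} has client authentication enabled")
    for acl in sorted(cfg["split_acls"] - cfg["acls"]):
        findings.append(f"split-tunnel access-list {acl} is not defined")
    return findings


if __name__ == "__main__":
    variants = [("as posted", PIX506_SAMPLE),
                ("key without no-xauth", PIX506_SAMPLE.replace(" no-xauth no-config-mode", ""))]
    for label, sample in variants:
        print(f"{label}: {check_vpn_coexistence(sample) or ['ok']}")
```

Run as-is it reports only the stray remote_vpn map; strip the no-xauth no-config-mode keywords from the isakmp key line and it also flags the peer, which is the exact symptom you would see if the site-to-site PIX started receiving xauth prompts meant for the VPN clients. Feed it your own running config (paste the output of show running-config into a file) after making the same checks by eye.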