10-12-2004 09:21 AM
Hi
I want to create VPN connectivity between two firewalls located in two different countries, from the branch office to the main office.
The main office is currently connected to the Internet with a leased line, and the branch office will also connect to the Internet with a leased line. I want to create a VPN tunnel so that we can manage the branch office remotely, but at the same time the branch office users must access the Internet locally using the same leased line, and the main office users must also access the Internet locally using their leased line.
Please let me know if it is possible and what the best solution is that I can implement.
Thank you
10-12-2004 09:51 AM
If you access the Internet locally on the same firewall as you are using for the VPN, there is NO problem.
VPN tunnel traffic uses local, private IPs, and all Internet traffic uses public IPs.
See examples:
http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Hardware:PIX&s=Software_Configuration
10-13-2004 02:06 AM
Can you please tell me what steps need to be taken?
10-13-2004 04:28 PM
Site-to-site VPN configuration example:
PIX Firewall configuration, version 6.3.x
access-list acs-outside permit udp host VPNPeer host MyPublicIP eq isakmp
access-list acs-outside permit esp host VPNPeer host MyPublicIP
access-list acs-outside permit ah host VPNPeer host MyPublicIP
access-group acs-outside in interface outside
STEP 1 - Configure IKE
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp identity address
isakmp key your-vpn-password address PEER-IP netmask 255.255.255.255
STEP 2 - Configure IPSEC
access-list NONAT permit ip Internalnet ISubnet Externalnet Esubnet
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list VPN permit ip Internalnet ISubnet Externalnet Esubnet
crypto ipsec transform-set TRANS esp-des esp-md5-hmac
crypto map REMOTE 10 ipsec-isakmp
crypto map REMOTE 10 match address VPN
crypto map REMOTE 10 set peer PEER-IP
crypto map REMOTE 10 set transform-set TRANS
crypto map REMOTE interface outside
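As an added illustration (not from the thread or from Cisco), a small Python audit of the split-tunnel logic in the reply above: it parses a constructed PIX 6.3 snippet with hypothetical addresses and peer in place of the placeholders, checks that the nat 0 exemption ACL and the crypto-map ACL cover the same networks, that the remaining traffic is PATed to the outside interface for local Internet access, and flags weak transforms in the chosen transform set.

```python
import re

# Constructed sample: the reply's PIX 6.3 snippet with hypothetical addresses in
# place of its placeholders (10.1.0.0/16 = main office, 10.2.0.0/16 = branch).
PIX_CONFIG = """\
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list VPN permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto ipsec transform-set TRANS esp-des esp-md5-hmac
crypto map REMOTE 10 ipsec-isakmp
crypto map REMOTE 10 match address VPN
crypto map REMOTE 10 set peer 203.0.113.2
crypto map REMOTE 10 set transform-set TRANS
crypto map REMOTE interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac", "esp-null"}  # no longer acceptable

def audit_split_tunnel(config):
    """Return a dict describing whether the NAT-exempt ACL and crypto-map ACL
    agree, whether non-VPN traffic is PATed locally, and any weak transforms."""
    acls, transforms, nat1, pool = {}, {}, False, False
    r = {"nat0_acl": None, "crypto_acl": None, "transform_set": None}
    for line in (l.strip() for l in config.splitlines()):
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), set()).add(m.groups()[1:])
        elif m := re.match(r"^nat \(\S+\) 0 access-list (\S+)$", line):
            r["nat0_acl"] = m.group(1)
        elif re.match(r"^nat \(\S+\) 1 0\.0\.0\.0 0\.0\.0\.0", line): nat1 = True
        elif re.match(r"^global \(\S+\) 1 ", line): pool = True
        elif m := re.match(r"^crypto map \S+ \d+ match address (\S+)$", line):
            r["crypto_acl"] = m.group(1)
        elif m := re.match(r"^crypto map \S+ \d+ set transform-set (\S+)$", line):
            r["transform_set"] = m.group(1)
        elif m := re.match(r"^crypto ipsec transform-set (\S+) (.+)$", line):
            transforms[m.group(1)] = set(m.group(2).split())
    # On the PIX, NAT runs before the crypto map is consulted, so a flow that is
    # in the crypto ACL but not in the nat 0 ACL gets translated and then fails
    # to match the tunnel: the two ACLs must describe exactly the same networks.
    r["acls_consistent"] = (r["nat0_acl"] in acls and r["crypto_acl"] in acls
                            and acls[r["nat0_acl"]] == acls[r["crypto_acl"]])
    r["local_internet"] = nat1 and pool  # everything else PATs out locally
    r["weak_transforms"] = sorted(transforms.get(r["transform_set"], set())
                                  & WEAK_TRANSFORMS)
    return r
```

Running audit_split_tunnel(PIX_CONFIG) on the sample reports consistent ACLs and local Internet access, but flags esp-des and esp-md5-hmac; the 3des/md5 IKE policy in the reply would deserve the same modernisation.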