vpn creation

saviopereira
Level 1

Hi, I want to create a site-to-site VPN connection.

I have a PIX 515e with IOS 6.1(2) on one side and

a PIX 515e with IOS 6.3(3) on the other end. Will I be able to create a VPN with these versions?

6 Replies

jmia
Level 7

Yes, you can create a site-to-site VPN with your existing PIXs; here's a document to get you going:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

Let me know how you get on.

Jay

In that scenario, what if the remote office uses PPPoE with a dynamic IP? Is the VPN tunnel still possible?

Hello Mike,

In this case, have a loopback IP on the remote router and terminate the tunnel over this IP. This loopback will be routed by the ISP across the PPPoE connection.

Hope this helps!

Great, thanks. Now, I notice in the configuration example that the command that tells the PIX not to NAT "interesting traffic", nat (inside) 0 access-list 101, causes a problem when opening the PDM. It says PDM does not support multiple uses of a given access list (there is also a command later that assigns interesting traffic to 101). Is there another way to write the nat command so this does not happen? I'd like to examine what happens in PDM after I create the VPN. (It works well, by the way.)

Mike,

The reason PDM causes that problem (multiple uses of a given ACL) is that PDM will do this if you use one access-list in two separate locations (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_30/pdmrn30.htm#94255). I'm assuming you have something like the following in your config:

access-list nonat permit ip 10.x.x.x 192.168.x.x
nat (inside) 0 access-list nonat
crypto map mymap 10 match address nonat

PDM will not allow this and will put you into monitor mode. What you need to do (which is a better configuration method anyway) is separate the ACLs with the following:

access-list nonat permit ip 10.x.x.x 192.168.x.x
nat (inside) 0 access-list nonat
access-list 100 permit ip 10.x.x.x 192.168.x.x
crypto map mymap 10 match address 100

This separates your crypto and your nonat ACLs. When you only have one IPSec peer, a lot of people do use the same ACL for both, which is fine, but as you've seen it makes PDM barf. Separating the two ACLs is much better because if at some point later you add a second, third, etc. IPSec peer, you simply add a new encryption ACL for the new traffic and add that traffic to your existing nonat ACL.

Hope this explains it, and please rate this post if it helps, so that it will help others who may be experiencing the same problem.

Jay
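A small check for the condition Jay describes, added here as an example and not taken from the thread or from Cisco: it scans a PIX 6.x config for any access-list referenced from more than one place (nat 0, crypto map match address, access-group), which is exactly what PDM refuses to manage. Both config fragments below are constructed, with hypothetical subnets; the second one carries the separated layout extended to a second IPSec peer.

```python
import re
from collections import defaultdict

# Constructed PIX 6.x fragment (hypothetical subnets): one ACL is reused for
# NAT exemption and for the crypto map, the pattern PDM rejects.
SHARED_ACL_CONFIG = """
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map mymap 10 match address nonat
"""

# Separated layout with a second peer: the nonat ACL lists every exempt
# subnet, and each crypto map entry gets its own encryption ACL.
SEPARATED_CONFIG = """
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list 100 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map mymap 10 match address 100
access-list 110 permit ip 10.1.1.0 255.255.255.0 192.168.3.0 255.255.255.0
crypto map mymap 20 match address 110
"""

# Places an ACL name can be referenced; group 1 captures the ACL name.
ACL_USES = [
    ("nat-exemption", re.compile(r"^nat \(\S+\) 0 access-list (\S+)")),
    ("crypto-map", re.compile(r"^crypto map \S+ \d+ match address (\S+)")),
    ("access-group", re.compile(r"^access-group (\S+) in interface \S+")),
]


def acl_uses(config):
    """Map each referenced ACL name to the list of places that reference it."""
    uses = defaultdict(list)
    for raw in config.splitlines():
        line = raw.strip()
        for kind, pattern in ACL_USES:
            match = pattern.match(line)
            if match:
                uses[match.group(1)].append(kind)
    return dict(uses)


def shared_acls(config):
    """ACL names referenced from more than one place (what PDM complains about)."""
    return sorted(name for name, kinds in acl_uses(config).items() if len(kinds) > 1)


if __name__ == "__main__":
    for label, cfg in (("shared", SHARED_ACL_CONFIG), ("separated", SEPARATED_CONFIG)):
        print(label, "-> multi-use ACLs:", shared_acls(cfg) or "none")
```

Run it against a saved `show run` to find every ACL that would need splitting before PDM will manage the box.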

Thanks a lot for this very useful information. I created a separate ACL and applied it to the NAT exemption pool, and it worked great!

Now, can I add another separate VPN for "dial-up" clients? I tried configuring one and got as far as establishing a connection with the MS client via PPTP, but was not successful via L2TP. I thought L2TP and the MS client were supported (using a pre-shared key). And what address pool should I assign? Should it be a different network than the hardware VPN (which uses 192.168.1.x)?

I got as far as creating an IP pool of 192.168.2.x and connecting via PPTP; however, once I connect, I cannot get to any of the inside (10.x.x.x) hosts. I am afraid of changing the NAT exemption without adversely affecting the hardware VPN.

I really appreciate the input.