11-19-2004 12:34 AM
Hi, I want to create a site-to-site VPN connection.
I have a PIX 515e with IOS 6.1(2) on one side and
a PIX 515e with IOS 6.3(3) on the other end. Will I be able to create a VPN with these versions?
11-19-2004 03:37 AM
Yes, you can create a site-to-site VPN with your existing PIXs; here's a document to get you going:
Let me know how you get on.
Jay
11-19-2004 03:33 PM
In that scenario, what if the remote office uses PPPoE with a dynamic IP? Is the VPN tunnel still possible?
11-20-2004 05:24 AM
Hello Mike,
In this case, have a loopback IP on the remote router and terminate the tunnel over this IP. This loopback will be routed by the ISP across the PPPoE connection.
Hope this helps!
11-23-2004 12:56 PM
Great, thanks. Now, I notice in the configuration example, the command that tells the PIX not to NAT "interesting traffic", nat (inside) 0 access-list 101, causes a problem when opening the PDM. It says PDM does not support multiple uses of a given access list (there is also a command later that assigns interesting traffic to 101). Is there another way to write the nat command so this does not happen? I'd like to examine what happens in PDM after I create the VPN. (It works well, by the way.)
11-24-2004 12:38 AM
Mike,
The reason PDM causes that problem (multiple uses of a given ACL):
PDM will do this if you use one access-list in two separate locations
(http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_30/pdmrn30.htm#94255). I'm assuming you have something like the following in your config:
access-list nonat permit ip 10.x.x.x
nat (inside) 0 access-list nonat
crypto map mymap 10 match address nonat
PDM will not allow this and will put you into monitor mode. What you need to do (which is a better configuration method anyway) is separate the ACLs with the following:
access-list nonat permit ip 10.x.x.x
nat (inside) 0 access-list nonat
access-list 100 permit ip 10.x.x.x
crypto map mymap 10 match address 100
This separates your crypto and your nonat ACLs. When you only have one IPsec peer, a lot of people do use the same ACL for both, which is fine, but as you've seen it makes PDM barf. Separating the two ACLs is much better because if at some point later you add a second, third, etc. IPsec peer, you simply add a new encryption ACL for the new traffic, and add that to your existing nonat ACL.
Hope this explains it, and please rate this post if it helps so that it will help others who may be experiencing the same problem.
Jay
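As an added check (not from this thread or from Cisco), the script below scans a PIX 6.x-style config for the two things Jay's answer raises: an ACL referenced by both nat 0 and a crypto map (the pattern that drops PDM into monitor mode), and a crypto ACL flow that is missing from the nonat ACL (traffic that would be NATed instead of exempted when a second peer is added). The config text is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample config (not from the thread): "nonat" is shared between
# nat 0 and a crypto map, and the second peer's crypto ACL "100" carries a
# flow that nobody added to the nonat ACL.
SAMPLE_CONFIG = """\
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 100 permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map mymap 10 match address nonat
crypto map mymap 20 match address 100
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+ \S+) (\S+ \S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")


def acl_uses(config):
    """Map each ACL name to the nat 0 / crypto map lines that reference it."""
    uses = defaultdict(list)
    for line in (l.strip() for l in config.splitlines()):
        m = NAT0_RE.match(line) or CRYPTO_RE.match(line)
        if m:
            uses[m.group(1)].append(line)
    return uses


def acl_entries(config):
    """Map each ACL name to its set of (source, destination) permit-ip flows."""
    entries = defaultdict(set)
    for line in (l.strip() for l in config.splitlines()):
        m = ACL_RE.match(line)
        if m:
            entries[m.group(1)].add((m.group(2), m.group(3)))
    return entries


def shared_acls(config):
    """ACL names used in more than one place: what PDM refuses to load."""
    return sorted(n for n, refs in acl_uses(config).items() if len(refs) > 1)


def crypto_flows_not_exempt(config):
    """(crypto ACL, flow) pairs whose flow appears in no nat 0 ACL."""
    uses, entries = acl_uses(config), acl_entries(config)
    nat0 = {n for n, r in uses.items() if any(x.startswith("nat ") for x in r)}
    exempt = set().union(*(entries[n] for n in nat0)) if nat0 else set()
    crypto = {n for n, r in uses.items() if any(x.startswith("crypto ") for x in r)}
    return sorted((n, f) for n in crypto for f in entries[n] - exempt)
```

Run it against a real config by replacing SAMPLE_CONFIG with the output of `show running-config`; an empty result from both functions means the ACLs are laid out the way the answer above recommends.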
11-24-2004 11:56 AM
Thanks a lot for this very useful information. I created a separate ACL and applied it to the NAT exemption pool, and it worked great!
Now, can I add another separate VPN for "dial-up" clients? I tried configuring one and got as far as establishing a connection with the MS client via PPTP, but was not successful via L2TP. I thought L2TP and the MS client were supported (using a pre-shared key). And what address pool should I assign? Should it be a different network than the hardware VPN (which uses 192.168.1.x)?
I got as far as creating an IP pool of 192.168.2.x and connecting via PPTP; however, once I connect, I cannot get to any of the inside (10.x.x.x) hosts. I am afraid of changing the NAT exemption without adversely affecting the hardware VPN.
I really appreciate the input.