Re: OT: Help P2P PIX2PIX VPN

From: Tommy C (tkc9789@xxxxxxxxxxx)
Date: Fri Jun 07 2002 - 19:58:13 GMT-3


I believe you need to define multiple entries for crypto map engineering.
Sequence 10 for one site, 20 for the second and 30 for the other site.

HTH

Tommy

>From: Elias Udechime <euchime@yahoo.com>
>Reply-To: Elias Udechime <euchime@yahoo.com>
>To: ccielab@groupstudy.com
>Subject: OT: Help P2P PIX2PIX VPN
>Date: Fri, 7 Jun 2002 12:48:28 -0700 (PDT)
>
>Hi all,
>
>I am trying to tunnel multiple PIX VPNs, to one PIX. I
>got choked on how to configure point to multipoint
>pix to pix VPN. IPsec, sha, 3des
>
>The problem is how can I configure PIX1 to accept
>IPSec tunnel from the other three. I know that the
>other three Pixs need to have the same config.
>
>
>Drawing:
>
>10.20.22.84
> |----------------------Pix2 (10.2.1.1)
> Pix1 |-----------------------pix 3 (10.3.1.1)
> |-------------------------Pix 4 (10.4.1.1)
>
>
>Here is my confused configuration
>
>access-list 101 permit ip 10.20.22.84 255.255.255.255
>10.2.1.1 255.255.255.0
>access-list 101 permit ip 10.20.22.84 255.255.255.255
>10.3.1.1 255.255.255.0
>access-list 101 permit ip 10.20.22.84 255.255.255.255
>10.4.1.1 255.255.255.0
>nat (inside) 0 access-list 101
>sysopt connection permit-ipsec
>Isakmp enable outside
>Isakmp identity address
>Isakmp Disable Ethernet1
>Isakmp disable Ethernet2
>Isakmp disable Ethernet3
>crypto map engineering interface outside
>crypto map engineering 10 match address 101
>crypto map engineering 10 set peer 10.4.1.1
>crypto map engineering 10 set peer 10.3.1.1
>crypto map engineering 10 set peer 10.2.1.1
>Isakmp policy 10 encryption 3des
>Isakmp policy 10 hash sha
>Isakmp policy 10 authentication pre-share
>Isakmp policy 10 group 2
>Isakmp policy 10 lifetime 28800
>crypto ipsec transform-set Head esp-3des esp-sha-hmac
>crypto map Head 10 ipsec- isakmp
>match address 101
>set transform-set Head
>crypto ipsec security-association lifetime 3600
>
>vpngroup vpn address-pool ippool
>vpngroup vpn dns-server X.X.X.X
>vpngroup vpn wins-server X.X.X.X
> vpngroup vpn default-domain Next_Kins.com
> vpngroup vpn idle-time 1800
> vpngroup vpn password ********
>vpngroup vpn split-tunnel 101
> telnet timeout 5
> ssh timeout 5
> terminal width 80
>
>PIX520 platform 5.1(2)
>
>Thanks for your help.
>
>Elias
>

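As an added illustration of Tommy's suggestion (this is not configuration from either poster), here is what a hub-side crypto map with one entry per spoke looks like on Pix1. The host 10.20.22.84 and the peer addresses 10.2.1.1, 10.3.1.1 and 10.4.1.1 come from the drawing; the remote protected networks (192.168.2.0/24 and so on) and the pre-shared keys are assumed placeholders to be replaced with the real inside subnets and keys.

```text
! Pix1: one access-list per tunnel, matching only the traffic for that spoke
! (remote inside networks are assumed; replace with the real subnets)
access-list pix2-vpn permit ip 10.20.22.84 255.255.255.255 192.168.2.0 255.255.255.0
access-list pix3-vpn permit ip 10.20.22.84 255.255.255.255 192.168.3.0 255.255.255.0
access-list pix4-vpn permit ip 10.20.22.84 255.255.255.255 192.168.4.0 255.255.255.0

! NAT exemption covers all three tunnels in a single list
access-list nonat permit ip 10.20.22.84 255.255.255.255 192.168.2.0 255.255.255.0
access-list nonat permit ip 10.20.22.84 255.255.255.255 192.168.3.0 255.255.255.0
access-list nonat permit ip 10.20.22.84 255.255.255.255 192.168.4.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec

! Phase 1: one policy, and a separate pre-shared key bound to each peer address
! (per-peer keys rather than a single 0.0.0.0 wildcard key)
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
isakmp key KEY-FOR-PIX2 address 10.2.1.1 netmask 255.255.255.255
isakmp key KEY-FOR-PIX3 address 10.3.1.1 netmask 255.255.255.255
isakmp key KEY-FOR-PIX4 address 10.4.1.1 netmask 255.255.255.255

! Phase 2: one transform set shared by every map entry
crypto ipsec transform-set Head esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600

! Sequence 10/20/30: each entry names exactly one peer and one access-list
crypto map engineering 10 ipsec-isakmp
crypto map engineering 10 match address pix2-vpn
crypto map engineering 10 set peer 10.2.1.1
crypto map engineering 10 set transform-set Head
crypto map engineering 20 ipsec-isakmp
crypto map engineering 20 match address pix3-vpn
crypto map engineering 20 set peer 10.3.1.1
crypto map engineering 20 set transform-set Head
crypto map engineering 30 ipsec-isakmp
crypto map engineering 30 match address pix4-vpn
crypto map engineering 30 set peer 10.4.1.1
crypto map engineering 30 set transform-set Head
crypto map engineering interface outside
```

Each spoke then needs only a single map entry with the mirrored access-list and `set peer` pointing at Pix1's outside address. The `vpngroup` lines in the original post are for VPN-client remote access and play no part in these LAN-to-LAN tunnels.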


This archive was generated by hypermail 2.1.4 : Tue Jul 02 2002 - 08:12:28 GMT-3