From: Steve Smith (ssmith@teksell.com)
Date: Tue Jun 10 2003 - 12:49:07 GMT-3
May be overkill but try this. Just sub your IPs, remote and local, for
these.
Do it on both, just reverse your IPs. Works great.
access-list 101 permit ip 10.1.2.0 255.255.255.0 10.1.6.0 255.255.255.0
access-list 101 permit ip 10.1.0.0 255.255.255.0 10.1.6.0 255.255.255.0
access-list 101 permit ip 10.1.2.0 255.255.255.0 10.1.6.0 255.255.255.0
access-list 101 permit ip 10.1.0.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list 101 permit ip 10.1.2.0 255.255.255.0 10.1.5.0 255.255.255.0
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
crypto ipsec transform-set chat esp-des esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address 101
crypto map vpn 10 set peer 208.218.210.20
crypto map vpn 10 set transform-set chat
crypto map vpn interface outside
isakmp enable outside
isakmp key chatvpn address 208.218.210.20 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
access-list 101 permit ip 10.1.2.0 255.255.255.0 10.1.6.0 255.255.255.0
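As an added example (not from either poster), a small Python check for the two things this thread turns on: whether every crypto-map match ACL also has the nat 0 exemption and the sysopt line that Steve's config carries, plus the caveat a reviewer would add about the DES/MD5/group 1 choices. The config excerpts are constructed from the two posts and are not complete PIX configs.

```python
import re

# Constructed excerpt of Stefan's posted config (no nat 0, no sysopt).
STEFAN_CFG = """\
access-list myacl permit ip host 172.30.0.1 host 192.168.0.1
access-list myacl permit ip host 172.30.0.2 host 192.168.0.1
crypto ipsec transform-set mytransformset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address myacl
crypto map mymap 10 set pfs group2
crypto map mymap 10 set peer 192.168.100.1
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
"""

# Constructed excerpt of Steve's reply (has nat 0 and sysopt, but DES/MD5/group 1).
STEVE_CFG = """\
access-list 101 permit ip 10.1.2.0 255.255.255.0 10.1.6.0 255.255.255.0
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
crypto ipsec transform-set chat esp-des esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address 101
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
"""

# Tokens that flag legacy algorithms in transform-set or isakmp policy lines.
WEAK = ("esp-des", "esp-md5-hmac", "des", "md5", "group 1")

def _grab(lines, pattern):
    """Collect the first capture group of every line matching pattern."""
    return {m.group(1) for m in map(re.compile(pattern).match, lines) if m}

def lint_pix_vpn(cfg):
    """Return findings for a PIX 6.x style site-to-site VPN config excerpt."""
    findings = []
    lines = [l.strip() for l in cfg.splitlines() if l.strip()]
    match_acls = _grab(lines, r"crypto map \S+ \d+ match address (\S+)")
    nat0_acls = _grab(lines, r"nat \(\S+\) 0 access-list (\S+)")
    for acl in sorted(match_acls - nat0_acls):
        findings.append(f"crypto ACL {acl} has no 'nat (inside) 0 access-list {acl}' exemption")
    if "sysopt connection permit-ipsec" not in lines:
        findings.append("missing 'sysopt connection permit-ipsec'")
    for l in lines:
        if l.startswith(("crypto ipsec transform-set", "isakmp policy")):
            for w in WEAK:
                if re.search(rf"(^|\s){re.escape(w)}(\s|$)", l):
                    findings.append(f"weak algorithm '{w}' in: {l}")
    return findings
```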
-----Original Message-----
From: stefan vogt [mailto:stefan-uwe_vogt@web.de]
Sent: Tuesday, June 10, 2003 10:15 AM
To: security@groupstudy.com
Cc: ccielab@groupstudy.com
Subject: PIX VPN question
Hello all,
Can somebody help me out with a sample configuration for the following
scenario?
I have 2 PIX FW at different sites which should be connected using a vpn
tunnel with preshared keys. On my local PIX, only specific traffic
should be sent via the tunnel. The remaining traffic should be sent
without encryption to the internet.
I tried the following config (addresses changed ;)), but it seems I'm
missing something, since the 'normal' internet connectivity is broken.
---snip---
access-list myacl permit ip host 172.30.0.1 host 192.168.0.1
access-list myacl permit ip host 172.30.0.2 host 192.168.0.1
crypto ipsec transform-set mytransformset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address myacl
crypto map mymap 10 set pfs group2
crypto map mymap 10 set peer 192.168.100.1
crypto map mymap 10 set transform-set mytransformset
crypto map mymap interface outside
isakmp enable outside
isakmp key yyy address 192.168.100.1 netmask 255.255.255.255
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
---snip---
Any input/link/sample config is very welcome.
TIA,
Stefan
This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:56 GMT-3