From: Szabo, Vilmos (VS183600@exchange.UnitedKingdom.NCR.COM)
Date: Tue Jun 10 2003 - 13:04:41 GMT-3
Stefan,
Sorry! I made a mistake: I did not see that the host in your ACL is
192.168.0.1 while the peer is 192.168.100.1.
Throw away my previous e-mail!
Some questions:
- route is OK?
- sysopt is OK?
- IPSec traffic is excluded from nat?
Vilmos
-----Original Message-----
From: Szabo, Vilmos
Sent: 10 June 2003 16:55
To: 'stefan vogt'; security@groupstudy.com
Cc: ccielab@groupstudy.com
Subject: RE: PIX VPN question
Stefan,
You defined the interesting traffic that should be encrypted to the same IP
address (host 192.168.0.1) as the IPSec tunnel termination point (a.k.a. peer),
which is not correct.
acl defines interesting traffic
peer defines tunnel termination point
These should be different unless you want to use transport mode, but as I
guess you want to use tunnel mode.
Regards,
Vilmos
-----Original Message-----
From: stefan vogt [mailto:stefan-uwe_vogt@web.de]
Sent: 10 June 2003 16:15
To: security@groupstudy.com
Cc: ccielab@groupstudy.com
Subject: PIX VPN question
Hello all,
Can somebody help me out with a sample configuration for the following
scenario?
I have 2 PIX FW at different sites which should be connected using a vpn
tunnel with preshared keys. On my local PIX, only specific traffic should be
sent via the tunnel. The remaining traffic should be sent without encryption
to the internet.
I tried the following config (addresses changed ;)), but it seems I'm missing
something, since the 'normal' internet connectivity is broken.
---snip---
access-list myacl permit ip host 172.30.0.1 host 192.168.0.1
access-list myacl permit ip host 172.30.0.2 host 192.168.0.1
crypto ipsec transform-set mytransformset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address myacl
crypto map mymap 10 set pfs group2
crypto map mymap 10 set peer 192.168.100.1
crypto map mymap 10 set transform-set mytransformset
crypto map mymap interface outside
isakmp enable outside
isakmp key yyy address 192.168.100.1 netmask 255.255.255.255
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
---snip---
Any input/link/sample config is very welcome.
TIA,
Stefan
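The three items Vilmos asks about (route, sysopt, NAT exemption) are the pieces that usually sit next to a crypto map like Stefan's on a PIX 6.x. The block below is an added illustration, not configuration from either poster: the hosts and peer are taken from Stefan's snippet, while the interface names (inside/outside), the PAT rule for the remaining internet traffic and the next-hop address are assumptions (the next hop is a placeholder). Comment lines are explanatory only.

```cisco
! Default route on outside so the IPsec peer and plain internet traffic
! are both reachable (next-hop address is a placeholder, not from the thread)
route outside 0.0.0.0 0.0.0.0 <OUTSIDE-NEXT-HOP> 1

! NAT exemption: the nonat ACL mirrors the crypto ACL exactly, so the flows
! that enter the tunnel keep their real 172.30.0.x source addresses.
! nat 0 with an access-list is evaluated before the numbered nat rules.
access-list nonat permit ip host 172.30.0.1 host 192.168.0.1
access-list nonat permit ip host 172.30.0.2 host 192.168.0.1
nat (inside) 0 access-list nonat

! Everything else is still PATed to the outside address and leaves unencrypted
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Allow decrypted IPsec traffic in without a matching interface ACL entry
sysopt connection permit-ipsec
```

With this in place, only the two hosts in the crypto ACL are steered into the tunnel (and exempted from NAT), while all other inside traffic is translated and routed to the internet in the clear. After a test ping from 172.30.0.1 to 192.168.0.1, `show crypto isakmp sa` should show the phase 1 SA with 192.168.100.1 and `show crypto ipsec sa` should show packet counters for the 172.30.0.x/192.168.0.1 pairs; if the nonat ACL does not cover exactly the same flows as myacl, the encapsulation counters stay at zero because the traffic is translated before the crypto map sees it.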
This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:56 GMT-3