Multiple IPsec VPNs between PIX



Hey all, I could really use some help. I have a head office and branch
office, both with a PIX. We set up an IPSEC VPN between them like so:

PIX at HQ:
access-list no_NAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list to_branch1 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (inside) 0 no_NAT

sysopt connection permit-ipsec

crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
crypto map MYMAP 100 ipsec-isakmp
crypto map MYMAP 100 match address to_branch1
crypto map MYMAP 100 set peer 222.222.222.222
crypto map MYMAP 100 set transform-set MYSET
crypto map MYMAP interface outside

isakmp key MYKEY address 222.222.222.222 netmask 255.255.255.240
isakmp enable outside
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 50000


PIX at Branch:
access-list no_NAT permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list to_HQ permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 no_NAT

sysopt connection permit-ipsec

crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
crypto map MYMAP 100 ipsec-isakmp
crypto map MYMAP 100 match address to_HQ
crypto map MYMAP 100 set peer 111.111.111.111
crypto map MYMAP 100 set transform-set MYSET
crypto map MYMAP interface outside

isakmp key MYKEY address 111.111.111.111 netmask 255.255.255.240
isakmp enable outside
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 50000

All of this has worked fine for months.

We just opened a new branch office, branch2, and I want to set up the
IPSEC VPN Tunnels between branch1 and branch2.

The PIX at branch2 is configured as follows:
access-list no_NAT permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list to_branch1 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (inside) 0 no_NAT

sysopt connection permit-ipsec

crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
crypto map MYMAP 200 ipsec-isakmp
crypto map MYMAP 200 match address to_branch1
crypto map MYMAP 200 set peer 222.222.222.222
crypto map MYMAP 200 set transform-set MYSET
crypto map MYMAP interface outside

isakmp key INTERBRANCHKEY address 222.222.222.222 netmask 255.255.255.240
isakmp enable outside
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 50000

Now here's my problem... In order to bring up the VPN between branch1
and branch2, I added the following to the PIX at branch1:

access-list no_NAT permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list to_branch2 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

crypto map MYMAP 200 ipsec-isakmp
crypto map MYMAP 200 match address to_branch2
crypto map MYMAP 200 set peer 333.333.333.333 (I know there is no such addr...)
crypto map MYMAP 200 set transform-set MYSET

isakmp key INTERBRANCHKEY address 333.333.333.333 netmask 255.255.255.240

.... and nothing. I can't ping anything in branch2 from inside branch1,
nor vice versa. My addresses are all OK. My pre-shared key is the same
on both, my access-lists are OK... what am I not getting? Can anyone
tell me if I messed something up? Do the PIXes need to be rebooted? Is
some other parameter required to be reset? Thanks for your help.

Al
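Added example, not part of Al's post and not a Cisco tool: a small Python checker that cross-checks several PIX 6.x site-to-site configs against each other the way you would by eye when adding a second tunnel to a box. It models the ISAKMP pre-shared key lookup as address/netmask containment (the `isakmp key ... address A netmask M` form used above), requires each crypto ACL to be the exact mirror of the far end's, and requires every tunnel ACE to also appear in the `nat (inside) 0` list. The three sample configs are constructed to follow the post's HQ/branch1/branch2 layout but use RFC 5737 documentation addresses instead of the placeholder IPs, and only the `net mask` form of `access-list` is parsed.

```python
"""Cross-check PIX 6.x site-to-site IPsec configs: a 'set peer' no 'isakmp key' covers, keys that
differ between the ends, a crypto ACL that is not the far end's mirror, traffic missing from nat 0."""
import ipaddress
import re
from collections import defaultdict

ACL_RE = re.compile(r"access-list (\S+) (permit|deny) ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"nat \(inside\) 0 (\S+)$")
MAP_RE = re.compile(r"crypto map (\S+) (\d+) (match address|set peer) (\S+)$")
KEY_RE = re.compile(r"isakmp key (\S+) address (\S+) netmask (\S+)$")

def parse_pix(text):
    """Extract the IPsec-relevant statements of one PIX config (net/mask ACL form only)."""
    cfg = {"acl": defaultdict(list), "nat0": None, "maps": {}, "keys": []}
    for line in map(str.strip, text.splitlines()):
        if m := ACL_RE.match(line):
            name, action, s, sm, d, dm = m.groups()
            cfg["acl"][name].append((action, f"{s}/{sm}", f"{d}/{dm}"))
        elif m := NAT0_RE.match(line):
            cfg["nat0"] = m.group(1)
        elif m := MAP_RE.match(line):
            name, seq, what, val = m.groups()
            entry = cfg["maps"].setdefault((name, int(seq)), {})  # one entry per sequence number
            entry["acl" if what == "match address" else "peer"] = val
        elif m := KEY_RE.match(line):
            key, addr, mask = m.groups()
            # the PIX selects the key by 'address netmask', so keep each key as a network
            cfg["keys"].append((key, ipaddress.ip_network(f"{addr}/{mask}", strict=False)))
    return cfg

def keys_for(cfg, addr):  # pre-shared keys whose address/netmask covers addr
    return [k for k, net in cfg["keys"] if ipaddress.ip_address(addr) in net]

def check_site(name, sites):
    """Problems on site `name`; sites maps name -> (outside_ip, parsed config)."""
    ip, cfg = sites[name]
    nat0 = cfg["acl"].get(cfg["nat0"], [])
    problems = []
    for (mapname, seq), entry in sorted(cfg["maps"].items()):
        tag = f"{name}: crypto map {mapname} {seq}"
        peer, acl = entry["peer"], entry["acl"]
        keys = keys_for(cfg, peer)
        if not keys:
            problems.append(f"{tag}: no isakmp key entry covers peer {peer}")
        aces = cfg["acl"].get(acl, [])
        for ace in aces:  # every tunnel ACE must also be in the nat 0 list, same direction
            if ace not in nat0:
                problems.append(f"{tag}: {ace[1]} -> {ace[2]} is not exempted by nat 0 list {cfg['nat0']}")
        far = next((s for s in sites if sites[s][0] == peer), None)
        if far is None:
            problems.append(f"{tag}: peer {peer} is not a known site")
            continue
        far_cfg = sites[far][1]
        back = [e for e in far_cfg["maps"].values() if e.get("peer") == ip]
        if not back:
            problems.append(f"{tag}: {far} has no crypto map entry pointing back at {ip}")
            continue
        mirrored = {(a, d, s) for a, s, d in far_cfg["acl"].get(back[0].get("acl"), [])}  # src/dst swapped
        if set(aces) != mirrored:
            problems.append(f"{tag}: {acl} is not the mirror of {far}'s {back[0].get('acl')}")
        far_keys = keys_for(far_cfg, ip)
        if keys and far_keys and keys[0] != far_keys[0]:
            problems.append(f"{tag}: pre-shared key for {peer} differs from {far}'s key for {ip}")
    return problems

def audit(site_texts):
    """site_texts: name -> (outside_ip, config text); returns name -> list of problems."""
    sites = {n: (ip, parse_pix(t)) for n, (ip, t) in site_texts.items()}
    return {n: check_site(n, sites) for n in sites}

# Constructed sample (documentation addresses): branch1 got the branch2 map entry and key, not the nat 0 line
SAMPLE_SITES = {
    "hq": ("192.0.2.1", """
access-list no_NAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list to_branch1 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 no_NAT
crypto map MYMAP 100 match address to_branch1
crypto map MYMAP 100 set peer 198.51.100.1
isakmp key MYKEY address 198.51.100.1 netmask 255.255.255.255"""),
    "branch1": ("198.51.100.1", """
access-list no_NAT permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list to_HQ permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list to_branch2 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 no_NAT
crypto map MYMAP 100 match address to_HQ
crypto map MYMAP 100 set peer 192.0.2.1
crypto map MYMAP 200 match address to_branch2
crypto map MYMAP 200 set peer 203.0.113.1
isakmp key MYKEY address 192.0.2.1 netmask 255.255.255.255
isakmp key INTERBRANCHKEY address 203.0.113.1 netmask 255.255.255.240"""),
    "branch2": ("203.0.113.1", """
access-list no_NAT permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list to_branch1 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 no_NAT
crypto map MYMAP 200 match address to_branch1
crypto map MYMAP 200 set peer 198.51.100.1
isakmp key INTERBRANCHKEY address 198.51.100.1 netmask 255.255.255.240"""),
}
if __name__ == "__main__": print(audit(SAMPLE_SITES))
```

On the constructed sample, `audit(SAMPLE_SITES)` returns no findings for hq and branch2 and exactly one for branch1: the 192.168.2.0 -> 192.168.3.0 entry of to_branch2 is absent from no_NAT, so that traffic would be translated before it reaches the crypto map. The netmask handling is the part worth noting for the post's configs: a key entered as `address X netmask 255.255.255.240` is matched as the /28 containing X, so two peers in the same /28 would be served by whichever key entry is found first, and a peer outside every configured /28 gets no key at all.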
