515 & 501 VPN Tunnel Help

I'm fairly new at setting up/configuring Cisco products. I could use some help with a new install.

Here's a brief outline of my setup and what I'm trying to do. I have one Central Office location (CO) which has a 515 Pix. I also have 8 remote locations; one is connected via fiber across two layer 3 switches (10.128.0.0 to 10.1.0.0).

The other 7 remote sites are a mix of either DSL or Satellite connections. Some have fixed IPs, while others get their IPs dynamically from their ISPs (hopefully this will change). All will have 501 PIXs installed. Currently I can connect to the CO via the VPN software client. I would like to create IPSec tunnels to the CO via the 501s, and if possible, I would like to have access to the remote networks from the CO.

Any help would be greatly appreciated. Thanks in advance.

CO - 515 PIX

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
domain-name acsu.k12.vt.us
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 10.128.0.102 dnsserver
access-list aclout permit tcp any host webserver eq 9802
access-list ravpn permit ip 10.1.0.0 255.255.252.0 172.18.10.0 255.255.255.0
access-list nonat permit ip 10.128.0.0 255.255.252.0 172.18.10.0 255.255.255.0
access-list nonat permit ip 10.128.0.0 255.255.252.0 192.168.1.0 255.255.255.0
access-list splitt permit ip 10.128.0.0 255.255.252.0 172.18.10.0 255.255.255.0
pager lines 23
logging on
logging trap notifications
logging host inside dnsserver
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 207.136.244.194 255.255.255.224
ip address inside 10.128.0.1 255.255.252.0
ip address dmz 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ra_vpn 172.18.10.1-172.18.10.254
pdm history enable
arp timeout 3600
global (outside) 1 207.136.244.215-207.136.244.220
global (outside) 1 207.136.244.195
global (dmz) 1 192.168.0.9-192.168.3.254
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 192.168.0.0 255.255.255.0 0 0
static (dmz,outside) fcis 192.168.0.4 netmask 255.255.255.255 0 0
static (dmz,outside) bess 192.168.0.5 netmask 255.255.255.255 0 0
static (dmz,outside) webserver 192.168.0.201 netmask 255.255.255.255 0 0
static (inside,outside) SPEDDoc 10.128.0.91 netmask 255.255.255.255 0 0
static (dmz,outside) mailserver 192.168.0.3 netmask 255.255.255.255 0 0
static (dmz,outside) SPAMFilter 192.168.0.8 netmask 255.255.255.255 0 0
static (inside,outside) FMP_Server 10.128.0.94 netmask 255.255.255.255 0 0
access-group aclout in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 207.136.244.193 1
route inside 10.1.0.0 255.255.252.0 10.128.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server Authinbound protocol radius
aaa-server Authinbound (inside) host dnsserver blister834d timeout 10
no snmp-server location
no snmp-server contact
snmp-server community 098er4jllkdjf
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set acsuset esp-des esp-md5-hmac
crypto ipsec transform-set acsuvpn esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set acsuvpn
crypto map myvpn 10 ipsec-isakmp dynamic dynmap
crypto map myvpn client configuration address initiate
crypto map myvpn client configuration address respond
crypto map myvpn client authentication Authinbound
crypto map myvpn interface outside
isakmp enable outside
isakmp key ******** address 208.65.163.4 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 208.65.163.6 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp client configuration address-pool local ra_vpn outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup acsuafp4 address-pool ra_vpn
vpngroup acsuafp4 dns-server 10.1.0.105
vpngroup acsuafp4 default-domain muhs.acsu.k12.vt.us
vpngroup acsuafp4 split-tunnel splitt
vpngroup acsuafp4 idle-time 1800
vpngroup acsuafp4 password ********
telnet 10.128.0.0 255.255.0.0 inside
telnet timeout 60
ssh 10.128.0.101 255.255.255.255 inside
ssh 10.128.2.9 255.255.255.255 inside
ssh timeout 60
COFW#

Example of remote 501 Pix

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname cornwall501
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.128.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 208.65.163.6 255.255.255.224
ip address inside 192.168.1.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 208.65.163.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set acsu esp-3des esp-sha-hmac
crypto map toacsu 20 ipsec-isakmp
crypto map toacsu 20 match address 110
crypto map toacsu 20 set peer 207.136.244.194
crypto map toacsu 20 set transform-set acsu
crypto map toacsu interface outside
isakmp enable outside
isakmp key ******** address 207.136.244.194 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.4-192.168.1.131 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
: end
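Added example, not part of the post and not Cisco tooling: a small Python audit script that parses PIX 6.x config text and cross-checks the three things two peers must agree on before a LAN-to-LAN tunnel negotiates at all: the ISAKMP policy attributes (authentication, encryption, hash, DH group), the transform sets each side actually offers through a crypto map or dynamic map (a transform set that is defined but never referenced is not offered), and whether the ACL a crypto map entry points at with `match address` is defined. The `HUB_CONFIG` and `SPOKE_CONFIG` strings are excerpts of the 515 and 501 configs posted above; the function and finding names are the script's own.

```python
"""Cross-check IKE (phase 1) and IPsec (phase 2) proposals of two PIX 6.x configs.

Added example (hypothetical audit script). The sample configs are excerpts of the
515 and 501 configs from the post; everything else here is constructed.
"""
import re
from collections import defaultdict

# Excerpt of the central-office 515 config from the post.
HUB_CONFIG = """
access-list nonat permit ip 10.128.0.0 255.255.252.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set acsuset esp-des esp-md5-hmac
crypto ipsec transform-set acsuvpn esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set acsuvpn
crypto map myvpn 10 ipsec-isakmp dynamic dynmap
crypto map myvpn interface outside
isakmp key ******** address 208.65.163.6 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""

# Excerpt of the remote 501 (cornwall501) config from the post.
SPOKE_CONFIG = """
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.128.0.0 255.255.255.0
crypto ipsec transform-set acsu esp-3des esp-sha-hmac
crypto map toacsu 20 ipsec-isakmp
crypto map toacsu 20 match address 110
crypto map toacsu 20 set peer 207.136.244.194
crypto map toacsu 20 set transform-set acsu
crypto map toacsu interface outside
isakmp key ******** address 207.136.244.194 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
"""

POLICY_RE = re.compile(r"isakmp policy (\d+) (\w+) (\S+)$")
TSET_RE = re.compile(r"crypto ipsec transform-set (\S+) (.+)$")
ACL_RE = re.compile(r"access-list (\S+) ")
CMAP_RE = re.compile(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)$")
DYNMAP_RE = re.compile(r"crypto dynamic-map (\S+) (\d+) set transform-set (.+)$")

# Lifetime is deliberately left out: IKEv1 peers settle on the shorter one, so it need not match.
PHASE1_KEYS = ("authentication", "encryption", "hash", "group")


def parse_pix(text):
    """Extract only the pieces that decide whether a LAN-to-LAN tunnel can negotiate."""
    cfg = {"policies": defaultdict(dict), "transform_sets": {}, "acls": set(),
           "crypto_maps": defaultdict(dict), "dynamic_maps": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := POLICY_RE.match(line):
            cfg["policies"][m[1]][m[2]] = m[3]            # policy seq -> {attribute: value}
        elif m := TSET_RE.match(line):
            cfg["transform_sets"][m[1]] = frozenset(m[2].split())
        elif m := CMAP_RE.match(line):
            cfg["crypto_maps"][(m[1], m[2])][m[3]] = m[4]   # (map, seq) -> settings
        elif m := DYNMAP_RE.match(line):
            cfg["dynamic_maps"][(m[1], m[2])] = m[3].split()
        elif m := ACL_RE.match(line):
            cfg["acls"].add(m[1])
    return cfg


def phase1_matches(a, b):
    """ISAKMP policy pairs that agree on every attribute that must match exactly."""
    return [(pa, pb) for pa, da in a["policies"].items() for pb, db in b["policies"].items()
            if all(da.get(k) == db.get(k) for k in PHASE1_KEYS)]


def offered_transform_sets(cfg):
    """Algorithm sets a peer can really propose: only those referenced by a crypto or dynamic map."""
    names = {e["set transform-set"] for e in cfg["crypto_maps"].values() if "set transform-set" in e}
    for sets in cfg["dynamic_maps"].values():
        names.update(sets)
    return {cfg["transform_sets"][n] for n in names if n in cfg["transform_sets"]}


def phase2_matches(a, b):
    return offered_transform_sets(a) & offered_transform_sets(b)


def dangling_acls(cfg):
    """'match address' ACLs a crypto map references but the config never defines."""
    return sorted(e["match address"] for e in cfg["crypto_maps"].values()
                  if "match address" in e and e["match address"] not in cfg["acls"])


def audit(hub_text, spoke_text):
    """Return a list of finding tags; an empty list means the proposals line up."""
    hub, spoke = parse_pix(hub_text), parse_pix(spoke_text)
    findings = []
    if not phase1_matches(hub, spoke):
        findings.append("phase1-mismatch")
    if not phase2_matches(hub, spoke):
        findings.append("phase2-mismatch")
    findings += [f"missing-acl:{name}" for name in dangling_acls(spoke)]
    return findings


if __name__ == "__main__":
    for finding in audit(HUB_CONFIG, SPOKE_CONFIG):
        print(finding)
```

Run against the two excerpts it prints `phase1-mismatch`, `phase2-mismatch` and `missing-acl:110`; run against the same config on both sides it prints nothing. It works on the text as posted, so it only tells you what would fail to negotiate between these two snippets, not what the right policy for the deployment is.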
Rocket Richard
