192.168.1.x/24 --- 192.168.1.1 -| PIX-1 |- 100.100.100.11 --- internet --- 200.200.200.200 -| PIX-2 |- 150.150.150.113 --- 150.150.150.112/29
PIX-2 Config
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_access_in permit icmp any any log
access-list outside_access_in permit tcp any host 150.150.150.114 object-group tcp_114
icmp permit any outside
icmp permit any echo-reply outside
icmp permit any router-solicitation outside
icmp permit any inside
ip address outside 200.200.200.200 255.255.254.0
ip address inside 150.150.150.113 255.255.255.248
pdm location 150.150.150.114 255.255.255.255 inside
global (outside) 100 interface
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 150.150.150.114 150.150.150.114 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 200.200.200.1 1
aaa authentication ssh console LOCAL
http server enable
vpdn enable outside
PIX-1 Config
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_access_in permit icmp any any log
icmp permit any outside
icmp permit any echo-reply outside
icmp permit any router-solicitation outside
icmp permit any inside
ip address outside 100.100.100.11 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 100.100.100.13 192.168.1.28 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 83.146.41.9 1
aaa authentication ssh console LOCAL
http server enable
ssh 0.0.0.0 0.0.0.0 outside
vpdn enable outside
dhcpd address 192.168.1.30-192.168.1.120 inside
If I want to do a site-to-site VPN, then I found something like this:
PIX-1 - should be
access-list 101 permit ip 192.168.1.0 255.255.255.0 150.150.150.112 255.255.255.248
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
no sysopt route dnat
!--- esp-des provides 56-bit encryption.
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 200.200.200.200
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key ********** address 200.200.200.200 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
PIX-2 - Should be
access-list 101 permit ip 150.150.150.112 255.255.255.248 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
no sysopt route dnat
!--- esp-des provides 56-bit encryption.
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 100.100.100.11
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key ********** address 100.100.100.11 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
is this correct?
Robert
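As an added check, not part of Robert's post and not Cisco's code: the script below parses the two VPN snippets above and verifies the things that have to line up between two PIX 6.x IPsec peers, namely that each side's crypto map peer is the other side's outside-interface address, that the isakmp key address matches that peer, that the two crypto ACLs are mirror images (source and destination swapped), and that the transform set and ISAKMP policy are identical on both sides. It also flags the algorithm choices in the posted snippets that are weak by current standards (56-bit DES, MD5 and the 768-bit DH group 1). The outside addresses and the config lines are copied from the post; the function names, the field regexes and the weak-algorithm lists are the editor's assumptions.

```python
import re

# Added example, not part of the original post. Outside-interface addresses
# are taken from the two base configs above; the snippets below are the
# lines of the two posted VPN configs that the checker reads.
PIX1_OUTSIDE = "100.100.100.11"
PIX2_OUTSIDE = "200.200.200.200"

PIX1_VPN = """\
access-list 101 permit ip 192.168.1.0 255.255.255.0 150.150.150.112 255.255.255.248
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map transam 1 match address 101
crypto map transam 1 set peer 200.200.200.200
crypto map transam 1 set transform-set chevelle
isakmp key ********** address 200.200.200.200 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
"""
PIX2_VPN = """\
access-list 101 permit ip 150.150.150.112 255.255.255.248 192.168.1.0 255.255.255.0
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map transam 1 match address 101
crypto map transam 1 set peer 100.100.100.11
crypto map transam 1 set transform-set chevelle
isakmp key ********** address 100.100.100.11 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
"""

# One regex per field that has to agree (or mirror) between the two peers.
PATTERNS = {
    "acl": r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$",
    "tset": r"crypto ipsec transform-set (\S+) (.+)$",
    "map_acl": r"crypto map \S+ \d+ match address (\S+)$",
    "peer": r"crypto map \S+ \d+ set peer (\S+)$",
    "map_tset": r"crypto map \S+ \d+ set transform-set (\S+)$",
    "key_peer": r"isakmp key \S+ address (\S+) netmask \S+$",
    "policy": r"isakmp policy \d+ (\S+) (\S+)$",
}

# Weak by current standards: 56-bit DES, MD5 and the 768-bit DH group 1.
WEAK_POLICY = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac"}


def parse_vpn(text):
    """Extract the peer-sensitive fields from a PIX 6.x IPsec snippet."""
    cfg = {"acl": {}, "tset": {}, "policy": {}, "map_acl": None,
           "peer": None, "map_tset": None, "key_peer": None}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        for key, pattern in PATTERNS.items():
            m = re.match(pattern, line)
            if not m:
                continue
            if key == "acl":          # name -> list of (src, smask, dst, dmask)
                cfg["acl"].setdefault(m[1], []).append(m.groups()[1:])
            elif key == "tset":       # name -> list of ESP algorithms
                cfg["tset"][m[1]] = m[2].split()
            elif key == "policy":     # attribute -> value
                cfg["policy"][m[1]] = m[2]
            else:
                cfg[key] = m[1]
            break
    return cfg


def check_pair(a, a_outside, b, b_outside):
    """Return mismatches between two peers; an empty list means they mirror."""
    problems = []
    for name, cfg, other in (("A", a, b_outside), ("B", b, a_outside)):
        if cfg["peer"] != other:
            problems.append(f"{name}: peer {cfg['peer']} is not the other side's outside address {other}")
        if cfg["key_peer"] != cfg["peer"]:
            problems.append(f"{name}: isakmp key address {cfg['key_peer']} != crypto map peer {cfg['peer']}")
    # The crypto ACL on one side must be the other side's with src and dst swapped.
    mirrored = sorted((d, dm, s, sm) for s, sm, d, dm in a["acl"].get(a["map_acl"], []))
    if not mirrored or mirrored != sorted(b["acl"].get(b["map_acl"], [])):
        problems.append("crypto ACLs are not mirror images of each other")
    ts_a, ts_b = a["tset"].get(a["map_tset"]), b["tset"].get(b["map_tset"])
    if ts_a is None or ts_a != ts_b:
        problems.append("transform sets are missing or differ")
    if not a["policy"] or a["policy"] != b["policy"]:
        problems.append("isakmp policies are missing or differ")
    return problems


def weak_settings(cfg):
    """Flag ISAKMP policy and transform-set choices that are weak today."""
    findings = []
    for attr, weak in WEAK_POLICY.items():
        if cfg["policy"].get(attr) in weak:
            findings.append(f"isakmp {attr} {cfg['policy'][attr]}")
    for name, algs in cfg["tset"].items():
        findings.extend(f"transform-set {name} {alg}" for alg in algs if alg in WEAK_TRANSFORMS)
    return findings


if __name__ == "__main__":
    pix1, pix2 = parse_vpn(PIX1_VPN), parse_vpn(PIX2_VPN)
    for line in check_pair(pix1, PIX1_OUTSIDE, pix2, PIX2_OUTSIDE) or ["sides mirror each other"]:
        print(line)
    for finding in weak_settings(pix1):
        print("weak:", finding)
```

Run as-is the checker reports no mismatches for the two posted snippets and lists DES, MD5, DH group 1 and the esp-des/esp-md5-hmac transform set as weak; editing the peer address on one side (as the constructed test case does) produces two findings, since both the crypto map peer and the isakmp key address stop matching the other side's outside interface.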