PIX-501 VPN Tunnels

I have a problem, and I have searched high and low for an answer on this group. I have a network with 1 main branch running a PIX-506, and 2 branch offices running PIX-501s. I have a successful tunnel between the main office and 1 branch office, and am trying to get the 2nd branch office connected to the main office. I have the same setup on the 2nd branch office as the 1st, but my problem is I don't know how to configure the main office for multiple tunnels. I have tried all the configs that I can think of. Any ideas?
Reply to
chas.scott

In article , wrote:
:I have a problem, and I have searched high and low for an answer on
:this group. I have a network with 1 main branch running a PIX-506, and
:2 branch offices running PIX-501s. I have a successful tunnel between
:the main office and 1 branch office, and am trying to get the 2nd
:branch office connected to the main office. I have the same setup on
:the 2nd branch office as the 1st, but my problem is I don't know how to
:configure the main office for multiple tunnels. I have tried all the
:configs that I can think of. Any ideas?

On the 506:

1) Copy the ACL that is used to describe the connection to the first branch, change its name, and change the destination IP addresses to match the second network, and put the result into the 506 configuration.

2) Copy the 'crypto map' entries that are used to describe the connection to the first branch, leave the name exactly the same but use a higher number, change the ACL name on the 'match address' entry to match what you created in step 1; and put the result into the 506 configuration.

3) If you are using pre-shared keys (most common on small networks), copy the 'isakmp key' entry used to describe the key for the first connection, change the IP address to match the second branch, change the password; and put the result into the 506 configuration.

4) Look in the 506 configuration for a 'nat (inside) 0 access-list' entry. Examine the access-list named there, copy the lines that match the first branch, change the addresses to the second branch, and add the result to the 506 configuration *using the same ACL name* (i.e., the ACL will now have more entries.)

On the second 501:

5) Change the 'isakmp key' password to match the password you chose in step 3.

Note 1: it is not strictly necessary to use different pre-shared keys for the two 501s, it is just better security.

Note 2: the procedure is a little different if the 501's have dynamic IP addresses.

Reply to
Walter Roberson
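The hub-side result of steps 1 through 4, and the matching spoke-side entry from step 5, written out as one PIX 6.x configuration fragment. This is an added illustration, not configuration from either poster; every address, ACL name, map name and key string in it is a made-up placeholder (documentation-range 203.0.113.x peers, RFC 1918 inside networks, a map called vpnmap) that you would replace with your own values. The single crypto map name with two sequence numbers (10 and 20) is the part the original question was missing.

```cisco
! ---- Main office (PIX-506), hub with two spokes ----
! Assumed addressing (placeholders, not from the thread):
!   main office inside   10.1.0.0/16   outside 203.0.113.1
!   branch 1 inside      10.2.0.0/16   outside 203.0.113.2
!   branch 2 inside      10.3.0.0/16   outside 203.0.113.3

! Step 1: one crypto ACL per branch, different names, different destination
access-list branch1_vpn permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list branch2_vpn permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0

! Step 4: the NAT-exemption ACL keeps ONE name and gains a line per branch.
! If branch 2 is missing here its traffic gets PATed to the outside address
! and never matches branch2_vpn, so the tunnel never comes up for it.
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
nat (inside) 0 access-list nonat

! Let IPsec-decrypted traffic bypass the outside interface ACL
sysopt connection permit-ipsec

! Phase 2 proposal shared by both spokes
crypto ipsec transform-set strong esp-3des esp-sha-hmac

! Step 2: same map name, higher sequence number for the second spoke
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address branch1_vpn
crypto map vpnmap 10 set peer 203.0.113.2
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap 20 ipsec-isakmp
crypto map vpnmap 20 match address branch2_vpn
crypto map vpnmap 20 set peer 203.0.113.3
crypto map vpnmap 20 set transform-set strong
crypto map vpnmap interface outside

! Step 3: one pre-shared key per peer address (different keys per spoke)
isakmp enable outside
isakmp identity address
isakmp key BRANCH1-PSK-PLACEHOLDER address 203.0.113.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key BRANCH2-PSK-PLACEHOLDER address 203.0.113.3 netmask 255.255.255.255 no-xauth no-config-mode

! Phase 1 policy, shared by both spokes
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! ---- Branch 2 (PIX-501), mirror image of the hub entry ----
access-list main_vpn permit ip 10.3.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list nonat permit ip 10.3.0.0 255.255.0.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address main_vpn
crypto map vpnmap 10 set peer 203.0.113.1
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside
isakmp enable outside
isakmp identity address
! Step 5: must equal the branch-2 key configured on the hub
isakmp key BRANCH2-PSK-PLACEHOLDER address 203.0.113.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

The crypto ACL on each spoke is the exact reverse of the hub's ACL for that spoke; a mismatch in either source or destination mask is the usual reason a second tunnel negotiates phase 1 but fails phase 2. After applying, send traffic from an inside host toward the other site (the tunnel is only built on demand) and check `show crypto isakmp sa` for a phase 1 SA to each peer and `show crypto ipsec sa` for encrypt/decrypt counters rising on both map entries. Note that the placeholder keys above must be replaced; with separate keys per spoke, a compromised branch 1 box cannot impersonate branch 2 to the hub.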
