Pix 506 & 501 site-to-site VPN question.

Hi all,

I currently have a Cisco PIX 506e set up at our main office. I also have a PIX 506e at a remote office. I've successfully configured a site-to-site VPN tunnel between these two locations. I've purchased an additional PIX 501 for another remote office and wish to do the same (site to site from remote2 to main). I've configured everything properly (from what I can see), and from comparing to the other configuration it should work, but it's not. Is there a restriction on the main office 506 to only allow 1 set of site-to-site VPN? I have 50 connectivity licenses for the 506, so licensing shouldn't be an issue as far as I know? Any input would be appreciated, thank you.

Silvan

Reply to
Silvan Jappert

The 506e has a max limit of 20 IPsec tunnels, so you should be OK for licensing. One problem I came across with multiple tunnels is that you can't have more than one crypto map. Instead, you have to give each additional tunnel a new priority. For example:

no crypto map outside_map1 10 match address outside1
no crypto map outside_map1 10 set peer 10.10.0.3
no crypto map outside_map1 10 set transform-set ESP-3DES-SHA

no crypto map outside_map2 10 match address outside2
no crypto map outside_map2 10 set peer 10.20.0.3
no crypto map outside_map2 10 set transform-set ESP-3DES-SHA

crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 10.10.0.3
crypto map outside_map 10 set transform-set ESP-3DES-SHA

crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 10.20.0.3
crypto map outside_map 20 set transform-set ESP-3DES-SHA

access-list outside_cryptomap_10 extended permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 10.2.0.0 255.255.0.0 192.168.2.0 255.255.255.0

tunnel-group 10.10.0.3 type ipsec-l2l
tunnel-group 10.10.0.3 ipsec-attributes
 pre-shared-key foo

tunnel-group 10.20.0.3 type ipsec-l2l
tunnel-group 10.20.0.3 ipsec-attributes
 pre-shared-key bar

Reply to
Gary

OK, this is part of my current config at the main office PIX 506.

access-list Non-Nat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 #This is internal local Office IP
access-list Non-Nat permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0 #This is the remote Office1 IP (the one that works)
access-list Non-Nat permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0 #This is the remote Office2 IP (the one I'm trying to set up)
access-list Split-Tun permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0 #Remote Office1
access-list Split-Tun3 permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0 #Remote Office2
.....
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
......
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set Trans-1 esp-3des esp-sha-hmac
crypto dynamic-map CovConn-Dyno 10 set transform-set Trans-1
crypto map CovConn-VPN 10 ipsec-isakmp dynamic CovConn-Dyno
crypto map CovConn-VPN client authentication MS-IAS
crypto map CovConn-VPN interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup CovConn-Group1 address-pool IP-Pool1 #CovConn-Group1 is used for home users to VPN to the network.
vpngroup CovConn-Group1 dns-server 192.168.0.5 192.168.0.6
vpngroup CovConn-Group1 default-domain cci.local
vpngroup CovConn-Group1 idle-time 1800
vpngroup CovConn-Group1 password ********
vpngroup CovConn-Group2 address-pool IP-Pool2 #CovConn-Group2 is used for the Remote Office1 VPN tunnel, which currently works.
vpngroup CovConn-Group2 dns-server 192.168.0.5 192.168.0.6
vpngroup CovConn-Group2 default-domain cci.local
vpngroup CovConn-Group2 split-tunnel Split-Tun
vpngroup CovConn-Group2 idle-time 1800
vpngroup CovConn-Group2 password ********
vpngroup CovConn-Group3 address-pool IP-Pool3 #CovConn-Group3 is the one not working that I'm trying to set up.
vpngroup CovConn-Group3 dns-server 192.168.0.5 192.168.0.6
vpngroup CovConn-Group3 default-domain cci.local
vpngroup CovConn-Group3 split-tunnel Split-Tun3
vpngroup CovConn-Group3 idle-time 1800
vpngroup CovConn-Group3 password ********

This is the config of the PIX 501 at Remote Office2.

.....
ip address outside pppoe setroute
ip address inside 192.168.3.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
......
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
.....
vpdn group PPPOE request dialout pppoe
vpdn group PPPOE localname *****
vpdn group PPPOE ppp authentication pap
vpdn username ******* password *********
dhcpd address 192.168.3.50-192.168.3.65 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
dhcprelay timeout 60
username ****** password ****** encrypted privilege 15
vpnclient server *IP ADDRESS OF OUTSIDE MAIN OFFICE*
vpnclient mode network-extension-mode
vpnclient vpngroup CovConn-Group3 password ********
vpnclient username ******* password ******
vpnclient enable

"Gary" wrote in message news: snipped-for-privacy@efn.org...

Reply to
Silvan Jappert
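Added example (not code from this thread, from the posters, or from Cisco): a small linter for the PIX-style config layout shown in the two posts above. It parses crypto map, access-list, transform-set and vpngroup lines and reports the pitfall Gary describes (more than one crypto map bound to the same interface, or a map entry missing its peer, ACL or transform set) as well as the kind of dangling split-tunnel ACL reference that would break a vpngroup like CovConn-Group3 in the main-office config. The sample configs, the names outside_map1/outside_map2 and the function names are constructed for the example; the only line shapes used are the ones visible in the thread.

```python
from collections import defaultdict

# Added example, not code from this thread or from Cisco: lint a flattened PIX-style
# config for the multi-tunnel pitfalls discussed above. Samples below are constructed.


def parse_config(text):
    """Index crypto map entries, interface bindings, ACLs, transform sets and vpngroups."""
    cfg = {
        "maps": defaultdict(dict),       # (map name, seq) -> match / peer / transform / dynamic
        "bindings": defaultdict(list),   # interface -> names bound via "crypto map X interface IF"
        "acls": set(), "transform_sets": set(), "dynamic_maps": set(),
        "vpngroups": defaultdict(dict),  # group -> split-tunnel ACL, password flag
    }
    keys = {("match", "address"): "match", ("set", "peer"): "peer",
            ("set", "transform-set"): "transform", ("ipsec-isakmp", "dynamic"): "dynamic"}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop inline '#' notes like those in the pasted config
        if not line or line.startswith("no "):
            continue
        tok = line.split()
        if tok[0] == "access-list":
            cfg["acls"].add(tok[1])
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"].add(tok[3])
        elif tok[:2] == ["crypto", "dynamic-map"]:
            cfg["dynamic_maps"].add(tok[2])
        elif tok[:2] == ["crypto", "map"] and len(tok) > 4:
            if tok[3] == "interface":
                cfg["bindings"][tok[4]].append(tok[2])
            elif tok[3].isdigit():               # "crypto map NAME SEQ ..."; map-level lines are skipped
                entry, rest = cfg["maps"][(tok[2], int(tok[3]))], tok[4:]
                if len(rest) > 2 and tuple(rest[:2]) in keys:
                    entry[keys[tuple(rest[:2])]] = rest[2]
        elif tok[0] == "vpngroup" and len(tok) > 3:
            if tok[2] == "split-tunnel":
                cfg["vpngroups"][tok[1]]["split-tunnel"] = tok[3]
            elif tok[2] == "password":
                cfg["vpngroups"][tok[1]]["password"] = True
    return cfg


def lint(text):
    """Return human-readable findings; an empty list means the checks passed."""
    cfg, findings, peers = parse_config(text), [], defaultdict(list)
    for iface, names in sorted(cfg["bindings"].items()):
        distinct = sorted(set(names))
        if len(distinct) > 1:                    # Gary's point: one map per interface
            findings.append(f"interface {iface}: more than one crypto map bound ({', '.join(distinct)}); "
                            "use one map with a distinct sequence number per tunnel")
    for (name, seq), e in sorted(cfg["maps"].items()):
        if "dynamic" in e:                       # Easy VPN server entry, as in the main-office config
            if e["dynamic"] not in cfg["dynamic_maps"]:
                findings.append(f"crypto map {name} {seq}: dynamic map {e['dynamic']} not defined")
            continue
        for key in ("match", "peer", "transform"):
            if key not in e:
                findings.append(f"crypto map {name} {seq}: no {key} configured")
        if "match" in e and e["match"] not in cfg["acls"]:
            findings.append(f"crypto map {name} {seq}: ACL {e['match']} not defined")
        if "transform" in e and e["transform"] not in cfg["transform_sets"]:
            findings.append(f"crypto map {name} {seq}: transform-set {e['transform']} not defined")
        if "peer" in e:
            peers[e["peer"]].append(f"{name} {seq}")
    for peer, entries in sorted(peers.items()):
        if len(entries) > 1:                     # two static entries for one peer shadow each other
            findings.append(f"peer {peer} used by more than one entry ({', '.join(entries)})")
    for grp, g in sorted(cfg["vpngroups"].items()):
        if "split-tunnel" in g and g["split-tunnel"] not in cfg["acls"]:
            findings.append(f"vpngroup {grp}: split-tunnel ACL {g['split-tunnel']} not defined")
        if not g.get("password"):
            findings.append(f"vpngroup {grp}: no group password configured")
    return findings


# Constructed samples in the shape of Gary's before/after and of the main-office Easy VPN config.
COMMON = """crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
access-list outside_cryptomap_10 permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.2.0.0 255.255.0.0 192.168.2.0 255.255.255.0
"""
BROKEN = COMMON + """crypto map outside_map1 10 match address outside_cryptomap_10
crypto map outside_map1 10 set peer 10.10.0.3
crypto map outside_map1 10 set transform-set ESP-3DES-SHA
crypto map outside_map2 10 match address outside_cryptomap_20
crypto map outside_map2 10 set peer 10.20.0.3
crypto map outside_map2 10 set transform-set ESP-3DES-SHA
crypto map outside_map1 interface outside
crypto map outside_map2 interface outside
"""
FIXED = COMMON + """crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 10.10.0.3
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 10.20.0.3
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
"""
EZVPN = """access-list Split-Tun permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec transform-set Trans-1 esp-3des esp-sha-hmac
crypto dynamic-map CovConn-Dyno 10 set transform-set Trans-1
crypto map CovConn-VPN 10 ipsec-isakmp dynamic CovConn-Dyno
crypto map CovConn-VPN client authentication MS-IAS
crypto map CovConn-VPN interface outside
vpngroup CovConn-Group2 split-tunnel Split-Tun
vpngroup CovConn-Group2 password ********
vpngroup CovConn-Group3 split-tunnel Split-Tun3   #ACL never defined -> dangling reference
vpngroup CovConn-Group3 password ********
"""
```

Running `lint(BROKEN)` reports the double interface binding, `lint(FIXED)` returns an empty list, and `lint(EZVPN)` flags only the undefined Split-Tun3 ACL; the `no ` lines in Gary's post are ignored on purpose so that a pasted before/after block lints as its after state. The linter checks the shape of the config only: it cannot see the firmware version, the peer's side of the tunnel, or whether the pre-shared key or vpngroup password matches on both ends, which is where a tunnel that is syntactically complete still fails.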

Please post the IPsec portion of your 501's config. Also, what version of firmware are you using on the two devices? I see vpdn commands, so it's definitely < 7.

Thanks, Gary

Reply to
Gary

The PIX 501 is using PIX version 6.3(4) and the 506 is using 6.3(3).

There are no IPsec commands on the 501. I posted any of the relevant VPN info. I made 1 change on the 506 last night and it seems to be working now.

Reply to
Silvan Jappert
