Pix Configuration (PPPoe, VPN, between 3 sites)

Hi All !

I have to configure 3 PIX (one 506 for site1, and two 501s for site2 and site3). VPNs are between site1 and site2, and between site1 and site3. The default route is given by the PPPoE connection.

I have done these configurations:

********************** PIX506 site1

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password aqDfVcZqfuZSyNaS encrypted
passwd aqDfVcZqfuZSyNaS encrypted
hostname SITE1
domain-name site1.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 9.1.1.0 SITE2
name 9.1.2.0 SITE3
access-list inside_outbound_nat0_acl permit ip 9.1.0.0 255.255.255.0 SITE2 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 9.1.0.0 255.255.255.0 SITE3 255.255.255.0
access-list outside_cryptomap_20 permit ip 9.1.0.0 255.255.255.0 SITE2 255.255.255.0
access-list outside_cryptomap_40 permit ip 9.1.0.0 255.255.255.0 SITE3 255.255.255.0
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe
ip address inside 9.1.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 9.1.0.0 255.255.255.0 inside
pdm location SITE2 255.255.255.0 outside
pdm location SITE3 255.255.255.0 outside
pdm location SITE2 255.255.255.0 inside
pdm location SITE3 255.255.255.0 inside
pdm location 9.1.0.0 255.255.0.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 9.1.0.0 255.255.255.0 inside
http xx.xx.xx.xx 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 1x.xx.xx.xx
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 2x.xx.xx.xx
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 1x.xx.xx.xx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 2x.xx.xx.xx netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
telnet 9.1.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname LOGIN
vpdn group pppoe_group ppp authentication chap
vpdn username LOGIN password ********
dhcpd auto_config outside
terminal width 80
Cryptochecksum:ea53ef68470328980e860818f78341b2

*************************

PIX 501 SITE2

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password aqDfVcZqfuZSyNaS encrypted
passwd aqDfVcZqfuZSyNaS encrypted
hostname SITE2
domain-name SITE2.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 9.1.0.0 SITE1
access-list inside_outbound_nat0_acl permit ip 9.1.1.0 255.255.255.0 SITE1 255.255.255.0
access-list outside_cryptomap_20 permit ip 9.1.1.0 255.255.255.0 SITE1 255.255.255.0
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe
ip address inside 9.1.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 9.1.1.0 255.255.255.0 inside
pdm location SITE1 255.255.255.0 outside
pdm location SITE1 255.255.0.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 9.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer xx.xx.xx.xx
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
telnet 9.1.1.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname LOGIN
vpdn group pppoe_group ppp authentication chap
vpdn username LOGIN password ********
dhcpd auto_config outside
terminal width 80
Cryptochecksum:ea9e2e1cca089a12ead7ea53149e04b0

*********************

PIX501 SITE3

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password aqDfVcZqfuZSyNaS encrypted
passwd aqDfVcZqfuZSyNaS encrypted
hostname SITE3
domain-name SITE3.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 9.1.0.0 SITE1
access-list outside_cryptomap_20 permit ip 9.1.2.0 255.255.255.0 SITE1 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 9.1.2.0 255.255.255.0 SITE1 255.255.255.0
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe
ip address inside 9.1.2.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 9.1.2.0 255.255.255.0 inside
pdm location SITE1 255.255.255.0 outside
pdm location SITE1 255.255.0.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 9.1.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer xx.xx.xx.xx
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
telnet 9.1.2.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname LOGIN
vpdn group pppoe_group ppp authentication chap
vpdn username LOGIN password ********
dhcpd auto_config outside
terminal width 80
Cryptochecksum:98d1050545d90facb158f3e58a458963

********************************

Do you think it's OK?

Thanks a lot!

Jov

LLFF
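Cross-checking the posted configs programmatically, as an added example that is not part of the original post. It reproduces only the VPN-relevant lines of SITE1 and SITE2 (peer addresses redacted as in the post) and assumes the nat 0 ACL name inside_outbound_nat0_acl used in the configs. For one crypto-map entry it verifies that the crypto ACL is mirrored on the peer, that the encrypted traffic is exempted from NAT, that a pre-shared key exists for the peer and that at least one ISAKMP policy is common to both sides; it then flags the MD5/group 1 policy, the default SNMP community, and the 1500-byte outside MTU on a PPPoE link for review.

```python
"""Added example, not from the thread: parse the VPN-relevant part of two PIX
6.x configs, check the tunnel between them for consistency, flag weak settings."""
from collections import defaultdict

NAT0_ACL = "inside_outbound_nat0_acl"   # nat (inside) 0 ACL name in the posted configs

# Excerpts of the posted SITE1 and SITE2 configs (peer addresses redacted as in the post).
SITE1_CFG = """
name 9.1.1.0 SITE2
access-list inside_outbound_nat0_acl permit ip 9.1.0.0 255.255.255.0 SITE2 255.255.255.0
access-list outside_cryptomap_20 permit ip 9.1.0.0 255.255.255.0 SITE2 255.255.255.0
mtu outside 1500
ip address outside pppoe
snmp-server community public
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 1x.xx.xx.xx
crypto map outside_map 20 set transform-set ESP-3DES-SHA
isakmp key ******** address 1x.xx.xx.xx netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
"""
SITE2_CFG = """
name 9.1.0.0 SITE1
access-list inside_outbound_nat0_acl permit ip 9.1.1.0 255.255.255.0 SITE1 255.255.255.0
access-list outside_cryptomap_20 permit ip 9.1.1.0 255.255.255.0 SITE1 255.255.255.0
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer xx.xx.xx.xx
crypto map outside_map 20 set transform-set ESP-3DES-SHA
isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
"""

def parse(text):
    """Collect names, 'permit ip' ACL entries, crypto-map fields, ISAKMP key
    addresses and ISAKMP policy attributes from a one-command-per-line config."""
    cfg = {"names": {}, "acl": defaultdict(list), "cmap": defaultdict(dict),
           "keys": set(), "policy": defaultdict(dict), "lines": []}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        t = line.split()
        cfg["lines"].append(line)
        if t[0] == "name":
            cfg["names"][t[2]] = t[1]                      # alias -> address
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            cfg["acl"][t[1]].append(tuple(t[4:8]))         # (src, smask, dst, dmask)
        elif t[:2] == ["crypto", "map"] and t[3].isdigit() and t[4] in ("match", "set"):
            field = t[5] if t[4] == "set" else "acl"       # 'peer', 'transform-set' or 'acl'
            cfg["cmap"][t[3]][field] = t[-1]
        elif t[:2] == ["isakmp", "key"]:
            cfg["keys"].add(t[4])                          # peer address the key is bound to
        elif t[:2] == ["isakmp", "policy"]:
            cfg["policy"][t[2]][t[3]] = t[4]
    return cfg

def flows(cfg, acl):
    """ACL entries of 'acl' with name aliases resolved to addresses."""
    n = cfg["names"]
    return {(n.get(s, s), sm, n.get(d, d), dm) for s, sm, d, dm in cfg["acl"].get(acl, [])}

def check_tunnel(local, seq, remote, rseq):
    """Findings for crypto-map entry 'seq' on 'local' against entry 'rseq' on 'remote'."""
    out, e, r = [], local["cmap"][seq], remote["cmap"][rseq]
    if e.get("peer") not in local["keys"]:
        out.append(f"map {seq}: no isakmp key configured for peer {e.get('peer')}")
    mine = flows(local, e.get("acl"))
    for s, _, d, _ in mine - flows(local, NAT0_ACL):
        out.append(f"map {seq}: {s}->{d} is encrypted but not exempted from NAT")
    # The peer's crypto ACL must be the same flows with source and destination swapped.
    theirs = {(d, dm, s, sm) for s, sm, d, dm in flows(remote, r.get("acl"))}
    for s, _, d, _ in mine ^ theirs:
        out.append(f"map {seq}: crypto ACL for {s}->{d} is not mirrored on the peer")
    if e.get("transform-set") != r.get("transform-set"):
        out.append(f"map {seq}: transform-set differs from the peer's")
    if not [p for p in local["policy"].values() if p in remote["policy"].values()]:
        out.append("no ISAKMP policy in common with the peer")
    return out

def audit(cfg):
    """Settings worth a second look when reviewing a single config."""
    warn = []
    for seq, p in cfg["policy"].items():
        if p.get("hash") == "md5" or p.get("group") == "1":
            warn.append(f"isakmp policy {seq}: MD5 and DH group 1 are weak; prefer sha and group 2 or higher")
    if "snmp-server community public" in cfg["lines"]:
        warn.append("snmp community 'public' is the well-known default")
    if "ip address outside pppoe" in cfg["lines"] and "mtu outside 1500" in cfg["lines"]:
        warn.append("outside MTU is 1500 on a PPPoE link; PPPoE framing leaves 1492 for IP")
    return warn

if __name__ == "__main__":
    site1, site2 = parse(SITE1_CFG), parse(SITE2_CFG)
    print(check_tunnel(site1, "20", site2, "20") or "tunnel 20: consistent")
    print(*audit(site1), sep="\n")
```

Run as-is it reports tunnel 20 between SITE1 and SITE2 as consistent and prints the three review warnings for SITE1; change one subnet in either crypto ACL and the mirror check fails, which is the usual cause of a tunnel that negotiates phase 1 but never passes traffic.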

Not sure, but maybe you need to set the MTU for the PPPoE on the outside interfaces ...

Martin Bilgrav

Hi Martin!

Thanks for this answer ... but I don't really understand ... Could you please give me more details?

Thanks a lot!

Jov

LLFF

Well, since I am not sure:

formatting link

8) HTH Martin
Martin Bilgrav

Thanks Martin! ;-)

LLFF

LLFF wrote:

If you have a fixed IP address, you could do:

ip address outside x.x.x.x y.y.y.y pppoe
route outside 0.0.0.0 0.0.0.0 z.z.z.z

Where:

x.x.x.x = your fixed IP address
y.y.y.y = your mask
z.z.z.z = your gateway

With that, you don't have any variable.

Fwed

And if my fixed IP address is given by my provider??? Do I have to enter ip address outside x.x.x.x y.y.y.y pppoe, route outside 0.0.0.0 0.0.0.0 z.z.z.z??

Thanks Fwed!

LLFF

LLFF wrote:

No, you can keep:

ip address outside pppoe setroute

I think it's good if you have a simple configuration. When you make a configuration with ipsec etc ... it's better not to have any variable. You know which address is in use, and so does the pix.

Fwed

Don't forget to specify setroute; it means that the pix uses the gateway returned by DHCP.

Fwed

Thanks Fwed!!!!!! :-)

LLFF

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.