- PIX 501 - VPN site-to-site
- Posted by Robert on February 2nd, 2006
Hello
I have 2 PIX firewalls.
I have a VPN site to site.
I tried so many times to do a VPN server and nothing works.
This is my VPN config - what do I have to do to be able to connect to Office
via Cisco VPN Client?
Office
IP address Outside = 100.100.100.100
IP address inside = 192.168.1.254
access-list 90 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list 90
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map toRemote 20 ipsec-isakmp
crypto map toRemote 20 match address 90
crypto map toRemote 20 set peer 90.90.90.90
crypto map toRemote 20 set transform-set strong
crypto map toRemote interface outside
isakmp enable outside
isakmp key ****** address 90.90.90.90 netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
Remote office
IP address Outside = 90.90.90.90
IP address inside = 10.0.0.254
access-list 80 permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat 0 access-list 80
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map toOffice 10 ipsec-isakmp
crypto map toOffice 10 match address 80
crypto map toOffice 10 set peer 100.100.100.100
crypto map toOffice 10 set transform-set strong
crypto map toOffice interface outside
isakmp enable outside
isakmp key ****** address 100.100.100.100 netmask 255.255.255.255
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
- Posted by Peter on February 2nd, 2006
Robert wrote:
Anyone got a solution?
- Posted by Walter Roberson on February 4th, 2006
In article <drsths$ftv$1@pop-news.nl.colt.net>,
Robert <mor_feusz@tlen.pl> wrote:
Do not use the same access list name for two different purposes.
Create different ACLs for use with nat 0 access-list and crypto map.
- Posted by Robert on February 8th, 2006
"Walter Roberson" <roberson@hushmail.com> wrote in message
news:xG4Ff.429117$2k.92675@pd7tw1no...
It should be OK.
How can I create a VPN server (PIX1)? I tried so many things, so I cannot
manage this.
access-list 90 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list ASCD permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
- Posted by Walter Roberson on February 8th, 2006
In article <LGtGf.9340$37.765@newsfe3-win.ntli.net>,
Robert <mor_feusz@tlen.pl> wrote:
The portion of the configuration you provided looks okay.
I would suggest explicitly putting in the (inside) on the remote office's
nat 0 access-list statement, but it will assume the (inside) anyhow
so it is just a matter of making it easier to read.
Is that the complete policy? You didn't set the group, and you didn't
set the hash? sha is the default, which should not be a problem,
but it is best to specify these things explicitly.
What do you get when you
debug crypto ipsec 2
debug crypto isakmp 2
and try to make a connection ?
- Posted by Robert on February 10th, 2006
It was a basic config.
It is OK.
VPN site to site works perfectly - no problems.
I do not know how to access PIX 1 from home via Cisco VPN Client using the
vpngroup command.
I tried so many things and nothing.
The story is:
Before the VPN site to site there was VPN to office and VPN to remote office - it was OK.
Then workers said they do not want to enable the VPN client to connect to the remote
office.
I created the VPN site to site - but somehow I could not connect using the VPN
client.
I removed the VPN server config and left site to site.
Now users want to connect to the remote office (site to site) and they want to
work from home using the VPN client, and I cannot manage this.
I even did this:
http://www.cisco.com/en/US/products/...0948b8.shtml
It does not work.
I am hopeless.
I do not know how to do it.
I do not have a Cisco username and password (I am registered but I do not have
access to a looooot of stuff).
Robert
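For readers following this thread, the following is an added example of what the Office PIX configuration looks like when a vpngroup remote-access client and the existing site-to-site tunnel share one outside interface. It is not Robert's configuration and not Cisco's sample; it is built from the addresses posted above and from Walter Roberson's two points (separate ACLs for nat 0 and for the crypto map, and the ISAKMP hash and group set explicitly). It assumes PIX software 6.3. The ACL names (nonat, l2l, split), the address pool 192.168.100.0/24, the vpngroup name homeusers, the username alice and the `********` secrets are all constructed placeholders; `!` lines are comments.

```cisco
! --- Office PIX (outside 100.100.100.100, inside 192.168.1.0/24) ---
! Pool handed to VPN Client users; constructed example range.
ip local pool vpnpool 192.168.100.1-192.168.100.50

! ACL 1: what must NOT be NATed. Covers BOTH the remote office and the client pool.
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
! ACL 2: only the site-to-site traffic, used by the static crypto map entry.
access-list l2l permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
! ACL 3: split-tunnel list pushed to clients (only Office traffic enters the tunnel).
access-list split permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

nat (inside) 0 access-list nonat
sysopt connection permit-ipsec

crypto ipsec transform-set strong esp-3des esp-sha-hmac
! Dynamic map: clients have unknown source addresses, so no peer and no match address.
crypto dynamic-map dynmap 10 set transform-set strong

! Static entry for the remote office, exactly as before but on the l2l ACL.
crypto map toRemote 20 ipsec-isakmp
crypto map toRemote 20 match address l2l
crypto map toRemote 20 set peer 90.90.90.90
crypto map toRemote 20 set transform-set strong
! Dynamic entry must carry the highest sequence number so it is evaluated last.
crypto map toRemote 65535 ipsec-isakmp dynamic dynmap
! Per-user XAUTH against the local user database, and mode-config address assignment.
crypto map toRemote client authentication LOCAL
crypto map toRemote client configuration address respond
crypto map toRemote interface outside

isakmp enable outside
isakmp identity address
! Site-to-site peer key. no-xauth / no-config-mode keep the client-only
! XAUTH and mode-config steps from being applied to the LAN-to-LAN peer.
isakmp key ****** address 90.90.90.90 netmask 255.255.255.255 no-xauth no-config-mode
! PIX 6.3+: lets clients behind home NAT routers connect (UDP 4500).
isakmp nat-traversal 20

! Policy 9 for the remote office: hash and group stated explicitly.
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
! Policy 10 for the VPN Client, which proposes group 2.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Remote-access group: name and password are what users type into the VPN Client.
vpngroup homeusers address-pool vpnpool
vpngroup homeusers dns-server 192.168.1.254
vpngroup homeusers split-tunnel split
vpngroup homeusers idle-time 1800
vpngroup homeusers password ********
! XAUTH user for the LOCAL database; one entry per person, not a shared account.
username alice password ********
```

Two design points worth checking on a live box. First, the nonat ACL is deliberately wider than the l2l ACL: if the crypto map reused the nat 0 list, the 192.168.100.0/24 pool entry would become a second "interesting traffic" line for the static peer 90.90.90.90, which is the mix-up Walter warned about. Second, after adding the dynamic entry, `debug crypto isakmp 2` and `debug crypto ipsec 2` while bringing the site-to-site tunnel up again confirm that the 90.90.90.90 peer still completes phase 1 on policy 9 without being asked for XAUTH; if it is, the `no-xauth no-config-mode` keywords on its isakmp key are missing.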