Whoops...feel like a "rookie" now!  ;-}

PS Watch the word wrap on the text file.  It has some rather long
statements.

Thanks!

Rik

-----Original Message-----
From: Rik Guyler 
Sent: Tuesday, December 26, 2000 1:21 PM
To: Cisco Groupstudy (E-mail)
Cc: '[EMAIL PROTECTED]'
Subject: RE: Over the internet VPN class


Yes, there is a hub involved here, although in my lab, it is just a 3524XL
switch, so I'm not clear on what you mean by "incorporates the other 2
access lists".  If this so-called "hub" means something other than what we
would most commonly associate with the term "hub", please clue me in.

The sample config from CCO does indeed use the "isakmp identity address"
statement, so that's covered.  The "nat 0" statement is there with
"access-list 100", which all looks fine to me.  

Attached is one of the sample configs.  All 3 look pretty much the same,
just swap addresses where appropriate.

If you have any other hints or things to check, I appreciate everything!

Rik Guyler

-----Original Message-----
From: Austin [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 26, 2000 11:46 AM
To: [EMAIL PROTECTED]
Subject: Re: Over the internet VPN class


Are you trying to have a PIX Hub configuration?
Make sure that you have an access list on the Hub that incorporates the
other 2 access lists. Also, use isakmp identity address and not host name.
And then you might want to take a look at your nat (0) statements on all 3
PIXes.


"Rik Guyler" <[EMAIL PROTECTED]> wrote in message
news:A15A8664DC88D41197820008C70D908787DA@SMSNTFS2...
> Sorry Chuck, meant to send this to the whole list ;-}
>
> Chuck, a little begging here, but would you mind sharing your sanitized
> PIX config for this VPN setup with me?  I have been struggling with a
> 3-way VPN setup (DES) and so far, have not been able to make it work.
>
> What I'm trying to do is create a 3-way VPN between 3 PIXes.  I have used
> the CCO sample configs, but they appear not to work.  A coworker of mine
> also had a similar experience with the same config samples in a prior
> attempt to do this.
>
> If anybody has any suggestions on this topic, I'm all ears.  I've gone
> through CCO pretty thoroughly (I believe) but haven't been able to find
> any other truly revealing information.  My PIX OS is version 5.1(2)
>
> Thanks,
>
> Rik Guyler
>
> -----Original Message-----
> From: Chuck Larrieu [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, December 20, 2000 7:59 PM
> To: Cisco Mail List
> Subject: Over the internet VPN class
>
>
> OK, I think I can try this one again.
>
> Through the magic of the internet, I believe I have the means of setting
> up my lab pod for some live VPN over the internet instruction.
>
> Weds. December 27, 5:00 p.m. Pacific, 8:00 p.m. eastern. I believe that
> comes out to 1:00 a.m. Thursday December 27 GMT ( we're off daylight
> savings, aren't we? :-> )
>
> I have received tentative concurrence from Dale Holmes that it will be ok
> to use the allnet chatsite as the means for running this informal class.
> http://www.allnetllc.net/chat/ciscochat.htm
>
> Essentially, I will have IPSec 56 bit DES configured. Folks should be able
> to set up VPN tunnels to my routers, and potentially from there reach
> each other.
>
> I will be finishing up my study on this over the weekend, and will send
> out another announcement. In the meantime, those who might be interested
> might want to look at how you might connect.
> I have 2501 routers running 12.1 or so with IPSec DES
>
> Please do not e-mail me yet. All the details are not worked out. But mark
> your calendars.
>
> Chuck
> ----------------------
> I am Locutus, a CCIE Lab Proctor. Xx_Brain_dumps_xX are futile. Your life
> as it has been is over ( if you hope to pass ) From this time forward, you
> will study US!
> ( apologies to the folks at Star Trek TNG )
>
> _________________________________
> FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
> This mail was processed by Mail essentials for Exchange/SMTP,
> the email security & management gateway. Mail essentials adds
> content checking, email encryption, anti spam, anti virus,
> attachment compression, personalised auto responders, archiving
> and more to your Microsoft Exchange Server or SMTP mail server.
> For more information visit http://www.mailessentials.com
>





nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix_3
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 110 permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list 120 permit ip 10.3.3.0 255.255.255.0 10.2.2.0 255.255.255.0 
access-list 100 permit ip 10.3.3.0 255.255.255.0 10.2.2.0 255.255.255.0 
access-list 100 permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0 
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 172.18.124.157 255.255.255.0
ip address inside 10.3.3.1 255.255.255.0
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
nat (inside) 0 access-list 100
route outside 0.0.0.0 0.0.0.0 172.18.124.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac 
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer 172.18.124.153 
crypto map newmap 10 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 120
crypto map newmap 20 set peer 172.18.124.154 
crypto map newmap 20 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 172.18.124.153 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 172.18.124.154 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh timeout 5
terminal width 80
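The three things Austin tells Rik to verify (a nat 0 access-list that covers every subnet pair a crypto map protects, isakmp identity address, and a pre-shared key for each peer) can be checked mechanically against a saved config. The Python below is an added example for this thread, not code from the list, from Rik, or from any Cisco tool. It parses the relevant lines of the pix_3 config attached above, then runs the same checks on a constructed "hub" variant whose nat 0 list forgets one spoke and which lacks the second isakmp key. The function names (parse_pix, check_vpn) and the HUB_MISSING_SPOKE variant are assumptions of the example; only the syntax of the PIX lines it parses comes from the attached config.

```python
import ipaddress

# Relevant lines of the pix_3 config attached to this thread; the remaining
# lines of that config do not influence the checks below.
PIX3_CONFIG = """\
access-list 110 permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 120 permit ip 10.3.3.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list 100 permit ip 10.3.3.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list 100 permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 100
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer 172.18.124.153
crypto map newmap 10 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 120
crypto map newmap 20 set peer 172.18.124.154
crypto map newmap 20 set transform-set myset
crypto map newmap interface outside
isakmp key ******** address 172.18.124.153 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 172.18.124.154 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
"""

# Constructed variant (not from the thread): the nat 0 list forgets the
# 10.2.2.0 spoke and the pre-shared key for the second peer is missing.
HUB_MISSING_SPOKE = "\n".join(
    line for line in PIX3_CONFIG.splitlines()
    if line != "access-list 100 permit ip 10.3.3.0 255.255.255.0 10.2.2.0 255.255.255.0"
    and not line.startswith("isakmp key ******** address 172.18.124.154")
)


def _net(addr, mask):
    """Build a network object from a PIX 'address mask' pair."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_pix(config_text):
    """Collect ACLs, nat 0 exemptions, crypto map entries and isakmp keys."""
    acls, entries, keyed_peers, nat0_acls = {}, {}, set(), set()
    identity_address = False
    for line in config_text.splitlines():
        w = line.split()
        if len(w) >= 8 and w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            acls.setdefault(w[1], []).append((_net(w[4], w[5]), _net(w[6], w[7])))
        elif len(w) >= 5 and w[0] == "nat" and w[2:4] == ["0", "access-list"]:
            nat0_acls.add(w[4])
        elif len(w) >= 5 and w[:2] == ["crypto", "map"] and w[3].isdigit():
            entry = entries.setdefault((w[2], int(w[3])), {})
            if len(w) >= 7 and w[4:6] == ["match", "address"]:
                entry["acl"] = w[6]
            elif len(w) >= 7 and w[4:6] == ["set", "peer"]:
                entry["peer"] = w[6]
        elif len(w) >= 5 and w[:2] == ["isakmp", "key"] and w[3] == "address":
            keyed_peers.add(w[4])
        elif w[:3] == ["isakmp", "identity", "address"]:
            identity_address = True
    return acls, entries, keyed_peers, nat0_acls, identity_address


def check_vpn(config_text):
    """Return a list of findings; an empty list means every check passed."""
    acls, entries, keyed_peers, nat0_acls, identity_address = parse_pix(config_text)
    findings = []
    if not identity_address:
        findings.append("isakmp identity address not set; peers would identify by hostname")
    # Every (src, dst) pair exempted from translation by a nat 0 access-list.
    exempt = [pair for name in nat0_acls for pair in acls.get(name, [])]
    if not exempt:
        findings.append("no nat 0 access-list in effect; tunnel traffic would be translated")
    for (name, seq), entry in sorted(entries.items()):
        acl, peer = entry.get("acl"), entry.get("peer")
        if acl is None or peer is None:
            findings.append(f"crypto map {name} {seq}: missing match address or set peer")
            continue
        if peer not in keyed_peers:
            findings.append(f"crypto map {name} {seq}: no isakmp key for peer {peer}")
        if acl not in acls:
            findings.append(f"crypto map {name} {seq}: access-list {acl} is not defined")
        # Each protected subnet pair must sit inside some nat 0 exemption.
        for src, dst in acls.get(acl, []):
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                findings.append(
                    f"crypto map {name} {seq}: {src} -> {dst} in access-list {acl} "
                    f"is not exempted from NAT by the nat 0 list")
    return findings


if __name__ == "__main__":
    for label, cfg in (("pix_3 as attached", PIX3_CONFIG),
                       ("constructed hub", HUB_MISSING_SPOKE)):
        print(f"{label}: {check_vpn(cfg) or ['no findings']}")
```

Run against the attached pix_3 config the checker reports nothing, which matches Rik's reading that the nat 0 and isakmp identity statements look fine; the constructed variant produces one finding for the missing key and one for the 10.3.3.0/24 to 10.2.2.0/24 pair that the nat 0 list no longer exempts. The check is deliberately one-sided: it only says whether the local box is internally consistent, so it has to be run on each of the three PIXes, and a mismatch between two peers' crypto ACLs (mirror images of each other) still has to be compared by hand.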
_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
