Here is an example of a 3-way PIX VPN (DES) using pre-shared keys. I used
these as a template for setting up a VPN for a client of mine.
Rik Guyler
Austin wrote:
> I am looking for sample configs on PIX to PIX VPNs.
>
> _________________________________
> FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
_________________________________
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
,
This mail was processed by Mail essentials for Exchange/SMTP,
the email security & management gateway. Mail essentials adds
content checking, email encryption, anti spam, anti virus,
attachment compression, personalised auto responders, archiving
and more to your Microsoft Exchange Server or SMTP mail server.
For more information visit http://www.mailessentials.com
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix2
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 100 permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 101 permit ip 10.1.2.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list nonat permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 10.1.2.0 255.255.255.0 10.1.3.0 255.255.255.0
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.20 255.255.255.0
ip address inside 10.1.2.1 255.255.255.0
arp timeout 14400
global (outside) 1 192.168.1.21-192.168.1.29
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 192.168.1.75 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 192.168.1.10
crypto map mymap 10 set transform-set myset
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address 101
crypto map mymap 20 set peer 192.168.1.30
crypto map mymap 20 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key cisco123 address 192.168.1.10 netmask 255.255.255.255
isakmp key cisco123 address 192.168.1.30 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 60
terminal width 80
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix1
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 100 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.10 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
arp timeout 14400
global (outside) 1 192.168.1.11-192.168.1.19
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 192.168.1.75 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 192.168.1.20
crypto map mymap 10 set transform-set myset
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address 101
crypto map mymap 20 set peer 192.168.1.30
crypto map mymap 20 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key cisco123 address 192.168.1.20 netmask 255.255.255.255
isakmp key cisco123 address 192.168.1.30 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 60
terminal width 80
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix3
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 100 permit ip 10.1.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 101 permit ip 10.1.3.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list nonat permit ip 10.1.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 10.1.3.0 255.255.255.0 10.1.2.0 255.255.255.0
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.30 255.255.255.0
ip address inside 10.1.3.1 255.255.255.0
arp timeout 14400
global (outside) 1 192.168.1.31-192.168.1.39
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 192.168.1.75 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 192.168.1.10
crypto map mymap 10 set transform-set myset
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address 101
crypto map mymap 20 set peer 192.168.1.20
crypto map mymap 20 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key cisco123 address 192.168.1.10 netmask 255.255.255.255
isakmp key cisco123 address 192.168.1.20 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 60
terminal width 80
_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
