Firewall Wizards mailing list archives

Re: VPN LAN to LAN


From: vbwilliams () neb rr com
Date: Wed, 20 Sep 2006 08:43:15 -0500

I guess I don't understand what your question is.  What exactly doesn't
work?  And how are you proving that there are 3 VPN tunnels being
established and not one?

----- Original Message -----
From: Anand Subramanian <anand.sowmya () gmail com>
Date: Wednesday, September 20, 2006 7:55 am
Subject: [fw-wiz] VPN LAN to LAN
To: firewall-wizards () listserv cybertrust com

Hello All,

Following is my scenario.

3550 Switch (10.5.25.50) -> (inside 10.5.25.1) PIX1 (outside 10.5.26.254) ->
Internet ->
(outside 172.25.34.7) PIX2 (inside 10.80.2.7) -> 3550 Switch (10.80.2.5, 10.80.1.10, 10.80.0.10)

Based on the above scenario, I have established a VPN tunnel from the
10.5.25.0 network to the 10.80.2.0 network. It works perfectly fine.

1) 3550 switch with IP address 10.5.25.50 has default gateway as 10.5.25.1 (PIX1)
2) 3550 switch with IP address 10.80.2.5 has route statements to 10.5.25.0 through 10.80.2.7
3) PIX1 has routes to 172.25.34.0 and 10.80.2.0 defined.
4) PIX2 has routes defined for 10.5.25.0 and 10.5.26.0
5) PIX2 has routes defined for 10.80.1.0 and 10.80.0.0 pointing to 10.80.2.5
6) All subnets are /24 subnets throughout.
7) All PIXes run ver 6.3.

Please find below the VPN configurations for PIX1 and PIX2.

The thing that really bothers me is that the existing configuration
will establish three VPN tunnels as follows.

1) 10.5.25.0 to 10.80.2.0
2) 10.5.25.0 to 10.80.1.0
3) 10.5.25.0 to 10.80.0.0

I am hoping that there is a way out of this and I would be able to
route traffic from 10.5.25.0 to 10.80.1.0 with only one VPN tunnel
between 10.5.25.0 and 10.80.2.0.

I have searched all over the internet for any sample configuration
and I am not able to find it. There should be an easy way to do this.
Please help.

PIX1 configuration

object-group network Remote-Networks
 network-object 10.80.2.0 255.255.255.0
 network-object 10.80.1.0 255.255.255.0
 network-object 10.80.0.0 255.255.255.0

object-group network NoNAT-Networks
 network-object 10.80.2.0 255.255.255.0
 network-object 10.80.1.0 255.255.255.0
 network-object 10.80.0.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip 10.5.25.0 255.255.255.0 object-group NoNAT-Networks
access-list Remote_cryptomap_20 permit ip 10.5.25.0 255.255.255.0 object-group Remote-Networks

nat (inside) 0 access-list inside_outbound_nat0_acl

sysopt connection permit-ipsec
isakmp enable outside
isakmp key REMOTENET address 172.25.34.7 netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map DCA 20 ipsec-isakmp
crypto map DCA 20 match address Remote_cryptomap_20
crypto map DCA 20 set peer 172.25.34.7
crypto map DCA 20 set transform-set ESP-3DES-MD5
crypto map DCA interface outside

route outside 0.0.0.0 0.0.0.0 10.5.26.1

PIX2 configuration

object-group network Local-Networks
 network-object 10.80.2.0 255.255.255.0
 network-object 10.80.1.0 255.255.255.0
 network-object 10.80.0.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip object-group Local-Networks 10.5.25.0 255.255.255.0
access-list Corp_cryptomap_20 permit ip object-group Local-Networks 10.5.25.0 255.255.255.0

nat (inside) 0 access-list inside_outbound_nat0_acl

sysopt connection permit-ipsec
isakmp enable outside
isakmp key REMOTENET address 10.5.26.254 netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map Management 20 ipsec-isakmp
crypto map Management 20 match address Corp_cryptomap_20
crypto map Management 20 set peer 10.5.26.254
crypto map Management 20 set transform-set ESP-3DES-MD5

route outside 10.5.25.0 255.255.255.0 172.25.34.1
route outside 10.5.26.0 255.255.255.0 172.25.34.1

With regards,
Anand

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

