I guess I don't understand what your question is. What exactly doesn't
work? And how are you proving that there are 3 VPN tunnels being
established and not one?

----- Original Message -----
From: Anand Subramanian
Date: Wednesday, September 20, 2006 7:55 am
Subject: [fw-wiz] VPN LAN to LAN
To: firewall-wizards@listserv.cybertrust.com

> Hello All,
>
> Following is my scenario.
>
> 3550 Switch (10.5.25.50) -> (inside 10.5.25.1) PIX1 (outside 10.5.26.254) ->
> Internet ->
> (outside 172.25.34.7) PIX2 (inside 10.80.2.7) -> 3550 Switch (10.80.2.5, 10.80.1.10, 10.80.0.10)
>
> Based on the above scenario, I have established a VPN tunnel from the
> 10.5.25.0 network to the 10.80.2.0 network. It works perfectly fine.
>
> 1) 3550 switch with IP address 10.5.25.50 has default gateway as 10.5.25.1 (PIX1)
> 2) 3550 switch with IP address 10.80.2.5 has route statements to 10.5.25.0 through 10.80.2.7
> 3) PIX1 has routes to 172.25.34.0 and 10.80.2.0 defined.
> 4) PIX2 has routes defined for 10.5.25.0 and 10.5.26.0
> 5) PIX2 has routes defined for 10.80.1.0 and 10.80.0.0 pointing to 10.80.2.5
> 6) All subnets are /24 subnets throughout.
> 7) All PIXes run ver 6.3.
>
> Please find below the VPN configurations for PIX1 and PIX2.
>
> The thing that really bothers me is that the existing configuration
> will establish three VPN tunnels as follows.
>
> 1) 10.5.25.0 to 10.80.2.0
> 2) 10.5.25.0 to 10.80.1.0
> 3) 10.5.25.0 to 10.80.0.0
>
> I am hoping that there is a way out of this and I would be able to
> route traffic from 10.5.25.0 to 10.80.1.0 with only one VPN tunnel
> between 10.5.25.0 and 10.80.2.0
>
> I have searched all over the internet for any sample configuration
> and I am not able to find it. There should be an easy way to do this.
> Please help.
>
> PIX1 configuration
>
> object-group network Remote-Networks
> network-object 10.80.2.0 255.255.255.0
> network-object 10.80.1.0 255.255.255.0
> network-object 10.80.0.0 255.255.255.0
>
> object-group network NoNAT-Networks
> network-object 10.80.2.0 255.255.255.0
> network-object 10.80.1.0 255.255.255.0
> network-object 10.80.0.0 255.255.255.0
>
> access-list inside_outbound_nat0_acl permit ip 10.5.25.0 255.255.255.0 object-group NoNAT-Networks
> access-list Remote_cryptomap_20 permit ip 10.5.25.0 255.255.255.0 object-group Remote-Networks
>
> nat (inside) 0 access-list inside_outbound_nat0_acl
>
> sysopt connection permit-ipsec
> isakmp enable outside
> isakmp key REMOTENET address 172.25.34.7 netmask 255.255.255.255
> isakmp identity address
> isakmp policy 20 authentication pre-share
> isakmp policy 20 encryption 3des
> isakmp policy 20 hash md5
> isakmp policy 20 group 2
> isakmp policy 20 lifetime 86400
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> crypto map DCA 20 ipsec-isakmp
> crypto map DCA 20 match address Remote_cryptomap_20
> crypto map DCA 20 set peer 172.25.34.7
> crypto map DCA 20 set transform-set ESP-3DES-MD5
> crypto map DCA interface outside
>
> route outside 0.0.0.0 0.0.0.0 10.5.26.1
>
> PIX2 configuration
>
> object-group network Local-Networks
> network-object 10.80.2.0 255.255.255.0
> network-object 10.80.1.0 255.255.255.0
> network-object 10.80.0.0 255.255.255.0
>
> access-list inside_outbound_nat0_acl permit ip object-group Local-Networks 10.5.25.0 255.255.255.0
> access-list Corp_cryptomap_20 permit ip object-group Local-Networks 10.5.25.0 255.255.255.0
>
> nat (inside) 0 access-list inside_outbound_nat0_acl
>
> sysopt connection permit-ipsec
> isakmp enable outside
> isakmp key REMOTENET address 10.5.26.254 netmask 255.255.255.255
> isakmp identity address
> isakmp policy 20 authentication pre-share
> isakmp policy 20 encryption 3des
> isakmp policy 20 hash md5
> isakmp policy 20 group 2
> isakmp policy 20 lifetime 86400
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> crypto map Management 20 ipsec-isakmp
> crypto map Management 20 match address Corp_cryptomap_20
> crypto map Management 20 set peer 10.5.26.254
> crypto map Management 20 set transform-set ESP-3DES-MD5
>
> route outside 10.5.25.0 255.255.255.0 172.25.34.1
> route outside 10.5.26.0 255.255.255.0 172.25.34.1
>
> With regards,
> Anand
>
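A worked illustration of what the crypto ACL above actually negotiates, added here as an example and not part of either post or of any Cisco code. On PIX 6.3 an object-group inside a crypto ACL is expanded into one ACE per member, and each ACE is one proxy identity, so `show crypto ipsec sa` on PIX1 will list three SA pairs (10.5.25.0/24 to each of the three remote /24s) under the single ISAKMP SA that `show crypto isakmp sa` shows. That is the "three tunnels" the poster is seeing. The script below parses the PIX1 object-group and crypto ACL exactly as posted (copied inline as constructed input; the parser handles only the `object-group network` / `network-object A.B.C.D MASK` and `permit ip` forms that appear in the thread) to enumerate those proxy identities, then computes the one summary prefix that would reduce the ACL to a single ACE and reports how much address space that summary over-covers. The ACL name and the `summarize`/`single_sa_ace` helpers are mine, not PIX commands.

```python
"""Expand a PIX 6.3 crypto ACL into its proxy identities and check whether
the remote networks can be summarized into a single prefix (= single IPsec SA pair).

Added example; not code from the original post or from Cisco.
"""
import ipaddress
import re

# Constructed input: the PIX1 object-group and crypto ACL from the post.
PIX1_CONFIG = """\
object-group network Remote-Networks
network-object 10.80.2.0 255.255.255.0
network-object 10.80.1.0 255.255.255.0
network-object 10.80.0.0 255.255.255.0
access-list Remote_cryptomap_20 permit ip 10.5.25.0 255.255.255.0 object-group Remote-Networks
"""


def parse_object_groups(config):
    """Return {group_name: [IPv4Network, ...]} for 'object-group network' blocks.

    Only the 'network-object A.B.C.D MASK' member form used in the post is handled
    (no 'host' members, no nested 'group-object')."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
            continue
        m = re.match(r"network-object (\S+) (\S+)", line)
        if m and current is not None:
            current.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return groups


def expand_crypto_acl(config, acl_name):
    """Expand every 'permit ip <src> <dst>' ACE of acl_name into (local, remote)
    network pairs, the way the PIX expands an object-group. Each pair is one
    proxy identity, i.e. one IPsec SA pair negotiated under the single IKE SA."""
    groups = parse_object_groups(config)

    def operand(tokens):
        # Consume one address operand and return (networks, remaining tokens).
        if tokens[0] == "object-group":
            return groups[tokens[1]], tokens[2:]
        if tokens[0] == "host":
            return [ipaddress.ip_network(tokens[1])], tokens[2:]
        if tokens[0] == "any":
            return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
        return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)], tokens[2:]

    pairs = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:4] != ["access-list", acl_name, "permit", "ip"]:
            continue
        srcs, rest = operand(tokens[4:])
        dsts, _ = operand(rest)
        pairs.extend((s, d) for s in srcs for d in dsts)
    return pairs


def summarize(networks):
    """Return (collapsed, covering, extra): the minimal exact prefix list, the
    single smallest supernet that contains all of them, and how many addresses
    that supernet adds beyond the input (address space the tunnel would also carry)."""
    collapsed = list(ipaddress.collapse_addresses(networks))
    covering = collapsed[0]
    while not all(n.subnet_of(covering) for n in collapsed):
        covering = covering.supernet()
    extra = covering.num_addresses - sum(n.num_addresses for n in collapsed)
    return collapsed, covering, extra


def single_sa_ace(local, remote_networks, acl_name="Remote_cryptomap_20"):
    """Build the one-ACE crypto ACL line that would yield a single IPsec SA pair.
    The peer must carry the exact mirror image (remote summary -> local)."""
    _, covering, extra = summarize(remote_networks)
    ace = (f"access-list {acl_name} permit ip "
           f"{local.network_address} {local.netmask} "
           f"{covering.network_address} {covering.netmask}")
    return ace, covering, extra


if __name__ == "__main__":
    pairs = expand_crypto_acl(PIX1_CONFIG, "Remote_cryptomap_20")
    print(f"{len(pairs)} proxy identities -> {len(pairs)} IPsec SA pairs under 1 IKE SA")
    for local, remote in pairs:
        print(f"  {local} <-> {remote}")
    ace, covering, extra = single_sa_ace(pairs[0][0], [r for _, r in pairs])
    print(f"Single-SA alternative ({covering}, over-covers by {extra} addresses):")
    print("  " + ace)
```

For the networks in the post the exact collapse is 10.80.0.0/23 plus 10.80.2.0/24 (still two ACEs, two SA pairs); the only single-ACE answer is 10.80.0.0/22, which also pulls 10.80.3.0/24 into the tunnel, so the mirror ACE (`permit ip 10.80.0.0 255.255.252.0 10.5.25.0 255.255.255.0`) and the matching nat 0 ACL on PIX2 would have to change in step, or phase 2 fails on a proxy-ID mismatch.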

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards