Pix firewall having two site to site connection - Firewalls



Thread: Pix firewall having two site to site connection

  1. Pix firewall having two site to site connection

    Hello,

    I am trying to configure a VPN connection between two sites with one PIX
    and two routers. Is it possible for my PIX firewall to have two
    different site-to-site VPN connections to two routers at different
    sites? The firewall has a dynamic IP address and both routers have static IP
    addresses. Could anybody help me?


    pix > router1
    v
    router 2

    Best Regards,
    Muhammed Imran


  2. Re: Pix firewall having two site to site connection

    In article <1177424371.176574.85060@s33g2000prh.googlegroups.com>,
    muhammed.imran@gmail.com wrote:
    >I am trying to configure VPN connection between two sites with one pix
    >and two routers. Is it possible that my pix firewall will have two
    >different site to site vpn connections with two routers on different
    >sites? firewall has dynamic IP address and both routers have static ip
    >addresses.


    Yes. Use the same 'crypto map' name for both, but put the two
    entries into different crypto map policy numbers. If you
    are using shared keys, make sure you have a key for each of them.

    For example,

    ! entry 1000: first peer, its own crypto ACL and transform set
    crypto map vpn-map 1000 ipsec-isakmp
    crypto map vpn-map 1000 match address vpn2cal-acl
    crypto map vpn-map 1000 set peer CalpixIP
    crypto map vpn-map 1000 set transform-set vca-ea256s
    ! entry 1001: second peer under the same map name, different policy number
    crypto map vpn-map 1001 ipsec-isakmp
    crypto map vpn-map 1001 match address vpn2sf-acl
    crypto map vpn-map 1001 set peer SFpixIP
    crypto map vpn-map 1001 set transform-set vc-ea256s

    Also note that you need different ACL names for the two sites,
    but your acl for your nat (inside) 0 access-list will have to
    have entries for both destinations.
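    One way to audit a saved PIX config against the points in this answer (separate policy numbers with distinct ACL names, a pre-shared key for each peer, and a nat (inside) 0 ACL that covers both destinations), as an added Python example that is not part of the thread; the sample config text, the documentation-range peer addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the answer's two crypto map entries plus the surrounding
# lines it says are needed. The second peer is deliberately left incomplete.
SAMPLE = """
access-list vpn2cal-acl permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list vpn2sf-acl permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list nonat
isakmp key ******** address 198.51.100.10 netmask 255.255.255.255
crypto map vpn-map 1000 ipsec-isakmp
crypto map vpn-map 1000 match address vpn2cal-acl
crypto map vpn-map 1000 set peer 198.51.100.10
crypto map vpn-map 1001 ipsec-isakmp
crypto map vpn-map 1001 match address vpn2sf-acl
crypto map vpn-map 1001 set peer 203.0.113.20
"""

def parse_pix(config):
    """Pull out crypto map entries, ACL lines, isakmp keys and the nat 0 ACL name."""
    entries = defaultdict(dict)   # (map name, seq) -> {"set peer": ip, "match address": acl}
    acls = defaultdict(set)       # acl name -> set of (src, mask, dst, mask)
    keys, nonat = set(), None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"crypto map (\S+) (\d+) (set peer|match address) (\S+)", line):
            entries[(m[1], int(m[2]))][m[3]] = m[4]
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            acls[m[1]].add(tuple(m.groups()[1:]))
        elif m := re.match(r"isakmp key \S+ address (\S+)", line):
            keys.add(m[1])
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            nonat = m[1]
    return entries, acls, keys, nonat

def check_peers(config):
    """Return one finding per violated rule from the answer; an empty list means consistent."""
    entries, acls, keys, nonat = parse_pix(config)
    findings, seen_acls = [], {}
    for (name, seq), e in sorted(entries.items()):
        peer, acl = e.get("set peer"), e.get("match address")
        if peer not in keys:
            findings.append(f"{name} {seq}: no isakmp key for peer {peer}")
        if acl in seen_acls:
            findings.append(f"{name} {seq}: acl {acl} reused from entry {seen_acls[acl]}")
        seen_acls[acl] = seq
        # every destination the crypto ACL selects must also be exempted from NAT
        missing = acls.get(acl, set()) - acls.get(nonat, set())
        if missing:
            findings.append(f"{name} {seq}: nat 0 acl lacks {sorted(missing)}")
    return findings
```

Running `check_peers(SAMPLE)` reports the missing key and the missing nat 0 entry for the second peer; adding those two lines makes it return an empty list.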
