PIX / ASA 8.0(4)16 - Site to Site VPN Sample Config
Sunday, 26 April 2009 19:03
Below is a sample config for two site-to-site VPNs on a PIX running 8.0(4)16. One peer is 192.168.2.100 and the other is 192.168.1.100.
Please note: this isn't a tutorial, merely a sample config that can be used as a reference point.
isakmp enable outside
isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 1
 lifetime 86400
isakmp key CISCO1 address 192.168.1.100 netmask 255.255.255.255 no-xauth
isakmp key CISCO1 address 192.168.2.100 netmask 255.255.255.255 no-xauth
access-list JuniperEncDomain permit ip 172.16.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list CheckpointEncDomain permit ip 172.16.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 172.16.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 172.16.3.0 255.255.255.0 172.28.16.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set trans-set esp-des esp-md5-hmac
crypto map crypto_map 10 ipsec-isakmp
crypto map crypto_map 10 match address JuniperEncDomain
crypto map crypto_map 10 set peer 192.168.1.100
crypto map crypto_map 10 set transform-set trans-set
crypto map crypto_map 10 set security-association lifetime seconds 3600
crypto map crypto_map 20 ipsec-isakmp
crypto map crypto_map 20 match address CheckpointEncDomain
crypto map crypto_map 20 set peer 192.168.2.100
crypto map crypto_map 20 set transform-set trans-set
crypto map crypto_map 20 set security-association lifetime seconds 3600
crypto map crypto_map interface outside
crypto isakmp identity address
Things to note:
- The number that follows the crypto map name, and the number that follows isakmp policy, are sequence (priority) numbers.
- Only one crypto map can be assigned to the same interface.
- An object group containing the encryption domains may be useful in the access-lists for future VPN administration.
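Because the sequence number is a priority, two crypto map entries whose match ACLs overlap mean the higher-numbered entry never sees that traffic. The following is an added example, not part of the original article or any Cisco tooling: a small Python audit that flags that condition in a config of this shape, along with DES, MD5 and DH group 1 settings, a pre-shared key reused across peers, and NAT-exempt traffic that no crypto map covers. The names `audit`, `SAMPLE`, `nat0_acl` and the finding labels are assumptions made for the example.

```python
import ipaddress
import re
from itertools import combinations

# Constructed input: the lines of this page's sample config that the checks read.
SAMPLE = """\
isakmp policy 10
 encryption des
 hash md5
 group 1
isakmp key CISCO1 address 192.168.1.100 netmask 255.255.255.255 no-xauth
isakmp key CISCO1 address 192.168.2.100 netmask 255.255.255.255 no-xauth
access-list JuniperEncDomain permit ip 172.16.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list CheckpointEncDomain permit ip 172.16.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 172.16.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 172.16.3.0 255.255.255.0 172.28.16.0 255.255.255.0
crypto ipsec transform-set trans-set esp-des esp-md5-hmac
crypto map crypto_map 10 match address JuniperEncDomain
crypto map crypto_map 20 match address CheckpointEncDomain
"""
WEAK = re.compile(r"\b(encryption des|hash md5|group 1)$|\besp-(des|md5-hmac)\b")

def audit(config, nat0_acl="nonat"):
    """Hypothetical helper: handles network/mask ACEs only (no host/any forms)."""
    out, acls, seqs, keys = set(), {}, {}, {}
    for t in (l.split() for l in config.splitlines() if l.strip()):
        line, kw = " ".join(t), [w.lower() for w in t]
        if WEAK.search(line.lower()):
            out.add("weak-crypto: " + line)
        if kw[:2] == ["isakmp", "key"]:
            keys.setdefault(t[2], []).append(t[4])  # key -> peer addresses
        elif kw[0] == "access-list" and kw[2:4] == ["permit", "ip"]:
            nets = [ipaddress.ip_network(f"{a}/{m}") for a, m in (t[4:6], t[6:8])]
            acls.setdefault(t[1], []).append(tuple(nets))  # (source, destination)
        elif kw[:2] == ["crypto", "map"] and kw[4:6] == ["match", "address"]:
            seqs[int(t[3])] = t[6]  # sequence number -> crypto ACL name
    for peers in keys.values():
        if len(peers) > 1:  # report the peers only, never the key itself
            out.add("shared-psk: " + ",".join(sorted(peers)))
    def hit(a, b):  # both source and destination networks intersect
        return a[0].overlaps(b[0]) and a[1].overlaps(b[1])
    for lo, hi in combinations(sorted(seqs), 2):  # lower sequence is evaluated first
        if any(hit(a, b) for a in acls.get(seqs[lo], []) for b in acls.get(seqs[hi], [])):
            out.add(f"shadowed: seq {hi} ({seqs[hi]}) overlaps seq {lo} ({seqs[lo]})")
    crypto = [ace for name in seqs.values() for ace in acls.get(name, [])]
    for ace in acls.get(nat0_acl, []):
        if not any(hit(ace, c) for c in crypto):
            out.add(f"nonat-only: {ace[0]} -> {ace[1]} has no crypto map entry")
    return sorted(out)
```

Run against the sample, `audit(SAMPLE)` reports that sequence 20 is shadowed by sequence 10 and that the 172.28.16.0/24 NAT exemption has no matching crypto ACL.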