PIX – VPN – Site 2 Site

Below is the configuration syntax for a Site to Site (IPSec/IKE) VPN on a Cisco PIX firewall, followed by the show, clear and debug commands used to verify and troubleshoot the tunnel.

Configuration

(config)#isakmp enable outside
(config)#isakmp policy 10
(config-isakmp-policy)# encryption aes-256
(config-isakmp-policy)# hash sha
(config-isakmp-policy)# authentication pre-share
(config-isakmp-policy)# group 1
(config-isakmp-policy)# lifetime 86400

(config)#isakmp key shabba address 1.1.1.1 netmask 255.255.255.255 no-xauth

(config)#access-list ED permit ip 172.16.1.0 255.255.255.0 172.16.5.0 255.255.255.0

(config)#access-list nonat permit ip 172.16.1.0 255.255.255.0 172.16.5.0 255.255.255.0
(config)#nat (inside) 0 access-list nonat

(config)#crypto ipsec transform-set TRAN esp-aes-256 esp-sha-hmac
(config)#crypto map MYFW_MAP 10 ipsec-isakmp
(config)#crypto map MYFW_MAP 10 match address ED
(config)#crypto map MYFW_MAP 10 set peer 1.1.1.1
(config)#crypto map MYFW_MAP 10 set transform-set TRAN
(config)#crypto map MYFW_MAP 10 set security-association lifetime seconds 3600
(config)#crypto map MYFW_MAP interface outside
(config)#crypto isakmp identity address
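As an added example (not part of the original page), a Python check that parses the configuration above and verifies the relationships the tunnel depends on: the crypto ACL and the nat 0 ACL select the same traffic, the crypto map peer has an isakmp key, and the referenced transform-set exists. It also flags IKE settings that are weak by today's standards; the 16-character minimum key length and the treatment of DH groups 1 and 2 as weak are the script's own assumptions, not statements from the page.

```python
import re

# Constructed sample: the site-to-site configuration shown on this page.
# CLI prompts such as "(config)#" are tolerated and stripped by the parser.
PIX_CONFIG = """
(config)#isakmp enable outside
(config)#isakmp policy 10
(config-isakmp-policy)# encryption aes-256
(config-isakmp-policy)# hash sha
(config-isakmp-policy)# authentication pre-share
(config-isakmp-policy)# group 1
(config-isakmp-policy)# lifetime 86400
(config)#isakmp key shabba address 1.1.1.1 netmask 255.255.255.255 no-xauth
(config)#access-list ED permit ip 172.16.1.0 255.255.255.0 172.16.5.0 255.255.255.0
(config)#access-list nonat permit ip 172.16.1.0 255.255.255.0 172.16.5.0 255.255.255.0
(config)#nat (inside) 0 access-list nonat
(config)#crypto ipsec transform-set TRAN esp-aes-256 esp-sha-hmac
(config)#crypto map MYFW_MAP 10 ipsec-isakmp
(config)#crypto map MYFW_MAP 10 match address ED
(config)#crypto map MYFW_MAP 10 set peer 1.1.1.1
(config)#crypto map MYFW_MAP 10 set transform-set TRAN
"""

WEAK_DH_GROUPS = {"1", "2"}   # 768/1024-bit MODP (assumed threshold)
MIN_PSK_LENGTH = 16           # assumed local policy, not a PIX limit

def audit_pix_vpn(config):
    """Return a list of findings for a PIX site-to-site VPN config (empty = clean)."""
    findings, acls, policy, xsets, cmap, keys, nonat = [], {}, {}, set(), {}, {}, None
    for raw in config.splitlines():
        line = re.sub(r"^\([^)]*\)#\s*", "", raw.strip())      # drop the CLI prompt
        if m := re.match(r"access-list (\S+) permit ip (\S+ \S+ \S+ \S+)", line):
            acls.setdefault(m[1], []).append(m[2])
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            nonat = m[1]
        elif m := re.match(r"isakmp key (\S+) address (\S+)", line):
            keys[m[2]] = m[1]                                   # peer -> pre-shared key
        elif m := re.match(r"(encryption|hash|authentication|group|lifetime) (\S+)", line):
            policy[m[1]] = m[2]                                 # isakmp policy attributes
        elif m := re.match(r"crypto ipsec transform-set (\S+)", line):
            xsets.add(m[1])
        elif m := re.match(r"crypto map \S+ \d+ (match address|set peer|set transform-set) (\S+)", line):
            cmap[m[1]] = m[2]
    acl = cmap.get("match address")                             # crypto ACL must exist and be NAT-exempt
    if acl not in acls:
        findings.append(f"crypto map references missing ACL {acl}")
    elif nonat not in acls or acls[nonat] != acls[acl]:
        findings.append(f"nat 0 ACL {nonat} does not cover crypto ACL {acl}")
    peer = cmap.get("set peer")                                 # peer must have a key entry
    if peer not in keys:
        findings.append(f"no isakmp key for peer {peer}")
    elif len(keys[peer]) < MIN_PSK_LENGTH:
        findings.append(f"pre-shared key shorter than {MIN_PSK_LENGTH} characters")
    if cmap.get("set transform-set") not in xsets:
        findings.append("crypto map references undefined transform-set")
    if policy.get("group") in WEAK_DH_GROUPS:
        findings.append(f"IKE policy uses weak DH group {policy['group']}")
    return findings
```

Run against the page's configuration as written it reports the short pre-shared key and DH group 1; after lengthening the key and moving to a stronger group the list comes back empty.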

Debug/Show/Clear Commands

  • show isakmp - display all ISAKMP configuration
  • show isakmp policy - display only the configured ISAKMP policies
  • show crypto ipsec transform-set - display all configured IPSec transform-sets
  • show crypto map - display all configured crypto map entries
  • show crypto isakmp sa - display the status of the current IKE SAs
  • show crypto ipsec sa - display the status of the current IPSec SAs
  • show crypto ipsec sa [peer <addr>] - display the IPSec SAs for a single peer
  • show crypto ipsec sa [peer <addr>] | i (remote ident) - filter the output down to the remote ident (proxy identity) lines
  • show crypto engine connection active - display the active encrypted connections
  • clear crypto isakmp sa - clear all active ISAKMP SAs
  • clear crypto ipsec sa - clear all active IPSec SAs
  • debug crypto isakmp - display IKE communication between the PIX and its IPSec peers
  • debug crypto ipsec - display IPSec communication between the PIX and its IPSec peers

Additional Reference

PIX/ASA 7.x: Simple PIX-to-PIX VPN Tunnel Configuration Example

Rick Donato
