PIX
Most of the configurations come from this great guide:
...
How to configure Site to Site VPN
Step 1 Define a host name:

```
hostname NewYork
```

Step 2 Configure an ISAKMP policy:

```
isakmp enable outside
isakmp policy 9 authentication pre-share
isakmp policy 9 encrypt 3des
```

Step 3 Configure a pre-shared key and associate it with the peer:

```
crypto isakmp key cisco1234 address 209.165.200.229
```

Step 4 Configure the supported IPSec transforms:

```
crypto ipsec transform-set strong esp-3des esp-sha-hmac
```

Step 5 Create an access list:

```
access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0
```

This access list defines traffic from network 192.168.12.0 to 10.0.0.0. Both of these networks use unregistered addresses.

Note: Steps 5 and 6 are not required if you want to enable NAT for all traffic.

Step 6 Exclude traffic between the intranets from NAT:

```
nat 0 access-list 90
```

This excludes traffic matching access list 90 from NAT. The nat 0 command is always processed before any other nat commands.

Step 7 Enable NAT for all other traffic:

```
nat (inside) 1 0 0
```

Step 8 Assign a pool of global addresses for NAT and PAT:

```
global (outside) 1 209.165.201.9-209.165.201.30
global (outside) 1 209.165.201.8
```

The pool of registered addresses is only used for connections to the public Internet.

Step 9 Define a crypto map:

```
crypto map toSanJose 20 ipsec-isakmp
crypto map toSanJose 20 match address 90
crypto map toSanJose 20 set transform-set strong
crypto map toSanJose 20 set peer 209.165.200.229
```

Step 10 Apply the crypto map to the outside interface:

```
crypto map toSanJose interface outside
```

Step 11 Specify that IPSec traffic be implicitly trusted (permitted):

```
sysopt connection permit-ipsec
```
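The steps above create several objects that only work when they reference each other correctly (the access list, the nat 0 exemption, the transform set, the peer's pre-shared key and the interface binding). As an added consistency check that is not part of the guide these steps are taken from, the following Python script parses a configuration assembled from those commands and reports any dangling reference, plus the 3DES choice; the SAMPLE_CONFIG text and the audit_pix_vpn function are constructed here.

```python
import re
# Constructed sample: the VPN-relevant lines from the steps above, as one PIX configuration.
SAMPLE_CONFIG = """
isakmp enable outside
isakmp policy 9 authentication pre-share
isakmp policy 9 encrypt 3des
crypto isakmp key cisco1234 address 209.165.200.229
crypto ipsec transform-set strong esp-3des esp-sha-hmac
access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0
nat 0 access-list 90
crypto map toSanJose 20 ipsec-isakmp
crypto map toSanJose 20 match address 90
crypto map toSanJose 20 set transform-set strong
crypto map toSanJose 20 set peer 209.165.200.229
crypto map toSanJose interface outside
sysopt connection permit-ipsec
"""
def _first_groups(lines, pattern):
    # Set of the first capture group of every line that matches the pattern.
    return {m.group(1) for l in lines if (m := re.match(pattern, l))}
def audit_pix_vpn(config):
    """Cross-check the objects a PIX IPSec tunnel depends on; return a list of findings."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    acls = _first_groups(lines, r"access-list (\S+) ")
    tsets = _first_groups(lines, r"crypto ipsec transform-set (\S+)")
    key_peers = _first_groups(lines, r"(?:crypto )?isakmp key \S+ address (\S+)")
    nat0_acls = _first_groups(lines, r"nat 0 access-list (\S+)")
    applied = _first_groups(lines, r"crypto map (\S+) interface ")
    entries = {}  # (map name, sequence) -> {setting: value}
    for l in lines:
        m = re.match(r"crypto map (\S+) (\d+) (match address|set transform-set|set peer) (\S+)", l)
        if m: entries.setdefault((m[1], m[2]), {})[m[3]] = m[4]
    findings = []
    for (name, seq), s in entries.items():
        tag = f"crypto map {name} {seq}"
        if s.get("match address") not in acls:
            findings.append(f"{tag}: match address refers to an undefined access list")
        elif s["match address"] not in nat0_acls:
            findings.append(f"{tag}: tunnel traffic is not exempted from NAT (no nat 0 access-list {s['match address']})")
        if s.get("set transform-set") not in tsets:
            findings.append(f"{tag}: transform-set is not defined")
        if s.get("set peer") not in key_peers:
            findings.append(f"{tag}: no pre-shared key configured for peer {s.get('set peer')}")
        if name not in applied:
            findings.append(f"{tag}: crypto map is not applied to any interface")
    if "sysopt connection permit-ipsec" not in lines:
        findings.append("sysopt connection permit-ipsec is missing; decrypted tunnel traffic is subject to the interface ACLs")
    if any("3des" in l for l in lines):
        findings.append("3DES is in use for ISAKMP or ESP; it is deprecated, prefer AES in both places")
    return findings
```

For the sample above the only finding is the 3DES one; removing the nat 0 or the interface line from the configuration produces the corresponding extra findings.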
...
Step 2 Connect to the security appliance console port according to the "Accessing the Command-Line Interface" section on page 2-1.
...