09-16-04 01:47 AM
Hello,
I need to clean up this configuration but I fell into trouble.
Can I wipe the "access-list hugecity"?
Are my crypto maps OK? I know the first is going well, but the second?
Is it possible to split the big access-list into two parts? By doing
it, do I have to modify the nat (inside) 0 command? By what?
Many thanks for your help.
Richard J. Collins
PS: before getting into the VPN, the remote LANs are NATed.
Here you have the central HUB config.
Cheers
# sh conf
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxx encrypted
hostname pixfw
domain-name mynet.net
[fixup]
names
access-list ACL_FOR_VPN permit ip host 10.7.44.99 host 10.89.240.211
access-list ACL_FOR_VPN permit ip host 10.7.44.99 host 10.89.240.223
access-list hugecity permit ip host 10.7.44.99 host 10.89.240.211
access-list hugecity permit ip host 10.7.44.99 host 10.89.240.223
no pager
[logging]
[icmp]
[mtu]
ip address outside 91.39.98.77 255.255.255.248
ip address inside 10.10.191.2 255.255.255.128
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list hugecity
route outside 0.0.0.0 0.0.0.0 57.66.64.9 1
route inside 10.7.44.99 255.255.255.255 10.10.191.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community yx4hxjfz
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong-aes-md5 esp-aes esp-md5-hmac
crypto map crypto-map-std 10 ipsec-isakmp
crypto map crypto-map-std 10 match address hugecity
crypto map crypto-map-std 10 set peer 195.65.11.36
crypto map crypto-map-std 10 set transform-set strong-aes-md5
crypto map crypto-map-std 20 ipsec-isakmp
crypto map crypto-map-std 20 match address hugecity
crypto map crypto-map-std 20 set peer 88.217.6.111
crypto map crypto-map-std 20 set transform-set strong-aes-md5
crypto map crypto-map-std interface outside
isakmp enable outside
isakmp key ******** address 195.65.11.36 netmask 255.255.255.252
isakmp key ******** address 88.217.6.111 netmask 255.255.255.252
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
[ssh]
ssh timeout 60
console timeout 0
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxx
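The questions above (which access-list can be removed, whether both crypto map entries can work, and what a split of the access-list means for the `nat (inside) 0` exemption) can be checked mechanically. The following is an added example, not part of the original post and not a Cisco tool: a small Python audit script that parses the access-list, `nat 0` and crypto-map lines of a PIX 6.3 config and reports three things: ACLs nothing references, crypto-map entries that are shadowed because an earlier entry in the same map already matches the same ACL (entries are evaluated in sequence order, so the later peer never gets the traffic), and a `nat 0` exemption ACL that is shared with the crypto ACLs, which must stay consistent if it is split. The embedded config is a constructed sample trimmed to the relevant lines of the posted configuration.

```python
import re
from collections import defaultdict

# Constructed sample: the access-list, nat 0 and crypto map lines from the
# posted PIX 6.3 config, trimmed to what the checks below need.
SAMPLE_CONFIG = """\
access-list ACL_FOR_VPN permit ip host 10.7.44.99 host 10.89.240.211
access-list ACL_FOR_VPN permit ip host 10.7.44.99 host 10.89.240.223
access-list hugecity permit ip host 10.7.44.99 host 10.89.240.211
access-list hugecity permit ip host 10.7.44.99 host 10.89.240.223
nat (inside) 0 access-list hugecity
crypto map crypto-map-std 10 ipsec-isakmp
crypto map crypto-map-std 10 match address hugecity
crypto map crypto-map-std 10 set peer 195.65.11.36
crypto map crypto-map-std 20 ipsec-isakmp
crypto map crypto-map-std 20 match address hugecity
crypto map crypto-map-std 20 set peer 88.217.6.111
crypto map crypto-map-std interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) ")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
CM_MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)")
CM_PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)")


def parse_config(text):
    """Collect ACL names, nat 0 exemption ACLs and crypto map entries."""
    acls = defaultdict(list)    # ACL name -> list of ACE lines
    nat0 = {}                   # interface -> ACL name used for NAT exemption
    cmaps = defaultdict(dict)   # (map name, seq) -> {"acl": ..., "peer": ...}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acls[m.group(1)].append(line)
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0[m.group(1)] = m.group(2)
            continue
        m = CM_MATCH_RE.match(line)
        if m:
            cmaps[(m.group(1), int(m.group(2)))]["acl"] = m.group(3)
            continue
        m = CM_PEER_RE.match(line)
        if m:
            cmaps[(m.group(1), int(m.group(2)))]["peer"] = m.group(3)
    return acls, nat0, cmaps


def audit(text):
    """Return a list of human-readable findings about the config."""
    acls, nat0, cmaps = parse_config(text)
    findings = []

    # 1. ACLs that neither nat 0 nor any crypto map entry references.
    referenced = set(nat0.values()) | {e.get("acl") for e in cmaps.values()}
    for name in sorted(acls):
        if name not in referenced:
            findings.append(f"unreferenced ACL {name}: nothing uses it")

    # 2. Crypto map entries are tried in sequence order; a later entry that
    #    matches the same ACL as an earlier one (with a different peer) is
    #    shadowed and never selects its peer.
    by_acl = defaultdict(list)
    for (cmap, seq), e in sorted(cmaps.items()):
        by_acl[(cmap, e.get("acl"))].append((seq, e.get("peer")))
    for (cmap, acl), entries in by_acl.items():
        first_seq = entries[0][0]
        for seq, peer in entries[1:]:
            findings.append(
                f"crypto map {cmap} {seq} (peer {peer}) shadowed by entry "
                f"{first_seq}: both match ACL {acl}")

    # 3. A nat 0 exemption ACL that is also a crypto ACL: splitting or
    #    editing one side without the other breaks either NAT bypass or
    #    tunnel selection.
    for iface, acl in nat0.items():
        shared = [f"{c} {s}" for (c, s), e in sorted(cmaps.items())
                  if e.get("acl") == acl]
        if shared:
            findings.append(
                f"nat ({iface}) 0 exemption ACL {acl} is also the crypto ACL "
                f"of {', '.join(shared)}: keep them in sync if you split it")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script reports that ACL_FOR_VPN is unreferenced, that entry 20 of crypto-map-std is shadowed by entry 10 because both match hugecity, and that hugecity doubles as the NAT-exemption ACL. Splitting hugecity into one ACL per peer would clear the shadowing, but the `nat (inside) 0 access-list` statement accepts a single ACL, so a separate ACL covering the union of both peers' traffic would then be needed there.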