Re: [fw-wiz] Pix 520 tunnels



On Tue, Jun 23, 2009 at 12:08 PM, Halchishak, John<jhalchishak@xxxxxxxxx> wrote:
We have two pix (actually three, one failover) 520s that I'm trying to set up
multiple tunnels on. The two office locations have a tunnel up between them
with 2 peer addresses on the main end and a single one on the other. We have need
to establish other tunnels at various times to clients. I can't seem to get
a second tunnel up without adding it to the existing named tunnel config as
a third peer, and even then it tends to flap our tunnel between the offices.
Is there some way to accomplish this scenario without causing our tunnel
problems?

Yes. I'm betting that the problem is in the way you have the
crypto-map match access-lists configured. Seeing the config would be
helpful to diagnosing the issue.

You may also have a problem with the actual version of PIX OS you're
running. Also, at this point, since the 520s are so old that their
replacement model (525) has been end-of-life for 2 years, replacing
them is pretty much imminent. And since the ASAs have all new VPN
code (based on the VPN3K), mesh and hub & spoke VPN tunnels work a lot
better.

PaulM
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
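Added illustration, not from the thread or from either poster's config: one way to lay out the crypto map PaulM is pointing at on PIX 6.x, with one map entry (sequence number) per tunnel and a separate, non-overlapping match ACL for each, so a client tunnel is never bolted onto the office entry as a third peer. All addresses, names and the transform set are made up; the `!` lines are annotations.

```cisco
! Interesting traffic for the office-to-office tunnel (two peers on the main end)
access-list office_vpn permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
! Interesting traffic for a client tunnel: its own ACL, and it must not overlap office_vpn
access-list client_a_vpn permit ip 10.1.0.0 255.255.0.0 172.16.5.0 255.255.255.0
! Keep both tunnels' traffic out of NAT
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list nonat permit ip 10.1.0.0 255.255.0.0 172.16.5.0 255.255.255.0
nat (inside) 0 access-list nonat

crypto ipsec transform-set strong esp-3des esp-sha-hmac

! Entry 10: office tunnel, primary and backup peer listed on this entry only
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address office_vpn
crypto map outside_map 10 set peer 203.0.113.10 203.0.113.11
crypto map outside_map 10 set transform-set strong

! Entry 20: client tunnel, its own peer and its own ACL; it does not touch entry 10
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address client_a_vpn
crypto map outside_map 20 set peer 198.51.100.7
crypto map outside_map 20 set transform-set strong

crypto map outside_map interface outside

! One pre-shared key per peer address
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255
isakmp key ******** address 203.0.113.11 netmask 255.255.255.255
isakmp key ******** address 198.51.100.7 netmask 255.255.255.255
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
```

Traffic is matched against the entries in sequence order, so if two entries' ACLs cover the same source/destination pair the lower sequence wins and SAs get negotiated with the wrong peer; each remote side's ACL must be the mirror image of the entry that points at it.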


