Pix 520 tunnels


Pix 520 tunnels

by Halchishak, John-2

We have two pix (actually three, one failover) 520s that I’m trying to set up multiple tunnels. The two office locations have a tunnel up between them with 2 peer addresses on the main end and a single on the other. We have need to establish other tunnels at various times to clients. I can’t seem to get a second tunnel up without adding it to the existing named tunnel config as a third peer and even then it tends to flap our tunnel between the offices. Is there some way to accomplish this scenario without causing our tunnel problems?

John Halchishak


_______________________________________________
firewall-wizards mailing list
firewall-wizards@...
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Re: Pix 520 tunnels

by Farrukh Haroon

Hello John
 
You need to make sure that the dynamic crypto map entry is higher than the static crypto map(s).
 
Please have a look at the below link:
 
 
Regards
 
Farrukh
On Tue, Jun 23, 2009 at 7:08 PM, Halchishak, John <jhalchishak@...> wrote:

> We have two pix (actually three, one failover) 520s that I’m trying to set up multiple tunnels. The two office locations have a tunnel up between them with 2 peer addresses on the main end and a single on the other. We have need to establish other tunnels at various times to clients. I can’t seem to get a second tunnel up without adding it to the existing named tunnel config as a third peer and even then it tends to flap our tunnel between the offices. Is there some way to accomplish this scenario without causing our tunnel problems?


Re: Pix 520 tunnels

by Paul Melson-2

On Tue, Jun 23, 2009 at 12:08 PM, Halchishak, John <jhalchishak@...> wrote:
> We have two pix (actually three, one failover) 520s that I’m trying to set up
> multiple tunnels. The two office locations have a tunnel up between them
> with 2 peer addresses on the main end and a single on the other. We have need
> to establish other tunnels at various times to clients. I can’t seem to get
> a second tunnel up without adding it to the existing named tunnel config as
> a third peer and even then it tends to flap our tunnel between the offices.
> Is there some way to accomplish this scenario without causing our tunnel
> problems?

Yes.  I'm betting that the problem is in the way you have the
crypto-map match access-lists configured.  Seeing the config would be
helpful in diagnosing the issue.

You may also have a problem with the actual version of PIX OS you're
running.  Also, at this point, since the 520's are so old that their
replacement model (525) has been end-of-life for 2 years, replacing
them is pretty much imminent.  And since the ASA's have all new VPN
code (based on the VPN3K), mesh and hub & spoke VPN tunnels work a lot
better.

PaulM
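
The two checks suggested in the replies above, as an added example that is not part of the original thread: a small Python linter that flags a dynamic crypto map entry sequenced below a static entry, and static entries whose match access-lists select overlapping traffic. It reads "higher" in the first reply as a higher sequence number and assumes overlap is the access-list problem to look for; the PIX-style config, the map name `vpn`, the ACL names and all addresses are constructed.

```python
import re
from ipaddress import ip_network
from itertools import combinations, product

# Constructed PIX 6.x-style config, trimmed to the lines the check reads.
# Map name, ACL names and addresses are hypothetical.
SAMPLE = """\
access-list office permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list client permit ip 10.1.0.0 255.255.0.0 10.2.8.0 255.255.255.0
crypto map vpn 10 ipsec-isakmp dynamic dyn
crypto map vpn 20 ipsec-isakmp
crypto map vpn 20 match address office
crypto map vpn 20 set peer 198.51.100.1
crypto map vpn 20 set peer 198.51.100.2
crypto map vpn 30 ipsec-isakmp
crypto map vpn 30 match address client
crypto map vpn 30 set peer 203.0.113.10
"""
# Corrected variant: dynamic entry sequenced last, client ACL made disjoint.
FIXED = (SAMPLE.replace("vpn 10 ipsec", "vpn 65535 ipsec")
         .replace("10.2.8.0 255.255.255.0", "192.168.50.0 255.255.255.0"))

def lint(config):
    """Return a list of findings for one crypto map (one map per interface)."""
    acls, entries, findings = {}, {}, []
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line)
        if m:  # only the "network mask network mask" form is handled
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ip_network(f"{s}/{sm}"), ip_network(f"{d}/{dm}")))
        m = re.match(r"crypto map \S+ (\d+) (.+)$", line)
        if m:
            e = entries.setdefault(int(m.group(1)), {"dynamic": False, "acl": None})
            words = m.group(2).split()
            if words[:2] == ["ipsec-isakmp", "dynamic"]:
                e["dynamic"] = True
            elif words[:2] == ["match", "address"]:
                e["acl"] = words[2]
    static = {seq: e for seq, e in entries.items() if not e["dynamic"]}
    for seq, e in entries.items():  # entries are evaluated in ascending order
        if e["dynamic"] and static and seq < max(static):
            findings.append(f"dynamic entry {seq} is evaluated before static entry {max(static)}")
    for seq, e in static.items():
        if e["acl"] not in acls:
            findings.append(f"entry {seq} has no match ACL defined")
    for (a, ea), (b, eb) in combinations(sorted(static.items()), 2):
        for (sa, da), (sb, db) in product(acls.get(ea["acl"], []), acls.get(eb["acl"], [])):
            if sa.overlaps(sb) and da.overlaps(db):
                findings.append(f"entries {a} and {b} select overlapping traffic")
    return findings
```

`lint(SAMPLE)` reports the misplaced dynamic entry and the overlap between entries 20 and 30; `lint(FIXED)` returns an empty list.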