Assistance with PIX config

Jun 19th, 2007

Hi, I would appreciate assistance in troubleshooting this PIX 501. The PIX 501 sits behind a Netopia DSL modem servicing a branch office. The following is the config. Thanks.


PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname OTB
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521

access-list 102 permit ip
access-list 100 permit ip
pager lines 24
logging on
logging console debugging
logging monitor debugging
mtu outside 1500
mtu inside 1500
ip address outside xxx.103.120.130
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 xxx.103.120.131-xxx.103.120.134
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0 0
conduit permit icmp any any
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set toyota esp-des esp-md5-hmac
crypto map bmw 1 ipsec-isakmp
crypto map bmw 1 match address 102
crypto map bmw 1 set peer xxx.213.196.10
crypto map bmw 1 set transform-set toyota
crypto map bmw 2 ipsec-isakmp
crypto map bmw 2 set peer xxx.100.116.90
! Incomplete
crypto map bmw interface outside
crypto map mbmw 1 ipsec-isakmp
crypto map mbmw 1 match address 102
! Incomplete
isakmp enable outside
isakmp key ******** address xxx.213.196.10 netmask
isakmp key ******** address xx.100.116.90 netmask
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet inside
telnet timeout 5
ssh outside
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

acomiskey Tue, 06/19/2007 - 16:03

What's the problem?

saidfrh Tue, 06/19/2007 - 17:25

The problem is that the LAN users behind the PIX cannot access the internet. The 501 gives out DHCP addresses. The PIX can ping the public IP address of the DSL modem.

vitripat Tue, 06/19/2007 - 16:06

Though it's not mentioned what the issue is .. taking a wild guess, it seems that you are unable to get on the internet through the PIX. This could be because there is no "default" route configured on the PIX. Your ISP must have given you the "gateway_ip"; use it in the following command from config mode-

route outside 0 0 gateway_ip

This should get you rolling if I guessed the issue correctly .. ;-)



saidfrh Wed, 06/20/2007 - 07:44

Which of the following is the correct syntax?

route outside 0 0 gateway xx.103.120.129

route outside gateway xx.103.120.129

acomiskey Wed, 06/20/2007 - 07:46

route outside xx.103.120.129

Assuming your network is xx.103.120.128/29 and .129 is your gateway.

JORGE RODRIGUEZ Wed, 06/20/2007 - 07:48

Both are correct syntax,

route outside 0 0 is just a shortcut for

route outside

acomiskey Wed, 06/20/2007 - 08:01

Yes, but neither uses the word "gateway" or a subnet mask.

saidfrh Wed, 06/20/2007 - 11:16

Thanks. Your suggestion worked. Now a tunnel cannot be established between this branch office 501 and the central office PIX.


sarat1317 Tue, 06/26/2007 - 15:07

I think you are trying to establish 2 VPNs, to xxx.213.196.10 & xx.100.116.90. But you only have ACLs, crypto maps and isakmp statements for 1 tunnel configuration.

Do you have exactly the same parameters on the remote end xxx.213.196.10? The parameters should be the same.

And these are redundant:

crypto map mbmw 1 ipsec-isakmp

crypto map mbmw 1 match address 102

Also, after you change the configuration, just add this command again. I know it is already in there, but once you change the crypto map configs, sometimes we need to add the statement below. (When you do this, you will end up losing the connection to your remote network if you are already connected to that network, but this doesn't apply in your case now as you don't have a connection at all.)

crypto map bmw interface outside

Then do sh isakmp sa and see the output.
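As an added check (example code, not from the thread or from Cisco), here is a small Python audit that reads a PIX 6.x config and reports the two problems raised in this thread: the missing default route, and crypto map entries the PIX itself marks "! Incomplete" (an entry needs match address, set peer and set transform-set, and the map must be applied to an interface). The sample config is constructed from the poster's lines, with addresses redacted as in the original post.

```python
"""Audit a PIX 6.x config for a missing default route and incomplete crypto maps.
Added example, not Cisco code; SAMPLE is constructed from the thread's config."""
import re
from collections import defaultdict

SAMPLE = """\
access-list 102 permit ip
nat (inside) 1 0 0
crypto map bmw 1 ipsec-isakmp
crypto map bmw 1 match address 102
crypto map bmw 1 set peer xxx.213.196.10
crypto map bmw 1 set transform-set toyota
crypto map bmw 2 ipsec-isakmp
crypto map bmw 2 set peer xxx.100.116.90
crypto map bmw interface outside
crypto map mbmw 1 ipsec-isakmp
crypto map mbmw 1 match address 102
isakmp key ******** address xxx.213.196.10 netmask
isakmp key ******** address xx.100.116.90 netmask
"""

# Matches the three per-entry parameters a complete ipsec-isakmp map needs.
CM_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set)\s+(\S+)")
# Accepts both the "0 0" shortcut and the long 0.0.0.0 0.0.0.0 form.
ROUTE_RE = re.compile(r"^route outside 0(\.0\.0\.0)? 0(\.0\.0\.0)? \S+")
REQUIRED = {"match address", "set peer", "set transform-set"}

def audit(config):
    """Return a list of human-readable findings; empty list means nothing found."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    if not any(ROUTE_RE.match(l) for l in lines):
        findings.append("no default route: add 'route outside 0 0 <gateway_ip>'")
    entries = defaultdict(dict)  # (map name, seq) -> {parameter: value}
    for l in lines:
        m = CM_RE.match(l)
        if m:
            entries[(m[1], m[2])][m[3]] = m[4]
    # Maps bound to an interface: "crypto map <name> interface <ifname>"
    applied = {l.split()[2] for l in lines if re.match(r"^crypto map \S+ interface ", l)}
    for (name, seq), params in entries.items():
        missing = REQUIRED - params.keys()
        if missing:
            findings.append(f"crypto map {name} {seq} incomplete: missing {sorted(missing)}")
        if name not in applied:
            findings.append(f"crypto map {name} is not applied to any interface")
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f)
```

Run against the poster's config it reports the missing default route, the second peer entry (bmw 2) without match address or transform-set, and the stray mbmw map that is both incomplete and never applied to an interface.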