Assistance with PIX config

Unanswered Question
Jun 19th, 2007

Hi, I would appreciate assistance in troubleshooting the is PIX 501. The PIX 501 sits behind a Netopia DSL modem servicing a branch office. The following is the config. Thanks.

Said

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname OTB

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list 102 permit ip 10.6.6.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 100 permit ip 10.6.6.0 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24

logging on

logging console debugging

logging monitor debugging

mtu outside 1500

mtu inside 1500

ip address outside xxx.103.120.130 255.255.255.248

ip address inside 10.6.6.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 xxx.103.120.131-xxx.103.120.134

global (outside) 1 interface

nat (inside) 0 access-list 100

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

conduit permit icmp any any

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

<--- More --->

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set toyota esp-des esp-md5-hmac

crypto map bmw 1 ipsec-isakmp

crypto map bmw 1 match address 102

crypto map bmw 1 set peer xxx.213.196.10

crypto map bmw 1 set transform-set toyota

crypto map bmw 2 ipsec-isakmp

crypto map bmw 2 set peer xxx.100.116.90

<--- More --->

! Incomplete

crypto map bmw interface outside

crypto map mbmw 1 ipsec-isakmp

crypto map mbmw 1 match address 102

! Incomplete

isakmp enable outside

isakmp key ******** address xxx.213.196.10 netmask 255.255.255.255

isakmp key ******** address xx.100.116.90 netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 86400

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

dhcpd address 10.6.6.2-10.6.6.31 inside

dhcpd dns 192.168.1.5 67.100.88.26

dhcpd lease 3600

dhcpd ping_timeout 750

<--- More --->

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)
Loading.
saidfrh Tue, 06/19/2007 - 17:25

The problem is that the LAN users behind the PIX can not access the internet. The 501 gives DHCP address. The PIX can ping the public IP address of the DSL modem.

vitripat Tue, 06/19/2007 - 16:06

Though its not mentioned what the issue is .. taking a wild guess it seems that you are unable to get on internet through PIX. This could be because there is no "default" route configured on PIX. Your ISP must have given you the "gateway_ip", use it in the following command from config mode-

route outside 0 0 gateway_ip

This should get you rolling if I guessed the issue correctly .. ;-)

Regards,

Vibhor.

saidfrh Wed, 06/20/2007 - 07:44

Vibhor,

Which of the following is the correct syntax?

route outside 0 0 gateway xx.103.120.129 255.255.255.248

route outside 0.0.0.0 0.0.0.0 gateway xx.103.120.129 255.255.255.248

acomiskey Wed, 06/20/2007 - 07:46

route outside 0.0.0.0 0.0.0.0 xx.103.120.129

Assuming your network is xx.103.120.128/29 and .129 is your gateway.

JORGE RODRIGUEZ Wed, 06/20/2007 - 07:48

both are correct systax,

route outside 0 0 is just a short cut for

route oustde 0.0.0.0 0.0.0.0

saidfrh Wed, 06/20/2007 - 11:16

Vibhor,

Thanks. Your suggestion worked. Now a tunnel can not be established between this branch office 501 and the central office PIX.

Said

sarat1317 Tue, 06/26/2007 - 15:07

Hi

I think you are trying to establish 2 VPNs to xxx.213.196.10 & xx.100.116.90. But you have only acls, cryptomaps, isakmp statements for only 1 tunnel configuration.

Do you exactly have the same parameters on the remote end xxx.213.196.10? The parameters should be the same.

And these are redundant

crypto map mbmw 1 ipsec-isakmp

crypto map mbmw 1 match address 102

Also after you change the configuration, just add this command again. I know it is already in there. But once you change the cryptomap configs, sometimes we need to add the statement below. (When you do this, you will end up in losing the connection to your remote network if you are already connected to that network, but this doesnt apply in your case now as you dont have a connection at all)

crypto map bmw interface outside

then do sh isakmp sa and see the output

thanks

sarat

Actions

This Discussion