06-19-2007 03:56 PM - edited 03-11-2019 03:32 AM
Hi, I would appreciate assistance in troubleshooting this PIX 501. The PIX 501 sits behind a Netopia DSL modem servicing a branch office. The following is the config. Thanks.
Said
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname OTB
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 102 permit ip 10.6.6.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 100 permit ip 10.6.6.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging on
logging console debugging
logging monitor debugging
mtu outside 1500
mtu inside 1500
ip address outside xxx.103.120.130 255.255.255.248
ip address inside 10.6.6.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 xxx.103.120.131-xxx.103.120.134
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set toyota esp-des esp-md5-hmac
crypto map bmw 1 ipsec-isakmp
crypto map bmw 1 match address 102
crypto map bmw 1 set peer xxx.213.196.10
crypto map bmw 1 set transform-set toyota
crypto map bmw 2 ipsec-isakmp
crypto map bmw 2 set peer xxx.100.116.90
! Incomplete
crypto map bmw interface outside
crypto map mbmw 1 ipsec-isakmp
crypto map mbmw 1 match address 102
! Incomplete
isakmp enable outside
isakmp key ******** address xxx.213.196.10 netmask 255.255.255.255
isakmp key ******** address xx.100.116.90 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 10.6.6.2-10.6.6.31 inside
dhcpd dns 192.168.1.5 67.100.88.26
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
06-19-2007 04:03 PM
What's the problem?
06-19-2007 05:25 PM
The problem is that the LAN users behind the PIX cannot access the internet. The 501 gives out DHCP addresses. The PIX can ping the public IP address of the DSL modem.
06-19-2007 04:06 PM
Though it's not mentioned what the issue is, taking a wild guess it seems that you are unable to get on the internet through the PIX. This could be because there is no "default" route configured on the PIX. Your ISP must have given you the "gateway_ip"; use it in the following command from config mode:
route outside 0 0 gateway_ip
This should get you rolling if I guessed the issue correctly... ;-)
Regards,
Vibhor.
06-20-2007 07:44 AM
Vibhor,
Which of the following is the correct syntax?
route outside 0 0 gateway xx.103.120.129 255.255.255.248
route outside 0.0.0.0 0.0.0.0 gateway xx.103.120.129 255.255.255.248
06-20-2007 07:46 AM
route outside 0.0.0.0 0.0.0.0 xx.103.120.129
Assuming your network is xx.103.120.128/29 and .129 is your gateway.
06-20-2007 07:48 AM
Both are correct syntax;
route outside 0 0 is just a shortcut for
route outside 0.0.0.0 0.0.0.0
06-20-2007 08:01 AM
Yes, but neither use the word "gateway" or subnet mask.
06-20-2007 11:16 AM
Vibhor,
Thanks. Your suggestion worked. Now a tunnel cannot be established between this branch office 501 and the central office PIX.
Said
06-26-2007 03:07 PM
Hi
I think you are trying to establish 2 VPNs, to xxx.213.196.10 and xx.100.116.90. But you only have ACLs, crypto maps and isakmp statements for one tunnel configuration.
Do you exactly have the same parameters on the remote end xxx.213.196.10? The parameters should be the same.
And these are redundant
crypto map mbmw 1 ipsec-isakmp
crypto map mbmw 1 match address 102
Also, after you change the configuration, just add this command again. I know it is already in there, but once you change the crypto map configs, sometimes we need to add the statement below. (When you do this, you will end up losing the connection to your remote network if you are already connected to that network, but this doesn't apply in your case now as you don't have a connection at all.)
crypto map bmw interface outside
then do sh isakmp sa and see the output
thanks
sarat
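As an added example, not part of the original thread: a small Python linter that checks a PIX 6.3 running-config for the two problems raised above, the missing default route (both `route outside 0 0 <gw>` and the long form count) and the crypto map entries the PIX itself flags as `! Incomplete`, plus the checks a reviewer would run over the rest of the posted config: a crypto map defined but never applied to an interface, a peer with no matching isakmp key, a DES/MD5/group 1 ISAKMP policy, SSH permitted from any source on the outside interface, and the default SNMP community. The embedded SAMPLE_CONFIG is a constructed, reduced copy of the posted config with the masked public octets replaced by RFC 5737 documentation addresses; it is not the real device configuration, and the 192.0.2.129 gateway used below is the thread's ".129 is your gateway" assumption.

```python
import re

# Constructed sample (not the real device config): a reduced copy of the config
# posted in this thread, with the masked "xxx." octets replaced by RFC 5737
# documentation addresses and the unrelated fixup/timeout/dhcpd lines dropped.
SAMPLE_CONFIG = """\
PIX Version 6.3(4)
ip address outside 192.0.2.130 255.255.255.248
ip address inside 10.6.6.1 255.255.255.0
access-list 102 permit ip 10.6.6.0 255.255.255.0 192.168.1.0 255.255.255.0
snmp-server community public
crypto ipsec transform-set toyota esp-des esp-md5-hmac
crypto map bmw 1 ipsec-isakmp
crypto map bmw 1 match address 102
crypto map bmw 1 set peer 198.51.100.10
crypto map bmw 1 set transform-set toyota
crypto map bmw 2 ipsec-isakmp
crypto map bmw 2 set peer 203.0.113.90
crypto map bmw interface outside
crypto map mbmw 1 ipsec-isakmp
crypto map mbmw 1 match address 102
isakmp key ******** address 198.51.100.10 netmask 255.255.255.255
isakmp key ******** address 203.0.113.90 netmask 255.255.255.255
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
ssh 0.0.0.0 0.0.0.0 outside
"""

# "route <if> 0 0 <gw>" and "route <if> 0.0.0.0 0.0.0.0 <gw>" are both a default route.
DEFAULT_ROUTE = re.compile(r"^route\s+\S+\s+(?:0\.0\.0\.0|0)\s+(?:0\.0\.0\.0|0)\s+\S+")
MAP_ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
MAP_IFACE = re.compile(r"^crypto map (\S+) interface \S+$")
ISAKMP_KEY = re.compile(r"^isakmp key \S+ address (\S+)")
ISAKMP_POLICY = re.compile(r"^isakmp policy (\d+) (encryption|hash|group) (\S+)$")
WEAK_ISAKMP = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}
# A crypto map entry needs all three of these before the PIX stops calling it incomplete.
REQUIRED = ("match address", "set peer", "set transform-set")


def lint(config: str) -> list:
    """Return human-readable findings for a PIX 6.3 running-config, in a fixed order."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    entries = {}  # (map name, seq) -> {required field: value or None}
    applied, keyed_peers, acls, weak = set(), set(), set(), {}
    for ln in lines:
        if m := MAP_ENTRY.match(ln):
            entry = entries.setdefault((m[1], int(m[2])), dict.fromkeys(REQUIRED))
            for field in REQUIRED:
                if m[3].startswith(field + " "):
                    entry[field] = m[3].split()[-1]
        elif m := MAP_IFACE.match(ln):
            applied.add(m[1])
        elif m := ISAKMP_KEY.match(ln):
            keyed_peers.add(m[1])
        elif m := ISAKMP_POLICY.match(ln):
            if m[3] in WEAK_ISAKMP[m[2]]:
                weak.setdefault(m[1], []).append(f"{m[2]} {m[3]}")
        elif ln.startswith("access-list "):
            acls.add(ln.split()[1])

    if not any(DEFAULT_ROUTE.match(ln) for ln in lines):
        findings.append("no default route: add 'route outside 0.0.0.0 0.0.0.0 <gateway>'")
    for (name, seq), entry in sorted(entries.items()):
        missing = [f for f in REQUIRED if entry[f] is None]
        if missing:
            findings.append(f"crypto map {name} {seq} is incomplete: missing {', '.join(missing)}")
        if entry["match address"] and entry["match address"] not in acls:
            findings.append(f"crypto map {name} {seq} matches undefined access-list {entry['match address']}")
        if entry["set peer"] and entry["set peer"] not in keyed_peers:
            findings.append(f"crypto map {name} {seq}: no isakmp key for peer {entry['set peer']}")
    for name in sorted({n for n, _ in entries} - applied):
        findings.append(f"crypto map {name} is defined but not applied to any interface")
    for policy, attrs in sorted(weak.items()):
        findings.append(f"isakmp policy {policy} uses weak settings: {', '.join(attrs)}")
    if any(re.match(r"^ssh 0\.0\.0\.0 0\.0\.0\.0 outside$", ln) for ln in lines):
        findings.append("ssh is permitted from any source on the outside interface")
    if "snmp-server community public" in lines:
        findings.append("snmp-server community is the default 'public'")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the sample it reports the missing default route first, then `bmw 2` and `mbmw 1` as incomplete (exactly the two entries the PIX printed `! Incomplete` under), `mbmw` as never applied to an interface, and the weak ISAKMP, open SSH and SNMP settings. Appending `route outside 0 0 192.0.2.129` clears only the first finding; the tunnel-related ones remain until the second map entry gets its `match address` and `set transform-set` lines and the stray `mbmw` map is removed or completed.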