cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
401
Views
0
Helpful
3
Replies

assistance setting a PIX to PIX tunnel

saidfrh
Level 1
Level 1

Hi,

We are replacing a PIX at a branch office. A tunnel was establised with old PIX at branch office. A tunnel cannot beestablished with new PIX and central office PIX. Branch office has connection to the internet with new PIX. A tunnel can not be established between PIX at central officeand branch office. Could you provide assistance. The following is the config at the branch office PIX.

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

domain-name falcon.local

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

<--- More --->

nat (inside) 0

access-list 102 permit ip 10.6.6.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 100 permit ip 10.6.6.0 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24

logging on

logging console debugging

logging monitor debugging

mtu outside 1500

mtu inside 1500

ip address outside xxx.103.120.130 255.255.255.248

ip address inside 10.6.6.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 xxx.103.120.131-xxx.103.120.134

global (outside) 1 interface

nat (inside) 0 access-list 100

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

conduit permit icmp any any

route outside 0.0.0.0 0.0.0.0 xxx.103.120.129 1

timeout xlate 0:05:00

<--- Mor

timeout uauth 0:05:00 absolutexxx.55.241.12:/i/bin/1.3.200703

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set toyota esp-des esp-md5-hmac

crypto map bmw 1 ipsec-isakmp

crypto map bmw 1 match address 102

crypto map bmw 1 set peer xxx.213.196.10

crypto map bmw 1 set transform-set toyota

crypto map bmw 2 ipsec-isakmp

<--- More

crypto map bmw 2 set transform-set toyota5):/baynote/tags2/b

telnet 0.0.0.0 0.0.0.

! IncompleteBuilt dynami

crypto map bmw interface outside3 to outside

ssh 0.0.0.0 0.0.0.0

crypto map mbmw 1 ipsec-isakmpen=1

isakmp enable outside

isakmp key ******** address xxx.213.196.10 netmask 255.255.255.255

isakmp key ******** address xxx.100.116.90 netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 86400

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

dhcpd address 10.6.6.2-10.6.6.31 inside

dhcpd dns 192.168.1.5 67.100.88.26

dhcpd lease 3600

<--- Mor

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

1 Accepted Solution

Accepted Solutions

JORGE RODRIGUEZ
Level 10
Level 10

Could you tell us on the replaced pix whether it has proper 3DES/AES License, without this feature enable you will not be able to perform site-to-site vpn.

issue at the command line " show version "

and post the results.

Jorge

Jorge Rodriguez

View solution in original post

3 Replies 3

JORGE RODRIGUEZ
Level 10
Level 10

Could you tell us on the replaced pix whether it has proper 3DES/AES License, without this feature enable you will not be able to perform site-to-site vpn.

issue at the command line " show version "

and post the results.

Jorge

Jorge Rodriguez

flopez
Level 1
Level 1

When you took the old PIX out, did you clear the ISAKMP and IPSEC policies?

Did you also run:

CA ZEROIZE ISA

When you make sure that the ISAKMP policies are matching, you can regenerate the RSA keys by:

ca generate rsa key 512

ca save all

Good luck

yes we inputed the above. Thanks.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: