754 Views, 0 Helpful, 11 Replies

How to setup VPN between PIX501 to 1841 router

bsallison
Level 1

Need some help, please.

PIX 501 firewall getting dynamic WAN IP behind an ADSL modem.

1841 router with static WAN IP. I have attached config for both devices. What do I need to do to make the VPN tunnel come up & stay up?

Trying to create a VPN from the PIX site to the HQ router site, I have followed Cisco doc #66173, but I cannot get the VPN tunnel to come up. I feel that I am missing something small, but I have stared at it too long to be objective anymore.

11 Replies

singhsaju
Level 4

You are missing the NAT bypass ACL on the PIX.

access-list 120 permit ip 10.5.5.0 255.255.255.0 10.2.1.0 255.255.255.0

nat (inside) 0 access-list 120

Also, since this is dynamic-to-static IPsec, only the PIX side can initiate the tunnel.

HTH

Saju

Pls rate if it helps

I added the line you specified, then I started to see the following activity from debug I turned on:

IPSEC(key_engine): request timer fired: count = 1,

(identity) local= 192.168.0.3, remote= 216.203.117.82,

local_proxy= 10.5.5.0/255.255.255.0/0/0 (type=4),

remote_proxy= 10.2.1.0/255.255.255.0/0/0 (type=4)

That's more than I had before, but still no connection when I ping a device on other side.

Maybe something else missing?

Yes, I understand the PIX must be the initiating end of the tunnel. Once I get it to work, I would like to set up something, a script or otherwise, that will open the tunnel at a specified time in the AM and keep the tunnel alive until a specified time in the PM. But that's for later.

So close......

What is the IP address the PIX gets on the outside interface?

As per the debug, you are getting a private IP address as the outside interface IP.

(identity) local= 192.168.0.3, remote= 216.203.117.82

So your ISP is doing dynamic NAT/PAT in between, and because of this pure IPsec will not work.

You can try enabling NAT traversal on the PIX and then see if it connects IPsec on UDP 4500.

enable on PIX: isakmp nat-t

The PIX is getting a private IP, 192.168.0.3, because the only public IP is on the outside interface of the DSL modem.

How does my config change on PIX & router if I get a block of static IPs from DSL ISP?

THANKS!

Here is debug output after adding isakmp nat-tra:

ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3

ISAKMP (0): beginning Main Mode exchange

ISAKMP (0): retransmitting phase 1 (0)...

ISAKMP (0): retransmitting phase 1 (1)...

ISAKMP (0): retransmitting phase 1 (2)...

ISAKMP (0): retransmitting phase 1 (3)...

ISAKMP (0): retransmitting phase 1 (4)...

ISAKMP (0): deleting SA: src 192.168.0.3, dst 216.203.117.82

IPSEC(key_engine): request timer fired: count = 1,

(identity) local= 192.168.0.3, remote= 216.203.117.82,

local_proxy= 10.5.5.0/255.255.255.0/0/0 (type=4),

remote_proxy= 10.2.1.0/255.255.255.0/0/0 (type=4)

ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3

ISAKMP (0): beginning Main Mode exchange

ISADB: reaper checking SA 0xb642ec, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for 216.203.117.82/500 not found - peers:0

ISADB: reaper checking SA 0xb64ef4, conn_id = 0

ISAKMP (0): retransmitting phase 1 (0)...

ISAKMP (0): retransmitting phase 1 (1)...

ISAKMP (0): retransmitting phase 1 (2)...
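The two debug captures in this thread, read together, support a simple automated triage: the IKE identity line shows a private local address against a public peer (so a NAT device sits between the PIX and the 1841, which is why Saju suggests NAT-T), and a run of phase 1 retransmits followed by SA deletion means the responder never answered the first Main Mode message. The script below is an added example, not part of the original thread and not a Cisco tool; it parses constructed copies of the two debug excerpts (with the addresses as posted) and returns finding codes. The regular expressions and the retransmit threshold are my assumptions about the PIX debug text format.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample 1: the later PIX debug from the thread, after NAT-T was enabled.
SAMPLE_DEBUG = """\
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
ISAKMP (0): retransmitting phase 1 (3)...
ISAKMP (0): retransmitting phase 1 (4)...
ISAKMP (0): deleting SA: src 192.168.0.3, dst 216.203.117.82
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 192.168.0.3, remote= 216.203.117.82,
local_proxy= 10.5.5.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.2.1.0/255.255.255.0/0/0 (type=4)
"""

# Constructed sample 2: the earlier debug, before NAT-T was enabled.
SAMPLE_DEBUG_NO_NATT = """\
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 192.168.0.3, remote= 216.203.117.82,
local_proxy= 10.5.5.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.2.1.0/255.255.255.0/0/0 (type=4)
"""

# Assumed line shapes, taken from the excerpts above.
IDENTITY_RE = re.compile(r"\(identity\)\s+local=\s*(\S+?),\s+remote=\s*(\S+?),")
PROXY_RE = re.compile(r"(local|remote)_proxy=\s*(\S+?)/(\S+?)/")
RETRANS_RE = re.compile(r"retransmitting phase (\d) \((\d+)\)")
NATT_RE = re.compile(r"sending NAT-T vendor ID")
DELETE_RE = re.compile(r"deleting SA: src (\S+), dst (\S+)")

# Assumed threshold: this many unanswered phase 1 retransmits counts as "no response".
RETRANSMIT_THRESHOLD = 3


def parse_debug(text):
    """Extract the IKE identities, proxy IDs, retransmit counts and NAT-T offer."""
    facts = {"local": None, "remote": None, "proxies": {},
             "retransmits": Counter(), "natt_offered": False, "sa_deleted": False}
    for line in text.splitlines():
        m = IDENTITY_RE.search(line)
        if m:
            facts["local"], facts["remote"] = m.group(1), m.group(2)
        for side, net, mask in PROXY_RE.findall(line):
            # Normalise "10.5.5.0/255.255.255.0" to "10.5.5.0/24".
            facts["proxies"][side] = str(ipaddress.ip_network(f"{net}/{mask}"))
        m = RETRANS_RE.search(line)
        if m:
            facts["retransmits"][int(m.group(1))] += 1
        if NATT_RE.search(line):
            facts["natt_offered"] = True
        if DELETE_RE.search(line):
            facts["sa_deleted"] = True
    return facts


def diagnose(facts):
    """Return finding codes in a fixed order so the result is easy to assert on."""
    findings = []
    local = ipaddress.ip_address(facts["local"]) if facts["local"] else None
    remote = ipaddress.ip_address(facts["remote"]) if facts["remote"] else None
    # RFC 1918 local identity talking to a public peer: a NAT device is in the path.
    if local and remote and local.is_private and not remote.is_private:
        findings.append("nat_in_path")
        if not facts["natt_offered"]:
            findings.append("enable_nat_t")   # "isakmp nat-t" as suggested in the thread
    # Repeated phase 1 retransmits ending in SA deletion: the peer never replied on UDP 500.
    if facts["retransmits"][1] >= RETRANSMIT_THRESHOLD and facts["sa_deleted"]:
        findings.append("phase1_no_response")
    if "local" in facts["proxies"] and "remote" in facts["proxies"]:
        findings.append("proxy_ids_present")  # interesting traffic is defined on the PIX
    return findings


EXPLANATIONS = {
    "nat_in_path": "PIX outside address is private; a NAT/PAT device sits before the peer.",
    "enable_nat_t": "No NAT-T vendor ID sent; enable NAT traversal so ESP can ride UDP 4500.",
    "phase1_no_response": "Phase 1 retransmitted with no reply; IKE on UDP 500 is not reaching "
                          "the peer or the peer is not answering this source address.",
    "proxy_ids_present": "Crypto ACL proxy identities are set; compare them with the NAT-exempt ACL.",
}


def explain(findings):
    return [EXPLANATIONS[f] for f in findings]


if __name__ == "__main__":
    for label, sample in (("before NAT-T", SAMPLE_DEBUG_NO_NATT), ("after NAT-T", SAMPLE_DEBUG)):
        print(label)
        for line in explain(diagnose(parse_debug(sample))):
            print("  -", line)
```

On the earlier capture the script reports `nat_in_path` and `enable_nat_t`; on the later one NAT-T is offered, so only `nat_in_path` and `phase1_no_response` remain, which matches the thread's conclusion that the private address behind the DSL modem, not the crypto configuration, is what is stopping phase 1. NAT-T only encapsulates ESP; it does not help if the initial IKE packets on UDP 500 are never answered, which is the situation both captures show.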

Can you remove the access-list under the dynamic map on the 1841 router and then check?

crypto dynamic-map SSP 10

no match address 111

Still no work. Same feedback as previous debug posting. I am thinking this private IP behind the DSL modem is huge and I need to get a static IP to make it work?

I also suspect that the private IP could be the cause. Your config looks OK.

HTH

Saju

Pls rate if it helps

Ordered a static IP for the PIX side of connection. Should be able to configure tomorrow when I get back to remote office. How will config on router change for the static IP (A.B.C.D) at remote location?
