Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
367
Views
2
Helpful
3
Replies

site to site VPN-need help

cempuerto
Level 1
Level 1

‎11-01-2008 06:06 AM - edited ‎02-21-2020 03:04 AM

Hi,

I really need help with the VPN configuration. I am using 2 pix 501 as demo for VPN connection. below is the the configuration on both site.

SITE A :

PIX Version 6.3(5)

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxx

passwd xxx

hostname pixfirewall

domain-name ciscopix.com

names

name 10.1.1.1 inside

name x.x.x.x outside

name 192.168.11.0 remote_site_lan

access-list inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 remote_site_lan 255.255.255.0

access-list outside_cryptomap_20 permit ip 10.1.1.0 255.255.255.0 remote_site_lan 255.255.255.0

access-list in_outside permit icmp any any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside outside 255.255.255.248

ip address inside inside 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location remote_site_lan 255.255.255.0 outside

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 10.1.1.0 255.255.255.0 50 25

access-group in_outside in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer x.x.x.x

crypto map outside_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-c onfig-mode

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

SITE B:

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname pixfirewall

domain-name ciscopix.com

name 10.1.1.0 remote

access-list inside_outbound_nat0_acl permit ip 192.168.11.0 255.255.255.0 remote 255.255.255.0

access-list outside_cryptomap_20 permit ip 192.168.11.0 255.255.255.0 remote 255.255.255.0

access-list in_outside permit icmp any any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside x.x.x.x 255.255.255.252

ip address inside 192.168.11.34 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location remote 255.255.255.0 outside

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 192.168.11.0 255.255.255.0 0 0

access-group in_outside in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer x.x.x.x

crypto map outside_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

0 Helpful
3 Replies 3

ajagadee
Cisco Employee
Cisco Employee

‎11-02-2008 07:22 PM

Hi,

Configure "Isakmp identity address" on both the pix firewalls and try bringing up the tunnel.

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/gl.html#wp1027312

Regards,

Arul

*Pls rate if it helps*

cempuerto
Level 1
Level 1
In response to ajagadee

‎11-08-2008 06:39 AM

Sad to say that i still have a problem. VPN conection is still down.any other suggestions

0 Helpful

ajagadee
Cisco Employee
Cisco Employee
In response to cempuerto

‎11-09-2008 08:00 AM

Post the debugs from "deb cry is", "deb cry ips"

"show cry is sa", show cryp ipsec sa" and along with the source and destination IP Addresses that you are using to bring up the tunnel.

Also, post current copy of your pix configuration.

-Arul

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card