11-01-2008 06:06 AM - edited 02-21-2020 03:04 AM
Hi,
I really need help with the VPN configuration. I am using 2 PIX 501 as a demo for a VPN connection. Below is the configuration on both sites.
SITE A :
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname pixfirewall
domain-name ciscopix.com
names
name 10.1.1.1 inside
name x.x.x.x outside
name 192.168.11.0 remote_site_lan
access-list inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 remote_site_lan 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.1.1.0 255.255.255.0 remote_site_lan 255.255.255.0
access-list in_outside permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside outside 255.255.255.248
ip address inside inside 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location remote_site_lan 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.1.1.0 255.255.255.0 50 25
access-group in_outside in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer x.x.x.x
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
SITE B:
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name ciscopix.com
name 10.1.1.0 remote
access-list inside_outbound_nat0_acl permit ip 192.168.11.0 255.255.255.0 remote 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.11.0 255.255.255.0 remote 255.255.255.0
access-list in_outside permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.252
ip address inside 192.168.11.34 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location remote 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.11.0 255.255.255.0 0 0
access-group in_outside in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer x.x.x.x
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
11-02-2008 07:22 PM
Hi,
Configure "isakmp identity address" on both the PIX firewalls and try bringing up the tunnel.
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/gl.html#wp1027312
Regards,
Arul
*Pls rate if it helps*
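Before chasing debugs, a useful first pass on a pair of PIX configs like the ones in the opening post is to check that the two sides actually mirror each other: the crypto ACLs are proxy-ID mirrors, the nat 0 ACL exempts the same traffic, the transform sets agree, and at least one ISAKMP policy matches. The script below does that and also flags the missing "isakmp identity address" line that the reply above suggests. It is an added example written for this thread, not Cisco's or the poster's code; it parses only the subset of PIX 6.3 syntax that appears in the posts, and the SITE_A/SITE_B strings are constructed from the two posted configs (peer addresses left as the x.x.x.x placeholder). As a side effect it points out that both peers negotiate 3DES, MD5 and DH group 2, which are legacy choices worth planning a migration away from.

```python
"""Cross-check two PIX 6.3 site-to-site IPsec configs for mirror consistency.

Added example for this thread (not Cisco's or the poster's code). Parses the
subset of PIX 6.3 syntax used in the posts: name, access-list, nat 0, crypto
map, transform-set, isakmp policy and isakmp identity. SITE_A/SITE_B below are
constructed from the two posted configs; peers stay as the x.x.x.x placeholder.
"""

SITE_A = """\
name 10.1.1.1 inside
name 192.168.11.0 remote_site_lan
access-list inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 remote_site_lan 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.1.1.0 255.255.255.0 remote_site_lan 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set transform-set ESP-3DES-MD5
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
"""

SITE_B = """\
name 10.1.1.0 remote
access-list inside_outbound_nat0_acl permit ip 192.168.11.0 255.255.255.0 remote 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.11.0 255.255.255.0 remote 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set transform-set ESP-3DES-MD5
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
"""

# Algorithms and DH groups that current guidance treats as legacy.
LEGACY = {"des", "3des", "md5", "1", "2", "esp-des", "esp-3des", "esp-md5-hmac"}


def parse(cfg):
    """Pull the VPN-relevant statements out of a PIX 6.3 running-config."""
    c = {"names": {}, "acls": {}, "tsets": {}, "policies": {}, "cmap": {},
         "nat0": None, "identity": None}
    for line in cfg.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "name":                                  # name <ip> <alias>
            c["names"][w[2]] = w[1]
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            c["acls"].setdefault(w[1], []).append(tuple(w[4:8]))
        elif w[0] == "nat" and len(w) > 4 and w[2] == "0":  # nat (if) 0 access-list <acl>
            c["nat0"] = w[4]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            c["tsets"][w[3]] = frozenset(w[4:])
        elif w[:2] == ["crypto", "map"] and len(w) == 7:    # match address / set peer / set transform-set
            c["cmap"][w[5]] = w[6]
        elif w[:2] == ["isakmp", "policy"]:
            c["policies"].setdefault(w[2], {})[w[3]] = w[4]
        elif w[:2] == ["isakmp", "identity"]:
            c["identity"] = w[2]
    return c


def acl_entries(c, acl):
    """ACL entries as (src, smask, dst, dmask) with 'name' aliases resolved."""
    r = c["names"]
    return {(r.get(s, s), sm, r.get(d, d), dm) for s, sm, d, dm in c["acls"].get(acl, [])}


def check(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the two sides agree."""
    a, b = parse(cfg_a), parse(cfg_b)
    out = []
    ca = acl_entries(a, a["cmap"].get("address"))
    cb = acl_entries(b, b["cmap"].get("address"))
    # Phase 2 proxy IDs: B's entries must be A's with source and destination swapped.
    if {(d, dm, s, sm) for s, sm, d, dm in cb} != ca:
        out.append("crypto ACLs are not mirror images: A=%s B=%s" % (sorted(ca), sorted(cb)))
    for side, c, ents in (("A", a, ca), ("B", b, cb)):
        if acl_entries(c, c["nat0"]) != ents:               # tunnelled traffic must bypass NAT
            out.append(f"site {side}: nat 0 ACL differs from the crypto ACL")
        if c["identity"] != "address":
            out.append(f"site {side}: 'isakmp identity address' not configured")
    ta = a["tsets"].get(a["cmap"].get("transform-set"))
    tb = b["tsets"].get(b["cmap"].get("transform-set"))
    if ta != tb:
        out.append(f"transform sets differ: A={ta} B={tb}")
    keys = ("authentication", "encryption", "hash", "group")
    common = ({tuple(p.get(k) for k in keys) for p in a["policies"].values()}
              & {tuple(p.get(k) for k in keys) for p in b["policies"].values()})
    if not common:                                          # Phase 1 needs one fully matching policy
        out.append("no ISAKMP policy is common to both sites")
    if any(set(p) & LEGACY for p in common) or (ta and ta & LEGACY):
        out.append("tunnel relies on legacy algorithms (DES/3DES, MD5, DH group 1/2)")
    return out


if __name__ == "__main__":
    for finding in check(SITE_A, SITE_B) or ["no mismatches found"]:
        print(finding)
```

Run as-is, it reports that the two posted configs do mirror each other and that neither side sets "isakmp identity address"; fix one side's ACL mask or transform set and the corresponding mismatch shows up. The parser deliberately only understands the statement forms visible in the thread, so treat it as a starting point for your own configs rather than a general PIX parser.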
11-08-2008 06:39 AM
Sad to say that I still have a problem. The VPN connection is still down. Any other suggestions?
11-09-2008 08:00 AM
Post the debugs from "deb cry is", "deb cry ips",
"show cry is sa", "show cryp ipsec sa", along with the source and destination IP addresses that you are using to bring up the tunnel.
Also, post current copy of your pix configuration.
-Arul