IPSec VPN with VPN-DES??

csco11049253
Level 1

I have a Cisco PIX 515E running image version 7.2, but it doesn't have a license to support VPN-3DES-AES, so I have configured it for VPN-DES but am unable to establish remote-access VPN connections.

The configuration is as pasted below, kindly review and suggest any corrections.

Thanks,

CM

vpn-firewall# sh run
vpn-firewall# sh running-config
: Saved
:
PIX Version 7.2(4)
!
hostname atheeb-vpn-firewall
enable password xxx
passwd xxx
names
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 212.33.x.y 255.255.255.224
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.104.10 255.255.255.0
!
ftp mode passive
access-list nonat extended permit ip 10.1.100.0 255.255.255.0 10.1.105.0 255.255.255.0
access-list nonat extended permit ip 10.1.98.0 255.255.255.0 10.1.105.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool test 10.1.105.1-10.1.105.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.104.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 212.33.x.z 1
route inside 10.1.100.0 255.255.255.0 10.1.104.1 1
route inside 10.1.98.0 255.255.255.0 10.1.104.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set atheebset esp-des esp-md5-hmac
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
vpn-sessiondb max-session-limit 450
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username user password xxxencrypted
tunnel-group test-vpn type ipsec-ra
tunnel-group test-vpn general-attributes
 address-pool test
tunnel-group test-vpn ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
vpn-firewall# exit
Logoff

vpn-firewall# sh version
Cisco PIX Security Appliance Software Version 7.2(4)
Licensed features for this platform:
Maximum Physical Interfaces : 3
Maximum VLANs : 10
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Disabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : Unlimited


andrew.prince
Level 10

You can get a 3DES/AES license for free from Cisco, goto:-

https://tools.cisco.com/SWIFT/Licensing/jsp/formGenerator/Pix3DesMsgDisplay.jsp

As far as your config is concerned, you have made a lot of mistakes and are missing a load of config. Read the example below; it shows both the ASDM and the CLI:-

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml

HTH
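For readers who want the specifics behind "missing a load of config", the following PIX 7.2 fragment is an added example written for this page; it is neither the poster's configuration nor the reply author's, and it is not the Cisco document linked above. It assumes the addressing shown in the posted running-config (inside hosts on 10.1.104.0/24, pool 10.1.105.0/24, routed subnets 10.1.100.0/24 and 10.1.98.0/24); the names test-vpn-gp and split-tunnel-acl and the 2048-bit RSA modulus are assumptions chosen for the example.

```cisco
! Added example (not the poster's config, not the reply author's): the pieces a
! remote-access IPsec tunnel-group on PIX 7.2 needs that the posted config lacks,
! plus two hardening changes. test-vpn-gp and split-tunnel-acl are assumed names.

! 1. The dynamic crypto map carries no transform set, so there is no IPsec proposal
!    for Phase 2 to agree on. Bind the existing DES/MD5 set to it.
crypto dynamic-map dyn1 1 set transform-set atheebset
crypto dynamic-map dyn1 1 set reverse-route

! 2. Inside-to-pool traffic must be exempted from NAT. The posted nonat ACL covers
!    10.1.100.0/24 and 10.1.98.0/24 but not the directly connected 10.1.104.0/24,
!    which therefore falls into "nat (inside) 1" and gets PATed to the outside address.
access-list nonat extended permit ip 10.1.104.0 255.255.255.0 10.1.105.0 255.255.255.0

! 3. Attach a group-policy with split tunneling so clients send only the internal
!    prefixes through the tunnel (assumed ACL and policy names).
access-list split-tunnel-acl standard permit 10.1.104.0 255.255.255.0
access-list split-tunnel-acl standard permit 10.1.100.0 255.255.255.0
access-list split-tunnel-acl standard permit 10.1.98.0 255.255.255.0
group-policy test-vpn-gp internal
group-policy test-vpn-gp attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel-acl
tunnel-group test-vpn general-attributes
 address-pool test
 default-group-policy test-vpn-gp

! 4. Pre-shared-key remote access normally runs with the default ISAKMP identity
!    (auto); the posted config overrides it with "hostname". Restore the default
!    unless there is a specific reason for the override.
crypto isakmp identity auto

! 5. Policy 65535 duplicates policy 1 apart from the lifetime; one DES policy is enough.
no crypto isakmp policy 65535

! 6. Hardening: management is cleartext telnet from every inside host. Replace it
!    with SSHv2 from the inside subnet, authenticated against the local user database.
no telnet 0.0.0.0 0.0.0.0 inside
crypto key generate rsa modulus 2048
ssh 10.1.104.0 255.255.255.0 inside
ssh version 2
aaa authentication ssh console LOCAL

! 7. DES is a 56-bit cipher and brute-forceable with commodity hardware. Once the
!    free VPN-3DES-AES licence from the reply is installed (check "show version"),
!    move both phases to AES; the box rejects these lines on a DES-only licence:
! crypto ipsec transform-set atheebset esp-aes-256 esp-sha-hmac
! crypto isakmp policy 1
!  encryption aes-256
```

After applying the first three items, a client connection should show a Phase 1 SA in `show crypto isakmp sa` and an inbound/outbound pair in `show crypto ipsec sa`; if Phase 2 still fails, `debug crypto isakmp 7` on the PIX names the proposal that was not matched. Item 6 should be done from the console or only after the SSH key is generated, since removing the telnet line drops the only existing management path.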
