pix 506e to cisco router vpn problem

Unanswered Question
Jun 11th, 2002

Hello again.

I am trying to set up a PIX 506e to router VPN. I have included the configs. I am establishing an IPsec tunnel but cannot ping a remote server or map any drives. Cisco has written back saying there is nothing wrong with my config. The remote Cisco PIX 506e will initiate the VPN connection to the main office site. All Windows servers are located at the main office. The handful of users located behind the PIX need access to shared resources and an Exchange server at the main site. Any suggestions would be greatly appreciated. I have researched all the posts and contacted Cisco but to no avail.

Thank you,

Joe

PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxx encrypted
passwd xxxxxxx encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list nonat permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ipsec permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 216.153.255.76 255.255.255.0
ip address inside 192.168.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 216.153.255.77-216.153.255.78
global (outside) 1 216.153.255.79
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 216.153.255.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.4.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set pix esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 8400
crypto map cisco 10 ipsec-isakmp
crypto map cisco 10 match address ipsec
crypto map cisco 10 set peer x.x.112.209
crypto map cisco 10 set transform-set pix
crypto map cisco interface outside
isakmp enable outside
isakmp key ******** address x.x.112.209 netmask 255.255.255.248
isakmp identity address
isakmp policy 3 authentication pre-share
isakmp policy 3 encryption des
isakmp policy 3 hash md5
isakmp policy 3 group 1
isakmp policy 3 lifetime 86400
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:xxxxxxxxxxx: end
[OK]
pixfirewall(config)#



Cisco Router

Building configuration...

Current configuration : 7381 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname Sheboygan
!
logging buffered 4096 debugging
enable password 7 0214075007
!
voice-card 1
!
ip subnet-zero
!
no ip domain-lookup
!
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name FastEthernet_0_0 tcp
ip inspect name FastEthernet_0_0 udp
ip inspect name FastEthernet_0_0 cuseeme
ip inspect name FastEthernet_0_0 ftp
ip inspect name FastEthernet_0_0 h323
ip inspect name FastEthernet_0_0 rcmd
ip inspect name FastEthernet_0_0 realaudio
ip inspect name FastEthernet_0_0 smtp
ip inspect name FastEthernet_0_0 streamworks
ip inspect name FastEthernet_0_0 vdolive
ip inspect name FastEthernet_0_0 sqlnet
ip inspect name FastEthernet_0_0 tftp
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
crypto isakmp key xxxxxxxx address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local VPN_POOL
!
crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac
!
crypto dynamic-map mymap 11
 set transform-set cm-transformset-1
!
crypto map cm-cryptomap local-address Serial0/1.1
crypto map cm-cryptomap client configuration address initiate
crypto map cm-cryptomap client configuration address respond
crypto map cm-cryptomap 11 ipsec-isakmp dynamic mymap
!
isdn voice-call-failure 0
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
controller T1 1/0
 framing esf
 linecode b8zs
 ds0-group 1 timeslots 1-8 type e&m-wink-start
 description T1 to Merlin PBX
!
buffers small permanent 75
buffers small max-free 300
buffers small min-free 50
buffers middle permanent 40
buffers middle max-free 200
buffers middle min-free 20
buffers big max-free 175
buffers big min-free 10
buffers verybig max-free 125
buffers verybig min-free 5
buffers large permanent 6
buffers large max-free 20
buffers large min-free 3
!
interface Loopback0
 ip address 192.168.0.1 255.255.255.0
!
interface FastEthernet0/0
 description connected to EthernetLAN
 ip address 192.168.1.200 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip inspect FastEthernet_0_0 in
 no ip route-cache
 no ip mroute-cache
 ip policy route-map nonat
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 no ip mroute-cache
 frame-relay traffic-shaping
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 description connected to CorporateNetwork ARK
 ip unnumbered FastEthernet0/0
 ip nat inside
 no ip mroute-cache
 no arp frame-relay
 frame-relay interface-dlci x
  class voice_ARK
 frame-relay ip rtp header-compression passive
!
interface Serial0/0.2 point-to-point
 description connected to CorporateNetwork NJ
 ip unnumbered FastEthernet0/0
 ip nat inside
 no ip mroute-cache
 no arp frame-relay
 frame-relay interface-dlci x
  class voice_NJ
 frame-relay ip rtp header-compression passive
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 encapsulation frame-relay
 no ip route-cache
 no ip mroute-cache
 frame-relay lmi-type ansi
 hold-queue 300 in
 hold-queue 2000 out
!
interface Serial0/1.1 point-to-point
 description connected to Internet
 ip address x.x.112.209 255.255.255.248
 ip access-group 101 in
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 frame-relay interface-dlci x
 crypto map cm-cryptomap
!
router rip
 version 2
 passive-interface Serial0/1.1
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.3.0
 no auto-summary
!
ip local pool VPN_POOL 192.168.10.1 192.168.10.254
ip nat inside source route-map tunnel interface Serial0/1.1 overload
ip nat inside source static tcp 192.168.1.3 25 x.x.112.210 25 extendable
ip nat inside source static tcp 192.168.1.3 110 x.x.112.210 110 extendable
ip nat inside source static tcp 192.168.1.250 1494 x.x.112.210 1494 extendable
ip nat inside source static udp 192.168.1.250 1604 x.x.112.210 1604 extendable
ip nat inside source static tcp 192.168.2.250 1494 x.x.112.211 1494 extendable
ip nat inside source static tcp 192.168.3.250 1494 x.x.112.212 1494 extendable
ip nat inside source static udp 192.168.2.250 1604 x.x.112.211 1604 extendable
ip nat inside source static udp 192.168.3.250 1604 x.x.112.212 1604 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/1.1
ip route 172.16.0.0 255.255.0.0 Serial0/0.1
ip route 192.168.2.0 255.255.255.0 Serial0/0.1
ip route 192.168.3.0 255.255.255.0 Serial0/0.2
no ip http server
ip pim bidir-enable
!
map-class frame-relay voice_ARK
 no frame-relay adaptive-shaping
 frame-relay cir 384000
 frame-relay bc 3840
 frame-relay be 0
 frame-relay mincir 384000
 frame-relay fair-queue
 frame-relay fragment 480
 frame-relay ip rtp priority 16384 16383 90
!
map-class frame-relay voice_NJ
 no frame-relay adaptive-shaping
 frame-relay cir 128000
 frame-relay bc 1280
 frame-relay be 0
 frame-relay mincir 128000
 frame-relay fair-queue
 frame-relay fragment 160
 frame-relay ip rtp priority 16384 16383 90
!
map-class frame-relay voice
 frame-relay adaptive-shaping becn
 frame-relay cir 384000
 frame-relay bc 1000
 frame-relay mincir 96000
 frame-relay fair-queue
 frame-relay voice bandwidth 90000
 frame-relay fragment 480
 frame-relay ip rtp priority 16384 1000 90
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 100 permit ip any any
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain any
access-list 101 permit udp any eq 1604 any
access-list 101 permit tcp any host x.x.112.210 eq smtp
access-list 101 permit tcp any host x.x.112.210 eq pop3
access-list 101 permit esp any host x.x.112.209
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit udp any host x.x.112.209 eq isakmp
access-list 101 permit tcp host x.x.34.13 any eq telnet
access-list 101 permit tcp any host x.x.112.210 eq 1494
access-list 101 permit tcp host x.x.34.14 any eq telnet
access-list 101 permit tcp host x.x.225.213 any eq telnet
access-list 101 permit tcp host x.x.225.212 any eq telnet
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 112 deny ip 192.168.0.0 0.0.255.255 192.168.10.0 0.0.0.255
access-list 112 permit ip 192.168.0.0 0.0.255.255 any
!
route-map tunnel permit 12
 match ip address 112
!
route-map nonat permit 11
 match ip address 111
 set ip next-hop 192.168.0.2
 set ip df 0
!
snmp-server engineID local 0000000902000002FD61DE80
snmp-server community public RO
call rsvp-sync
!
voice-port 1/0:1
 output attenuation 3
 timing wink-wait 160
 timing wink-duration 250
 description Voice Ports to Merlin PBX
!
mgcp profile default
!
dial-peer cor custom
!
dial-peer voice 3 voip
 destination-pattern 4...
 session target ipv4:192.168.2.200
 ip qos dscp cs5 media
 no vad
!
dial-peer voice 10 pots
 destination-pattern 3...
 port 1/0:1
 prefix 3
!
dial-peer voice 5 voip
 destination-pattern 5...
 session target ipv4:192.168.3.200
 ip qos dscp cs5 media
 no vad
!
line con 0
 exec-timeout 0 0
 password 7 105C0A1209
 login
line aux 0
line vty 0 4
 exec-timeout 0 0
 password 7 06140C2A40
 login
line vty 5 15
 login
!
end

Sheboygan#


Thank You very much,

Joe Sallmann
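A check a reviewer could run over the two configs above, added here and not part of Joe's post or the reply: once the tunnel is up, the next thing to confirm is whether each side's NAT exemption covers the same traffic the crypto ACL selects, because a packet translated before encryption no longer matches the tunnel. The script parses the relevant ACL lines copied from the thread (PIX netmasks on one side, IOS wildcard masks on the other) and answers that for sample hosts in 192.168.4.0/24 and 192.168.1.0/24; the host addresses and the function names are my own choices.

```python
import ipaddress

# Constructed excerpts copied from the two configs posted in this thread; the
# rest of each config does not affect NAT or tunnel selection and is left out.
PIX_CFG = """
access-list nonat permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ipsec permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
"""
ROUTER_CFG = """
access-list 112 deny ip 192.168.0.0 0.0.255.255 192.168.10.0 0.0.0.255
access-list 112 permit ip 192.168.0.0 0.0.255.255 any
ip nat inside source route-map tunnel interface Serial0/1.1 overload
route-map tunnel permit 12
 match ip address 112
"""

def _take(tok, wildcard):
    """Consume one address spec ('any' or addr mask); return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    mask = tok[1]
    if wildcard:  # IOS wildcard mask -> ordinary netmask
        mask = str(ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(mask))))
    return ipaddress.ip_network(f"{tok[0]}/{mask}", strict=False), tok[2:]

def parse_acl(cfg, name, wildcard):
    """Return (action, src_net, dst_net) for each 'ip' entry of the named ACL."""
    entries = []
    for line in cfg.splitlines():
        tok = line.split()
        if len(tok) >= 6 and tok[:2] == ["access-list", name] and tok[3] == "ip":
            src, rest = _take(tok[4:], wildcard)
            dst, _ = _take(rest, wildcard)
            entries.append((tok[2], src, dst))
    return entries

def first_match(entries, src, dst):
    """First-match evaluation, ending in the implicit deny every ACL has."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next((a for a, sn, dn in entries if s in sn and d in dn), "deny")

def pix_nat_exempt(src, dst):
    # nat (inside) 0 access-list nonat: a permit entry means "do not translate"
    return first_match(parse_acl(PIX_CFG, "nonat", False), src, dst) == "permit"

def pix_crypto_selects(src, dst):
    # crypto map cisco 10 match address ipsec: a permit entry selects the tunnel
    return first_match(parse_acl(PIX_CFG, "ipsec", False), src, dst) == "permit"

def router_nat_exempt(src, dst):
    # NAT is driven by route-map 'tunnel' matching ACL 112: only packets the ACL
    # permits are translated, so a deny (or no match at all) means "do not translate"
    return first_match(parse_acl(ROUTER_CFG, "112", True), src, dst) == "deny"
```

For the subnets in this thread the PIX side exempts and selects 192.168.4.x to 192.168.1.x, while the router side only exempts traffic toward the 192.168.10.0/24 client pool, so the return direction 192.168.1.x to 192.168.4.x is still translated.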


vijkrish Wed, 06/12/2002 - 03:20
Cisco Employee

As you have a TAC case, I would suggest this issue be worked via the TAC.

Did TAC say they cannot help or don't know what's going on?


Sincerely,

Vijay
