Cisco Support Community
New Member

Assistance with PIX config

Hi, I would appreciate assistance in troubleshooting this PIX 501. The PIX 501 sits behind a Netopia DSL modem servicing a branch office. The following is the config. Thanks.


PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname OTB
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list 102 permit ip
access-list 100 permit ip
pager lines 24
logging on
logging console debugging
logging monitor debugging
mtu outside 1500
mtu inside 1500
ip address outside xxx.103.120.130
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 xxx.103.120.131-xxx.103.120.134
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0 0
conduit permit icmp any any
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set toyota esp-des esp-md5-hmac
crypto map bmw 1 ipsec-isakmp
crypto map bmw 1 match address 102
crypto map bmw 1 set peer xxx.213.196.10
crypto map bmw 1 set transform-set toyota
crypto map bmw 2 ipsec-isakmp
crypto map bmw 2 set peer xxx.100.116.90
! Incomplete
crypto map bmw interface outside
crypto map mbmw 1 ipsec-isakmp
crypto map mbmw 1 match address 102
! Incomplete
isakmp enable outside
isakmp key ******** address xxx.213.196.10 netmask
isakmp key ******** address xx.100.116.90 netmask
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet inside
telnet timeout 5
ssh outside
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80


Re: Assistance with PIX config

What's the problem?

New Member

Re: Assistance with PIX config

The problem is that the LAN users behind the PIX cannot access the internet. The 501 gives out DHCP addresses. The PIX can ping the public IP address of the DSL modem.


Re: Assistance with PIX config

Though it's not mentioned what the issue is, taking a wild guess it seems that you are unable to get on the internet through the PIX. This could be because there is no "default" route configured on the PIX. Your ISP must have given you the "gateway_ip"; use it in the following command from config mode:

route outside 0 0 gateway_ip

This should get you rolling if I guessed the issue correctly .. ;-)



New Member

Re: Assistance with PIX config


Which of the following is the correct syntax?

route outside 0 0 gateway xx.103.120.129

route outside gateway xx.103.120.129


Re: Assistance with PIX config

route outside xx.103.120.129

Assuming your network is xx.103.120.128/29 and .129 is your gateway.

Re: Assistance with PIX config

Both are correct syntax,

route outside 0 0 is just a shortcut for

route outside


Re: Assistance with PIX config

Yes, but neither uses the word "gateway" or a subnet mask.

New Member

Re: Assistance with PIX config


Thanks. Your suggestion worked. Now a tunnel cannot be established between this branch office 501 and the central office PIX.


New Member

Re: Assistance with PIX config


I think you are trying to establish 2 VPNs to xxx.213.196.10 & xx.100.116.90. But you only have ACLs, crypto maps and isakmp statements for 1 tunnel configuration.

Do you exactly have the same parameters on the remote end xxx.213.196.10? The parameters should be the same.

And these are redundant:

crypto map mbmw 1 ipsec-isakmp

crypto map mbmw 1 match address 102

Also, after you change the configuration, just add this command again. I know it is already in there, but once you change the crypto map configs, sometimes we need to add the statement below. (When you do this, you will end up losing the connection to your remote network if you are already connected to that network, but this doesn't apply in your case now as you don't have a connection at all.)

crypto map bmw interface outside

Then do sh isakmp sa and see the output.
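As an added example (not from the thread or from Cisco), a small Python audit of the two gaps the replies point to: no default route, and crypto map entries that lack a statement a usable ipsec-isakmp entry needs, plus a map name that is never bound to an interface. The sample config is a constructed excerpt modelled on the posted one, with the masked "xxx." addresses kept as placeholders.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the PIX 6.3 config posted in the thread;
# the masked "xxx." addresses are placeholders, not real hosts.
SAMPLE_CONFIG = """\
access-list 102 permit ip
crypto map bmw 1 ipsec-isakmp
crypto map bmw 1 match address 102
crypto map bmw 1 set peer xxx.213.196.10
crypto map bmw 1 set transform-set toyota
crypto map bmw 2 ipsec-isakmp
crypto map bmw 2 set peer xxx.100.116.90
crypto map bmw interface outside
crypto map mbmw 1 ipsec-isakmp
crypto map mbmw 1 match address 102
"""

# Statements a crypto map entry needs before the PIX will use it for a peer.
REQUIRED = ("match address", "set peer", "set transform-set")

def audit_pix(config: str) -> dict:
    """Report missing default route, incomplete crypto map entries,
    and crypto map names defined but never applied to an interface."""
    entries = defaultdict(set)   # (map name, seq) -> statements present
    applied = set()              # names bound via 'crypto map X interface Y'
    has_default_route = False
    for line in config.splitlines():
        line = line.strip()
        # Both spellings the thread discusses: '0 0' and '0.0.0.0 0.0.0.0'.
        if re.match(r"route \S+ (0 0|0\.0\.0\.0 0\.0\.0\.0) \S+$", line):
            has_default_route = True
            continue
        m = re.match(r"crypto map (\S+) (\d+) (.+)", line)
        if m:
            name, seq, rest = m.groups()
            present = entries[(name, int(seq))]   # registers the entry
            present.update(s for s in REQUIRED if rest.startswith(s))
            continue
        m = re.match(r"crypto map (\S+) interface \S+", line)
        if m:
            applied.add(m.group(1))
    incomplete = {f"{name} {seq}": sorted(set(REQUIRED) - have)
                  for (name, seq), have in entries.items()
                  if set(REQUIRED) - have}
    unapplied = sorted({name for name, _ in entries} - applied)
    return {"default_route": has_default_route,
            "incomplete_entries": incomplete, "unapplied_maps": unapplied}
```

Run against the sample, it reports both "! Incomplete" entries (bmw 2 and mbmw 1) with the statements they lack and flags mbmw as never applied; appending the route command from the thread clears the default-route finding.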