
New Member

Help with IPSEC tunnel on PIX 501


I need help setting up a “Business to Business (B2B)” connection from a vendor to a host facility (may also be called a shared IPSEC tunnel?). I want to add this new tunnel configuration without impacting the current setup on the PIX. Not that it matters, but the vendor has a PIX 501 and the facility has an ASA5400. Anyhow, I have been provided the following information from the host facility:


Vendor Public IP = 216.x.x.x

Vendor Network Range =

Facility Public IP = 199.x.x.x

Facility Network Range = 170.x.x.x/25


Exchange mode = Main mode

Shared secret = TBD

Phase I: DH Group = 2; Encrypt = 3DES-168; Auth = SHA-1/HMAC-160; Life = 86400

Phase II: Protocol = ESP; Encrypt = 3DES-168; Auth = ESP/SHA-1/HMAC-160; Life = 28800; PFS = Off


Nat Location = Vendor Network

ORIGINAL PACKET - Source Destination = Vendor Private Net

ORIGINAL PACKET - Destination Source = Facility Private Net

TRANSLATED PACKET - Source Destination =

TRANSLATED PACKET - Destination Source = SAME

TRAFFIC FLOW INFORMATION: >>>>>>>>>>>>>>> 170.x.x.x-x

The current Vendor PIX configuration is as follows:

PIX Version 6.3(5)

interface ethernet0 auto shutdown

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxxxxxxxxxxxxxx encrypted

passwd xxxxxxxxxxxxxxxxx encrypted

hostname ABCFW

domain-name ABC

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69


access-list outside_in permit icmp any any time-exceeded

access-list outside_in permit tcp any interface outside eq 3389

access-list outside_in permit icmp any any echo-reply

access-list outside_in permit icmp any any unreachable

access-list outside_in permit icmp any any source-quench

access-list outside_in permit tcp any interface outside eq 1000

access-list outbound permit tcp any any

access-list outbound permit ip any any

pager lines 24

icmp permit any inside

mtu outside 1500

mtu inside 1500

ip address outside 216.x.x.x

ip address inside

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0 0

static (inside,outside) tcp interface 3389 3389 netmask 0 0

static (inside,outside) tcp interface 1000 3389 netmask 0 0

access-group outside_in in interface outside

access-group outbound in interface inside

route outside 216.x.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

ntp server source inside

http server enable

http inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh inside

ssh timeout 5

console timeout 0

username admin password xxxxxxxxxxxxxxxxx encrypted privilege 2

terminal width 90


: end

Any help would be greatly appreciated!


Re: Help with IPSEC tunnel on PIX 501

Hello Mike,

This link shows you the configuration that you need on the PIX to configure the Site-to-Site IPsec tunnel. (it also shows a VPN client configuration).

Let us know if you have any questions.


Cisco Employee

Re: Help with IPSEC tunnel on PIX 501

Ensure your pix501 has the 3des license. You can check this with show version.

Here is what you need to add on the vendor firewall:


sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
! Complete the ip address below for facility FW
crypto map newmap 10 set peer 199.x.x.x
crypto map newmap 10 set transform-set myset

isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2

! Crypto ACL: source = vendor private network and mask, destination = facility network and mask
! (170.x.x.x/25 is netmask 255.255.255.128); the facility's crypto ACL must be the mirror image
access-list 110 permit ip 170.x.x.x

nat (inside) 0 access-list 110

! Complete the ip address below for facility FW
isakmp key TBD address 199.x.x.x
! Where TBD is whatever key matches with the facility FW

! Apply this configuration below last
! if you run into problems
! just reissue the two commands below with "no" in front of them
! to disable the vpn configuration

crypto map newmap interface outside
isakmp enable outside


Then of course the Facility firewall will need to have the mirrored configuration on their end for the vpn to work.
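The Phase 1 and Phase 2 parameters in the config above have to agree with the sheet the facility sent in the original post, and the two crypto ACLs have to mirror each other, or the tunnel will fail to negotiate. The script below is an added example for this thread, not Cisco's code or anything from the PIX itself: it parses the relevant PIX 6.3 commands out of a config dump and reports anything that does not match the facility's sheet. The two config samples are constructed for the example; the vendor private network 10.0.0.0/24 is an assumed placeholder (the original post left that field blank), and the 199.x.x.x / 170.x.x.x placeholders are kept from the thread. The PIX defaults it falls back on when a lifetime command is absent (86400 s for ISAKMP, 28800 s for the IPsec SA) already equal the sheet's values, which is why the answer above does not need to set them.

```python
"""Check a PIX 6.3 site-to-site IPsec config against a peer's parameter sheet.

Added example for this thread; not Cisco's code. The config text below is
constructed, and 10.0.0.0/24 is an assumed vendor private network.
"""
import re

# Facility parameter sheet from the original post, as a dict (field names are mine).
FACILITY_SPEC = {
    "phase1": {"authentication": "pre-share", "encryption": "3des",
               "hash": "sha", "group": "2", "lifetime": 86400},
    "phase2": {"transforms": {"esp-3des", "esp-sha-hmac"},
               "lifetime": 28800, "pfs": False},
}

# PIX 6.3 values that apply when the lifetime command is absent from the config.
DEFAULT_ISAKMP_LIFETIME = 86400
DEFAULT_IPSEC_SA_LIFETIME = 28800


def parse_pix_vpn(config_text):
    """Pull ISAKMP policies, transform sets, crypto map entries and
    'permit ip' ACL lines out of PIX 6.3 running-config text."""
    cfg = {"policies": {}, "transform_sets": {}, "maps": {}, "acls": {},
           "sa_lifetime": DEFAULT_IPSEC_SA_LIFETIME}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"isakmp policy (\d+) (\S+) (\S+)$", line):
            cfg["policies"].setdefault(m[1], {})[m[2]] = m[3]
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            cfg["transform_sets"][m[1]] = set(m[2].split())
        elif m := re.match(r"crypto ipsec security-association lifetime seconds (\d+)$", line):
            cfg["sa_lifetime"] = int(m[1])
        elif m := re.match(r"crypto map (\S+) (\d+) (set \S+|match address)(?: (.*))?$", line):
            cfg["maps"].setdefault((m[1], m[2]), {})[m[3]] = (m[4] or "").strip()
        elif m := re.match(r"access-list (\S+) permit ip (.*)$", line):
            cfg["acls"].setdefault(m[1], []).append(m[2].split())
    return cfg


def check_against_spec(config_text, spec=FACILITY_SPEC):
    """Return a list of mismatch strings; empty means the proposals line up."""
    cfg = parse_pix_vpn(config_text)
    problems = []

    # Phase 1: at least one isakmp policy must offer exactly the peer's proposal.
    p1 = spec["phase1"]
    wanted = {k: v for k, v in p1.items() if k != "lifetime"}
    matching = [n for n, pol in cfg["policies"].items()
                if all(pol.get(k) == v for k, v in wanted.items())]
    if not matching:
        problems.append("phase1: no isakmp policy offers "
                        + " ".join(f"{k}={v}" for k, v in wanted.items()))
    else:
        life = int(cfg["policies"][matching[0]].get("lifetime", DEFAULT_ISAKMP_LIFETIME))
        if life != p1["lifetime"]:
            problems.append(f"phase1: isakmp policy {matching[0]} lifetime {life} != "
                            f"{p1['lifetime']} (peers settle on the lower value; align it anyway)")

    # Phase 2: transform set, PFS, SA lifetime, peer and crypto ACL per crypto map entry.
    p2 = spec["phase2"]
    if cfg["sa_lifetime"] != p2["lifetime"]:
        problems.append(f"phase2: ipsec SA lifetime {cfg['sa_lifetime']} != {p2['lifetime']}")
    for (name, seq), entry in cfg["maps"].items():
        tag = f"crypto map {name} {seq}"
        ts = cfg["transform_sets"].get(entry.get("set transform-set"))
        if ts is None:
            problems.append(f"{tag}: transform-set '{entry.get('set transform-set')}' not defined")
        elif ts != p2["transforms"]:
            problems.append(f"{tag}: transform-set offers {sorted(ts)}, peer wants {sorted(p2['transforms'])}")
        if ("set pfs" in entry) != p2["pfs"]:
            problems.append(f"{tag}: PFS is {'on' if 'set pfs' in entry else 'off'}, "
                            f"peer has PFS {'on' if p2['pfs'] else 'off'}")
        if "set peer" not in entry:
            problems.append(f"{tag}: no peer address set")
        acl = cfg["acls"].get(entry.get("match address"))
        if not acl:
            problems.append(f"{tag}: crypto ACL '{entry.get('match address')}' missing or has no 'permit ip' lines")
        else:
            for fields in acl:  # expect: src src-mask dst dst-mask
                if len(fields) != 4:
                    problems.append(f"{tag}: crypto ACL line 'permit ip {' '.join(fields)}' "
                                    "lacks source/destination masks")
    return problems


# Constructed sample: the answer's commands with a complete crypto ACL.
GOOD_CONFIG = """
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer 199.x.x.x
crypto map newmap 10 set transform-set myset
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
access-list 110 permit ip 10.0.0.0 255.255.255.0 170.x.x.x 255.255.255.128
nat (inside) 0 access-list 110
crypto map newmap interface outside
isakmp enable outside
"""

# Constructed sample with three typical mistakes: wrong hash, PFS on, ACL without masks.
BAD_CONFIG = """
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer 199.x.x.x
crypto map newmap 10 set transform-set myset
crypto map newmap 10 set pfs group2
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
access-list 110 permit ip 170.x.x.x
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_against_spec(text) or "OK")
```

One caveat the checker cannot settle for you: the facility's sheet says NAT is done on the vendor side and leaves the translated source blank, while the answer above uses `nat (inside) 0 access-list 110`, which exempts the vendor's private addresses from NAT. Confirm with the facility which source addresses their crypto ACL expects; if their side lists a translated address and yours sends the private network, Phase 2 fails on a proxy identity mismatch even though every parameter the script checks is correct.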


New Member

Re: Help with IPSEC tunnel on PIX 501

Thank you for taking the time to review my config. I will definitely try what you have suggested and report back with score (probably next week). Thanks again!