Cisco Support Community
Community Member

2600 - PIX 515 VPN: need help

Hello. I'm trying to configure a site-to-site VPN using a 2611 and a PIX 515UR. I have the PIX working fine and people using the Cisco VPN client can connect and access the internal network.

However, I cannot get a 2611 to work. I need the 2611 to do FW/NAT as well as the VPN tunnel. Is this possible? Does anyone have a sample config?

I've looked through all the documentation online and most of it covers 2600-2600 or PIX-PIX VPNs.

2 REPLIES
Cisco Employee

Re: 2600 - PIX 515 VPN: need help

This is possible.

There is no exact example of what you are looking for, but you just need to consider the following samples:

router and PIX IPsec

http://www.cisco.com/warp/customer/110/39.html

router with firewall and NAT

http://www.cisco.com/warp/customer/793/ios_fw/cbac4.html

Make sure that on the access-list for the firewall, you permit udp 500 (isakmp) and tcp 50 (esp).

Regards,
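The two linked samples cover the pieces separately; the IOS fragment below is an added example (not from the reply above or from the linked Cisco documents) that puts them together on one 2600 outside interface: a CBAC inspection rule, an inbound firewall ACL, NAT with a route-map that exempts tunnel traffic, and the crypto map. Names M1, TS1, access lists 120 and 130, route-map nonat, the addresses and the peer 11.0.0.1 follow the configuration the asker posts later in this thread; the inbound ACL number 111 and the inspection rule name FW are assumed names of my own. One detail worth spelling out for the firewall ACL: IKE is UDP port 500, but ESP is IP protocol 50 and AH is IP protocol 51, so the ACL matches them with `permit esp` and `permit ahp` rather than with a TCP port. On 12.2-era IOS the packet that comes out of the tunnel is checked against the inbound ACL a second time in cleartext, so the remote LAN's traffic toward the local LAN has to be permitted there as well.

```cisco
! --- IOS 2600: firewall (CBAC) + NAT + IPsec on one outside interface ---
! Added example. M1, TS1, 120, 130, nonat, 11.0.0.1 match the asker's
! posted config; ACL 111 and inspection rule FW are assumed names.
!
! Phase 1 / Phase 2 settings the PIX peer must mirror exactly
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key PASSWORD address 11.0.0.1
crypto ipsec transform-set TS1 esp-3des esp-md5-hmac
crypto map M1 1 ipsec-isakmp
 set peer 11.0.0.1
 set transform-set TS1
 match address 120
!
! Interesting traffic for the tunnel (the PIX crypto ACL is its mirror image)
access-list 120 permit ip 192.168.80.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! NAT exemption: tunnel traffic must keep its private source address, so the
! route-map's match ACL denies it (deny in a match ACL = clause does not match)
access-list 130 deny   ip 192.168.80.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 130 permit ip 192.168.80.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 130
ip nat inside source route-map nonat interface Ethernet0/1 overload
!
! Stateful inspection for sessions opened from inside; their return traffic
! is admitted by the dynamic CBAC entries, not by static lines in ACL 111.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp
!
! Inbound firewall ACL on the outside interface. IKE is UDP/500; ESP and AH
! are IP protocols 50 and 51 (there is no "tcp 50"), so match by protocol,
! and only from the known peer.
access-list 111 permit udp host 11.0.0.1 host 10.0.0.1 eq isakmp
access-list 111 permit esp host 11.0.0.1 host 10.0.0.1
access-list 111 permit ahp host 11.0.0.1 host 10.0.0.1
! 12.2-era IOS re-evaluates the decrypted packet against this ACL, so the
! remote LAN's cleartext traffic to the local LAN must be permitted too.
access-list 111 permit ip 192.168.2.0 0.0.0.255 192.168.80.0 0.0.0.255
! Anything not inspected and not listed above is dropped and logged.
access-list 111 deny   ip any any log
!
interface Ethernet0/0
 description Internal Interface
 ip address 192.168.80.250 255.255.255.0
 ip nat inside
!
interface Ethernet0/1
 description External Interface
 ip address 10.0.0.1 255.0.0.0
 ip nat outside
 ip access-group 111 in
 ip inspect FW out
 crypto map M1
```

The order of operations on the outside interface is what makes the three features coexist: outbound packets are NAT-checked first (and left untouched by the nonat route-map when they match ACL 130's deny line), then matched against crypto ACL 120 and encrypted; inbound ESP is admitted by ACL 111, decrypted, and the cleartext is checked against ACL 111 again before CBAC sees it.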

Community Member

Re: 2600 - PIX 515 VPN: need help

Hello. Thank you for the link. I have looked over the documentation thoroughly and I still can't get this thing to work. Below is my config for the 2600 (10.0.0.1) and the PIX (11.0.0.1). I did "sanitize" before posting, so there might be some syntax errors.

Basically, nothing works. I try resetting the ipsec sa (clear crypto sa, etc.) and isakmp sa, but nothing happens. I've also turned on packet debugging on the PIX and I don't see anything come through.

2600 config:

------------------------------------
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname myrouter
!
boot system flash flash:c2600-jk9o3s-mz.122-10b.bin
no logging console
!
memory-size iomem 15
ip subnet-zero
!
no ip domain-lookup
ip dhcp excluded-address 192.168.80.1 192.168.80.50
ip dhcp excluded-address 192.168.80.200 192.168.80.254
!
ip dhcp pool mydhcppool
 network 192.168.80.0 255.255.255.0
 default-router 192.168.80.250
 domain-name mydomain.com
 dns-server 12.12.12.12 12.12.12.12
 lease infinite
!
ip multicast-routing
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 lifetime 1000
crypto isakmp key PASSWORD address 11.0.0.1
!
crypto ipsec transform-set TS1 ah-md5-hmac esp-3des esp-md5-hmac
!
crypto map M1 1 ipsec-isakmp
 set peer 11.0.0.1
 set transform-set TS1
 match address 120
!
call rsvp-sync
!
interface Ethernet0/0
 description Internal Interface
 ip address 192.168.80.250 255.255.255.0
 ip nat inside
 half-duplex
 ntp broadcast
 no mop enabled
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 no ip mroute-cache
 shutdown
 no fair-queue
 service-module t1 timeslots 1-4
!
interface Ethernet0/1
 description External Interface
 ip address 10.0.0.1 255.0.0.0
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 half-duplex
 no mop enabled
 crypto map M1
!
router rip
 version 2
 passive-interface Ethernet0/1
 network 192.168.80.0
 no auto-summary
!
ip nat pool natpool 10.0.0.1 10.0.0.1 netmask 255.0.0.0
ip nat inside source route-map nonat pool natpool overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.254
no ip http server
ip pim bidir-enable
!
access-list 120 permit ip 192.168.80.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 130 deny ip 192.168.80.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 130 permit ip 192.168.80.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
route-map nonat permit 10
 match ip address 130
!
snmp-server community public RO
snmp-server enable traps tty
!
dial-peer cor custom
!
end

PIX config:

----------------------------------
: Saved
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname myfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_in permit icmp any any
access-list acl_in permit tcp any any eq www
access-list acl_in permit udp any any eq domain
access-list acl_in permit tcp any any eq domain
access-list acl_in permit tcp any any eq ftp-data
access-list acl_in permit tcp any any eq ftp
access-list acl_in permit tcp any any eq 8080
access-list acl_in permit tcp any any eq 3306
access-list acl_in permit tcp any any eq 4040
access-list acl_in permit tcp any any eq 5800
access-list acl_in permit tcp any any eq https
access-list acl_in permit tcp any any eq ssh
access-list acl_in permit tcp any any eq pop3
access-list acl_in permit tcp any any eq imap4
access-list acl_in permit tcp any any eq 8000
access-list acl_in permit tcp any any eq 5900
access-list acl_in permit tcp any any eq telnet
access-list acl_in permit tcp any any eq 85
access-list acl_in permit tcp any any eq 8880
access-list acl_in permit tcp any any eq nntp
access-list acl_in permit tcp any any eq 61505
access-list acl_in permit tcp any any eq 5908
access-list acl_in permit tcp any any eq 2401
access-list acl_in permit udp any any eq 2401
access-list acl_in permit udp any any eq 873
access-list acl_in permit tcp any any eq 873
access-list acl_in permit udp any any eq ntp
access-list acl_in permit tcp any any eq 8013
access-list acl_in permit tcp any any eq 8008
access-list acl_in permit tcp any any eq 8181
access-list acl_in permit tcp any any eq 11371
access-list acl_in permit ip 192.168.0.0 255.255.0.0 192.168.80.0 255.255.255.0
access-list acl_in permit ip any host 10.0.0.1
access-list acl_out permit icmp any any
access-list acl_out permit ip 192.168.80.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list acl_vpn permit ip 192.168.0.0 255.255.0.0 192.168.80.0 255.255.255.0
access-list ipsec permit ip 192.168.0.0 255.255.0.0 192.168.80.0 255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 11.0.0.1 255.0.0.0
ip address inside 192.168.2.200 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location 192.168.2.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 11.0.0.2-11.0.0.5
global (outside) 1 11.0.0.1
nat (inside) 0 access-list acl_vpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 11.0.0.254 1
route inside 192.168.0.0 255.255.0.0 192.168.2.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set TS1 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map M2 20 ipsec-isakmp
crypto map M2 20 match address ipsec
crypto map M2 20 set peer 10.0.0.1
crypto map M2 20 set transform-set TS1
crypto map M2 interface outside
isakmp enable outside
isakmp key PASSWORD address 10.0.0.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 15
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 15
vpdn enable outside
terminal width 80
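A PIX debug that shows nothing at all suggests no IKE packet ever reached 11.0.0.1, which points at the router side (interesting traffic not reaching crypto map M1, or UDP/500 not leaving Ethernet0/1) rather than at a rejected negotiation. Two further mismatches are visible in the two configurations as posted and would stop Phase 2 even once IKE completes: the router's transform set TS1 includes ah-md5-hmac while the PIX's TS1 is ESP only, and the router's crypto ACL 120 names 192.168.2.0/24 while the PIX's `ipsec` ACL names 192.168.0.0/16, so the two proxy identities are not mirror images, which both platforms require. The fragment below is an added example, not part of the thread; it shows the PIX-side lines aligned with the IOS line each one must agree with, and the commands that confirm each phase. Addresses, peer, key and names are the posted ones; DH `group 2` on both sides is my choice (the posted PIX policy 10 uses group 1 and the posted IOS policy has no group statement, which defaults to group 1, so those two already agree).

```cisco
! --- PIX 515 side, each parameter beside the 2600 line it must match ---
! Added example built from the posted configs; group 2 is an assumed choice.
!
! Phase 1: encryption, hash, authentication method and DH group must agree.
! Lifetimes may differ (the peers settle on the shorter one).
!   IOS:  crypto isakmp policy 10 / encr 3des / hash md5
!         authentication pre-share / group 2
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!   IOS:  crypto isakmp key PASSWORD address 11.0.0.1
isakmp key PASSWORD address 10.0.0.1 netmask 255.255.255.255
!
! Phase 2: the transform set must be identical on both peers. The posted
! IOS set carries ah-md5-hmac that the PIX set does not; drop AH on IOS:
!   IOS:  crypto ipsec transform-set TS1 esp-3des esp-md5-hmac
crypto ipsec transform-set TS1 esp-3des esp-md5-hmac
!
! Crypto ACLs must be exact mirror images. The posted IOS ACL 120 reads
! 192.168.80.0/24 -> 192.168.2.0/24, so the PIX entry is the reverse of that
! single pair, not the 192.168.0.0/16 aggregate:
!   IOS:  access-list 120 permit ip 192.168.80.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list ipsec permit ip 192.168.2.0 255.255.255.0 192.168.80.0 255.255.255.0
!
! NAT exemption (nat 0) for the same flow, and the crypto map bound outside
access-list acl_vpn permit ip 192.168.2.0 255.255.255.0 192.168.80.0 255.255.255.0
nat (inside) 0 access-list acl_vpn
crypto map M2 20 ipsec-isakmp
crypto map M2 20 match address ipsec
crypto map M2 20 set peer 10.0.0.1
crypto map M2 20 set transform-set TS1
crypto map M2 interface outside
!
! Lets decrypted tunnel traffic bypass acl_out (already in the posted
! config); without it acl_out would need explicit entries for the flow.
sysopt connection permit-ipsec
!
! Verification, in the order the tunnel comes up. Send interesting traffic
! first, e.g. ping a 192.168.2.x host from a 192.168.80.x host.
!   2600:  debug crypto isakmp      -> MM_* exchanges start; a Phase 1
!                                      mismatch logs "atts are not acceptable"
!          show crypto isakmp sa    -> 10.0.0.1 <-> 11.0.0.1 in state QM_IDLE
!          show crypto ipsec sa     -> #pkts encaps / #pkts decaps climbing
!          show ip nat translations -> no entry for 192.168.80.x -> 192.168.2.x
!   PIX:   debug crypto isakmp / debug crypto ipsec
!          show isakmp sa           -> state QM_IDLE
!          show crypto ipsec sa     -> #pkts decaps / #pkts encaps climbing
! If "debug crypto isakmp" on the 2600 stays silent while traffic is sent,
! the packets never matched crypto ACL 120 (or left through another path),
! and no amount of PIX-side tuning will help until that is fixed.
```

The alignment matters because IKE and IPsec fail closed on any disagreement: a transform set, proxy identity or DH group that differs on one side produces a rejected proposal, not a weaker tunnel, so the `show` and `debug` output on the initiator is where a silent peer is diagnosed.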
