
PIX 501 to 3030 for ftp purposes

I'm having issues connecting my PIX 501 through another company's 3030 to reach their FTP server. The specifics are:

remote company outside (peer ip adx) 192.x.3.10

local host :

ipsec settings:


group 2



IPSEC SA Forced key exp 28800 secs 28800 secs

ike settings:

pre-shared secret



group 2

Perfect Forward Secrecy

My config at this time:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx

passwd xxx

hostname testpix



access-list inside_outbound_nat0_acl permit ip host

access-list outside_cryptomap_20 permit ip host

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 199.253.x.x.255.252.0

ip address inside 172.29.x.x.255.255.0

pdm history enable

arp timeout 14400

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 0 0 0

route outside 1

http server enable

http inside

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set pfs group2

crypto map outside_map 20 set peer

crypto map outside_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

isakmp enable outside

isakmp enable inside

isakmp key ******** address netmask no-xauth no-con


isakmp identity address

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 28800

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

What am I doing wrong? All I want is my host to ping their host.

Re: PIX 501 to 3030 for ftp purposes

At a quick glance your config looks ok. Traffic from your site on 172.29.30.x is not NATed over the VPN, so the remote end must have filters (rules) to allow it, and must have routes to it via the 3030.

Does the VPN come up? ("show cry is sa", "show cry ips sa") Do you see packets encrypted but not decrypted?
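The check suggested in the reply above ("packets encrypted but not decrypted"), as an added example that is not part of the thread or either poster's own code: a small parser that reads the per-SA counters from `show crypto ipsec sa` output and classifies each SA, going slightly beyond the reply by also reporting the reverse one-way case and idle SAs. The sample output and its addresses are constructed, and `parse_sas` and `diagnose` are hypothetical names.

```python
import re

# Constructed sample in the style of PIX 6.3 "show crypto ipsec sa" output.
# Addresses are placeholders, not values from the thread.
SAMPLE = """\
interface: outside
    Crypto map tag: outside_map, local addr. 198.51.100.2

   local  ident (addr/mask/prot/port): (10.0.0.5/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.9.9.9/255.255.255.255/0/0)
   current_peer: 203.0.113.10:500
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest 12
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
"""

IDENT = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^/]+)/")
COUNT = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_sas(text):
    """Return one dict per SA block: local, remote, encaps, decaps."""
    sas, cur = [], None
    for line in text.splitlines():
        m = IDENT.search(line)
        if m:
            if m.group(1) == "local":  # a "local ident" line starts a new SA block
                cur = {"local": m.group(2), "remote": None, "encaps": 0, "decaps": 0}
                sas.append(cur)
            elif cur is not None:
                cur["remote"] = m.group(2)
            continue
        if cur is not None:
            for name, val in COUNT.findall(line):
                cur[name] = int(val)
    return sas

def diagnose(sa):
    """Classify one SA from its encaps/decaps counters."""
    enc, dec = sa["encaps"], sa["decaps"]
    if enc and not dec:
        return "one-way: encrypted but nothing decrypted; check remote filters and return route"
    if dec and not enc:
        return "one-way: decrypted but nothing encrypted; check local crypto ACL and nat 0"
    if not enc and not dec:
        return "idle: no traffic has matched this SA"
    return "ok: traffic in both directions"

if __name__ == "__main__":
    for sa in parse_sas(SAMPLE):
        print(sa["local"], "->", sa["remote"], ":", diagnose(sa))
```

Run the command again after a fresh ping from the inside host: counters are cumulative, so what matters is which of them moves.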
