PIX 501 to 3030 for ftp purposes

sanchezej (Level 1)

I'm having issues connecting my PIX 501 through another company's 3030 to reach their FTP server. The specifics are:

remote company outside (peer IP address): 192.x.3.10
local host: 164.72.181.24

ipsec settings:
3des
group 2
esp
sha1-hmac
IPSEC SA Forced key exp 28800 secs 28800 secs

ike settings:
pre-shared secret
3des
sha1-hmac
group 2
Perfect Forward Secrecy

My config at this time:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxx
hostname testpix
domain-name mydomain.com
names
access-list inside_outbound_nat0_acl permit ip 172.29.30.0 255.255.255.0 host 164.72.181.24
access-list outside_cryptomap_20 permit ip 172.29.30.0 255.255.255.0 host 164.72.181.24
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 199.253.x.x.255.252.0
ip address inside 172.29.x.x.255.255.0
pdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 199.253.202.1 1
http server enable
http 172.29.30.251 255.255.255.255 inside
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer 192.254.3.10
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp enable inside
isakmp key ******** address 192.254.3.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

What am I doing wrong? All I want is my host 172.29.30.251 to ping their host 164.72.181.24
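As an added example (not part of the post and not Cisco tooling), the Python script below reads the crypto-relevant lines of the posted PIX 6.3 configuration and checks them against the IKE and IPsec parameters the remote company listed: peer address, pre-shared key binding, phase 1 policy, transform set, PFS group, and whether the crypto ACL's traffic is also exempted from NAT by the `nat 0` ACL. The `PIX_CONFIG` text is copied from the post with its masking left as is, the `PEER` dictionary is built from the settings the poster was given, and the ACL comparison is a simple line-for-line match (an assumption that holds for this config but would need a real ACL parser for overlapping ranges).

```python
"""Check a PIX 6.3 crypto configuration against a peer's documented IKE/IPsec parameters.
Added example, not Cisco tooling. Config lines are copied from the forum post."""

# Constructed from the post: only the lines that matter for the tunnel.
PIX_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip 172.29.30.0 255.255.255.0 host 164.72.181.24
access-list outside_cryptomap_20 permit ip 172.29.30.0 255.255.255.0 host 164.72.181.24
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer 192.254.3.10
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 192.254.3.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
"""

# What the remote 3030 administrator said they expect (taken from the post).
PEER = {
    "peer": "192.254.3.10",
    "ike": {"authentication": "pre-share", "encryption": "3des", "hash": "sha",
            "group": "2", "lifetime": "28800"},
    "ipsec": {"transform": ("esp-3des", "esp-sha-hmac"), "pfs": "group2"},
}


def parse_pix(text):
    """Collect isakmp policies, transform sets, crypto map entries, ACLs, key bindings and nat 0."""
    cfg = {"policies": {}, "transform_sets": {}, "crypto_maps": {}, "acls": {},
           "isakmp_keys": set(), "nat0_acl": None}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[:2] == ["isakmp", "policy"]:            # isakmp policy <n> <attr> <value>
            cfg["policies"].setdefault(parts[2], {})[parts[3]] = " ".join(parts[4:])
        elif parts[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"][parts[3]] = tuple(parts[4:])
        elif parts[:2] == ["crypto", "map"] and len(parts) > 4 and parts[3].isdigit():
            entry = cfg["crypto_maps"].setdefault((parts[2], parts[3]), {})
            if parts[4] == "match":                       # match address <acl>
                entry["acl"] = parts[6]
            elif parts[4] == "set":                       # set peer|pfs|transform-set <value>
                entry[parts[5]] = " ".join(parts[6:])
        elif parts[0] == "access-list":
            cfg["acls"].setdefault(parts[1], []).append(" ".join(parts[2:]))
        elif parts[:2] == ["isakmp", "key"]:              # isakmp key <secret> address <ip> ...
            cfg["isakmp_keys"].add(parts[4])
        elif parts[:3] == ["nat", "(inside)", "0"] and parts[3] == "access-list":
            cfg["nat0_acl"] = parts[4]
    return cfg


def check(cfg, peer):
    """Return a list of mismatches between the config and the peer's parameters (empty = consistent)."""
    findings = []
    entries = [e for e in cfg["crypto_maps"].values() if e.get("peer") == peer["peer"]]
    if not entries:
        return ["no crypto map entry sets peer %s" % peer["peer"]]
    entry = entries[0]
    if peer["peer"] not in cfg["isakmp_keys"]:
        findings.append("no isakmp key bound to %s" % peer["peer"])
    ts_name = entry.get("transform-set")
    if cfg["transform_sets"].get(ts_name) != peer["ipsec"]["transform"]:
        findings.append("transform-set %s does not match peer proposal" % ts_name)
    if entry.get("pfs") != peer["ipsec"]["pfs"]:
        findings.append("pfs is %s, peer expects %s" % (entry.get("pfs"), peer["ipsec"]["pfs"]))
    if not any(p == peer["ike"] for p in cfg["policies"].values()):
        findings.append("no isakmp policy matches the peer's IKE parameters")
    acl = entry.get("acl")
    if acl not in cfg["acls"]:
        findings.append("crypto map references missing ACL %s" % acl)
    elif cfg["nat0_acl"] not in cfg["acls"] or \
            set(cfg["acls"][acl]) - set(cfg["acls"][cfg["nat0_acl"]]):
        findings.append("traffic in %s is not exempt from NAT (nat 0)" % acl)
    return findings


if __name__ == "__main__":
    print(check(parse_pix(PIX_CONFIG), PEER) or "config consistent with peer parameters")
```

For this config the check comes back clean, which is the same conclusion the reply reaches by eye; the value of the script is in re-running it after every edit, or against a different peer's parameters, so that a phase 1 or phase 2 mismatch is spotted before touching the box.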

1 Reply

grant.maynard (Level 4)

At a quick glance your config looks ok. Traffic from your site on 172.29.30.x is not NATed over the VPN, so the remote end must have filters (rules) to allow it, and must have routes to it via the 3030.

Does the VPN come up? ("show cry is sa", "show cry ips sa") Do you see packets encrypted but not decrypted?
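The reply asks two questions: whether phase 1 comes up (`show crypto isakmp sa`) and whether the IPsec counters show packets encrypted but never decrypted (`show crypto ipsec sa`). As an added example (not part of the reply and not Cisco tooling), the Python below parses the two outputs and turns them into a single verdict. Both command outputs are constructed to match the format of those PIX 6.3 commands and use the addresses from the thread, with the outside address left masked as `199.253.x.x`; the constructed IPsec counters show the one-way pattern the reply describes.

```python
"""Triage 'show crypto isakmp sa' and 'show crypto ipsec sa' output from a PIX 6.3.
Added example, not Cisco tooling; sample outputs below are constructed."""
import re

# Constructed 'show crypto isakmp sa' output: phase 1 with the peer is up (QM_IDLE).
ISAKMP_SA = """\
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
   192.254.3.10     199.253.x.x    QM_IDLE         0           1
"""

# Constructed 'show crypto ipsec sa' excerpt: packets leave (encaps) but none
# come back (decaps), the symptom the reply asks about.
IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, local addr. 199.253.x.x

   local  ident (addr/mask/prot/port): (172.29.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (164.72.181.24/255.255.255.255/0/0)
   current_peer: 192.254.3.10:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 25, #pkts encrypt: 25, #pkts digest 25
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
"""

# Only QM_IDLE means phase 1 completed; the others are still negotiating or retrying.
ISAKMP_STATES = {"MM_NO_STATE", "MM_SA_SETUP", "MM_KEY_EXCH", "MM_KEY_AUTH",
                 "AG_NO_STATE", "AG_INIT_EXCH", "AG_AUTH", "QM_IDLE"}


def isakmp_state(text, peer):
    """Return the IKE state of the SA with `peer`, or None if there is none."""
    for line in text.splitlines():
        fields = line.split()
        if peer in fields:
            for f in fields:
                if f in ISAKMP_STATES:
                    return f
    return None


IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)")
PEER_RE = re.compile(r"current_peer: ([\d.]+)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_ipsec_sa(text):
    """One dict per SA block; a block starts at its 'local ident' line."""
    sas, cur = [], None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m and m.group(1) == "local":
            cur = {"local": f"{m.group(2)}/{m.group(3)}", "encaps": 0, "decaps": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue
        if m:                                   # remote ident line
            cur["remote"] = f"{m.group(2)}/{m.group(3)}"
        elif (p := PEER_RE.search(line)):
            cur["peer"] = p.group(1)            # strip the :500 port suffix
        else:
            for name, value in COUNTER_RE.findall(line):
                cur[name] = int(value)
    return sas


def diagnose(sa):
    """Read the encaps/decaps counters the way the reply suggests."""
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "idle"                 # nothing has matched the crypto ACL yet
    if sa["decaps"] == 0:
        return "one-way-outbound"     # we encrypt, peer never answers: check remote filters/routes
    if sa["encaps"] == 0:
        return "one-way-inbound"      # peer sends, we never answer: check local routes/ACL
    return "bidirectional"


def triage(isakmp_text, ipsec_text, peer):
    """Combine phase 1 state and phase 2 counters into one verdict for `peer`."""
    state = isakmp_state(isakmp_text, peer)
    if state != "QM_IDLE":
        return f"phase1:{state or 'no-sa'}"
    verdicts = [f"{sa['local']}->{sa['remote']}:{diagnose(sa)}"
                for sa in parse_ipsec_sa(ipsec_text) if sa.get("peer") == peer]
    return "; ".join(verdicts) or "phase1 up but no IPsec SA for this peer"


if __name__ == "__main__":
    print(triage(ISAKMP_SA, IPSEC_SA, "192.254.3.10"))
```

With the constructed output the verdict is `one-way-outbound`: phase 1 is fine and the PIX is encrypting, so the problem is on the far side (no return route or filter for 172.29.30.0/24 via the 3030), which is exactly what the reply points at. A `phase1:` verdict instead would send you back to the isakmp policy and pre-shared key.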
