
New Member

PIX 501 to Cisco router 3640 VPN

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

I have a PIX 501 and a Cisco 3640 router. The 3640 is configured with a dynamic map for VPN. The PIX 501 is configured with a static map pointing to the 3640 router. I can establish a tunnel from the PIX to the router and telnet into an AIX machine on the inside network of the router. When I try to print back to the inside network of the PIX 501 it fails.

What am I missing? I have added the configuration for both the PIX and the router.

Here is the PIX config:

PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxx encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxx
: end

Here is the router config:

router#sh runn
Building configuration...

Current configuration : 6500 bytes
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname router
!
boot system flash slot1:c3640-ik9o3s-mz.122-16.bin
logging queue-limit 100
enable password xxxxxxxxxxxxxxxxx
!
clock timezone Central -6
clock summer-time CENTRAL recurring
ip subnet-zero
no ip source-route
!
!
no ip domain-lookup
!
no ip bootp server
ip inspect name Internet smtp
ip inspect name Internet ftp
ip inspect name Internet tftp
ip inspect name Internet udp
ip inspect name Internet tcp
ip inspect name DMZ smtp
ip inspect name DMZ ftp
ip inspect name DMZ tftp
ip inspect name DMZ udp
ip inspect name DMZ tcp
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxxx address x.x.180.133
crypto isakmp key xxxxxxxxxxx address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac
crypto ipsec transform-set PIXRMT esp-3des esp-sha-hmac
!
crypto dynamic-map dny-isc 25
 set transform-set PIXRMT
 match address PIX1-static
!
!
crypto map static-map 10 ipsec-isakmp
 set peer x.x.180.133
 set transform-set vpn-test
 match address hunt-static
!
crypto map ISCMAP 15 ipsec-isakmp dynamic dny-isc
!
call rsvp-sync
!
!
!
controller T1 0/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-12 speed 64
 description Controller for frame-relay to remote sites
!
controller T1 0/1
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24 speed 64
 description Controller for SBIS internet link
!
interface Serial0/0:0
 description CKT ID 14.HXGK.785129 Frame Relay to Remote Sites
 bandwidth 768
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation frame-relay
 frame-relay lmi-type ansi
!
interface Serial0/0:0.17 point-to-point
 description Frame Relay to xxxxxxxxxxx Location
 ip unnumbered Ethernet1/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no arp frame-relay
 frame-relay interface-dlci 17
!
interface Serial0/0:0.18 point-to-point
 description Frame Relay to xxxxxxxxxxx Location
 ip unnumbered Ethernet1/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no arp frame-relay
 frame-relay interface-dlci 18
!
interface Serial0/0:0.19 point-to-point
 description Frame Relay to xxxxxxxxxxx Location
 ip unnumbered Ethernet1/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no arp frame-relay
 frame-relay interface-dlci 19
!
interface Serial0/0:0.20 point-to-point
 description Frame Relay to xxxxxxxxxxxxx Location
 ip unnumbered Ethernet1/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no arp frame-relay
 frame-relay interface-dlci 20
!
interface Serial0/0:0.21 point-to-point
 description Frame Relay to xxxxxxxxxxxx
 ip unnumbered Ethernet1/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no arp frame-relay
 frame-relay interface-dlci 21
!
interface Serial0/0:0.101 point-to-point
 description Frame Relay to xxxxxxxxxxx
 ip unnumbered Ethernet1/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no arp frame-relay
 frame-relay interface-dlci 101
!
interface Serial0/1:0
 description CKT ID 14.HCGS.785383 T1 to SBIS
 bandwidth 1536
 ip address x.x.76.14 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect Internet out
 no ip route-cache
 crypto map ISCMAP
!
interface Ethernet1/0
 ip address 10.1.1.1 255.255.0.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 half-duplex
!
interface Ethernet2/0
 ip address 10.100.1.1 255.255.0.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 half-duplex
!
router rip
 network 10.0.0.0
 network 192.168.1.0
!
ip nat inside source list 112 interface Serial0/1:0 overload
ip nat inside source static tcp 10.1.3.4 443 209.184.71.138 443 extendable
ip nat inside source static tcp 10.1.3.4 9869 209.184.71.138 9869 extendable
ip nat inside source static 10.1.3.2 209.184.71.140
ip nat inside source static 10.1.3.6 209.184.71.139
ip nat inside source static 10.1.3.8 209.184.71.136
ip nat inside source static tcp 10.1.3.10 80 209.184.71.137 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.76.13
ip route 10.2.0.0 255.255.0.0 Serial0/0:0.19
ip route 10.3.0.0 255.255.0.0 Serial0/0:0.18
ip route 10.4.0.0 255.255.0.0 Serial0/0:0.17
ip route 10.5.0.0 255.255.0.0 Serial0/0:0.20
ip route 10.6.0.0 255.255.0.0 Serial0/0:0.21
ip route 10.7.0.0 255.255.0.0 Serial0/0:0.101
no ip http server
!
!
ip access-list extended PIX1-static
 permit ip 10.1.0.0 0.0.255.255 192.168.1.0 0.0.0.255
ip access-list extended hunt-static
 permit ip 10.1.0.0 0.0.255.255 192.168.1.0 0.0.0.255
ip access-list extended vpn-static
 permit ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.255.255
 permit ip 192.0.0.0 0.255.255.255 10.1.0.0 0.0.255.255
access-list 1 deny 10.0.0.0 0.255.255.255
access-list 1 permit any
access-list 12 deny 10.1.3.2
access-list 12 permit 10.1.0.0 0.0.255.255
access-list 12 permit 10.2.0.0 0.0.255.255
access-list 12 permit 10.3.0.0 0.0.255.255
access-list 12 permit 10.4.0.0 0.0.255.255
access-list 12 permit 10.5.0.0 0.0.255.255
access-list 12 permit 10.6.0.0 0.0.255.255
access-list 12 permit 10.7.0.0 0.0.255.255
access-list 112 deny ip host 10.1.3.2 any
access-list 112 deny ip 10.1.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 112 permit ip 10.1.0.0 0.0.255.255 any
access-list 112 permit ip 10.2.0.0 0.0.255.255 any
access-list 112 permit ip 10.3.0.0 0.0.255.255 any
access-list 112 permit ip 10.4.0.0 0.0.255.255 any
access-list 112 permit ip 10.5.0.0 0.0.255.255 any
access-list 112 permit ip 10.6.0.0 0.0.255.255 any
access-list 112 permit ip 10.7.0.0 0.0.255.255 any
access-list 120 permit ip host 10.100.1.10 host 10.1.3.7
no cdp run
!
dial-peer cor custom
!
!
!
!
banner login ^CCC
******************************************************************
WARNING - Unauthorized USE strictly FORBIDDEN !!!!
******************************************************************
^C
!
line con 0
line aux 0
 password xxxxxxxxxxxx
 login local
 modem InOut
 stopbits 1
 flowcontrol hardware
line vty 0 4
 exec-timeout 15 0
 password xxxxxxxxxxxxxx
 login
!
end
router#


4 REPLIES
Cisco Employee

Re: PIX 501 to Cisco router 3640 VPN

Errr, the PIX doesn't have any VPN/crypto configuration in it at all. Are you sure you're connecting via a VPN to this host? Are you connecting to the 10.x.x.x address of the AIX host, or to a 209.184 address? If the former, then the PIX config you posted must be wrong; if the latter, then you're not using a VPN at all, and rather you're just connecting to the NAT'd address of the AIX host and all your traffic is in the clear.

Please verify what's going on and then get back to us. If there's no VPN on the PIX then the traffic that's originated from the AIX host is not going to get through, hence that's why you can't print back from the AIX machine to your host (presumably).

New Member

Re: PIX 501 to Cisco router 3640 VPN

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

My error, I copied the wrong PIX config. Here is the current config:

wr term
Building configuration...
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxx encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_outside permit icmp any any echo-reply
access-list acl_outside permit icmp any any time-exceeded
access-list acl_outside permit icmp any any unreachable
access-list acl_outside permit tcp any any eq pop3
access-list 110 permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 115 permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 112 deny ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 112 permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 115
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_outside in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
crypto ipsec transform-set xxxxxxxxxx esp-3des esp-sha-hmac
crypto map static-map 10 ipsec-isakmp
crypto map static-map 10 match address 110
crypto map static-map 10 set peer 151.164.76.14
crypto map static-map 10 set transform-set xxxxxxxxxxxxx
crypto map static-map interface outside
isakmp enable outside
isakmp key ******** address x.x.76.14 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxx
: end
[OK]
pixfirewall#

I am accessing the AIX through the 10.1.x.x address.

I can ping machines on the inside of the router using 10.1.x.x addresses and get a reply, but I cannot ping from machines on the 10.1.x.x network to the 192.168.1.x network (inside the PIX). I need to be able to print from the AIX machine to a printer set up with an IP address.

Thanks

Craig

Cisco Employee (accepted solution)

Re: PIX 501 to Cisco router 3640 VPN

Add the following to the PIX:

> sysopt connection permit-ipsec

This will tell the PIX to bypass all the ACLs for IPsec traffic. At the moment your IPsec traffic is still subject to the standard PIX rules, so inside-initiated traffic is allowed to come back in, but outside-initiated traffic is not.
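To make the trade-off in that answer concrete, here is an added example (not from the thread, nor Cisco code) that models how the PIX's outside-interface ACL and `sysopt connection permit-ipsec` decide the fate of the print job. It assumes a constructed printer address 192.168.1.50 and a constructed source host 10.1.3.4 on the router side, and it only models `ip` ACL entries in PIX "address netmask" notation.

```python
import ipaddress

# Constructed model (not PIX code) of how a PIX 6.x outside-interface ACL and
# "sysopt connection permit-ipsec" decide whether an outside-initiated flow
# that arrived through an IPsec tunnel is allowed in. PIX ACL entries use
# "address netmask" notation, unlike IOS wildcard masks. Only "ip" entries are
# modelled; icmp/tcp entries are skipped, which is fine for the print flow.

def _net(tokens):
    """Consume one PIX address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_pix_ip_entry(line):
    """Parse 'access-list NAME permit|deny ip SRC DST'; None for other protocols."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
        return None
    rest = tok[4:]
    src = _net(rest)
    dst = _net(rest)
    return tok[1], tok[2], src, dst

def outside_permits(acl_lines, src_ip, dst_ip, via_ipsec, permit_ipsec_sysopt):
    """True if the flow passes the outside-interface policy."""
    if via_ipsec and permit_ipsec_sysopt:
        return True  # decrypted tunnel traffic skips the interface ACL entirely
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        entry = parse_pix_ip_entry(line)
        if entry and s in entry[2] and d in entry[3]:
            return entry[1] == "permit"
    return False  # implicit deny at the end of every PIX ACL

# Constructed copy of the relevant acl_outside lines: only ICMP replies and POP3.
ACL_AS_POSTED = [
    "access-list acl_outside permit icmp any any echo-reply",
    "access-list acl_outside permit tcp any any eq pop3",
]
# Narrower alternative to the sysopt: permit exactly the tunnel's subnets.
ACL_EXPLICIT = ACL_AS_POSTED + [
    "access-list acl_outside permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0",
]

def print_job_reaches_printer(acl, sysopt, src="10.1.3.4", printer="192.168.1.50"):
    """Router-side host printing through the tunnel to a PIX-side printer (constructed addresses)."""
    return outside_permits(acl, src, printer, via_ipsec=True, permit_ipsec_sysopt=sysopt)
```

With the sysopt, any decrypted flow is admitted regardless of source, so the peer's crypto ACL becomes the only filter; the explicit `permit ip` entry keeps `acl_outside` in the path and admits only 10.1.0.0/16 to 192.168.1.0/24.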

New Member

Re: PIX 501 to Cisco router 3640 VPN

Thank you that worked.

Craig Rowen
