Cisco Support Community

PIX 506 to PIX 506 VPN Please help

I have configured my 2 PIXes connected in a LAN environment, but I'm not able to make them connect (although when I'm using PDM, the IKE status was 1). I'm not able to ping the other LAN behind the other PIX. Can anyone help me? Please view my PIX configurations.

PIX 1 (Main)

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxx
passwd xxxxxxx
hostname pixfirewallHQ
domain-name tampoiciscopix.com
clock timezone MYT 8
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 2000
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
no fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.30.0 KL
name 192.168.20.0 M3PS
name 192.168.50.0 SOMPJ
name 192.168.40.0 Penang
name 192.168.10.147 Email
name 192.168.10.0 Tampoi
access-list 100 permit tcp any host x.x.78.3 eq www
access-list 100 permit tcp any eq www host x.x.78.3 eq 2000
access-list 101 permit ip Tampoi 255.255.255.0 10.1.99.0 255.255.255.0
access-list 101 permit ip SOMPJ 255.255.255.0 10.1.99.0 255.255.255.0
access-list 101 permit ip KL 255.255.255.0 10.1.99.0 255.255.255.0
access-list 101 permit ip Penang 255.255.255.0 10.1.99.0 255.255.255.0
access-list 101 permit ip M3PS 255.255.255.0 10.1.99.0 255.255.255.0
access-list 101 permit ip Tampoi 255.255.255.0 192.168.61.0 255.255.255.0
access-list vpnuser1_splitTunnelAcl permit ip Tampoi 255.255.255.0 any
access-list vpnuser1_splitTunnelAcl permit ip SOMPJ 255.255.255.0 any
access-list vpnuser1_splitTunnelAcl permit ip KL 255.255.255.0 any
access-list vpnuser1_splitTunnelAcl permit ip Penang 255.255.255.0 any
access-list vpnuser1_splitTunnelAcl permit ip M3PS 255.255.255.0 any
access-list vpnuser2_splitTunnelAcl permit ip M3PS 255.255.255.0 any
access-list vpnuser2_splitTunnelAcl permit ip KL 255.255.255.0 any
access-list vpnuser2_splitTunnelAcl permit ip Penang 255.255.255.0 any
access-list vpnuser2_splitTunnelAcl permit ip SOMPJ 255.255.255.0 any
access-list vpnuser2_splitTunnelAcl permit ip Tampoi 255.255.255.0 any
access-list 110 permit ip Tampoi 255.255.255.0 192.168.61.0 255.255.255.0
pager lines 24
icmp permit host Email inside
icmp permit host 192.235.0.17 inside
icmp permit host 192.235.0.18 inside
mtu outside 1500
mtu inside 1500
ip address outside x.x.78.2 255.255.255.224
ip address inside 192.168.10.121 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.99.1-10.1.99.254
pdm location x.x.78.1 255.255.255.255 inside
pdm location M3PS 255.255.255.0 inside
pdm location KL 255.255.255.0 inside
pdm location Penang 255.255.255.0 inside
pdm location SOMPJ 255.255.255.0 inside
pdm location 192.168.10.17 255.255.255.255 inside
pdm location Email 255.255.255.255 inside
pdm location 10.1.99.0 255.255.255.0 outside
pdm location 192.168.61.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 x.x.78.10-x.x.78.29 netmask 255.255.255.224
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.3 Email netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.78.1 1
route outside 192.168.61.0 255.255.255.0 210.187.78.30 1
route inside M3PS 255.255.255.0 192.168.10.120 1
route inside KL 255.255.255.0 192.168.10.120 1
route inside Penang 255.255.255.0 192.168.10.120 1
route inside SOMPJ 255.255.255.0 192.168.10.124 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http Tampoi 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer x.x.78.30
crypto map newmap 10 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address x.x.78.30 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 3600
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpnuser1 address-pool ippool
vpngroup vpnuser1 wins-server 192.168.10.151
vpngroup vpnuser1 default-domain idemitsu-ps
vpngroup vpnuser1 split-tunnel vpnuser1_splitTunnelAcl
vpngroup vpnuser1 idle-time 1800
vpngroup vpnuser1 password ********
vpngroup vpnuser2 address-pool ippool
vpngroup vpnuser2 wins-server 192.168.10.151
vpngroup vpnuser2 default-domain idemitsu-ps
vpngroup vpnuser2 split-tunnel vpnuser2_splitTunnelAcl
vpngroup vpnuser2 idle-time 1800
vpngroup vpnuser2 password ********
telnet 192.168.10.17 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username xxxx password xxxxx privilege 5
terminal width 80
Cryptochecksum:5xxxxx

PIX No. 2 (Remote)

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxx
passwd xxxxxxx
hostname pixSOMPNGfirewall
domain-name sompng.com
clock timezone MYT 8
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit ip 192.168.61.0 255.255.255.0 192.235.0.0 255.255.255.0
access-list 110 permit ip 192.168.61.0 255.255.255.0 192.235.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.78.30 255.255.255.224
ip address inside 192.168.61.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.10.0 255.255.255.0 outside
pdm location x.x.78.2 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 x.x.78.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http x.x.78.2 255.255.255.255 outside
http 192.168.61.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer x.x.78.2
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address x.x.78.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet x.x.x.2 255.255.255.255 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.61.2-192.168.61.254 inside
dhcpd dns 202.188.0.133 202.188.1.5
dhcpd wins 192.235.0.151
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxxx

3 REPLIES

Re: PIX 506 to PIX 506 VPN Please help

If you are using NAT on each end of your network, you have to add the nonat statement, which tells traffic destined for the VPN tunnel not to be NATed and to be sent out the tunnel.
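An added example, not part of the thread, to make the nonat point concrete: a small Python script that pulls the nat 0 and crypto ACLs out of a PIX 6.x config and checks that the two ends of a LAN-to-LAN tunnel agree. Run against excerpts of the two configs posted above, it reports that PIX1's crypto ACL 110 selects 192.168.10.0/24 to 192.168.61.0/24 while PIX2's ACL 110 (and its nat 0 ACL 101) select 192.168.61.0/24 to 192.235.0.0/24, so neither side's entry has a mirror on the other. The PIX2_MIRRORED_CFG and PIX2_NONAT_GAP_CFG strings are hypothetical variants written for this example, not from the thread: one shows a pair that passes, the other shows what the nat 0 check flags when only the crypto ACL is changed and the exemption ACL is left behind.

```python
"""Cross-check two PIX 6.x LAN-to-LAN VPN configs (added example, not from the
thread). It reads the "name", "access-list", "nat (inside) 0 access-list" and
"crypto map ... match address" lines of each config and checks that (1) each
side's crypto ACL is the mirror image of the peer's and (2) every flow the
crypto ACL selects is also matched by the "nat 0" (nonat) ACL."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def mirror(self) -> "Flow":
        return Flow(self.dst, self.src)


NAME_RE = re.compile(r"^name (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")


def parse_pix(text: str) -> dict:
    """Return the nat 0 and crypto ACL flows of one config. Only
    "permit ip NET MASK NET MASK" entries are parsed ("any" and tcp/udp
    entries are skipped); "name" lines must precede their use, as PIX writes them."""
    names, acls, nat0, crypto = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAME_RE.match(line):
            names[m.group(2)] = m.group(1)  # "name 192.168.10.0 Tampoi"
        elif m := ACL_RE.match(line):
            acl, s, sm, d, dm = m.groups()
            src = ipaddress.ip_network(f"{names.get(s, s)}/{sm}", strict=False)
            dst = ipaddress.ip_network(f"{names.get(d, d)}/{dm}", strict=False)
            acls.setdefault(acl, []).append(Flow(src, dst))
        elif m := NAT0_RE.match(line):
            nat0 = m.group(1)
        elif m := CRYPTO_RE.match(line):
            crypto = m.group(1)
    return {"nat0": acls.get(nat0, []), "crypto": acls.get(crypto, [])}


def covered(flow: Flow, acl: list) -> bool:
    """True if some ACL entry contains the whole flow, source and destination."""
    return any(flow.src.subnet_of(e.src) and flow.dst.subnet_of(e.dst) for e in acl)


def check_pair(local: dict, remote: dict) -> list:
    """Findings for one side's crypto ACL against its own nat 0 ACL and the
    peer's crypto ACL; an empty list means the two sides agree."""
    findings = []
    for f in local["crypto"]:
        if f.mirror() not in remote["crypto"]:
            findings.append(f"crypto entry {f.src} -> {f.dst} has no mirror on the peer")
        if not covered(f, local["nat0"]):
            findings.append(f"crypto entry {f.src} -> {f.dst} is not exempted by nat 0")
    return findings


# Excerpts of the two configs posted above, cut down to the lines the check reads.
PIX1_CFG = """
name 192.168.10.0 Tampoi
access-list 101 permit ip Tampoi 255.255.255.0 10.1.99.0 255.255.255.0
access-list 101 permit ip Tampoi 255.255.255.0 192.168.61.0 255.255.255.0
access-list 110 permit ip Tampoi 255.255.255.0 192.168.61.0 255.255.255.0
nat (inside) 0 access-list 101
crypto map newmap 10 match address 110
"""
PIX2_CFG = """
access-list 101 permit ip 192.168.61.0 255.255.255.0 192.235.0.0 255.255.255.0
access-list 110 permit ip 192.168.61.0 255.255.255.0 192.235.0.0 255.255.255.0
nat (inside) 0 access-list 101
crypto map newmap 10 match address 110
"""
# Hypothetical remote side (an assumption, not from the thread) whose crypto and
# nat 0 ACLs mirror PIX1's: 192.168.61.0/24 <-> 192.168.10.0/24.
PIX2_MIRRORED_CFG = PIX2_CFG.replace("192.235.0.0", "192.168.10.0")
# Same, but with only the crypto ACL changed: the tunnel flow is still NATed.
PIX2_NONAT_GAP_CFG = PIX2_CFG.replace(
    "access-list 110 permit ip 192.168.61.0 255.255.255.0 192.235.0.0 255.255.255.0",
    "access-list 110 permit ip 192.168.61.0 255.255.255.0 192.168.10.0 255.255.255.0")

if __name__ == "__main__":
    pix1 = parse_pix(PIX1_CFG)
    for label, cfg in (("as posted", PIX2_CFG), ("mirrored", PIX2_MIRRORED_CFG),
                       ("crypto ACL fixed, nat 0 not", PIX2_NONAT_GAP_CFG)):
        pix2 = parse_pix(cfg)
        print(f"PIX2 {label}: pix1 side {check_pair(pix1, pix2) or 'OK'}; "
              f"pix2 side {check_pair(pix2, pix1) or 'OK'}")
```

The script only reads config text, so it runs with plain python3 and no PIX at hand; paste a full "write terminal" output into the strings to check a real pair. It deliberately ignores the split-tunnel ACLs and the tcp entries of ACL 100, since only the nat 0 and crypto map ACLs decide which LAN-to-LAN flows are exempted from NAT and sent into the tunnel.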


Re: PIX 506 to PIX 506 VPN Please help

Sorry, can you give more clues (maybe an example)? I'm still new to this kind of setup (VPN).


Re: PIX 506 to PIX 506 VPN Please help

If you are using PDM and are not overly familiar with setting up VPNs, try the VPN wizard in the PDM. Remember that the "inside" network is the local LAN side and the "outside" is the remote side LAN.

I would suggest writing down all your settings as you go along; it makes troubleshooting easier. The PDM adds its own names for some things that are both long and confusing, and writing it down (documenting it) as you go makes debugging about 1000 times easier.

I did something similar to what you are doing about 18 months ago and using the PDM the first time was an excellent learning tool for setting up VPNs.
