Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Pix Site to Site with dynamic IP

I have central office pix and remote sites that use dhcp from isp. central has static. I am attemping to setup tunnels that allow access between sites. tunnels appear setup, however, i am unable to connect to any thing at the remote sites. I can use remote client but only to central office. Im missing something obvious, im sure. thanks in advance. here are the configs.

central office:

access-list 120 permit ip 192.168.100.0 255.255.x.x.168.88.0 255.255.255.0

access-list outside_access_in permit tcp any any eq www

icmp permit any echo outside

icmp permit any echo-reply outside

icmp permit any unreachable outside

icmp permit any inside

mtu outside 1500

mtu inside 1500

ip address outside 25.x.x.25 255.x.255.255

ip address inside 192.168.100.1 255.255.255.0

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip audit info action alarm

ip audit attack action alarm

ip local pool vpnclient 192.168.1.215-192.168.1.225

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 120

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface www 192.168.100.250 www netmask 255.x.255.255 0 0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.x.x.25.25.24 1

floodguard enable

fragment chain 45 inside

fragment timeout 10 inside

sysopt connection permit-ipsec

crypto ipsec transform-set tset esp-des esp-md5-hmac

crypto dynamic-map dynmap 1 set transform-set tset

crypto map dyn-map 10 ipsec-isakmp dynamic dynmap

crypto map dyn-map interface outside

isakmp enable outside

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

isakmp keepalive 10 5

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup FCIvpnclient idle-time 1800

vpngroup cisco address-pool fcivpnclient

vpngroup cisco dns-server 192.168.100.250

vpngroup cisco wins-server 192.168.100.250

vpngroup cisco default-domain domain.local

vpngroup cisco split-tunnel 120

vpngroup cisco idle-time 1800

vpngroup cisco password ********

vpngroup fcivpnclient idle-time 1800

management-access inside

<<<REMOTE>>>

access-list 120 permit ip 192.168.18.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 120 permit ip 192.168.88.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list acl_in deny udp any any eq 1863

access-list acl_in deny tcp any any eq 1863

access-list acl_in permit ip any any

pager lines 24

icmp permit any echo outside

icmp permit any echo-reply outside

icmp permit any inside

mtu outside 1500

mtu inside 1500

ip address outside pppoe setroute

ip address inside 192.168.88.1 255.255.255.0

ip verify reverse-path interface outside

ip verify reverse-path interface inside

global (outside) 1 interface

nat (inside) 0 access-list 120

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group acl_in in interface inside

sysopt connection permit-ipsec

crypto ipsec transform-set tset esp-des esp-md5-hmac

crypto map ffmap 10 ipsec-isakmp

crypto map ffmap 10 match address 120

crypto map ffmap 10 set peer 25.25.25.25

crypto map ffmap 10 set transform-set tset

crypto map ffmap interface outside

isakmp enable outside

isakmp key ******** address 25.x.25.25 netmask 255.x.255.255

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpdn group pppox request dialout pppoe

vpdn group pppox localname user@isp.net

vpdn group pppox ppp authentication pap

vpdn username user@isp.net password *********

4 REPLIES

Re: Pix Site to Site with dynamic IP

Try to create separate policy for site-to-site vpn. The existing policy (isakmp policy 10) in central is used by the vpn client.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

Rgds,

AK

New Member

Re: Pix Site to Site with dynamic IP

Ok. How can I get the remote pix to use one policy and the client to use another. the link provided is ver ver 7.x these pix use 6.3. Thanks for the response.

Re: Pix Site to Site with dynamic IP

BTW, do you use your remote PIX to connect your remote access client@vpn client, and from there, you use the same PIX to connect to Central PIX? Or Central PIX handle both remote access vpn client and remote pix?

Rgds,

AK

Re: Pix Site to Site with dynamic IP

your phase1 config looks ok (provided pre-shared keys match) and is ok for clients & L2L to use the same policy.

on phase 2 your ACLS should be mirrors of each other and are not - remote has 2 lines, central has one. Nevertheless it should still work for that one line in common.

crypto map looks ok.

I believe "isakmp key ******** address 0.0.0.0 netmask 0.0.0.0" would be used only by L2L (not clients, they'd use "vpngroup cisco password ********") and you may need to turn off mode config & uauth off for L2L:

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode

otherwise:

show cry isa sa

show cry map

show cry ips sa

292
Views
0
Helpful
4
Replies