Pix to 837 VPN configuration issues

Any advice would be greatly appreciated.

What debug may diagnose the issue etc.

Thanks

Mark

Pix IOS version 6.3.2

Cisco 837 router version 12.2.3XA

Problem explanation

VPN is set up between Pix and 837 ADSL router. Both can get out to the Internet. The Pix has other functioning VPNs connected to it. The VPN config given between these two devices does work insofar as the VPN is shown as up and you can connect one way from the private network behind the Pix to the private network behind the 837 using apps like Terminal Services. However, connections initiated from the 837 router network do not work. Connections from the Pix end work though. Why is this a one-way VPN?

************************************************

PIX CFG

PIX Version 6.3(2)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 Internet security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
........
access-list nonat permit ip 10.0.0.0 255.255.240.0 10.1.96.0 255.255.240.0
access-list vpn1 permit ip 10.0.0.0 255.255.240.0 10.1.96.0 255.255.240.0
........
ip address Internet External_Pix 255.255.255.240
ip address inside 10.0.1.1 255.255.240.0
ip address DMZ 192.168.0.1 255.255.255.0
........
global (Internet) 1 NAT_ALL
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.255.240.0 0 0
..........
route Internet 0.0.0.0 0.0.0.0 DEFAULT_Gateway 1
route inside 10.0.48.0 255.255.240.0 10.0.1.2 1
route inside 10.0.112.0 255.255.240.0 10.0.1.2 1
route inside 10.0.240.0 255.255.240.0 10.0.1.2 1
..........
crypto ipsec transform-set vpn1 esp-des esp-md5-hmac
crypto map newmap 21 match address murphy1
crypto map newmap 21 set peer [837 router address]
crypto map newmap 21 set transform-set murphy1
crypto map newmap interface Internet
isakmp enable Internet
isakmp key ******** address x.x.x.60 netmask 255.255.255.255
isakmp identity address
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

ROUTER CFG

Using 2177 out of 131072 bytes
!
version 12.3
!
no aaa new-model
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
 ip mtu adjust
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key 0 ************ address ***************
!
!
crypto ipsec transform-set headoffice esp-des esp-md5-hmac
!
crypto map headoffice 10 ipsec-isakmp
 set peer [pix ip address]
 set transform-set headoffice
 match address 101
!
interface Ethernet0
 ip address 10.1.96.2 255.255.240.0
 ip nat inside
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto
 hold-queue 224 in
!
interface Dialer1
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname [ispusername@isp]
 ppp chap password 0 [password]
 crypto map headoffice
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
no ip http server
no ip http secure-server
access-list 101 permit ip 10.1.96.0 0.0.15.255 10.0.0.0 0.0.15.255
access-list 102 deny ip 10.1.96.0 0.0.15.255 10.0.0.0 0.0.15.255
access-list 102 permit ip 10.1.96.0 0.0.15.255 any
dialer-list 1 protocol ip permit
route-map nonat permit 10
 match ip address 102

1 REPLY

Re: Pix to 837 VPN configuration issues

I don't see where/how you are applying access-list vpn1?
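The reply points at the thing worth checking first: in the PIX config as posted, `crypto map newmap 21` matches address `murphy1` and sets transform-set `murphy1`, while the objects actually defined are `access-list vpn1` and `transform-set vpn1`. Mismatches like that are easy to miss by eye in a long `show run`, so below is a small lint that pulls the crypto ACLs, transform sets, crypto map entries and map bindings out of a PIX 6.x or IOS config excerpt, reports dangling or unused references, and checks that the two peers' crypto ACLs mirror each other. This is an added example written for this thread, not Cisco tooling or anything the poster or replier provided; the embedded `PIX_EXCERPT` and `IOS_EXCERPT` strings are reconstructed from the configs above with the peer addresses left as the same placeholders, and the parser deliberately handles only `ADDR MASK ADDR MASK` ACL lines (no `any`/`host` forms). Note the platform difference it has to account for: PIX ACLs take netmasks while IOS ACLs take wildcard masks, which is why `parse` is told which platform it is reading.

```python
# Lint the crypto-map wiring of PIX 6.x and IOS config excerpts. Constructed example
# for this thread, not Cisco tooling: it reads only ACLs, transform sets and crypto maps.
import ipaddress

# Excerpts reconstructed from the configs posted above (peer addresses kept as placeholders).
PIX_EXCERPT = """\
access-list nonat permit ip 10.0.0.0 255.255.240.0 10.1.96.0 255.255.240.0
access-list vpn1 permit ip 10.0.0.0 255.255.240.0 10.1.96.0 255.255.240.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set vpn1 esp-des esp-md5-hmac
crypto map newmap 21 match address murphy1
crypto map newmap 21 set peer [837 router address]
crypto map newmap 21 set transform-set murphy1
crypto map newmap interface Internet
"""
IOS_EXCERPT = """\
crypto ipsec transform-set headoffice esp-des esp-md5-hmac
!
crypto map headoffice 10 ipsec-isakmp
 set peer [pix ip address]
 set transform-set headoffice
 match address 101
!
interface Dialer1
 crypto map headoffice
!
access-list 101 permit ip 10.1.96.0 0.0.15.255 10.0.0.0 0.0.15.255
"""

class CryptoConfig:
    def __init__(self):
        self.acls = {}               # acl name -> [(src_net, dst_net)] for its permit lines
        self.transform_sets = set()
        self.map_entries = {}        # (map name, seq) -> {"acl", "ts", "peer"}
        self.applied_maps = set()    # map names bound to an interface
        self.other_acl_refs = set()  # ACLs consumed by nat 0 / NAT lists rather than crypto maps

def _net(addr, mask, wildcard):
    """'ADDR NETMASK' (PIX) or 'ADDR WILDCARD' (IOS) -> IPv4Network."""
    if wildcard:  # invert by hand: 0.0.0.0 is a host match on IOS but a /0 netmask to ipaddress
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def _apply(entry, w):
    """Record one crypto map sub-command (flat PIX form or indented IOS block form)."""
    if w[:2] == ["match", "address"]:
        entry["acl"] = w[2]
    elif w[:2] == ["set", "transform-set"]:
        entry["ts"] = w[2]
    elif w[:2] == ["set", "peer"]:
        entry["peer"] = " ".join(w[2:])

def parse(text, platform):
    wildcard = platform == "ios"
    cfg, ctx = CryptoConfig(), None  # ctx = (map, seq) while inside an IOS 'crypto map X N ipsec-isakmp' block
    for t in filter(None, (line.split() for line in text.splitlines())):
        if t[0] == "access-list" and len(t) >= 8 and t[3] == "ip":  # 'any'/'host' forms not handled
            permits = cfg.acls.setdefault(t[1], [])
            if t[2] == "permit":
                permits.append((_net(t[4], t[5], wildcard), _net(t[6], t[7], wildcard)))
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg.transform_sets.add(t[3])
        elif t[:2] == ["crypto", "map"]:
            ctx = None
            if len(t) == 3 or t[3] == "interface":  # IOS 'crypto map X' under an interface / PIX 'crypto map X interface Y'
                cfg.applied_maps.add(t[2])
            elif t[3].isdigit():
                key = (t[2], int(t[3]))
                _apply(cfg.map_entries.setdefault(key, {}), t[4:])
                if t[4:] == ["ipsec-isakmp"]:
                    ctx = key
        elif ctx is not None and t[0] in ("match", "set"):
            _apply(cfg.map_entries[ctx], t)
        else:
            ctx = None
            if "access-list" in t[1:]:  # e.g. 'nat (inside) 0 access-list nonat'
                cfg.other_acl_refs.add(t[t.index("access-list", 1) + 1])
            elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
                cfg.other_acl_refs.add(t[5])
    return cfg

def check(cfg):
    """Findings about dangling or unused references; empty when the wiring is consistent."""
    out, used = [], set()
    for (name, seq), e in sorted(cfg.map_entries.items()):
        where = f"crypto map {name} {seq}"
        if e.get("acl") not in cfg.acls:
            out.append(f"{where}: match address {e.get('acl')} does not name a defined access-list")
        if e.get("ts") not in cfg.transform_sets:
            out.append(f"{where}: transform-set {e.get('ts')} is not defined")
        if name not in cfg.applied_maps:
            out.append(f"{where}: map {name} is not applied to any interface")
        used.add(e.get("acl"))
    out += [f"access-list {a}: defined but referenced nowhere"
            for a in sorted(cfg.acls) if a not in used and a not in cfg.other_acl_refs]
    return out

def mirrored(local_permits, remote_permits):
    """Crypto ACLs must be exact mirror images across the two peers."""
    return {(s, d) for s, d in local_permits} == {(d, s) for s, d in remote_permits}
```

Running `check(parse(PIX_EXCERPT, "pix"))` reports the two dangling `murphy1` references and that `vpn1` is defined but used nowhere; `check(parse(IOS_EXCERPT, "ios"))` comes back empty, and `mirrored(pix.acls["vpn1"], ios.acls["101"])` is true, so the 10.0.0.0/20 and 10.1.96.0/20 crypto ACLs are a proper mirror pair once the PIX crypto map actually points at them. That is the state a defender wants to reach before reading `debug crypto isakmp` output: a tunnel that negotiates on one side's proxy IDs and not the other's typically shows up as exactly this kind of mismatch.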
