Cisco Support Community

New Member

PIX to PIX to PIX VPN Tunnel

I have three PIX 501 firewalls connected via a VPN tunnel; they were working great until I tried to add Cisco VPN Client access. I deleted the config for the VPN client and restarted all PIX firewalls. I also did the clear crypto ipsec and isakmp sa command to clear the tunnel info. Now the tunnel is up, but packets are being dropped at about 25%, and I am unable to access the terminal server through the tunnel, which is causing major problems for the remote sites. Here is the config I am using; any help would be great, thanks.

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list 120 permit ip
access-list 130 permit ip 192.168.bbb.0
access-list 100 permit ip
access-list 100 permit ip 192.168.bbb.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0 0
route outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 120
crypto map newmap 20 set peer
crypto map newmap 20 set transform-set myset
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address 130
crypto map newmap 30 set peer
crypto map newmap 30 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address netmask no-xauth no-config-mode
isakmp key ******** address netmask no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80


Re: PIX to PIX to PIX VPN Tunnel

Did you look at the possibility that the packets being dropped are packets that don't match the crypto access-list? That would imply things are working fine. Another possibility is that the traffic load on the PIX has increased recently and is high enough to result in packets being dropped.
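The reply above points at the usual first check for "the tunnel is up but some traffic is lost": whether the lost flows ever match a crypto access-list at all. The script below is an added example, not code from this thread or from Cisco. It parses a PIX 6.3-style fragment with the same shape as the posted config (every address is constructed, since the post redacted them, and the peer addresses and sequence numbers are assumptions), reports whether a given source/destination pair would be encrypted to a peer or leave the outside interface PATed in the clear, lists crypto-ACL entries that the nat 0 exemption does not cover, and flags the weak settings visible in the posted config (single DES, MD5, DH group 1, the default SNMP community).

```python
import ipaddress
import re

# Constructed PIX 6.3-style fragment mirroring the shape of the posted config.
# The original post redacted every address, so these RFC 1918 / documentation
# range values and the peer addresses are made up for the example.
SAMPLE_CONFIG = """
access-list 120 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 130 permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list 100 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 100 permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0 0
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 120
crypto map newmap 20 set peer 203.0.113.20
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address 130
crypto map newmap 30 set peer 203.0.113.30
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
snmp-server community public
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
CRYPTO_ACL_RE = re.compile(r"^crypto map \S+ (\d+) match address (\S+)$")
CRYPTO_PEER_RE = re.compile(r"^crypto map \S+ (\d+) set peer (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")

# Settings a reviewer would flag today; the posted config uses all of them.
WEAK_PATTERNS = {
    "esp-des": "single DES for IPsec ESP",
    "encryption des": "single DES for ISAKMP",
    "hash md5": "MD5 for ISAKMP integrity",
    "group 1": "768-bit DH group 1",
    "snmp-server community public": "default SNMP community string",
}


def to_net(addr, mask):
    """PIX ACLs use dotted subnet masks, not prefix lengths."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Collect ACL entries, crypto map entries and the nat 0 exemption ACL."""
    cfg = {"acls": {}, "crypto": {}, "nat0": None}
    for line in (l.strip() for l in text.splitlines()):
        if m := ACL_RE.match(line):
            name, sa, sm, da, dm = m.groups()
            cfg["acls"].setdefault(name, []).append((to_net(sa, sm), to_net(da, dm)))
        elif m := CRYPTO_ACL_RE.match(line):
            cfg["crypto"].setdefault(int(m.group(1)), {})["acl"] = m.group(2)
        elif m := CRYPTO_PEER_RE.match(line):
            cfg["crypto"].setdefault(int(m.group(1)), {})["peer"] = m.group(2)
        elif m := NAT0_RE.match(line):
            cfg["nat0"] = m.group(1)
    return cfg


def acl_permits(cfg, acl_name, src, dst):
    return any(src in s and dst in d for s, d in cfg["acls"].get(acl_name, []))


def classify_flow(cfg, src_ip, dst_ip):
    """Return 'tunnel:<seq>:<peer>' for encrypted flows, else why it is cleartext."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    # PIX applies NAT before the crypto map lookup on egress: a flow that the
    # nat 0 ACL does not exempt leaves PATed to the outside address, so the
    # private-source crypto ACL never matches it and it goes out in the clear.
    if not (cfg["nat0"] and acl_permits(cfg, cfg["nat0"], src, dst)):
        return "cleartext-pat"
    for seq in sorted(cfg["crypto"]):  # lowest sequence number wins, as on the PIX
        entry = cfg["crypto"][seq]
        if acl_permits(cfg, entry.get("acl"), src, dst):
            return f"tunnel:{seq}:{entry.get('peer', '?')}"
    return "cleartext-exempt"  # exempt from NAT but interesting to no peer


def nat0_gaps(cfg):
    """Crypto ACL entries not wholly covered by the nat 0 ACL (they would leave PATed)."""
    exempt = cfg["acls"].get(cfg["nat0"], []) if cfg["nat0"] else []
    gaps = []
    for seq in sorted(cfg["crypto"]):
        for s, d in cfg["acls"].get(cfg["crypto"][seq].get("acl"), []):
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt):
                gaps.append((seq, str(s), str(d)))
    return gaps


def weak_settings(text):
    """Return (line, reason) pairs for deprecated crypto or default-credential lines."""
    hits = []
    for line in (l.strip() for l in text.splitlines()):
        for pat, reason in WEAK_PATTERNS.items():
            if re.search(rf"\b{re.escape(pat)}\b", line):
                hits.append((line, reason))
    return hits


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for flow in [("192.168.10.5", "192.168.20.9"), ("192.168.10.5", "198.51.100.7")]:
        print(flow, "->", classify_flow(cfg, *flow))
    print("nat 0 gaps:", nat0_gaps(cfg))
    for line, reason in weak_settings(SAMPLE_CONFIG):
        print("weak:", reason, "|", line)
```

Deleting one of the nat 0 entries from the sample and rerunning shows the failure mode the reply hints at: the crypto ACL for that peer still looks correct, but the flow is PATed before the crypto lookup and never enters the tunnel. On the box itself the same question is answered by comparing the encaps/decaps counters in `show crypto ipsec sa` for each peer against what the inside hosts are actually sending.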

New Member

Re: PIX to PIX to PIX VPN Tunnel

Thanks for your response. Turns out the config is good. The DSL company tweaked the settings on the modem, which started all my problems.
