Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
332
Views
5
Helpful
2
Replies

PIX-TO-PIX VPN Tunnel using Ipsec. Need Help please.

Go to solution
pression2
Level 1
Level 1

‎06-19-2003 11:57 PM - edited ‎02-21-2020 12:37 PM

Hello everybody,

I've got a connecting two sites using PIX 506E and PIX 501. The one on central site (WATBCINX1 - PIX 506E) sends packet correctly and the one on remote site (CTXPOINX1 - PIX 501) receives them (checked out using debug icmp trace on both PIX). The problem is that PIX 501 on remote site doesn't send back the packets. I have to say that both PIX hace a 3com 812 OfficeConnect ADSL router acting as a Internet gateway. If anybody could help me I would appreciate it so much. THANK YOU!

PIX 506E Configuration (central site):

WATBCINX1# sh conf

: Saved

: Written by enable_15 at 08:36:50.090 CEDT Fri Jun 20 2003

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password qU51Wrx8ggFHLusK encrypted

passwd qU51Wrx8ggFHLusK encrypted

hostname WATBCINX1

domain-name NEOKEM.LAN

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

no names

name 80.37.246.195 POLINYA

access-list outside_access_in permit gre any host 10.0.0.10

access-list outside_access_in permit tcp any host 10.0.0.10 eq 1723

access-list outside_access_in permit tcp any host 10.0.0.10 eq smtp

access-list outside_access_in permit tcp any host 10.0.0.10 eq pop3

access-list outside_access_in permit icmp any any

access-list inside_access_in permit ip any any

access-list inside_access_in permit tcp any any

access-list inside_access_in permit icmp any any

access-list inside_access_in permit udp any any

access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.11.0 255.255.255.0

pager lines 24

logging on

interface ethernet0 10full

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside 10.0.0.3 255.0.0.0

ip address inside 192.168.0.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.0.100 255.255.255.255 inside

pdm location 192.168.0.0 255.255.0.0 inside

pdm location 192.168.0.128 255.255.255.255 inside

pdm location 192.168.0.135 255.255.255.255 inside

pdm location 192.168.11.0 255.255.255.0 outside

pdm location 192.168.11.0 255.255.255.0 inside

pdm location 80.37.246.195 255.255.255.255 outside

pdm location 192.168.0.254 255.255.255.255 outside

pdm logging debugging 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 10.0.0.10 192.168.0.100 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 10.0.0.2 1

timeout xlate 0:05:00

timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00

sip_media 0:02:00

timeout uauth 0:00:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

ntp authenticate

ntp server 192.43.244.18 source outside

ntp server 128.118.25.3 source outside prefer

http server enable

http 192.168.0.100 255.255.255.255 inside

http 192.168.0.128 255.255.255.255 inside

http 192.168.0.135 255.255.255.255 inside

http 192.168.11.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set COMUN_BCN esp-des esp-md5-hmac

crypto map polinya 1 ipsec-isakmp

crypto map polinya 1 match address 101

crypto map polinya 1 set peer 80.37.246.195

crypto map polinya 1 set transform-set COMUN_BCN

crypto map polinya interface outside

isakmp enable outside

isakmp key ******** address 80.37.246.195 netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 1000

telnet 192.168.0.128 255.255.255.255 inside

telnet 192.168.0.135 255.255.255.255 inside

telnet 192.168.11.0 255.255.255.0 inside

telnet timeout 10

ssh timeout 5

username QSECOFR password ELFfg8t/K5UMO89z encrypted privilege 15

terminal width 80

Cryptochecksum:74cd0cf16ef2c35804dffaeee924efdf

WATBCINX1#

PIX 501 Configuration (remote site):

CTXPOINX1# sh conf

: Saved

: Written by enable_15 at 09:27:14.439 CEDT Fri Jun 20 2003

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password qU51Wrx8ggFHLusK encrypted

passwd qU51Wrx8ggFHLusK encrypted

hostname CTXPOINX1

domain-name NEOKEM.LAN

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

no names

name 80.32.132.188 BCN

access-list inside_access_in permit tcp any any

access-list inside_access_in permit udp any any

access-list inside_access_in permit icmp any any

access-list inside_access_in permit ip any any

access-list outside_access_in permit icmp any any

access-list 101 permit ip 192.168.11.0 255.255.255.0 192.168.0.0 255.255.255.0

pager lines 24

logging on

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside 10.0.0.1 255.0.0.0

ip address inside 192.168.11.2 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.0.0 255.255.0.0 inside

pdm location 192.168.11.0 255.255.255.255 inside

pdm logging debugging 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 10.0.0.2 1

timeout xlate 0:05:00

timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00

sip_media 0:02:00

timeout uauth 0:00:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

ntp authenticate

ntp server 192.5.41.209 source outside prefer

http server enable

http 80.32.132.188 255.255.255.255 outside

http 192.168.0.0 255.255.0.0 inside

http 192.168.11.0 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set COMUN esp-des esp-md5-hmac

crypto map bcn 1 ipsec-isakmp

crypto map bcn 1 set peer 80.32.132.188

crypto map bcn 1 set transform-set COMUN

crypto map bcn interface outside

isakmp enable outside

isakmp key ******** address 80.32.132.188 netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 1000

telnet 80.32.132.188 255.255.255.255 outside

telnet 192.168.0.0 255.255.0.0 inside

telnet timeout 10

ssh timeout 5

username QSECOFR password ELFfg8t/K5UMO89z encrypted privilege 15

terminal width 80

Cryptochecksum:dc8d08655d07886b74d867228e84f70f

CTXPOINX1#

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
mike-greene
Level 4
Level 4

‎06-20-2003 12:09 PM

Hi,

You left the match address out of your 501 VPN config.....put this in....

crypto map bcn 1 match address 101

Hope that helps....

View solution in original post

2 Replies 2

Go to solution
mike-greene
Level 4
Level 4

‎06-20-2003 12:09 PM

Hi,

You left the match address out of your 501 VPN config.....put this in....

crypto map bcn 1 match address 101

Hope that helps....

Go to solution
pression2
Level 1
Level 1
In response to mike-greene

‎06-22-2003 10:18 PM

Thank you Mike-greene I forgot to assign the crypto map to match address in access-list 101. Now it works ok! I appreciate it!

0 Helpful
Customers Also Viewed These Support Documents