Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

PIX-TO-PIX VPN Tunnel using Ipsec. Need Help please.

Hello everybody,

I've got a connecting two sites using PIX 506E and PIX 501. The one on central site (WATBCINX1 - PIX 506E) sends packet correctly and the one on remote site (CTXPOINX1 - PIX 501) receives them (checked out using debug icmp trace on both PIX). The problem is that PIX 501 on remote site doesn't send back the packets. I have to say that both PIX hace a 3com 812 OfficeConnect ADSL router acting as a Internet gateway. If anybody could help me I would appreciate it so much. THANK YOU!

PIX 506E Configuration (central site):

WATBCINX1# sh conf

: Saved

: Written by enable_15 at 08:36:50.090 CEDT Fri Jun 20 2003

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password qU51Wrx8ggFHLusK encrypted

passwd qU51Wrx8ggFHLusK encrypted

hostname WATBCINX1

domain-name NEOKEM.LAN

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

no names

name 80.37.246.195 POLINYA

access-list outside_access_in permit gre any host 10.0.0.10

access-list outside_access_in permit tcp any host 10.0.0.10 eq 1723

access-list outside_access_in permit tcp any host 10.0.0.10 eq smtp

access-list outside_access_in permit tcp any host 10.0.0.10 eq pop3

access-list outside_access_in permit icmp any any

access-list inside_access_in permit ip any any

access-list inside_access_in permit tcp any any

access-list inside_access_in permit icmp any any

access-list inside_access_in permit udp any any

access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.11.0 255.255.255.0

pager lines 24

logging on

interface ethernet0 10full

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside 10.0.0.3 255.0.0.0

ip address inside 192.168.0.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.0.100 255.255.255.255 inside

pdm location 192.168.0.0 255.255.0.0 inside

pdm location 192.168.0.128 255.255.255.255 inside

pdm location 192.168.0.135 255.255.255.255 inside

pdm location 192.168.11.0 255.255.255.0 outside

pdm location 192.168.11.0 255.255.255.0 inside

pdm location 80.37.246.195 255.255.255.255 outside

pdm location 192.168.0.254 255.255.255.255 outside

pdm logging debugging 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 10.0.0.10 192.168.0.100 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 10.0.0.2 1

timeout xlate 0:05:00

timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00

sip_media 0:02:00

timeout uauth 0:00:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

ntp authenticate

ntp server 192.43.244.18 source outside

ntp server 128.118.25.3 source outside prefer

http server enable

http 192.168.0.100 255.255.255.255 inside

http 192.168.0.128 255.255.255.255 inside

http 192.168.0.135 255.255.255.255 inside

http 192.168.11.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set COMUN_BCN esp-des esp-md5-hmac

crypto map polinya 1 ipsec-isakmp

crypto map polinya 1 match address 101

crypto map polinya 1 set peer 80.37.246.195

crypto map polinya 1 set transform-set COMUN_BCN

crypto map polinya interface outside

isakmp enable outside

isakmp key ******** address 80.37.246.195 netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 1000

telnet 192.168.0.128 255.255.255.255 inside

telnet 192.168.0.135 255.255.255.255 inside

telnet 192.168.11.0 255.255.255.0 inside

telnet timeout 10

ssh timeout 5

username QSECOFR password ELFfg8t/K5UMO89z encrypted privilege 15

terminal width 80

Cryptochecksum:74cd0cf16ef2c35804dffaeee924efdf

WATBCINX1#

PIX 501 Configuration (remote site):

CTXPOINX1# sh conf

: Saved

: Written by enable_15 at 09:27:14.439 CEDT Fri Jun 20 2003

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password qU51Wrx8ggFHLusK encrypted

passwd qU51Wrx8ggFHLusK encrypted

hostname CTXPOINX1

domain-name NEOKEM.LAN

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

no names

name 80.32.132.188 BCN

access-list inside_access_in permit tcp any any

access-list inside_access_in permit udp any any

access-list inside_access_in permit icmp any any

access-list inside_access_in permit ip any any

access-list outside_access_in permit icmp any any

access-list 101 permit ip 192.168.11.0 255.255.255.0 192.168.0.0 255.255.255.0

pager lines 24

logging on

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside 10.0.0.1 255.0.0.0

ip address inside 192.168.11.2 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.0.0 255.255.0.0 inside

pdm location 192.168.11.0 255.255.255.255 inside

pdm logging debugging 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 10.0.0.2 1

timeout xlate 0:05:00

timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00

sip_media 0:02:00

timeout uauth 0:00:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

ntp authenticate

ntp server 192.5.41.209 source outside prefer

http server enable

http 80.32.132.188 255.255.255.255 outside

http 192.168.0.0 255.255.0.0 inside

http 192.168.11.0 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set COMUN esp-des esp-md5-hmac

crypto map bcn 1 ipsec-isakmp

crypto map bcn 1 set peer 80.32.132.188

crypto map bcn 1 set transform-set COMUN

crypto map bcn interface outside

isakmp enable outside

isakmp key ******** address 80.32.132.188 netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 1000

telnet 80.32.132.188 255.255.255.255 outside

telnet 192.168.0.0 255.255.0.0 inside

telnet timeout 10

ssh timeout 5

username QSECOFR password ELFfg8t/K5UMO89z encrypted privilege 15

terminal width 80

Cryptochecksum:dc8d08655d07886b74d867228e84f70f

CTXPOINX1#

  • Other Security Subjects
1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Re: PIX-TO-PIX VPN Tunnel using Ipsec. Need Help please.

Hi,

You left the match address out of your 501 VPN config.....put this in....

crypto map bcn 1 match address 101

Hope that helps....

2 REPLIES
Bronze

Re: PIX-TO-PIX VPN Tunnel using Ipsec. Need Help please.

Hi,

You left the match address out of your 501 VPN config.....put this in....

crypto map bcn 1 match address 101

Hope that helps....

New Member

Re: PIX-TO-PIX VPN Tunnel using Ipsec. Need Help please.

Thank you Mike-greene I forgot to assign the crypto map to match address in access-list 101. Now it works ok! I appreciate it!

89
Views
5
Helpful
2
Replies
This widget could not be displayed.