Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
330
Views
0
Helpful
2
Replies

Pix VPN + DSL

dw125wdwcg
Level 1
Level 1

‎01-29-2008 11:42 AM - edited ‎02-21-2020 03:30 PM

I'm having trouble with one of my VPN sites when I attempt to use a vpn tunnel utilizing my dsl connection instead of my frame circuit. I wasn't able to do pppoe off of the remote PIX, so my ISP told me to try using one of my assigned IP addresses on the inside of my dsl router's dhcp pool to assign to the interface of my pix. The outside WAN IP comes up assigned by the DHCP with an internet address (which is completely different than my IP block), but with a laptop having a block IP, I function just fine [I was not able to test an IPSEC client while connected this way]. Natting is turned off on the dsl router (it's a Netopia model 3347-2 firmware version 7.6.1r6) and my connection shows up as the assigned block address, so I believe that the ISP is routing the different IP address properly. When I replace the laptop with the PIX, my vpn tunnel only appears to make it past Phase 1, and I get a phase 2 error. I don't think I have a configuration issue on either PIX, so that leads me to believe the dsl router is doing something strange with the connection or it is the ISP.

Pix models are 515e at version 6.3(5), I tried nat-t, I restarted my isakmp and crypto map. Below is the debugging errors I got while attempting to connect, plus some of the censored configuration. I am attaching debug and configs.

Labels:
Preview file
3 KB
Preview file
3 KB
Preview file
2 KB
0 Helpful
2 Replies 2

ivillegas
Level 6
Level 6

‎02-04-2008 11:51 AM

Make sure the authentication parameters are configured right. Clear the association using clear crypto sa and try to re-establish the tunnel. Refer http://www.cisco.com/en/US/customer/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml for more troubleshooting general VPN issues.

0 Helpful

rjorgensen
Level 1
Level 1

‎02-21-2008 05:35 AM

You must put the DSL modem in bridging mode and turn off DHCP on the inside interface of the modem. You need to request a static IP from the ISP, that way you can configure the VPN concentrator at the main office to only allow connection from that IP. Next on your PIX/ASA you need to configure the PPPOE username and password. Do not set up any IP on the outside interface of the PIX/ASA. You should receive the PPPOE static IP once this in configured. You can also set up DHCP on the inside interface of the PIX/ASA for LAN connectivity with any IP addresses, they do not need to be assigned from the ISP. Tunnel all traffic over the VPN connection.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents