Cisco Support Community

New Member

v6.2(1) and VPN

Are there any problems with using this setup? I have tried two different scenarios, one with a VPN client and the other PIX to PIX, but both aren't working. I appreciate I could very easily have got the configs wrong; I am just trying to see if there are any known issues or in fact any changes that would need to be introduced from earlier releases.

cheers

Andy

4 REPLIES
New Member

Re: v6.2(1) and VPN

I have several VPN solutions with PIX version 6.2(1) and have not run into any issues.

New Member

Re: v6.2(1) and VPN

That's good news. Thanks.

If anyone has a spare minute, could you tell me what I have wrong in my configs? Also, would there be anything I would need to configure on the two domains at either side? Both are NT4-based. This is PIX to PIX.

Site 1

Internal network 192.9.200.x

nameif e0 outside sec0

nameif e1 inside sec100

int e0 10baset

int e1 10baset

ip address inside 192.9.200.250 255.255.255.0

ip address outside 62.x.x.x 255.255.255.240

route outside 0 0 62.x.x.x 1

static (inside,outside) 62.x.x.x 192.9.200.1 netmask 255.255.255.255 0 0

access-list emailacl permit tcp any host 62.x.x.x eq smtp

access-group emailacl in interface outside

no fixup protocol smtp

access-list 120 permit ip 192.9.200.0 255.255.255.0 10.1.0.0 255.255.0.0

access-list 100 permit ip 192.9.200.0 255.255.255.0 10.1.0.0 255.255.0.0

nat (inside) 0 access-list 100

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto map newmap 20 ipsec-isakmp

crypto map newmap 20 match address 120

crypto map newmap 20 set peer 19.y.y.y

crypto map newmap 20 set transform-set myset

isakmp enable outside

isakmp key 1234 address 19.y.y.y netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 1000

Site 2

Internal network 10.1.x.x

nameif e0 outside sec0

nameif e1 inside sec100

int e0 10baset

int e1 10full

ip address inside 10.1.0.5 255.255.0.0

ip address outside 19.y.y.y 255.255.255.252

route outside 0 0 19.z.z.z 1

access-list 110 permit ip 10.1.0.0 255.255.0.0 192.9.200.0 255.255.255.0

access-list 100 permit ip 10.1.0.0 255.255.0.0 192.9.200.0 255.255.255.0

nat (inside) 0 access-list 100

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto map newmap 10 ipsec-isakmp

crypto map newmap 10 match address 110

crypto map newmap 10 set peer 62.x.x.x

crypto map newmap 10 set transform-set myset

crypto map newmap interface outside

isakmp enable outside

isakmp key 1234 address 62.x.x.x netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 1000

thanks for any help.

cheers

Andy

New Member

Re: v6.2(1) and VPN

The crypto map was not applied to the outside interface at site one. I probably would use a different internal IP such as 19.168.xxx.xxx instead of 192.9.
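An added example, not part of the thread and not Cisco tooling: a small Python check for the fault identified in this reply (a crypto map with entries but no `crypto map NAME interface IF` binding). It goes one step further and also checks that the two peers' crypto ACLs are mirror images of each other. The function names are hypothetical, and the sample text is the VPN-relevant lines copied from the configs posted above.

```python
import re

# Constructed sample: the VPN-relevant lines from the two configs posted above
# (addresses stay masked exactly as in the thread).
SITE1 = """\
access-list 120 permit ip 192.9.200.0 255.255.255.0 10.1.0.0 255.255.0.0
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 120
crypto map newmap 20 set peer 19.y.y.y
crypto map newmap 20 set transform-set myset
isakmp enable outside
"""
SITE2 = """\
access-list 110 permit ip 10.1.0.0 255.255.0.0 192.9.200.0 255.255.255.0
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer 62.x.x.x
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
"""

def unbound_crypto_maps(config):
    """Crypto maps that have entries but no 'crypto map NAME interface IF' line."""
    defined = set(re.findall(r"^crypto map (\S+) \d+ ", config, re.M))
    bound = set(re.findall(r"^crypto map (\S+) interface \S+", config, re.M))
    return sorted(defined - bound)

def crypto_selectors(config):
    """(src, smask, dst, dmask) tuples from ACLs referenced by 'match address'.
    Only the 'permit ip net mask net mask' form used in the thread is parsed."""
    acls = set(re.findall(r"^crypto map \S+ \d+ match address (\S+)", config, re.M))
    rows = re.findall(
        r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)\s*$", config, re.M)
    return {tuple(r[1:]) for r in rows if r[0] in acls}

def unmirrored_selectors(local, remote):
    """Local crypto ACL entries with no reversed (dst to src) entry on the peer."""
    mirrored = {(d, dm, s, sm) for s, sm, d, dm in crypto_selectors(remote)}
    return sorted(crypto_selectors(local) - mirrored)

if __name__ == "__main__":
    for name, cfg, peer in (("Site 1", SITE1, SITE2), ("Site 2", SITE2, SITE1)):
        print(name, "unbound maps:", unbound_crypto_maps(cfg),
              "unmirrored ACL entries:", unmirrored_selectors(cfg, peer))
```

Run against the posted configs, Site 1 reports `newmap` as unbound and Site 2 reports nothing; the crypto ACLs 120 and 110 already mirror each other.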

New Member

Re: v6.2(1) and VPN

I missed the crypto map thing - thanks and I understand the address issue (but am not allowed to change it!)

cheers for your time.
