vpn problem

melvynbrown
Level 1

site to site vpn problem

for practice only

I am trying to create a site to site VPN using 2 PIX firewalls, a PIX 501 and a PIX 515. Both the firewalls have a restricted licence. A crossover cable is being used to connect the outside interfaces. Both firewalls have PCs connected to their inside interfaces and both PCs have connectivity to these interfaces; there is also connectivity between the outside interfaces of the PIX firewalls.

The problem is that I cannot establish a connection between the two PCs. One is a web server and the other one, attached to the PIX 501, is the web client.

I have a sneaking suspicion that, because the firewalls only have restricted licences, it might be the fact that I am trying to use esp-3des in the IPsec transform-set, but as I'm new to this I'm not sure.

I would appreciate it if somebody could look at the configs below and give some pointers as to what the problem is.

regards

melvyn brown

PIX 501:

isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp identity address
isakmp key cisco123 address 192.168.1.1 netmask 255.255.255.255
access-list 101 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
nat (inside) 0 access-list 101
crypto ipsec transform-set pix1 esp-3des
crypto map peer2 10 ipsec-isakmp
crypto map peer2 10 match address 101
crypto map peer2 10 set peer 192.168.1.2
crypto map peer2 10 set transform-set pix1
crypto map peer2 interface outside
sysopt connection permit-ipsec

PIX 515:

isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp identity address
isakmp key cisco123 address 192.168.1.2 netmask 255.255.255.255
access-list 101 permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
nat (inside) 0 access-list 101
crypto ipsec transform-set pix2 esp-3des
crypto map peer1 10 ipsec-isakmp
crypto map peer1 10 match address 101
crypto map peer1 10 set peer 192.168.1.1
crypto map peer1 10 set transform-set pix2
crypto map peer1 interface outside
sysopt connection permit-ipsec
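An added consistency check, not part of this thread, that cross-checks the two posted PIX snippets against each other: on each side the pre-shared key must be bound to the same address the crypto map sets as its peer, the two crypto ACLs must be mirror images, the keys must match, and the transform sets referenced by the crypto maps must match. Run on the two configs above it reports that on each PIX the isakmp key is bound to an address other than the configured peer (the regexes cover only the command forms shown in the post).

```python
import re

# The lines from the two configs posted above that a site-to-site pair must agree on.
PIX_501 = """isakmp key cisco123 address 192.168.1.1 netmask 255.255.255.255
access-list 101 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
crypto ipsec transform-set pix1 esp-3des
crypto map peer2 10 set peer 192.168.1.2
crypto map peer2 10 set transform-set pix1"""
PIX_515 = """isakmp key cisco123 address 192.168.1.2 netmask 255.255.255.255
access-list 101 permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
crypto ipsec transform-set pix2 esp-3des
crypto map peer1 10 set peer 192.168.1.1
crypto map peer1 10 set transform-set pix2"""

def parse(cfg):
    """Pull out the PSKs (by bound address), crypto ACL entries, transform sets and map settings."""
    c = {"keys": {}, "acl": set(), "tsets": {}}
    for line in cfg.splitlines():
        if m := re.match(r"isakmp key (\S+) address (\S+)", line):
            c["keys"][m.group(2)] = m.group(1)   # PSK is bound to the remote peer's address
        elif m := re.match(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", line):
            c["acl"].add(m.groups())             # (src, src mask, dst, dst mask)
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            c["tsets"][m.group(1)] = tuple(m.group(2).split())
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", line):
            c["peer"] = m.group(1)
        elif m := re.match(r"crypto map \S+ \d+ set transform-set (\S+)", line):
            c["mtset"] = m.group(1)
    return c

def check_pair(cfg_a, cfg_b):
    """Return the mismatches between the two ends; an empty list means they agree."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    for name, side in (("first", a), ("second", b)):
        if side.get("peer") not in side["keys"]:
            problems.append(f"{name}: isakmp key bound to {sorted(side['keys'])}, "
                            f"but crypto map peer is {side.get('peer')}")
    if set(a["keys"].values()) != set(b["keys"].values()):
        problems.append("pre-shared keys differ between the two ends")
    # Each side's crypto ACL must be the mirror (src<->dst) of the other's.
    if a["acl"] != {(d, dm, s, sm) for (s, sm, d, dm) in b["acl"]}:
        problems.append("crypto ACLs are not mirror images")
    if a["tsets"].get(a.get("mtset")) != b["tsets"].get(b.get("mtset")):
        problems.append("transform sets applied in the crypto maps differ")
    return problems

if __name__ == "__main__":
    for p in check_pair(PIX_501, PIX_515):
        print(p)
```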

3 Replies

thanekamp
Level 1

What I am seeing looks fine. What I don't see is the rest of the ISAKMP configuration on either side. A possibility is that you are using a firewall with an old software version with different default settings.

Your hunch about the license is incorrect, however, because the PIX would not let you configure a 3des transform set if it did not support it. You can verify this by doing a "show ver" and checking out the encryption 3des/aes license status.

If you want to post the output from a "debug crypto isakmp" and a "debug crypto ipsec" as you try to ping from one side to the other, that would be helpful.

What I am seeing in this configuration is that you are peering to 2 private addresses. To my knowledge, public addresses need to be used on the outside interfaces (whatever the ISPs have assigned). NAT needs to be configured to apply translations.

jmia
Level 7

Melvyn,

You might find the following document helpful in your situation:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

Also, as I always tell my engineers, make sure that you have L3 connectivity between both peers. A simple ping from one pix to the other should suffice.

Hope this helps and please rate posts!

Thanks / Jay
