06-01-2006 01:33 PM - edited 02-21-2020 02:27 PM
site to site vpn problem
for practice only
I am trying to create a site-to-site VPN using 2 PIX firewalls,
a PIX 501 and a PIX 515. Both firewalls have a restricted licence.
A crossover cable is being used to connect the outside interfaces,
both firewalls have PCs connected to their inside interfaces, and
both PCs have connectivity to these interfaces. There is also connectivity
between the outside interfaces of the PIX firewalls.
The problem is that I cannot establish a connection between the two PCs;
one is a web server and the other one, attached to the PIX 501, is the web
client.
I have a sneaking suspicion that, because the firewalls only have restricted
licences, it might be the fact that I am trying to use esp-3des in the
IPsec transform-set, but as I'm new to this I'm not sure.
I would appreciate it if somebody could look at the configs below
and give some pointers as to what the problem is.
Regards,
Melvyn Brown
PIX 501:
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp identity address
isakmp key cisco123 address 192.168.1.1 netmask 255.255.255.255
access-list 101 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
nat (inside) 0 access-list 101
crypto ipsec transform-set pix1 esp-3des
crypto map peer2 10 ipsec-isakmp
crypto map peer2 10 match address 101
crypto map peer2 10 set peer 192.168.1.2
crypto map peer2 10 set transform-set pix1
crypto map peer2 interface outside
sysopt connection permit-ipsec
PIX 515:
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp identity address
isakmp key cisco123 address 192.168.1.2 netmask 255.255.255.255
access-list 101 permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
nat (inside) 0 access-list 101
crypto ipsec transform-set pix2 esp-3des
crypto map peer1 10 ipsec-isakmp
crypto map peer1 10 match address 101
crypto map peer1 10 set peer 192.168.1.1
crypto map peer1 10 set transform-set pix2
crypto map peer1 interface outside
sysopt connection permit-ipsec
06-01-2006 05:59 PM
What I am seeing looks fine. What I don't see is the rest of the ISAKMP configuration on either side. A possibility is that you are using a firewall with an old software version with different default settings.
Your hunch about the license is incorrect, however, because the PIX would not let you configure a 3des transform set if it did not support it. You can verify this by doing a "show ver" and checking out the encryption 3des/aes license status.
If you want to post the output from a "debug crypto isakmp" and a "debug crypto ipsec" as you try to ping from one side to the other, that would be helpful.
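Before turning on debugs, it is worth checking the two posted configs against each other for the things both ends of a tunnel must agree on. The script below is an added example, not part of the thread: it parses the crypto-relevant lines of the two configs exactly as posted (assuming one crypto ACL and one transform-set per box, as here), reports which isakmp policy attributes are left at their defaults (the point the reply above makes), and flags that on each box the isakmp key is bound to a different address than the crypto map's set peer.

```python
# Crypto-relevant lines of the two configs as posted in the thread (PIX 501 first, then PIX 515).
PIX501 = """isakmp policy 10 authentication pre-share
isakmp key cisco123 address 192.168.1.1 netmask 255.255.255.255
access-list 101 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
crypto ipsec transform-set pix1 esp-3des
crypto map peer2 10 match address 101
crypto map peer2 10 set peer 192.168.1.2
crypto map peer2 10 set transform-set pix1"""
PIX515 = """isakmp policy 10 authentication pre-share
isakmp key cisco123 address 192.168.1.2 netmask 255.255.255.255
access-list 101 permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
crypto ipsec transform-set pix2 esp-3des
crypto map peer1 10 match address 101
crypto map peer1 10 set peer 192.168.1.1
crypto map peer1 10 set transform-set pix2"""

def parse(cfg):
    # Assumes a single crypto ACL and a single transform-set per box, as in the posted configs.
    p = {"keys": {}, "acl": [], "ts": [], "policy": {}, "peer": None}
    for line in cfg.splitlines():
        w = line.split()
        if not w:
            continue
        if w[:2] == ["isakmp", "key"]:
            p["keys"][w[4]] = w[2]            # address the PSK is bound to -> key
        elif w[:2] == ["isakmp", "policy"]:
            p["policy"][w[3]] = w[4]          # e.g. "authentication" -> "pre-share"
        elif w[0] == "access-list":
            p["acl"].append(tuple(w[4:8]))    # (src, src mask, dst, dst mask)
        elif w[2:3] == ["transform-set"]:
            p["ts"] = w[4:]                   # e.g. ["esp-3des"]
        elif w[:2] == ["crypto", "map"] and w[-2] == "peer":
            p["peer"] = w[-1]                 # crypto map "set peer" address
    return p

def check(a, b):
    # Return the mismatches between the two sides; an empty list means they agree.
    problems = []
    for side, own in (("501", a), ("515", b)):
        if own["peer"] not in own["keys"]:
            problems.append(f"{side}: set peer {own['peer']} but isakmp key bound to {sorted(own['keys'])}")
        for attr in ("encryption", "hash", "group"):
            if attr not in own["policy"]:
                problems.append(f"{side}: isakmp policy leaves {attr} at its default")
    if set(a["keys"].values()) != set(b["keys"].values()):
        problems.append("pre-shared keys differ")
    if a["ts"] != b["ts"]:
        problems.append("transform-sets differ")
    if a["acl"] != [(d, dm, s, sm) for s, sm, d, dm in b["acl"]]:
        problems.append("crypto ACLs are not mirror images")
    return problems
```

Running `check(parse(PIX501), parse(PIX515))` on the posted configs reports the key/peer address mismatch on both boxes and the unset policy attributes, while the pre-shared keys, transform-sets and mirrored ACLs pass.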
06-04-2006 11:59 AM
What I am seeing in this configuration is that you are peering to 2 private addresses. To my knowledge, public addresses need to be used on the outside interfaces (whatever the ISPs have assigned). NAT needs to be configured to apply translations.
06-04-2006 11:12 PM
Melvyn,
You might find the following document helpful in your situation:
Also, as I always tell my engineers, make sure that you have L3 connectivity between both peers. A simple ping from one pix to the other should suffice.
Hope this helps and please rate posts!
Thanks / Jay