Cisco Support Community

New Member

VPN tunnels between 1PIX and 2routers 2610

I've got a problem with a configuration in a PIX 515 firewall for implementing two VPN tunnels with two Cisco 2610 routers.

The problem is: I configure the firewall and one router and the tunnel works; then I configure the second tunnel and only the first tunnel works; but if I change the order of the sequence in the crypto map entries, the first tunnel (previously the second) works right and the second doesn't start to work well.

What is happening?

I send you my configurations:



PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
hostname pixfirewall
domain-name xxx.local
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
access-list pingok permit icmp any any
access-list nonat permit ip
access-list nonat permit ip
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside publicIP
ip address inside
ip address dmz
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside
failover ip address inside
failover ip address dmz
pdm history enable
arp timeout 14400
global (outside) 1 publicIPforPAT netmask
global (dmz) 1 netmask
nat (dmz) 0 access-list nonat
nat (dmz) 1 0 0
access-group pingok in interface outside
access-group pingok in interface inside
access-group pingok in interface dmz
route outside publicIPgateway
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set grupoidea esp-3des esp-md5-hmac
crypto map cripto 1 ipsec-isakmp
crypto map cripto 1 match address nonat
crypto map cripto 1 set peer
crypto map cripto 1 set transform-set grupoidea
crypto map cripto 2 ipsec-isakmp
crypto map cripto 2 match address nonat
crypto map cripto 2 set peer
crypto map cripto 2 set transform-set grupoidea
crypto map cripto interface outside
isakmp enable outside
isakmp key ******** address publicIPremoteA netmask
isakmp key ******** address publicIPremoteB netmask
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet inside
telnet inside
telnet timeout 5
ssh timeout 5
terminal width 80



version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname resulta
logging rate-limit console 10 except errors
ip subnet-zero
no ip finger
ip audit notify log
ip audit po max-events 100
no ip dhcp-client network-discovery
no mgcp timer receive-rtcp
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 lifetime 1000
crypto isakmp key xxxxxxxxx address publicIP_PIX
crypto ipsec transform-set grupoidea esp-3des esp-md5-hmac
crypto map vpnidea 11 ipsec-isakmp
 set peer publicIP_PIX
 set transform-set grupoidea
 match address 120
call rsvp-sync
!
interface Ethernet0/0
 ip address
 ip nat inside
!
interface Ethernet1/0
 ip address publicIPremoteAorB
 ip nat outside
 crypto map vpnidea
!
ip nat pool rangopat publicIPforPAT publicIPforPAT netmask
ip nat inside source route-map nonat pool rangopat overload
ip classless
ip route publicIPgateway
ip http server
access-list 120 permit ip
access-list 120 permit ip
access-list 130 deny ip
access-list 130 permit ip any
route-map nonat permit 10
 match ip address 130
dial-peer cor custom
line con 0
 transport input none
line aux 0
line vty 0 4



New Member

Re: VPN tunnels between 1PIX and 2routers 2610

It looks to me that you're having a problem with your access-list on your PIX. You should use one access-list for each crypto map peer. Right now you have both peers trying to use the same crypto map.

Create 2 different access-lists and apply one each to the crypto map peers and see what happens.

In your case I would have one access-list for "remoteA" and one for "remoteB". Then one called "nonat" that is basically the addition of both "remoteA" and "remoteB" to be applied to the "nat 0" command.
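As an added example (not part of either post above), here is a small Python model of the behaviour behind the question's symptom and the reply's fix: the PIX tries crypto map entries in ascending sequence-number order and the first entry whose match ACL permits a flow supplies the peer, so two entries sharing the same ACL send everything to the lower-numbered peer. It parses the question's layout (both entries matching `nonat`) next to the split-ACL layout the reply recommends. All addresses are constructed RFC 1918 / RFC 5737 documentation values, since the original post blanks them out, and the ACL names remoteA and remoteB are the hypothetical names the reply suggests.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample config modelled on the question's PIX (addresses are RFC 1918 /
# RFC 5737 documentation values; the post blanks them out). Both crypto map entries
# match the same ACL, which is the layout the reply identifies as the problem.
BROKEN_PIX = """
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
crypto map cripto 1 ipsec-isakmp
crypto map cripto 1 match address nonat
crypto map cripto 1 set peer 203.0.113.10
crypto map cripto 2 ipsec-isakmp
crypto map cripto 2 match address nonat
crypto map cripto 2 set peer 198.51.100.20
"""

# Same peers, one ACL per peer as the reply recommends (hypothetical names remoteA /
# remoteB); "nonat" survives only as the union used for the nat 0 exemption.
FIXED_PIX = """
access-list remoteA permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list remoteB permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
crypto map cripto 1 ipsec-isakmp
crypto map cripto 1 match address remoteA
crypto map cripto 1 set peer 203.0.113.10
crypto map cripto 2 ipsec-isakmp
crypto map cripto 2 match address remoteB
crypto map cripto 2 set peer 198.51.100.20
"""


@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, s: ipaddress.IPv4Address, d: ipaddress.IPv4Address) -> bool:
        return s in self.src and d in self.dst


@dataclass
class MapEntry:
    seq: int
    acl: str = ""
    peer: str = ""


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    # PIX 6.x access-lists use real netmasks, not IOS wildcard masks.
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_config(text: str):
    """Pull 'access-list NAME permit|deny ip ...' ACEs and crypto map entries out of a PIX config."""
    acls, cmaps = {}, {}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "access-list" and len(tok) == 8 and tok[3] == "ip":
            acls.setdefault(tok[1], []).append(Ace(tok[2], _net(tok[4], tok[5]), _net(tok[6], tok[7])))
        elif tok[:2] == ["crypto", "map"] and len(tok) >= 5 and tok[3].isdigit():
            # "crypto map cripto interface outside" has no sequence number and is skipped.
            entry = cmaps.setdefault(tok[2], {}).setdefault(int(tok[3]), MapEntry(int(tok[3])))
            if tok[4:6] == ["match", "address"]:
                entry.acl = tok[6]
            elif tok[4:6] == ["set", "peer"]:
                entry.peer = tok[6]
    return acls, cmaps


def select_peer(acls, cmaps, map_name: str, src: str, dst: str):
    """Entries are tried in ascending sequence order; the first whose match ACL permits
    the flow supplies the peer. A deny hit moves on to the next entry, and a flow no
    entry matches (None) leaves the firewall unencrypted."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for seq in sorted(cmaps.get(map_name, {})):
        entry = cmaps[map_name][seq]
        for ace in acls.get(entry.acl, []):
            if ace.matches(s, d):
                if ace.action == "permit":
                    return entry.peer
                break
    return None


def peers_per_site(text: str) -> dict:
    """Peer chosen for each site's traffic: 10.2/16 sits behind remoteA, 10.3/16 behind remoteB."""
    acls, cmaps = parse_config(text)
    flows = {"siteA": ("10.1.1.1", "10.2.1.1"), "siteB": ("10.1.1.1", "10.3.1.1")}
    return {site: select_peer(acls, cmaps, "cripto", *f) for site, f in flows.items()}


def shared_crypto_acls(text: str, map_name: str = "cripto") -> dict:
    """The check to run on a config: ACL names referenced by more than one entry of the map."""
    _, cmaps = parse_config(text)
    by_acl = {}
    for seq, entry in sorted(cmaps.get(map_name, {}).items()):
        by_acl.setdefault(entry.acl, []).append(seq)
    return {acl: seqs for acl, seqs in by_acl.items() if len(seqs) > 1}
```

With the shared list, `peers_per_site(BROKEN_PIX)` sends both sites to 203.0.113.10, so the second router never sees an SA request, which is exactly the "only the first entry works, whichever it is" symptom; with one ACL per entry, each site goes to its own peer and `shared_crypto_acls()` returns nothing. The model only covers `permit|deny ip` ACEs with netmasks, which is all the posted config uses; it is the same first-match rule an IOS router applies to its own crypto map, so the check is worth running on both ends.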

New Member

Re: VPN tunnels between 1PIX and 2routers 2610

OK, thank you.

You are right!

Yesterday I tried this solution because I saw a similar configuration and noticed this difference.

Thank you very much.