VPN Issue

neilwheatcroft
Level 1

Hi,

I'm very new to Cisco equipment and was hoping someone could help me with this issue I have. I am trying to set up a VPN from a Cisco 837 router that I have to another company, which I think is using a PIX. After some tweaking I managed to set the same VPN up from another site we have, which uses a 3000 concentrator. However, after using Cisco SDM and using as many commands as I know how, I cannot get the VPN tunnel to come up. Essentially I want <server1> and <server2> (as shown in the attached show run) to be able to access 192.168.0.100, which is off my 837 router. Any help would be very gratefully received.

5 Replies

spremkumar
Level 9

Hi

Can you report back whether you are seeing any error logs in your Cisco 837 router related to this VPN establishment?

Regards

I'm not sure what logs I need to turn on. Can you help me to turn the correct ones on, please?

Thanks

I feel your problem is here

ip access-list extended Mick

permit ip host 192.168.0.100 host

permit ip host 192.168.0.100 host

Try to make sure your peer (the PIX) has the same IPsec SAs.

Also, you can issue the commands debug crypto isakmp and debug crypto ipsec.

Try to send us the log, or trace it yourself, so we can see where the problem is.

Neil

I do not know if you have this sorted out yet or not. But assuming that it is not (since there is no update to the forum about it) I will make a guess at the problem and possible solutions.

I am guessing that the VPN that you set up from the other site had fixed IP addresses on both ends. In what you are trying to set up here, the dialer interface has its address negotiated. And since you do not specify the source address for IPsec, it will default to using the address of the outbound interface, which is Dialer 0, which gets its address assigned dynamically. I am guessing that the PIX is not set up for a dynamic address on its peer.

One way to make this work would be to have the PIX configured with a dynamic crypto map which will allow the PIX to establish IPSec with devices whose addresses it does not know ahead of time. If the administrators of the PIX are willing to do this it could be a solution to your problem.

Another possible solution to the problem would be to specify the source address using an interface that the PIX can get to. Since the traffic should be reaching 192.168.0.100, can we assume that interface Ethernet 0 is reachable from the PIX? If so, then try adding this to the config:

crypto map SDM_CMAP_1 local-address Ethernet0

This will get IPsec to use the Ethernet 0 address as the source address, and the PIX would then have a fixed address to use as its peer address.

Do you know how they have configured the PIX for this IPSec connection? Knowing this might make it easier to pick the best solution.

HTH

Rick

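As an added illustration of the diagnosis in Rick's reply (this is example code written for this page, not anything posted in the thread or shipped by Cisco): a small Python audit that reads a `show run` excerpt and flags any crypto map applied to an interface with `ip address negotiated` that has no `crypto map <name> local-address <interface>` pinning IKE to a fixed address. The excerpt, the interface addresses and the peer 203.0.113.10 are constructed assumptions, not the poster's real configuration.

```python
"""Audit an IOS 'show run' excerpt for the IPsec peer-address problem:
a crypto map on a dynamically addressed interface with no fixed local-address."""
import re

# Constructed 'show run' excerpt in the shape the thread describes
# (SDM-generated crypto map on a dialer that negotiates its address).
# All addresses, the peer and the transform set are assumptions.
RUN_BEFORE = """\
interface Ethernet0
 ip address 192.168.0.1 255.255.255.0
!
interface Dialer0
 ip address negotiated
 crypto map SDM_CMAP_1
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set ESP-3DES-SHA
 match address Mick
"""

# The same excerpt after adding the line suggested in the reply above.
RUN_AFTER = RUN_BEFORE + "crypto map SDM_CMAP_1 local-address Ethernet0\n"


def parse_run(text):
    """Return (interfaces, local_address).

    interfaces: name -> {"negotiated": bool, "address": str|None, "crypto_map": str|None}
    local_address: crypto map name -> interface named in 'local-address'
    """
    interfaces = {}
    local_address = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            # Top-level statement: either an interface block header,
            # a global 'crypto map ... local-address', or something we ignore.
            current = None
            m = re.match(r"interface (\S+)", line)
            if m:
                current = m.group(1)
                interfaces[current] = {"negotiated": False, "address": None, "crypto_map": None}
                continue
            m = re.match(r"crypto map (\S+) local-address (\S+)", line)
            if m:
                local_address[m.group(1)] = m.group(2)
            continue
        if current is None:
            continue  # sub-command of a block we do not track (e.g. the crypto map entry itself)
        cmd = line.strip()
        if cmd == "ip address negotiated":
            interfaces[current]["negotiated"] = True
        elif cmd.startswith("ip address "):
            interfaces[current]["address"] = cmd.split()[2]
        elif cmd.startswith("crypto map "):
            interfaces[current]["crypto_map"] = cmd.split()[2]
    return interfaces, local_address


def audit_peer_source(text):
    """One finding per crypto map whose IKE/IPsec source address would not be fixed."""
    interfaces, local_address = parse_run(text)
    findings = []
    for name, info in interfaces.items():
        cmap = info["crypto_map"]
        if cmap is None or not info["negotiated"]:
            continue
        src = local_address.get(cmap)
        if src is None:
            findings.append(
                f"{cmap} on {name}: IKE will source from the negotiated address; "
                f"add 'crypto map {cmap} local-address <interface-with-fixed-address>'"
            )
            continue
        src_info = interfaces.get(src, {})
        if src_info.get("negotiated") or src_info.get("address") is None:
            findings.append(f"{cmap} on {name}: local-address {src} does not carry a fixed address")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", RUN_BEFORE), ("after", RUN_AFTER)):
        print(label, audit_peer_source(cfg) or ["ok"])
```

The check only catches the configuration pattern. Whether the address on the chosen `local-address` interface is actually reachable from the PIX (Rick's question about Ethernet 0) still has to be confirmed separately; a private LAN address will not be routable from the far side across the Internet, in which case the PIX-side dynamic crypto map described in the same reply is the workable option.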