Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

VPN Issue


I'm very new to cisco equipment and was hoping someone could help me with this issue I have. I am trying to set up a VPN from a cisco 837 router that I have to another company, which I think is using a PIX. After some tweaking I managed to set the same VPN up from another site we have, which uses a 3000 concentator. However after using cisco SDM and using as many commands as I know how I cannot get the VPN tunnel to come up. Essentailly I want <server1> and <server2> (as shown in the attached show run) to be able to access that is off of my 837 router. Any help would be very gratefully received.


Re: VPN Issue


Can you revert whether you are seeing any error logs in your Cisco 837 router related to this VPN establishment ?


Community Member

Re: VPN Issue

I'm not sure what logs I need to turn on - can you help me to turn the correct ones on please?


Re: VPN Issue


Re: VPN Issue

I feel your problem is here

ip access-list extended Mick

permit ip host host

permit ip host host

Try to make sure your peer (The PIX) has the same IPSEC SAs.

Also, you can issue the command debug crypto isakmp and debug crypto ipsec

Try to send us the log or trace it to know where is the problem.

Hall of Fame Super Gold

Re: VPN Issue


I do not know if you have this sorted out yet or not. But assuming that it is not (since there is no update to the forum about it) I will make a guess at the problem and possible solutions.

I am guessing that the VPN that you set up from the other site had fixed IP addresses on both ends. In what you are trying to set up here the dialer interface has address negotiated. And since you do not specify the source address for IPSec it will default to using the address of the outbound interface which is dialer 0 which gets assigned dynamically. I am guessing that the PIX is not set up for a dynamic address on its peer.

One way to make this work would be to have the PIX configured with a dynamic crypto map which will allow the PIX to establish IPSec with devices whose addresses it does not know ahead of time. If the administrators of the PIX are willing to do this it could be a solution to your problem.

Another possible solution to the problem would be to specify the source address using an interface that the PIX can get to. Since the traffic should be reaching can we assume that interface Ethernet 0 is reachable from the PIX? If so then try adding this to the config:

crypto map SDM_CMAP_1 local-address Ethernet0

This will get IPSec to use the Ethernet 0 as the source address and the PIX would have a fixed address to use as its peer address.

Do you know how they have configured the PIX for this IPSec connection? Knowing this might make it easier to pick the best solution.



CreatePlease to create content