
Config help 515E to 501 IPSEC

ericstimpson
Level 1

Does anyone have a successful configuration for a Pix 515E to a Pix 501 IPsec tunnel? I will be setting up the Pix 515E on a cable modem and the 501 will be remote on DSL. Please help, I have been running into connection problems. Can it be done? I'm guessing that one side will have to have a static address.

10 Replies

jackko
Level 7

yes, at least one site needs to have a static ip.

in order to discuss how to configure further, please advise whether both sites have a static ip or not. in the meantime, have a look at the docs:

with one static ip, it's called ezvpn

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a008019e6d7.shtml

with two static ip, it's called lan-lan vpn

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

Ok, this is the dilemma. I am setting this all up in one location right now to test. I have only one connection (my cable modem). I have a wireless router issuing addresses in the 10.x.x.x range. I can set up the 515e on that and let the 501 be the dynamic side. I have been messing with this thing for hours and have had little success. Could I send you the config of both sides and have you look over them? Any help would be great. I'm having issues looking at any links because I had to change my password on the site and now CCO has me locked out.

please post the configs with sensitive info masked, such as public ip.

with the cco lockout, you can send a blank email to "cco-locksmith@cisco.com".

the ip's can be anything internally if I have overlooked something. Everything is hypothetical and will change when put into production. I just want to get things working initially.

just wondering what sort of vpn you are testing here, as i can see both lan-lan vpn and remote access vpn config on the 515e.

for lan-lan vpn, add this command "isakmp identity address" on both pix.

also no inbound acl is required for crypto traffic as long as the command "sysopt connection permit-ipsec" is enabled (which is enabled by default)

I just received the box. It already had a config on it. I don't really need the advanced config on the 515e. I have since erased flash on the 515e. This is my first crack at a Cisco Pix. I have some experience with Sonicwall. You don't have a working config that I could paste in and add my ip addresses to, do you? Or is that wishful thinking. Feeling a little overwhelmed at this point.

please see below, "cut-down" configs for lan-lan vpn (replace the <...> placeholders with the other side's outside ip):

----------
pix1
----------
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip address inside 192.168.1.10 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address 110
crypto map vpn 10 set peer <pix2_outside_ip>
crypto map vpn 10 set transform-set vpnset
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address <pix2_outside_ip> netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

----------
pix2
----------
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 110 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address inside 192.168.2.10 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address 110
crypto map vpn 10 set peer <pix1_outside_ip>
crypto map vpn 10 set transform-set vpnset
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address <pix1_outside_ip> netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

this is what I get when pasting on the 515

CablemodemPix(config)# access-list 101 permit ip 192.168.1.0 255.255.255.0 192$
CablemodemPix(config)#
CablemodemPix(config)# access-list 110 permit ip 192.168.1.0 255.255.255.0 192$
CablemodemPix(config)#
CablemodemPix(config)# ip address inside 192.168.1.10 255.255.255.0
CablemodemPix(config)#
CablemodemPix(config)# global (outside) 1 interface
outside interface address added to PAT pool
CablemodemPix(config)# nat (inside) 0 access-list 101
CablemodemPix(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
CablemodemPix(config)#
CablemodemPix(config)# sysopt connection permit-ipsec
CablemodemPix(config)#
CablemodemPix(config)# crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
VPN-3DES-AES is not enabled with current activation key.
usage: crypto ipsec transform-set [ ah-md5-hmac|ah-sha-hmac ]
[ esp-des|esp-null ] [ esp-md5-hmac|esp-sha-hmac ]
crypto ipsec transform-set mode transport
Type help or '?' for a list of available commands.
CablemodemPix(config)#
CablemodemPix(config)# crypto map vpn 10 ipsec-isakmp
CablemodemPix(config)# crypto map vpn 10 match address 110
CablemodemPix(config)# crypto map vpn 10 set peer
ERROR: address < is invalid
CablemodemPix(config)# crypto map vpn 10 set transform-set superset
ERROR: transform set with tag "superset" does not exist.
CablemodemPix(config)# crypto map vpn interface outside
WARNING: This crypto map is incomplete.
To remedy the situation add a peer and a valid access-list to this crypto map.
CablemodemPix(config)#
CablemodemPix(config)# isakmp enable outside
CablemodemPix(config)# isakmp key ******** address netmask 25$
Invalid IP address.
CablemodemPix(config)# isakmp identity address
CablemodemPix(config)# isakmp nat-traversal 20
CablemodemPix(config)# isakmp policy 10 authentication pre-share
CablemodemPix(config)# isakmp policy 10 encryption 3des
VPN-3DES-AES is not enabled with current activation key.
Usage: isakmp policy authen
isakmp policy encrypt
isakmp policy hash
isakmp policy group <1|2|5>
isakmp policy lifetime
isakmp key address [netmask ] [no-xauth] [no-config-mode]
isakmp enable
isakmp identity
[]
isakmp keepalive []
isakmp nat-traversal []
isakmp client configuration address-pool local []
isakmp peer fqdn|ip [no-xauth] [no-config-mode]
[no] isakmp log <#events>
{show|clear} isakmp log

"CablemodemPix(config)# crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
VPN-3DES-AES is not enabled with current activation key.
usage: crypto ipsec transform-set [ ah-md5-hmac|ah-sha-hmac ]
[ esp-des|esp-null ] [ esp-md5-hmac|esp-sha-hmac ]
crypto ipsec transform-set mode transport"

the pix currently doesn't support 3des, only des. you can modify the command from "crypto ipsec transform-set vpnset esp-3des esp-md5-hmac" to "crypto ipsec transform-set vpnset esp-des esp-md5-hmac"

"CablemodemPix(config)# crypto map vpn 10 set peer
ERROR: address < is invalid"

you need to put the ip address of the vpn peer, not the <>, as it indicates where you need to fill in the info.

"CablemodemPix(config)# isakmp policy 10 encryption 3des
VPN-3DES-AES is not enabled with current activation key."

again, you need to modify the command from 3des to des. alternatively, you may register the pix with cisco and request a new activation key for 3des/aes

https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet
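Added example (not part of this thread, not Cisco code): a small Python checker that applies, offline, the consistency rules behind the errors in the paste above and behind the cut-down configs earlier in the thread. Per side it checks what the PIX CLI itself rejected (the crypto map's transform-set tag must exist, the peer must be a real IP address with a matching isakmp key, the crypto ACL must exist and be identical to the nat 0 exemption ACL). Across the two sides it checks what has to mirror for the tunnel to come up (crypto ACLs as mirror images, a transform-set in common, matching isakmp policy). It also flags DES and MD5, which should not be used today no matter what the activation key allows. The sample configs are constructed from the pix1/pix2 cut-downs with the "superset" typo corrected; the peer addresses 198.51.100.1 and 203.0.113.1 are placeholders from the RFC 5737 documentation ranges.

```python
"""Consistency checker for a pair of PIX 6.x LAN-to-LAN IPsec configs.
Added example, not from the thread. Peer addresses 198.51.100.1 and
203.0.113.1 are constructed placeholders (RFC 5737 documentation ranges)."""
import ipaddress

# Constructed sample: the pix1 cut-down from the thread, peer filled in,
# and the crypto map pointing at the transform-set that actually exists.
PIX1 = """\
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list 101
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address 110
crypto map vpn 10 set peer 198.51.100.1
crypto map vpn 10 set transform-set vpnset
crypto map vpn interface outside
isakmp key ******** address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
"""
# pix2 is the mirror image: ACL endpoints swapped, peer is pix1's outside address.
PIX2 = (PIX1.replace("192.168.1.0 255.255.255.0 192.168.2.0", "192.168.2.0 255.255.255.0 192.168.1.0")
            .replace("198.51.100.1", "203.0.113.1"))

WEAK = {"esp-des": "single DES", "des": "single DES", "esp-md5-hmac": "MD5", "md5": "MD5"}


def parse(text):
    """Pull the crypto-relevant statements out of a PIX running-config."""
    cfg = {"acl": {}, "tsets": {}, "map": {}, "nat0": None, "keys": {}, "policy": {}}
    for line in text.splitlines():
        w = line.split()
        if w[:1] == ["access-list"] and w[2:4] == ["permit", "ip"]:
            cfg["acl"].setdefault(w[1], []).append(tuple(w[4:8]))   # (src, smask, dst, dmask)
        elif w[:3] == ["nat", "(inside)", "0"]:
            cfg["nat0"] = w[4]                                       # NAT-exempt ACL id
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tsets"][w[3]] = tuple(w[4:])
        elif w[:2] == ["crypto", "map"] and len(w) > 5 and w[4] in ("match", "set"):
            cfg["map"][" ".join(w[4:6])] = w[6:]                     # "set peer" -> ["198.51.100.1"]
        elif w[:2] == ["isakmp", "key"] and w[3:4] == ["address"]:
            cfg["keys"][w[4]] = w[2]                                 # peer -> (masked) PSK
        elif w[:2] == ["isakmp", "policy"] and len(w) > 4:
            cfg["policy"][w[3]] = w[4]                               # "encryption" -> "3des"
    return cfg


def lint(cfg):
    """Single-side checks: what the PIX CLI rejected in the paste, plus cipher strength."""
    found = []
    m = cfg["map"]
    peer = m.get("set peer") or []
    if not peer:
        found.append("crypto map: no peer address set")
    else:
        try:
            ipaddress.ip_address(peer[0])
        except ValueError:
            found.append(f"crypto map: peer {peer[0]!r} is not an IP address")
        if peer[0] not in cfg["keys"]:
            found.append(f"no isakmp key configured for peer {peer[0]}")
    ts = (m.get("set transform-set") or [None])[0]
    if ts not in cfg["tsets"]:
        found.append(f"crypto map: transform-set {ts!r} does not exist")
    acl = (m.get("match address") or [None])[0]
    if acl not in cfg["acl"]:
        found.append("crypto map: match address ACL missing or undefined")
    elif cfg["acl"].get(cfg["nat0"]) != cfg["acl"][acl]:
        found.append("nat 0 ACL differs from crypto ACL: VPN traffic would be NATed before encryption")
    used = {a for t in cfg["tsets"].values() for a in t} | set(cfg["policy"].values())
    found += [f"weak algorithm {a} ({WEAK[a]})" for a in sorted(used & set(WEAK))]
    return found


def check_pair(a, b):
    """Cross-side checks: what must mirror for phase 1 and phase 2 to agree."""
    found = []
    acl_a = a["acl"].get((a["map"].get("match address") or [None])[0], [])
    acl_b = b["acl"].get((b["map"].get("match address") or [None])[0], [])
    mirrored = sorted((d, dm, s, sm) for s, sm, d, dm in acl_b)
    if sorted(acl_a) != mirrored:
        found.append("crypto ACLs are not mirror images: phase 2 proxy IDs will not match")
    if not set(a["tsets"].values()) & set(b["tsets"].values()):
        found.append("no transform-set in common")
    for k in ("authentication", "encryption", "hash", "group"):
        if a["policy"].get(k) != b["policy"].get(k):
            found.append(f"isakmp policy {k} differs: {a['policy'].get(k)} vs {b['policy'].get(k)}")
    return found


if __name__ == "__main__":
    broken = PIX1.replace("set transform-set vpnset", "set transform-set superset")
    for name, text in (("pix1 as posted", broken), ("pix1 fixed", PIX1)):
        print(name, lint(parse(text)))
    print("pair", check_pair(parse(PIX1), parse(PIX2)))
```

Run it against the two real running-configs (with the pre-shared key masked, as jackko asked) before pasting anything into the boxes; the "as posted" variant reproduces the transform-set error from the paste, and a mismatched ACL on either side shows up as the phase 2 proxy-ID warning rather than as a silent tunnel that never comes up.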

just wondering how you went.