10-09-2005 02:08 PM - edited 02-21-2020 02:01 PM
Does anyone have a successful configuration for a Pix 515E to a Pix 501 IPsec tunnel? I will be setting up the Pix 515E on a cable modem and the 501 will be remote on DSL. Please help, I have been running into connection problems. Can it be done? I'm guessing that one side will have to have a static address.
10-09-2005 03:00 PM
yes, at least one site needs to have a static ip.
in order to discuss how to configure further, please advise whether both sites have static ips or not. in the meantime, have a look at the doc:
with one static ip, it's called ezvpn
with two static ips, it's called lan-lan vpn
10-09-2005 03:29 PM
Ok, this is the dilemma. I am setting this all up in one location right now to test. I have only one connection (my cable modem). I have a wireless router issuing addresses in the 10.x.x.x range. I can set up the 515e on that and let the 501 be the dynamic side. I have been messing with this thing for hours and have had little success. Could I send you the configs of both sides and have you look over them? Any help would be great. I'm having issues looking at any links because I had to change my password on the site and now CCO has me locked out.
10-09-2005 03:57 PM
please post the configs with sensitive info masked, such as public ip.
with the cco lockout, you can send a blank email to "cco-locksmith@cisco.com".
10-09-2005 04:23 PM
10-10-2005 04:31 AM
just wondering what sort of vpn you are testing here, as i can see both lan-lan vpn and remote access vpn config on the 515e.
for lan-lan vpn, add this command "isakmp identity address" on both pix.
also no inbound acl is required for crypto traffic as long as the command "sysopt connection permit-ipsec" is enabled (which is enabled by default)
10-10-2005 05:01 AM
I just received the box. It already had a config on it. I don't really need the advanced config on the 515e. I have since erased flash on the 515e. This is my first crack at a Cisco Pix. I have some experience with Sonicwall. You don't have a working config that I could paste in and add my ip addresses to, do you? Or is that wishful thinking? Feeling a little overwhelmed at this point.
10-10-2005 06:05 AM
please see below; these are "cut-down" configs for lan-lan vpn (replace the <...> placeholders with your own values):
----------
pix1
----------
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip address inside 192.168.1.10 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address 110
crypto map vpn 10 set peer <pix2 outside ip>
crypto map vpn 10 set transform-set vpnset
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address <pix2 outside ip> netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
----------
pix2
----------
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 110 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address inside 192.168.2.10 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address 110
crypto map vpn 10 set peer <pix1 outside ip>
crypto map vpn 10 set transform-set vpnset
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address <pix1 outside ip> netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
10-10-2005 06:58 AM
this is what I get when pasting on the 515
modemPix(config)# access-list 101 permit ip 192.168.1.0 255.255.255.0 192$
CablemodemPix(config)#
CablemodemPix(config)# access-list 110 permit ip 192.168.1.0 255.255.255.0 192$
CablemodemPix(config)#
CablemodemPix(config)# ip address inside 192.168.1.10 255.255.255.0
CablemodemPix(config)#
CablemodemPix(config)# global (outside) 1 interface
outside interface address added to PAT pool
CablemodemPix(config)# nat (inside) 0 access-list 101
CablemodemPix(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
CablemodemPix(config)#
CablemodemPix(config)# sysopt connection permit-ipsec
CablemodemPix(config)#
CablemodemPix(config)# crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
VPN-3DES-AES is not enabled with current activation key.
usage: crypto ipsec transform-set <...> [ esp-des|esp-null ] [ esp-md5-hmac|esp-sha-hmac ]
crypto ipsec transform-set
Type help or '?' for a list of available commands.
CablemodemPix(config)#
CablemodemPix(config)# crypto map vpn 10 ipsec-isakmp
CablemodemPix(config)# crypto map vpn 10 match address 110
CablemodemPix(config)# crypto map vpn 10 set peer
ERROR: address <
CablemodemPix(config)# crypto map vpn 10 set transform-set superset
ERROR: transform set with tag "superset" does not exist.
CablemodemPix(config)# crypto map vpn interface outside
WARNING: This crypto map is incomplete.
To remedy the situation add a peer and a valid access-list to this crypt
o map.
CablemodemPix(config)#
CablemodemPix(config)# isakmp enable outside
CablemodemPix(config)# isakmp key ******** address
Invalid IP address.
CablemodemPix(config)# isakmp identity address
CablemodemPix(config)# isakmp nat-traversal 20
CablemodemPix(config)# isakmp policy 10 authentication pre-share
CablemodemPix(config)# isakmp policy 10 encryption 3des
VPN-3DES-AES is not enabled with current activation key.
Usage: isakmp policy <...> authentication <...>
       isakmp policy <...> encryption <...>
       isakmp policy <...> hash <...>
       isakmp policy <...> group <...>
       isakmp policy <...> lifetime <...>
       isakmp key <...> address <...> [no-config-mode]
       isakmp enable <...>
       isakmp identity <...>
       [no] isakmp keepalive <...>
       isakmp nat-traversal [<...>]
       isakmp client configuration address-pool local <...>
       isakmp peer fqdn|ip <...>
       [no] isakmp log <#events>
       {show|clear} isakmp log
10-10-2005 04:45 PM
"CablemodemPix(config)# crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
VPN-3DES-AES is not enabled with current activation key.
usage: crypto ipsec transform-set <...> [ esp-des|esp-null ] [ esp-md5-hmac|esp-sha-hmac ]"
the pix currently doesn't support 3des, only des. you can modify the command from "crypto ipsec transform-set vpnset esp-3des esp-md5-hmac" to "crypto ipsec transform-set vpnset esp-des esp-md5-hmac"
"CablemodemPix(config)# crypto map vpn 10 set peer
ERROR: address <
you need to put in the ip address of the vpn peer, not the <>, which just indicates where you need to fill in the info.
"CablemodemPix(config)# isakmp policy 10 encryption 3des
VPN-3DES-AES is not enabled with current activation key."
again, you need to modify the command from 3des to des. alternatively, you may register the pix with cisco and request a new activation key for 3des/aes
https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet
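Editor's note, added to this thread and not code from any of the posters or from Cisco: the three errors the 515E printed when the pasted config hit it (transform-set tag "superset" not defined, "set peer" and "isakmp key ... address" with the <> placeholders left empty, 3DES refused because the VPN-3DES-AES activation key is missing) are all things you can catch before pasting. The script below lints one PIX 6.x config for exactly those mistakes and cross-checks that the two peers' crypto ACLs are mirror images of each other, which is what breaks when the same config is pasted on both boxes. The sample configs are constructed from the configs posted above; the addresses 198.51.100.1 and 203.0.113.1 are documentation addresses standing in for the two outside IPs and are an assumption of the example.

```python
"""Pre-flight linter for the PIX 6.x LAN-to-LAN config pair posted in this thread.

Added example, not code from the thread or from Cisco. It encodes the errors the
515E printed when the posted config was pasted (undefined transform-set tag,
missing peer address, 3DES without the VPN-3DES-AES activation key) plus a
cross-check that the two peers' crypto ACLs mirror each other. The sample
configs are constructed from the thread; 198.51.100.1 and 203.0.113.1 are
documentation addresses assumed for the two outside interfaces.
"""
import re

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
STRONG = ("3des", "aes", "aes-192", "aes-256")  # need the VPN-3DES-AES key


def lint(config, has_3des_aes=False):
    """Return a list of findings for one PIX config; an empty list means clean."""
    lines = [l.strip() for l in config.strip().splitlines() if l.strip()]
    findings, transform_sets, acls = [], set(), set()
    for line in lines:  # first pass: collect the objects later lines refer to
        m = re.match(r"crypto ipsec transform-set (\S+) (.*)", line)
        if m:
            transform_sets.add(m.group(1))
            if not has_3des_aes and re.search(r"esp-(3des|aes)", m.group(2)):
                findings.append(f"transform-set {m.group(1)}: needs 3DES/AES key, use esp-des")
        m = ACL_RE.match(line)
        if m:
            acls.add(m.group(1))
    for line in lines:  # second pass: the references and the isakmp settings
        m = re.match(r"crypto map (\S+) (\d+) set transform-set (\S+)", line)
        if m and m.group(3) not in transform_sets:
            findings.append(f"crypto map {m.group(1)} {m.group(2)}: transform-set '{m.group(3)}' does not exist")
        m = re.match(r"crypto map (\S+) (\d+) match address (\S+)", line)
        if m and m.group(3) not in acls:
            findings.append(f"crypto map {m.group(1)} {m.group(2)}: access-list {m.group(3)} does not exist")
        m = re.match(r"crypto map (\S+) (\d+) set peer\s*(.*)", line)
        if m and not re.fullmatch(IPV4, m.group(3)):
            findings.append(f"crypto map {m.group(1)} {m.group(2)}: set peer needs the remote outside IP")
        m = re.match(r"isakmp key \S+ address\s*(.*)", line)
        if m and not re.fullmatch(IPV4, m.group(1).split()[0] if m.group(1) else ""):
            findings.append("isakmp key: needs the peer IP (0.0.0.0 netmask 0.0.0.0 for a dynamic peer)")
        m = re.match(r"isakmp policy \d+ encryption (\S+)", line)
        if m and not has_3des_aes and m.group(1) in STRONG:
            findings.append(f"isakmp policy: encryption {m.group(1)} needs the 3DES/AES key, use des")
    return findings


def crypto_acl(config):
    """Return (src, src_mask, dst, dst_mask) of the ACL the crypto map matches on."""
    lines = [l.strip() for l in config.splitlines()]
    names = [m.group(1) for m in (re.match(r"crypto map \S+ \d+ match address (\S+)", l) for l in lines) if m]
    for line in lines:
        m = ACL_RE.match(line)
        if m and names and m.group(1) == names[0]:
            return m.group(2), m.group(3), m.group(4), m.group(5)
    return None


def acls_mirror(cfg_a, cfg_b):
    """True when B's crypto ACL is A's with source and destination swapped."""
    a, b = crypto_acl(cfg_a), crypto_acl(cfg_b)
    return a is not None and b is not None and a == (b[2], b[3], b[0], b[1])


# Constructed from the pix1 config posted on 10-10-2005 06:05 AM, as it reached
# this page: peer/key placeholders stripped, transform-set tag mismatched.
PIX1_AS_POSTED = """
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address 110
crypto map vpn 10 set peer
crypto map vpn 10 set transform-set superset
isakmp key ******** address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
"""

# Same config with the fixes from the 10-10-2005 04:45 PM reply applied and a
# DES-only license assumed (constructed; 198.51.100.1 stands in for pix2's outside IP).
PIX1_FIXED = """
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address 110
crypto map vpn 10 set peer 198.51.100.1
crypto map vpn 10 set transform-set vpnset
isakmp key ******** address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
"""

# pix2 is pix1's mirror image: networks swapped, peer = pix1's outside IP (203.0.113.1 assumed).
PIX2_FIXED = (PIX1_FIXED.replace("192.168.1.0", "TMP").replace("192.168.2.0", "192.168.1.0")
              .replace("TMP", "192.168.2.0").replace("198.51.100.1", "203.0.113.1"))

if __name__ == "__main__":
    for f in lint(PIX1_AS_POSTED):
        print("pix1 as posted:", f)
    print("pix1 fixed:", lint(PIX1_FIXED) or "clean")
    print("pix2 fixed:", lint(PIX2_FIXED) or "clean")
    print("crypto ACLs mirror:", acls_mirror(PIX1_FIXED, PIX2_FIXED))
```

Run against the config as it was pasted, the linter reports five findings with a DES-only key and three once the 3DES/AES key is assumed; the fixed pair is clean and its crypto ACLs mirror. One caveat the linter does not cover: the original poster said the 501 will sit on a dynamic DSL address, and the configs in this thread are for two static peers. With a dynamic peer the 515E side needs a dynamic crypto map and a wildcard pre-shared key (isakmp key ... address 0.0.0.0 netmask 0.0.0.0), and only the 501 can initiate the tunnel.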
10-19-2005 10:48 PM
just wondering how you go.