IPsec tunnel between PIX and 3745 Router

blackhat2020
Level 1

Hi everyone. I'm trying to run an L2L VPN with an IPsec tunnel between my PIX and a 3745 router. My problem is that the tunnel only comes up when traffic flows from one direction. Let me describe my scenario.

LAN1-->PIX<----->R3745<---LAN2

!!!PIX!!!
ethernet 1: connected to Host A
Host A: 10.10.1.3
ethernet 0 (17.17.17.1): connected to R3745

!!!R3745!!!
ethernet 0/0 (17.17.17.2): connected to PIX
ethernet 0/1 (10.10.2.1): connected to Host B
Host B: 10.10.2.3

!!!PIX!!!!

PIX Version 7.2(3)
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 17.17.17.1 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
ftp mode passive
access-list nonat extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list tr extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list ping extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
access-group ping in interface outside
route outside 10.10.2.0 255.255.255.0 17.17.17.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ipsec esp-3des esp-sha-hmac
crypto map crymap 1 match address tr
crypto map crymap 1 set peer 17.17.17.2
crypto map crymap 1 set transform-set ipsec
crypto map crymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group 17.17.17.2 type ipsec-l2l
tunnel-group 17.17.17.2 ipsec-attributes
 pre-shared-key *

!!!!R3745!!!!!

version 12.4
!
boot-start-marker
boot-end-marker
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ***** address 17.17.17.1
crypto isakmp keepalive 10
!
crypto ipsec transform-set sec esp-3des esp-sha-hmac
!
crypto ipsec profile sevan
 set transform-set sec
!
crypto map map 10 ipsec-isakmp
 set peer 17.17.17.1
 set transform-set sec
 match address 110
!
interface Tunnel10
 ip unnumbered Ethernet0/0
 tunnel source Ethernet0/0
 tunnel destination 17.17.17.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile sevan
!
interface Ethernet0/0
 ip address 17.17.17.2 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 ip address 10.10.2.1 255.255.255.0
 ip policy route-map sevan
 half-duplex
!
ip http server
no ip http secure-server
ip route 10.10.1.0 255.255.255.0 17.17.17.1
!
access-list 110 permit ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
!
route-map sevan permit 10
 match interface Ethernet0/1
 set interface Tunnel10
!
end

***When I ping Host B from Host A, the ping works and the tunnel on the 3745 router comes up, but when I stop pinging Host B from Host A, after some seconds the tunnel goes down. And if I first ping Host A from Host B, the ping never works and the tunnel never comes up. So when traffic is generated from the PIX LAN everything is OK, but when traffic is generated from the router LAN nothing about the VPN works. I don't know why this scenario works this way!!!???

1 Reply

ajagadee
Cisco Employee

Hi,

I don't think this setup is going to work. The reason being, your tunnel destination on the router is an ASA, and ASAs do not support GRE tunnel termination. You have to terminate a GRE tunnel on a router.

Reconfigure the router without using the GRE tunnel interface and test the tunnel.

Regards

Arul

*Pls rate if it helps*
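The reply asks for the router to be reconfigured without the tunnel interface. Below is an added example of what that end state looks like on the 3745; it is not the poster's configuration or anything from the reply, and it is not vendor documentation. It keeps the addressing, ACL numbers and names from the posted configs. Two things are worth noticing in the original router config before applying this: crypto map "map" is defined but never applied to any interface, and the only IPsec binding is the profile on Tunnel10, which the PBR route-map "sevan" steers LAN2 traffic into. The example drops Tunnel10, the profile and the route-map, applies the crypto map to Ethernet0/0 (the interface facing the PIX), and relies on the static route to 10.10.1.0/24 that was already there. The pre-shared key is a placeholder. 3DES, SHA-1 and DH group 2 are retained only because they are what the posted PIX policy 1 uses; on current platforms you would use AES and at least group 14 on both ends.

```cisco
! Added example, not the original poster's config. Same addressing as the
! thread: PIX outside 17.17.17.1, R3745 Ethernet0/0 17.17.17.2.
! REPLACE_ME is a placeholder for the pre-shared key (assumption).
!
! Step 1 (config mode): remove the VTI pieces the reply says to drop.
no interface Tunnel10
no crypto ipsec profile sevan
no route-map sevan
!
! Step 2: phase 1 must match PIX "crypto isakmp policy 1"
! (3des / sha / pre-share / group 2 / 86400). hash sha and lifetime are
! IOS defaults and are written out here only so the match is visible.
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key REPLACE_ME address 17.17.17.1
crypto isakmp keepalive 10
!
! Step 3: phase 2 transform must match PIX transform-set "ipsec"
crypto ipsec transform-set sec esp-3des esp-sha-hmac
!
! Step 4: interesting traffic is the exact mirror of PIX access-list "tr"
! (PIX: 10.10.1.0/24 -> 10.10.2.0/24, so router: 10.10.2.0/24 -> 10.10.1.0/24).
! If the two selectors are not mirror images, phase 2 fails regardless of
! which side initiates.
access-list 110 permit ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
!
crypto map map 10 ipsec-isakmp
 set peer 17.17.17.1
 set transform-set sec
 match address 110
!
! Step 5: bind the crypto map to the interface that faces the PIX.
! This line was missing from the posted config.
interface Ethernet0/0
 ip address 17.17.17.2 255.255.255.0
 crypto map map
 half-duplex
!
! Step 6: LAN-facing interface with no policy routing; the static route
! below already sends 10.10.1.0/24 out Ethernet0/0, where the crypto map
! catches it.
interface Ethernet0/1
 ip address 10.10.2.1 255.255.255.0
 no ip policy route-map sevan
 half-duplex
!
ip route 10.10.1.0 255.255.255.0 17.17.17.1
!
! Verification from the router, sourcing the ping from the LAN address so
! it matches access-list 110 and triggers negotiation from the router side:
!   ping 10.10.1.3 source 10.10.2.1
!   show crypto isakmp sa          (expect QM_IDLE with peer 17.17.17.1)
!   show crypto ipsec sa           (encaps/decaps counters should both increase)
! And on the PIX:
!   show crypto isakmp sa
!   show crypto ipsec sa
```

Test from both directions, exactly as the poster did: ping Host A from Host B first with no SAs present, then the reverse. With a crypto map on the physical interface and mirrored selectors there is no longer a separate path (the VTI) that only one direction used, so the outcome should be the same whichever side brings the tunnel up.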
