New Member

L2L IPSec with VPN 3000 and PIX 501

Hello,

I have a remote site that has a broadband cable internet connection and is using a PIX 501.  We wanted to connect them with our main office with our VPN 3000 Concentrator using site to site VPN.

I've followed the following documentation:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml#tshoot

However the L2L session does not show up on the Concentrator when I check the active sessions.

Attached is the network diagram, along with the PIX config and screenshots of the VPN config for the IPSec L2L tunnel.

Any assistance or guidance is appreciated.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: L2L IPSec with VPN 3000 and PIX 501

I just noticed that on the PIX firewall, the phase 1 parameters are not configured. You need to configure the same phase 1 and phase 2 parameters on both ends of the tunnel.

For example, on the CVPN 3000 you have configured the Phase 1 parameters as 3DES, preshared key, etc., so we need to configure the same on the PIX firewall too.

Here's an example of a sample config:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml

Hope this helps!

4 REPLIES
Cisco Employee

Re: L2L IPSec with VPN 3000 and PIX 501

On the CVPN 3000, you have entered 172.16.128.0 with wildcard mask 0.0.3.255 as the Local Network and 172.16.68.0 with wildcard mask 0.0.3.255 as the Remote Network; however, on the PIX you have defined only one access-list (101), and the Local and Remote network are the same: 172.16.68.0 255.255.252.0.

Correct the crypto access-lists and make them mirror images of each other on both devices.
Also, configure a separate access-list for nat 0 on the PIX firewall. Don't use the same access-list as the crypto access-list.

After this, clear the tunnel and then initiate the tunnel again. Hopefully, this should solve your problem.

Regards,

Anshul
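The PIX side of the two points raised in this thread (matching phase 1/phase 2 parameters, and a mirror-image crypto ACL separate from the nat 0 ACL), written out as an added example in PIX 6.x syntax; this is not the asker's attached config. The peer address, preshared key, hash, DH group and lifetime are assumed placeholders and must be taken from the CVPN 3000's actual IKE proposal and SA settings.

```text
! Added example, not the thread's config. Placeholders in <> are assumptions.
!
! --- Phase 1 (ISAKMP): must match the CVPN 3000 IKE proposal ---
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
! hash, group and lifetime below are assumed; copy them from the concentrator
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key <PRESHARED_KEY> address <CONCENTRATOR_PUBLIC_IP> netmask 255.255.255.255
!
! --- Crypto ACL as it was in the thread (WRONG: local and remote are the same net) ---
! access-list 101 permit ip 172.16.68.0 255.255.252.0 172.16.68.0 255.255.252.0
!
! --- Crypto ACL, corrected: mirror of the concentrator's
!     Local 172.16.128.0 / 0.0.3.255 and Remote 172.16.68.0 / 0.0.3.255
!     (wildcard 0.0.3.255 on the CVPN 3000 == netmask 255.255.252.0 on the PIX) ---
access-list 101 permit ip 172.16.68.0 255.255.252.0 172.16.128.0 255.255.252.0
!
! --- Separate NAT-exemption ACL; do not reuse the crypto ACL here ---
access-list nonat permit ip 172.16.68.0 255.255.252.0 172.16.128.0 255.255.252.0
nat (inside) 0 access-list nonat
!
! --- Phase 2: transform set must match the concentrator's IPsec SA ---
crypto ipsec transform-set l2lset esp-3des esp-sha-hmac
crypto map l2lmap 10 ipsec-isakmp
crypto map l2lmap 10 match address 101
crypto map l2lmap 10 set peer <CONCENTRATOR_PUBLIC_IP>
crypto map l2lmap 10 set transform-set l2lset
crypto map l2lmap interface outside
sysopt connection permit-ipsec
!
! --- Clear the tunnel, then re-initiate it with interesting traffic and verify ---
! clear crypto isakmp sa
! clear crypto ipsec sa
! (send traffic from 172.16.68.0/22 to 172.16.128.0/22, then:)
! show crypto isakmp sa
! show crypto ipsec sa
```

If phase 1 never reaches QM_IDLE in `show crypto isakmp sa`, the mismatch is in the ISAKMP policy or key; if phase 1 is up but no IPsec SA forms, compare the crypto ACL and transform set against the concentrator's network lists and SA proposal.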

New Member

Re: L2L IPSec with VPN 3000 and PIX 501

Thanks so much, I see where those errors are.

One question: I'm unsure how to clear and re-initiate the tunnel on the PIX.

Actually, never mind, I found it.

Anyway, I've made those corrections however the tunnel still does not come up.

Attached is the new config on the PIX.

New Member

Re: L2L IPSec with VPN 3000 and PIX 501

Well I tore everything out and then rebuilt it and it's now working.  Strange.

Thanks for the help! +5
