L2L IPSec with VPN 3000 and PIX 501

rcoote5902_2
Level 2

Hello,

I have a remote site that has a broadband cable internet connection and is using a PIX 501.  We wanted to connect them with our main office with our VPN 3000 Concentrator using site to site VPN.

I've followed the following documentation:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml#tshoot

However the L2L session does not show up on the Concentrator when I check the active sessions.

Attached is the network diagram, along with the PIX config and screenshots of the VPN config for the IPSec L2L tunnel.

Any assistance or guidance is appreciated.


ankaushi
Cisco Employee

On the CVPN 3000, you have entered 172.16.128.0 with wildcard mask 0.0.3.255 as the Local Network and 172.16.68.0 with wildcard mask 0.0.3.255 as the Remote Network; however, on the PIX you have defined only one access-list, 101, and the Local and Remote network are the same: 172.16.68.0 255.255.252.0.

Correct the crypto access-lists and make them mirror images of each other on both devices.
Also, configure a separate access-list for NAT 0 on the PIX firewall. Don't use the same access-list as the crypto access-list.

After this, clear the tunnel and then initiate the tunnel again. Hopefully, this should solve your problem.

Regards,

Anshul

Thanks so much, I see where those errors are.

One question, I'm unsure how to clear and reinitiate the tunnel on the PIX?

Actually, never mind, I found it.

Anyway, I've made those corrections however the tunnel still does not come up.

Attached is the new config on the PIX.

I just noticed that on the PIX firewall, the phase 1 parameters are not configured. You need to configure the same phase 1 and phase 2 parameters on both ends of the tunnel.

For example, on the CVPN 3000 you have configured the Phase 1 parameters as 3DES, preshared key, etc., so we need to configure the same on the PIX firewall too.

Here's a sample config:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml

Hope this helps!
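A PIX 6.x configuration fragment that applies both pieces of advice in this thread (mirrored crypto access-list, a separate NAT 0 access-list, and matching phase 1 / phase 2 parameters), added here as an illustration; it is not the poster's attached config or the linked Cisco document. The peer address and preshared key are placeholders, and the hash (SHA) and DH group (2) are assumptions, since the thread only states 3DES with a preshared key.

```text
! --- Phase 1 (ISAKMP): must match the Concentrator's IKE proposal ---
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
! hash and group are assumptions; the thread only mentions 3DES + preshared key
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key <PRESHARED_KEY> address <CONCENTRATOR_PUBLIC_IP> netmask 255.255.255.255
!
! --- Phase 2 (IPsec) proposal ---
crypto ipsec transform-set l2l-set esp-3des esp-sha-hmac
!
! --- Crypto ACL, written from the PIX side: local -> remote.
!     Concentrator: Local 172.16.128.0 / 0.0.3.255, Remote 172.16.68.0 / 0.0.3.255
!     PIX must be the exact mirror image: 172.16.68.0/22 -> 172.16.128.0/22
access-list 101 permit ip 172.16.68.0 255.255.252.0 172.16.128.0 255.255.252.0
!
! --- Separate NAT-exemption ACL: same networks, but its own list, never reuse 101
access-list nonat permit ip 172.16.68.0 255.255.252.0 172.16.128.0 255.255.252.0
nat (inside) 0 access-list nonat
!
! --- Bind it together on the outside interface ---
crypto map l2l-map 10 ipsec-isakmp
crypto map l2l-map 10 match address 101
crypto map l2l-map 10 set peer <CONCENTRATOR_PUBLIC_IP>
crypto map l2l-map 10 set transform-set l2l-set
crypto map l2l-map interface outside
sysopt connection permit-ipsec
!
! --- Tear down and verify (the "clear and reinitiate" step asked about above) ---
! clear crypto isakmp sa
! clear crypto ipsec sa
! (send traffic from 172.16.68.0/22 to 172.16.128.0/22 to trigger negotiation)
! show crypto isakmp sa    - expect an SA entry for the Concentrator peer
! show crypto ipsec sa     - expect non-zero #pkts encaps / decaps counters
```

If phase 1 never appears in `show crypto isakmp sa`, compare the ISAKMP policy line by line with the Concentrator's IKE proposal before touching the crypto map; a mismatched proposal fails silently on the Concentrator's active-sessions view, which is exactly the symptom in the original post.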

Well I tore everything out and then rebuilt it and it's now working.  Strange.

Thanks for the help! +5
