cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
399
Views
0
Helpful
1
Replies

need help setting up L2L vpn on pix 501

matthewatt
Level 1
Level 1

I have a pix 501 firewall that I need to setup a site to site ipsec tunnel with a remote peer. The inside subnet on my pix is 192.168.100.0/24. For this discussion purpose, let's say my pix's outside ip is 10.10.10.10  and the remote peer ip is 11.11.11.11.

The tunnel needs are as follows: Local IP of 192.168.100.10 needs to communicate with remote ip of 11.11.12.12

I have to NAT my local ip of 192.168.100.10 to the ip address of 10.10.10.11 before it traverses the tunnel to the remote end.

I have setup the following, but I don't see any indication of phase 2. I see phase 1 completing, but nothing for encaps/decaps when I do a "show cry ipsec sa"

Here is the related config, minus the encryption parameters. please review and see if there are any issues with it, I'm particularly concerned about whether or not I'm NAT'ng correctly.

access-list 101 remark ***Crypto ACL for traffic to remote peer***
access-list 101 permit ip host 10.10.10.11 host 11.11.12.12


access-list VPN_NAT remark ***Policy NAT for VPN traffic***
access-list VPN_NAT permit ip host 192.168.100.10 host 11.11.12.12


static (inside,outside) 10.10.10.11 access-list VPN_NAT 0 0

ip address outside 10.10.10.10 255.255.255.248
ip address inside 192.168.100.1 255.255.255.0

crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address 101
crypto map VPN 10 set peer 11.11.11.11
crypto map VPN 10 set transform-set VPN
crypto map VPN interface outside
isakmp enable outside
isakmp key ******** address 11.11.11.11 netmask 255.255.255.255

1 Reply 1

Pravin Phadte
Level 5
Level 5

You need to check the remote firewall configs do.

1. crypto map VPN 10 set transform-set VPN

What have you set. Is it sameon both ends ?

2. isakmp key ******** address 11.11.11.11 netmask 255.255.255.255

Are us sure about the key which u have added in this.

HTH

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: