Cisco Support Community
New Member

Simple PIX to PIX VPN issues

I'm trying to set up a simple PIX to PIX VPN using the simple PIX-PIX VPN documentation from the config sample page. I've got lots of VPN tunnels established to other devices from other PIXes quite happily, so this is fairly embarrassing. Anyway, the config on the source PIX is as follows:

access-list 101 permit ip 172.18.138.0 255.255.255.0 172.18.133.0 255.255.255.0
access-list 101 permit ip 172.18.133.0 255.255.255.0 172.18.138.0 255.255.255.0
nat (phoenix_private) 0 access-list 101
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map ntlink 1 ipsec-isakmp
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 172.18.126.233
crypto map transam 1 set transform-set chevelle
crypto map transam interface inside
isakmp enable inside
isakmp key ******** address 172.18.126.233 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000

If I generate traffic, the logs show this:

Aug 9 18:40:15 10.60.6.247 %PIX-3-305005: No translation group found for icmp src phoenix_private:172.18.138.111 dst inside:172.18.133.51 (type 8, code 0)
Aug 9 18:40:17 10.60.6.247 %PIX-3-305005: No translation group found for icmp src phoenix_private:172.18.138.111 dst inside:172.18.133.51 (type 8, code 0)
Aug 9 18:40:18 10.60.6.247 %PIX-3-305005: No translation group found for udp src phoenix_private:172.18.138.111/3832 dst inside:172.18.133.51/53
Aug 9 18:40:18 10.60.6.247 %PIX-3-305005: No translation group found for icmp src phoenix_private:172.18.138.111 dst inside:172.18.133.51 (type 8, code 0)
Aug 9 18:40:19 10.60.6.247 %PIX-3-305005: No translation group found for udp src phoenix_private:172.18.138.111/3832 dst inside:172.18.133.51/53

No isakmp or ipsec debug messages appear, but you'd expect that, as the PIX doesn't even seem to link the traffic with the access-list or NAT.

I'm obviously doing something stupid; can someone point out what it is? Thanks.

Jon.

Accepted Solution
New Member

Re: Simple PIX to PIX VPN issues

hello,

1. You should create a second access-list, like:

access-list outside_cryptomap permit ip 172.18.138.0 255.255.255.0 172.18.133.0 255.255.255.0

and

2. Instead of

crypto map transam 1 match address 101

you should configure

crypto map transam 1 match address outside_cryptomap

The problem is that you configure one ACL for both NAT and crypto; that does not work.

regards

alex
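As an added illustration (not code from the thread or from Cisco), the following Python script lints the relevant PIX lines for the three pitfalls the replies identify: the same ACL reused for nat 0 and the crypto map, a crypto ACL that contains the reverse (remote to local) entry, and a crypto map bound to an interface other than the peer-facing one where isakmp is enabled. The two config samples are constructed from the question and the replies; the expected peer-facing interface name is assumed to be "outside".

```python
import re
# Constructed sample: the relevant lines of the config posted in the question.
POSTED = """
access-list 101 permit ip 172.18.138.0 255.255.255.0 172.18.133.0 255.255.255.0
access-list 101 permit ip 172.18.133.0 255.255.255.0 172.18.138.0 255.255.255.0
nat (phoenix_private) 0 access-list 101
crypto map transam 1 match address 101
crypto map transam interface inside
isakmp enable inside
"""
# Constructed sample: the same lines after applying the advice in the replies.
FIXED = """
access-list 101 permit ip 172.18.138.0 255.255.255.0 172.18.133.0 255.255.255.0
access-list outside_cryptomap permit ip 172.18.138.0 255.255.255.0 172.18.133.0 255.255.255.0
nat (phoenix_private) 0 access-list 101
crypto map transam 1 match address outside_cryptomap
crypto map transam interface outside
isakmp enable outside
"""
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) \S+ (\S+) \S+$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
MAP_IF_RE = re.compile(r"^crypto map \S+ interface (\S+)$")

def lint_pix_vpn(config, local_net, remote_net, peer_if="outside"):
    """Return a list of findings for the pitfalls raised in this thread (empty when clean)."""
    acls, nat0_acl, crypto_acl, crypto_if, isakmp_ifs = {}, None, None, None, set()
    for line in config.strip().splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := NAT0_RE.match(line):
            nat0_acl = m.group(1)
        elif line.startswith("crypto map ") and " match address " in line:
            crypto_acl = line.split()[-1]
        elif m := MAP_IF_RE.match(line):
            crypto_if = m.group(1)
        elif line.startswith("isakmp enable "):
            isakmp_ifs.add(line.split()[-1])
    findings = []
    # Accepted answer: do not reuse the nat 0 ACL as the crypto map's match ACL.
    if crypto_acl is not None and crypto_acl == nat0_acl:
        findings.append(f"ACL {crypto_acl} is used for both nat 0 and the crypto map")
    # Silver reply: the crypto ACL holds local -> remote only, never the reverse entry.
    for src, dst in acls.get(crypto_acl, []):
        if (src, dst) != (local_net, remote_net):
            findings.append(f"crypto ACL {crypto_acl} entry {src} -> {dst} is not local -> remote")
    # Corrected config in the thread: crypto map and isakmp sit on the peer-facing interface.
    if crypto_if is not None and (crypto_if != peer_if or crypto_if not in isakmp_ifs):
        findings.append(f"crypto map bound to {crypto_if}; expected {peer_if} with isakmp enabled there")
    return findings
```

Running `lint_pix_vpn(POSTED, "172.18.138.0", "172.18.133.0")` reports all three problems, while the same call on `FIXED` returns an empty list.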

6 Replies
New Member

Re: Simple PIX to PIX VPN issues

Hi,

It seems that the PIX doesn't know to which address to translate inside IP 172.18.133.51. Did you set the addresses or interfaces to which inside local addresses will be translated (global ())?

New Member

Re: Simple PIX to PIX VPN issues

I don't think I need a global. I've used nat 0 to stop NATting from happening.

Silver

Re: Simple PIX to PIX VPN issues

Your access-list is incorrect. It should contain only one line, which is from your network to the remote network ONLY. On the other side it should contain only a line from the other network to your network.

Let me know if this solved the problem,

New Member

Re: Simple PIX to PIX VPN issues

Local:

access-list 101 permit ip 172.18.138.0 255.255.255.0 172.18.133.0 255.255.255.0 # from local network to remote network #
nat (phoenix_private) 0 access-list 101
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 172.18.126.233 # remote peer outside interface IP address #
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside # IPsec initiated from outside interface #
isakmp enable outside # enable on outside interface #
isakmp key ******** address 172.18.126.233 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000

Remote: the reverse.


New Member

Re: Simple PIX to PIX VPN issues

Thanks, all, for the advice. I figured it out and then checked back to see my actions confirmed. Stupid me.

Thanks.
