Cisco Support Community
Bronze

VPN config 501 PIX to 2621XM Router

Can someone post a config to setup a VPN between a 501 PIX and a 2621XM router? I need the config for both devices. The connection will be made over a cable internet connection. Thanks!

11 REPLIES

Re: VPN config 501 PIX to 2621XM Router

Hello Mike

Have a look at this URL; it will be of great help to you.

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml

Hope this helps. All the best. Rate replies if found useful.

Raj

Bronze

Re: VPN config 501 PIX to 2621XM Router

Thanks for the link. Great document. I followed it to the best of my skills, but it doesn't seem to be working. Here's what I added to or changed on my PIX and my router. I replaced my router and PIX outside IPs with rrr.rrr.rrr.rrr for the router IP and ppp.ppp.ppp.ppp for the PIX WAN IP. Any ideas? Thanks!!

Adds/Changes to PIX

nat (inside) 2 access-list nonat 0 0
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
access-list nonat permit ip 172.16.1.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list ipsec permit ip 172.16.1.0 255.255.255.0 172.16.0.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set avalanche esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map forsberg 21 ipsec-isakmp
crypto map forsberg 21 match address ipsec
crypto map forsberg 21 set peer rrr.rrr.rrr.rrr
crypto map forsberg 21 set transform-set avalanche
crypto map forsberg interface outside
isakmp enable outside
isakmp key westernfinal2000 address rrr.rrr.rrr.rrr netmask 255.255.255.255
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1

Adds/Changes to Router

crypto isakmp policy 11
 hash md5
 authentication pre-share
crypto isakmp key westernfinal2000 address ppp.ppp.ppp.ppp
crypto ipsec transform-set sharks esp-des esp-md5-hmac
crypto map nolan 11 ipsec-isakmp
 set peer ppp.ppp.ppp.ppp
 set transform-set sharks
 match address 120
interface Fa0/1
 no ip directed-broadcast
 no ip route-cache
 crypto map nolan
ip nat pool branch rrr.rrr.rrr.rrr rrr.rrr.rrr.rrr netmask 255.255.255.240
ip nat inside source route-map nonat pool branch overload
route-map nonat permit 10
 match ip address 130

Cisco Employee

Re: VPN config 501 PIX to 2621XM Router

Mike,

In the PIX configuration, your "nat (inside) 2 access-list nonat 0 0" should be "nat (inside) 0 access-list nonat".

In the router configuration, you need to configure an access-list 120 for "match address 120". The access-list must be an exact mirror image of the access-list that you defined on the PIX.

Example:

access-list 120 permit ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255

After you make the above changes, do a "clear xlate" on the PIX and then try to bring up the tunnel. If you run into any issues establishing the IPsec tunnel, please post the outputs of "deb cry isakmp" and "deb cry ipsec" from the router when you try to bring up the tunnel.

Regards,

Arul

** Please rate all helpful posts **
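A quick way to check the "exact mirror image" requirement from the reply above before reaching for debugs, as an added example that is not part of this thread and not a Cisco tool: the script parses the PIX crypto ACL (which uses subnet masks) and the IOS crypto ACL (which uses wildcard masks), normalises both to networks, and reports any entry that lacks a swapped-direction counterpart on the other side. The PIX line and the mirrored IOS line are taken from the thread; the "copied" IOS line is constructed to show the usual mistake of pasting the PIX direction unchanged. It handles only the network/mask form used here (no host/any keywords, no port matches).

```python
import ipaddress
import re
from typing import List, NamedTuple, Tuple


class AclEntry(NamedTuple):
    """One normalised crypto-ACL line. Networks are stored as IPv4Network so a
    PIX subnet-mask line and an IOS wildcard-mask line compare equal."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


# Matches "access-list NAME ACTION PROTO SRC MASK DST MASK", the form both
# devices use in this thread (no 'host'/'any' keywords, no ports).
_ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"\s+(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)\s*$"
)


def wildcard_to_mask(wildcard: str) -> str:
    """IOS wildcard (0.0.0.255) -> subnet mask (255.255.255.0).
    A non-contiguous wildcard cannot describe a single network; ipaddress
    rejects the inverted value as an invalid netmask later on."""
    return ".".join(str(255 - int(octet)) for octet in wildcard.split("."))


def _network(addr: str, mask: str, platform: str) -> ipaddress.IPv4Network:
    """PIX 6.x ACLs take subnet masks; IOS numbered ACLs take wildcard masks."""
    if platform == "ios":
        mask = wildcard_to_mask(mask)
    # strict=False tolerates host bits set in the address field
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_acl(lines: List[str], platform: str) -> List[AclEntry]:
    """Parse the access-list lines of one device; other config lines are skipped."""
    if platform not in ("pix", "ios"):
        raise ValueError("platform must be 'pix' or 'ios'")
    entries = []
    for line in lines:
        m = _ACL_RE.match(line.strip())
        if m:
            entries.append(AclEntry(
                m["action"], m["proto"],
                _network(m["src"], m["smask"], platform),
                _network(m["dst"], m["dmask"], platform),
            ))
    return entries


def mirror_mismatches(local: List[AclEntry], remote: List[AclEntry]) -> Tuple[list, list]:
    """Return (local entries with no mirror on remote, remote entries with no
    mirror on local). A mirror is the same action and protocol with src and
    dst swapped; two empty lists mean the crypto ACLs match exactly."""
    local_set = {(e.action, e.proto, e.src, e.dst) for e in local}
    remote_swapped = {(e.action, e.proto, e.dst, e.src) for e in remote}
    return sorted(local_set - remote_swapped), sorted(remote_swapped - local_set)


def crypto_acls_match(pix_lines: List[str], ios_lines: List[str]) -> bool:
    """True when the PIX crypto ACL and the IOS crypto ACL mirror each other."""
    unmatched_pix, unmatched_ios = mirror_mismatches(
        parse_acl(pix_lines, "pix"), parse_acl(ios_lines, "ios"))
    return not unmatched_pix and not unmatched_ios


# Sample input: the PIX line posted in the thread, the IOS line suggested in
# the reply, and a constructed IOS line that copies rather than mirrors it.
PIX_IPSEC_ACL = [
    "access-list ipsec permit ip 172.16.1.0 255.255.255.0 172.16.0.0 255.255.255.0",
]
IOS_ACL_120_MIRRORED = [
    "access-list 120 permit ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255",
]
IOS_ACL_120_COPIED = [  # constructed: wrong direction
    "access-list 120 permit ip 172.16.1.0 0.0.0.255 172.16.0.0 0.0.0.255",
]

if __name__ == "__main__":
    print("mirrored:", crypto_acls_match(PIX_IPSEC_ACL, IOS_ACL_120_MIRRORED))  # True
    print("copied:  ", crypto_acls_match(PIX_IPSEC_ACL, IOS_ACL_120_COPIED))    # False
    for entry in mirror_mismatches(parse_acl(PIX_IPSEC_ACL, "pix"),
                                   parse_acl(IOS_ACL_120_COPIED, "ios"))[0]:
        print("PIX entry with no IOS mirror:", entry)
```

Run it against the two devices' full configs (paste each side's access-list lines into the lists) and fix any entry it reports before collecting "deb cry isakmp" output; a crypto ACL that is not an exact mirror is one of the more common reasons phase 2 never completes or only one direction of traffic passes.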

Bronze

Re: VPN config 501 PIX to 2621XM Router

I'm new to this, so can you explain the change in the nat statement? Here is a complete list of nat statements on my PIX.

nat (inside) 0 access-list vpn
nat (inside) 2 access-list nonat 0 0
nat (inside) 1 172.16.1.0 255.255.255.0 0 0

I have a PPTP VPN already set up. That's why I have the access-list vpn.

I added the access-list 120 to the router. Still no luck yet, though.

What does this mean when I do "show crypto isakmp sa" on the router?

labrouter#show crypto isakmp sa
ISAKMP is turned off

Thanks!!

Bronze

Re: VPN config 501 PIX to 2621XM Router

It looks like I got the config right now that I can bring up the VPN tunnel, but I am not able to reach anything on the router network from the PIX network. I did add a route statement, but I'm not sure if I need it or if it's right. In the configs ppp.ppp.ppp.ppp represents the PIX internet IP and rrr.rrr.rrr.rrr represents the router internet IP.

Both configs are attached. Thanks for your help getting me this far! Let me know what I could try next. Thanks!

Bronze

Re: VPN config 501 PIX to 2621XM Router

Any ideas anyone? Thanks!

Re: VPN config 501 PIX to 2621XM Router

Hello Mike.

I don't see any default route on the PIX. There is only one route, which is:

route outside 172.16.0.0 255.255.255.0 rrr.rrr.rrr.rrr 1

You need a default route to make this work. Add a route:

route outside 0.0.0.0 0.0.0.0 next_hop

Let us know if this works.

Raj

Bronze

Re: VPN config 501 PIX to 2621XM Router

What should I put in for next_hop? My PIX works fine to get on and surf the net.

The route outside statement I have in my PIX config is to send anything destined for the 172.16.0.0 network to the router's WAN IP. Is that correct?

Re: VPN config 501 PIX to 2621XM Router

How can the internet work without a default route? How will it reach the peer IP at the other end without a route? Is the internet getting bypassed through the PIX by any chance?

Raj

Silver

Re: VPN config 501 PIX to 2621XM Router

The default route is set by the following line in the PIX config:

ip address outside dhcp setroute

The ip address dhcp command enables the DHCP client feature on the outside PIX Firewall interface. The optional setroute argument tells the PIX Firewall to set the default route using the default gateway parameter the DHCP server returns. If the setroute argument is configured, the show route command displays the default route set by the DHCP server.

Cisco Employee

Re: VPN config 501 PIX to 2621XM Router

Mike,

Can you post the outputs of "deb cry isakmp" and "deb cry ipsec" from both the Pix and Router when you try to bring up the tunnel.

Regards,

Arul