PIX 501 with public several IP addresses

Similar Questions

• PIX 501, 1 static IP, IP address dynamic 2. Mesh full possible?

  I have 3 sites. All sites have PIX 501. Central site has a static IP, 2 remote sites a dynamic IP.

  I have no problem with the connection to the central site by using their dynamic IP address in a remote star connection.

  Is it possible for 2 remote sites communicate? There is data that must be transferred between remote sites. I read somewhere in cisco site web which its possible via mesh on request.

  Does anyone have an example of configuration on a VPN Site to Site where the Central site has static IP and remote sites with a dynamic IP? Remote locations teaches a dynamic IP from remote sites to the central server.

  Thank you.

  With IOS as your hub and then the Yes rays, the rays can learn dynamically address other departments using the PNDH. This type of configuration is called Dynamic Multipoint VPN (DMVPN), you can read everything you need to know about this here:

  http://www.Cisco.com/warp/public/105/DMVPN.html

  Even with EzVPN (not DMVPN) the rays will not learn the address of other rays, all communication is always via the hub. Call another talks would work, but as I said, the packages will talk-star.

• PIX 501 with Actiontec Q1000 in Bridge mode

  I have an Actiontec Q1000 Qwest racetrack with 8 static IP addresses.  I want to put the Actiontec in bridge mode and connect the PIX.  I have configured the PIX as follows, but there are some things that are unclear to me:

  IP address outside pppoe setroute

  VPDN group chi request dialout pppoe

  VPDN group chi localname xxxxx

  VPDN group chi ppp authentication pap

  VPDN username password xxxxx xxxxx

  Qwest gave me a block of 8 IP, and they either of them specified as a gateway address.

  This IP will get the external interface?

  Can I use setroute with Qwest, or I need to specify a default route instead?

  Can I assign the gateway address to the external interface of the PIX?

  My ultimate goal is to be able to configure the PIX to allow client software Cisco VPN incoming connections.

  Thank you very much for all your comments.

  P.S. I can't just try, because I am in California and I need to set it up and send it to Utah, where I there will have access via SSH.

  The ip address will be given by provide it during the negotiation of PPPoE.

  You should be able to use the road together, I would expect Qwest provide the default route in PPPoE.

  I should get it by the ISP automatically.

  Please evaluate the useful messages.

  PK

• VPN site-to-site between two PIX 501 with Client VPN access

  Site A and site B are connected with VPN Site to Site between two PIX 501.

  Also, site A is configured for remote access VPN client. If a remote client connects to Site A, it can only get access to the LAN of Site A, it cannot access anything whatsoever behind PIX on Site B.

  How is that possible for a VPN client connected to Site A to Site B?

  Thank you very much.

  Alex

  Bad and worse news:

  Bad: Not running the 7.0 series PIX cannot route traffic on the same interface, the traffic is recived. Version 7.0 solves this ipsec traffic.

  Even worse: PIX 501 can not be upgraded to 7.0...

  A couple of things to think about would be the upgrade to hardware that can run the new IOS or allowing a VPN R.A. on site B.

  HTH Please assess whether this is the case.

  Thank you

• VPN PPTP and PPPOE CLIENT ON PIX 501

  Hello

  Can I create a PPTP VPN and a client connection on a PIX 501 with a client to my ISP PPPOE connection. The PPPOE ip is dynamic and the VPN will be a static IP address. They gave me a username and password for VPN and PPPOE. Him also gave me an ip address for the VPN server.

  Should that happen, it's that the PPPOE should connect to the VPN to work.

  I can only get the PPPOE, but I don't know how to do this with a PPTP VPN set.

  Here is my config:
  
  PIX Version 6.3(3)
  
      interface ethernet0 auto
  
      interface ethernet1 100full
  
      nameif ethernet0 outside security0
  
      nameif ethernet1 inside security100
  
      enable password xxxxxxxx encrypted
  
      passwd xxxxxxx encrypted
  
      hostname neveroff
  
      domain-name neveroff.com
  
      fixup protocol dns maximum-length 512
  
      fixup protocol ftp 21
  
      fixup protocol h323 h225 1720
  
      fixup protocol h323 ras 1718-1719
  
      fixup protocol http 80
  
      fixup protocol rsh 514
  
      fixup protocol rtsp 554
  
      fixup protocol sip 5060
  
      fixup protocol sip udp 5060
  
      fixup protocol skinny 2000
  
      fixup protocol smtp 25
  
      fixup protocol sqlnet 1521
  
      fixup protocol tftp 69
  
      names
  
      access-list incoming permit icmp any any echo-reply
  
      access-list incoming permit icmp any any source-quench
  
      access-list incoming permit icmp any any unreachable
  
      access-list incoming permit icmp any any time-exceeded
  
      pager lines 24
  
      icmp permit any echo outside
  
      icmp permit any unreachable outside
  
      icmp permit any time-exceeded outside
  
      icmp permit any source-quench outside
  
      icmp permit any echo-reply outside
  
      icmp permit any information-reply outside
  
      icmp permit any mask-reply outside
  
      icmp permit any timestamp-reply outside
  
      mtu outside 1500
  
      mtu inside 1500
  
      ip address outside pppoe setroute
  
      ip address inside 192.168.1.1 255.255.255.0
  
      ip audit info action alarm
  
      ip audit attack action alarm
  
      pdm logging informational 100
  
      pdm history enable
  
      arp timeout 14400
  
      global (outside) 1 interface
  
      nat (inside) 1 192.168.1.0 255.255.255.0 0 0
  
      static (inside,outside) tcp interface smtp 192.168.1.201 smtp netmask 255.255.255.255 0 0
  
      access-group incoming in interface outside
  
      timeout xlate 0:05:00
  
      timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  
      timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  
      timeout uauth 0:05:00 absolute
  
      aaa-server TACACS+ protocol tacacs+
  
      aaa-server RADIUS protocol radius
  
      aaa-server LOCAL protocol local
  
      http server enable
  
      no snmp-server location
  
      no snmp-server contact
  
      snmp-server community public
  
      no snmp-server enable traps
  
      floodguard enable
  
      telnet timeout 5
  
      ssh 0.0.0.0 0.0.0.0 outside
  
      ssh 0.0.0.0 0.0.0.0 inside
  
      ssh timeout 5
  
      console timeout 0
  
      vpdn group pppoex request dialout pppoe
  
      vpdn group pppoex localname xxxxxxxxx
  
      vpdn group pppoex ppp authentication chap
  
      vpdn username xxxxxxxx password xxxxxxxx
  
      dhcpd address 192.168.1.10-192.168.1.41 inside
  
      dhcpd dns 192.168.1.1 168.210.2.2
  
      dhcpd lease 3600
  
      dhcpd ping_timeout 750
  
      dhcpd auto_config outside
  
      dhcpd enable inside
  
      username neveroff password TEnlGTQMwqamBzMn encrypted privilege 2
  
      terminal width 80
  
      Cryptochecksum:c5bfafa70f21ed55cc1b3df377e110bf
  
      : end
  
      

  Thank you

  Etienne

  Happy to help and please kindly mark the message as answered if you have not more than other questions. Thank you.

• PIX 501 PPPoE w / static NAT loss of connectivity

  I have a {should} installation very simple. PIX 501 with PPPoE on the external interface, 3 inside customers using PAT and 1 inside the client I am trying to use an address mapping static on permit communications with this host from the outside using a particular service. I did a lot of these before where there was an ADSL router in front of the PIX, but this is the first where I've used the PIX as the PPPoE client. When I use the static NAT for the single host it loses all connectivity beyond the PIX outside interface. When I get rid of the static mapping, through PAT very well. I spent many hours troubleshooting and control a lot of obvious things, but I am at a loss right now... unless it could be a problem with the IP address that has been assigned by the ISP for use with static NAT. Any thoughts on this would be greatly appreciated.

  Thank you

  Sorry, in your case that static would look like this because of the dynamic IP.

  static (inside, outside) 23 interface 10.1.1.1 23 netmask 255.255.255.255

  Daniel

• PIX 501 Logging

  I would like to open a session of hacking and intrusion of the attacks through a PIX 501 with a connection to broadband in a Home Office Setup. I have the camera upwards and the race and I am currently Setup with the Kiwi Syslog Dameon. What would be my best approach Logging all relevant information with the load to the bottom of the unit? Any suggestions / tips would be appreciated.

  Thank you

  It is a common logging configuration that I use:

  opening of session

  timestamp of the record

  logging trap information

  host of logging inside x.x.x.x

  No registration message 106015

  No message logging 106007

  No message logging 105003

  No registration message 105004

  No message recording 309002

  No message logging 305012

  No registration message 305011

  No message logging 303002

  No message logging 111008

  No message logging 302015

  No message recording 302014

  No message logging 302013

  No registration message 304001

  No message logging 111005

  No message logging 609002

  No message recording 609001

  No message logging 302016

  I usually do not enable the logging buffer (never use connection console it will affect performance) because it's not the messages timestamp (it only timestamps in the syslog). But the PIX loaded down with the load, you and Kiwi you before the PIX don't.

  Also turn on the IDs on the PIX.

  It will be useful.

  Steve

• Configure the PIX 501 for IDS

  I have a PIX 501 with wired high-speed LAN headquarters inside and outside. Which would be a solid policy IDS to enable and what interfaces it must be applied to? There will be other measures necessary to enable IDS?

  IDS on the PIX itself is very limited, it checks only 59 signatures listed here (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/gl.htm#xtocid9 under the section of signatures supported IDS). The signatures themselves are pretty basic.

  If you do not want to activate this, then for the signatures of attacks I would fix for drop/alarm/reset action, which is the default anyway.

  You will also need to set the logging to a syslog server and monitoring for any 4000nn messages in syslog, cause it event IDS.

• PIX 501 NAT and PAT with a single IP address

  Using the following configuration, on my first PIX 501, I am unable to provide a server of mail to the outside world and allows inside customers to browse the Internet. :

  6.3 (5) PIX version

  interface ethernet0 car

  interface ethernet1 100full

  ethernet0 nameif outside security0

  nameif ethernet1 inside the security100

  enable password xxxx

  passwd xxx

  hostname fw-sam-01

  SAM domain name

  fixup protocol dns-length maximum 512

  fixup protocol ftp 21

  fixup protocol h323 h225 1720

  fixup protocol h323 ras 1718-1719

  fixup protocol http 80

  fixup protocol rsh 514

  fixup protocol rtsp 554

  fixup protocol sip 5060

  fixup protocol sip udp 5060

  fixup protocol 2000 skinny

  No fixup not protocol smtp 25

  fixup protocol sqlnet 1521

  fixup protocol tftp 69

  names of

  outside access list permit tcp any host 62.x.x.109 eq smtp

  access the inside to allow tcp a whole list

  pager lines 24

  Outside 1500 MTU

  Within 1500 MTU

  IP address outside the 62.177.x.x.x.255.248

  IP address inside 192.168.45.1 255.255.255.0

  alarm action IP verification of information

  alarm action attack IP audit

  location of PDM 192.168.45.2 255.255.255.255 inside

  PDM logging 100 information

  history of PDM activate

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

  public static 62.177.x.x.x.45.2 (Interior, exterior) mask subnet 255.255.255.255 0 0

  outside access-group in external interface

  group-access to the Interior in the interface inside

  Route outside 0.0.0.0 0.x.x.x.177.208.105 1

  Timeout xlate 0:05:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

  Sip timeout - disconnect 0:02:00 prompt Protocol sip-0: 03:00

  Timeout, uauth 0:05:00 absolute

  GANYMEDE + Protocol Ganymede + AAA-server

  AAA-server GANYMEDE + 3 max-failed-attempts

  AAA-server GANYMEDE + deadtime 10

  RADIUS Protocol RADIUS AAA server

  AAA-server RADIUS 3 max-failed-attempts

  AAA-RADIUS deadtime 10 Server

  AAA-server local LOCAL Protocol

  Enable http server

  http 192.168.45.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  SNMP-Server Community public

  No trap to activate snmp Server

  enable floodguard

  Telnet 192.168.45.0 255.255.255.0 inside

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  dhcpd lease 3600

  dhcpd ping_timeout 750

  : end

  It is I'am using access list and groups wrong or am I wrong in PAT/NAT configuration.

  Please advise...

  Hello

  I went through the ongoing discussion. The pix configuration should be fine for now according to suggestions. The problems seems to be on the server. If it is a new installation of windows, then there is an option not to accept requests that are not local network.

  If you want to check if pix allows connections and then when you telnet to port 25 of the outside, just run the xlates control.

  SH xlate and it should show you a translation for the inside host. More than a quick test if pix allows traffic is to check 'sho-outdoor access list' and see if the counters are increasing.

  Hopefully this should help you.

  Arun S.

• Port forwarding with PIX 501

  I try to get my PIX 501 to forward traffic on port 1412 with TCP and UDP to use Direct Connect, and the problem I have is I can connect to a DC hub, but cannot establish connections with users.

  I added the following to the default configuration from the factory with a partial success:

  outside access list permit tcp any host 192.168.100.20 eq 1412

  access-list outside permit udp any host 192.168.100.20 eq 1412

  public static tcp (indoor, outdoor) interface 1412 192.168.100.20 1412 netmask 255.255.255.255 0 0

  public static tcp (indoor, outdoor) interface 1412 192.168.100.20 1412 netmask 255.255.255.255 0 0

  In the debug log set to the access list I rule this type of errors:

  Deny tcp src outside other.users.ip.addr/3099 dst within the my.public.ip.addr/1412 by access-group "access_outside_in".

  TCP request discarded outside my.public.ip.addr/45961 other.users.ip.addr/2362

  I'm quite lost as to why it does not work when I think it should. I tried several ways, opening of port ranges and no chance for a transfer of the port sucsessful.

  You can change you, outside the ACL to the following:

  outside access list permit tcp any host eq 1412

  access-list outside permit udp any host eq 1412

  outside access-group in external interface

  Save again with: write mem and also issue: clear xlate

  I would like to know if it works.

  Jay

• VPN between cisco unified customer 3.6.3 and Pix 501 6.2 (1) with the MS CA server

  Hello

  I have Microsoft CA server with the latest support CEP and pix 501 that gets the digital certificate. I also have the client certificate of Cisco, but VPN doesn't work

  In the IPSec Log Viewer, I constantly "CM_IKE_ESTABLISH_FAIL."

  It worked well prior to Win2k server has been completely updated with the latest patches.

  The pix configuration is identical to that of article http://www.cisco.com/warp/public/471/configipsecsmart.html

  I reinstall the stand-alone CA and support CEP server but not had any luck.

  What could be wrong?

  It looks like IKE implementation problem. Make DH group 2 policy ISAKMP.

  Visit this link:

  http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_v53/IPSec/exvpncl.htm

• Help with vpn pix 501

  I'm setting up a cisco pix 501 vpn tunnel but will have questions. The Firewall works although I am able to get out of the internet, but the VPN does not work. On the primary side, I see that the tunnel is up and the traffic is sent but not received.

  Currently I'm sitting at the secondary location but don't know what the problem maybe. Anyone know what I have wrong which could prevent the data to send from this device?

  Here is my config

  Here's my config if it would help

  See the race
  : Saved
  :
  6.3 (5) PIX version
  interface ethernet0 car
  interface ethernet1 100full
  ethernet0 nameif outside security0
  nameif ethernet1 inside the security100
  activate 2KFQnbNIdI.2KYOU encrypted password
  2KFQnbNIdI.2KYOU encrypted passwd
  hostname ciscofirewall
  domain hillsanddales.com
  fixup protocol dns-length maximum 512
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol rsh 514
  fixup protocol rtsp 5
  fixup protocol rtsp 55
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol 2000 skinny
  fixup protocol smtp 25

  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names of
  access-list 101 permit ip 192.168.80.0 255.255.255.0 192.168.50.0 255.255.255.0
  192.168.80.0 IP Access-list sheep 255.255.255.0 allow 192.168.50.0 255.255.255.0
  in_outside list access permit tcp any host 192.168.50.240
  in_outside list access permit tcp any host 64.90.xxx.xx
  pager lines 24
  Outside 1500 MTU
  Within 1500 MTU
  IP address outside 66.84.xxx.xx 255.255.255.252
  IP address inside 192.168.80.1 255.255.255.0
  alarm action IP verification of information
  alarm action attack IP audit
  location of PDM 192.168.50.0 255.255.255.0 outside
  location of PDM 192.168.80.2 255.255.255.255 inside
  location of PDM 192.168.50.0 255.255.255.0 inside
  location of PDM 182.168.80.0 255.255.255.255 inside
  location of PDM 0.0.0.0 255.255.255.0 inside
  location of PDM 0.0.0.0 255.255.255.255 inside
  location of PDM 192.168.80.5 255.255.255.255 inside
  location of PDM 192.168.80.7 255.255.255.255 inside
  PDM logging 100 information
  history of PDM activate

  ARP timeout 14400
  Global 1 interface (outside)
  NAT (inside) 1 0.0.0.0 0.0.0.0 0 0
  Route outside 0.0.0.0 0.0.0.0 66.84.xxx.x
  Route inside 192.168.50.0 255.255.255.0 192.168.50.240 1
  Timeout xlate 0:05:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
  Sip timeout - disconnect 0:02:00 prompt Protocol sip-0: 03:00
  Timeout, uauth 0:05:00 absolute
  GANYMEDE + Protocol Ganymede + AAA-server
  AAA-server GANYMEDE + 3 max-failed-attempts
  AAA-server GANYMEDE + deadtime 10
  RADIUS Protocol RADIUS AAA server
  AAA-server RADIUS 3 max-failed-attempts
  AAA-RADIUS deadtime 10 Server
  AAA-server local LOCAL Protocol
  Enable http server
  http 192.168.80.0 255.255.255.0 inside
  No snmp server location
  No snmp Server contact
  SNMP-Server Community public
  No trap to activate snmp Server
  enable floodguard
  <--- more="" ---="">

  Permitted connection ipsec sysopt
  Crypto ipsec transform-set esp-3des esp-md5-hmac aptset
  aptmap 10 ipsec-isakmp crypto map
  correspondence address card crypto aptmap 10 101
  card crypto aptmap 10 peers set 64.90.xxx.xx
  card crypto aptmap 10 transform-set aptset
  aptmap interface card crypto outside
  ISAKMP allows outside
  ISAKMP key * address 64.90.xxx.xx netmask 255.255.255.255
  ISAKMP identity address
  ISAKMP nat-traversal 20
  part of pre authentication ISAKMP policy 10
  ISAKMP policy 10 3des encryption
  ISAKMP policy 10 md5 hash
  10 2 ISAKMP policy group
  ISAKMP life duration strategy 10 86400
  Telnet 192.168.80.2 255.255.255.255 inside
  Telnet 182.168.80.0 255.255.255.255 inside
  Telnet 192.168.80.5 255.255.255.255 inside
  Telnet 192.168.80.0 255.255.255.0 inside
  Telnet 192.168.80.7 255.255.255.255 inside
  Telnet timeout 5
  SSH timeout 5
  management-access inside

  Console timeout 0
  dhcpd address 192.168.80.2 - 192.168.80.33 inside
  dhcpd dns 64.90.xxx.xx 64.90.xxx.xx
  dhcpd lease 3600
  dhcpd ping_timeout 750
  dhcpd outside auto_config
  dhcpd allow inside
  Terminal width 80
  Cryptochecksum:01532689fac9491fae8f86e91e2bd4c0
  : end

  Hello

  At least the NAT0 ACL is not in use

  You should have this added to the configuration

  NAT (inside) 0 access-list sheep

  -Jouni

• PIX 501 will ios ver 6.2 come to him, with only 16ram 8flash? Thank you

  Wanted to load pdm 2.1.1 firewall and VPN. Found 501 takes ver 6.2 but not to enother ram.

  Thank you

  Phil

  From http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/relnotes/pixrn622.htm#xtocid4 :

  "The PIX 501 has 16 MB of RAM and will work correctly with Version 6.2, while all other PIX firewall platforms continue to require at least 32 MB of RAM (and are therefore also compatible with Version 6.2 or newer).

  In addition, all units except the PIX 501 and PIX 506/506E require 16 MB of Flash memory to boot. (The 501 PIX and PIX 506/506E have 8 MB of Flash memory, which works correctly with Version 6.2) »

  PIX firewall model... Flash memory required in point 6.2

  PIX 501 .......................... 8 MB

  Steve

• Problems with PIX 501 and Server MS Cert

  Hi all

  I have two problems with my PIX 501:

  1. registration works well. The pix has a certificate and use it with SSL and VPN connections. But after a refill, the pix certificate is lost and it has regenerated again self-signed certificate!

  Yes, I wrote mem and ca records all!

  2. at the request of ca CRL , I get the following debugging:

  Crypto CA thread wakes!

  CRYPTO_PKI: Cannot be named County ava

  CRYPTO_PKI: transaction GetCRL completed

  Crypto CA thread sleeps!

  CI thread wakes!

  And the CRL is empty.

  Does anyone have any idea?

  Bert Koelewijn

  Not sure about 1, but 2 is usually caused by the COP (Point of Distribution of CRL, basically the situation where the PIX can download the Revocation list from) listed in cert CA is in a format the PIX does not, generally an LDAP URL.

  Check the following prayer:

  Open the administration tool of CA (Certification Authority) then

  (1) right click on the name of CA and choose 'properties '.

  2) click on the tab "Policy Module".

  3) click on the button "configure."

  4) click on the tab "X.509 extensions".

  > From there, it can display the list of the "CRL Distribution Points".

  Turn off everything that isn't HTTP.

  You need to reinstall the CERT in the PIX, I think, but then it should be able to download the CRL through HTTP instead of LDAP.

• Problem with PIX 501-&gt; L2L 1721 VPN

  I am setting up a site to site vpn according to the http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008051a69a.shtml.

  I want to connect 192.168.105.0/24 and 192.168.106.0/24.

  PIX01 is 192.168.106.1, with dynamic external IP (B.B.B.B)

  RTR01 is 192.168.105.1, with dynamic external IP address (I'm just using DHCP current address of the ISP as A.A.A.A in the config of PIX01 - this is a temporary application, not critical where I can update the address if necessary)

  It seems that the VPN tunnel is established but traffic does not return the router to the pix.  I temporarily hosted all of the traffic on indoor/outdoor PIX interfaces (and icmp).

  If I enable icmp debug I see ping requests from the client to 192.168.106.100 internal interface of the router (192.168.105.1), but no return icmp:

  On PIX01:

  180:-Interior ICMP echo request: 192.168.105.1 ID = 1 length = 40 seq = 298 192.168.106.100
  181:-Interior ICMP echo request: 192.168.105.1 ID = 1 length = 40 seq = 299 192.168.106.100
  182:-Interior ICMP echo request: 192.168.105.1 ID = 1 length = 40 seq = 300 192.168.106.100
  183:-Interior ICMP echo request: 192.168.105.1 ID = 1 seq = length 301 = 40 192.168.106.100

  On RTR01:
  * 03:40:46.885 22 dec: ICMP: echo responded, 192.168.105.1 src, dst 192.168.106.100
  * 03:40:51.713 22 dec: ICMP: echo responded, 192.168.105.1 src, dst 192.168.106.100
  * 03:40:56.713 22 dec: ICMP: echo responded, 192.168.105.1 src, dst 192.168.106.100
  * 03:41:01.709 22 dec: ICMP: echo responded, 192.168.105.1 src, dst 192.168.106.100

  Output of running sh crypto isakmp his:

  PIX01 (config) # sh crypto isakmp his
  Total: 1
  Embryonic: 0
  Src DST in the meantime created State
  A.A.A.A B.B.B.B 0 1 QM_IDLE

  RTR01 #sh crypto isakmp his
  status of DST CBC State conn-id slot
  A.A.A.A B.B.B.B QM_IDLE 1 0 ACTIVE

  Out of HS crypto ipsec his:

  PIX01 (config) # sh crypto ipsec his

  Interface: outside
  Crypto map tag: IPSEC, local addr. B.B.B.B

  local ident (addr, mask, prot, port): (192.168.106.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.105.0/255.255.255.0/0/0)
  current_peer: A.A.A.A:500
  LICENCE, flags is {origin_is_acl},
  #pkts program: 103, #pkts encrypt: collection of #pkts 103, 103
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0, #pkts decompress failed: 0
  #send 12, #recv errors 0

  local crypto endpt. : B.B.B.B, remote Start crypto. : A.A.A.A
  Path mtu 1500, overload ipsec 56, media, mtu 1500
  current outbound SPI: 7cb75998

  SAS of the esp on arrival:
  SPI: 0xb896f6c6 (3096901318)
  transform: esp - esp-md5-hmac.
  running parameters = {Tunnel}
  slot: 0, conn id: 1, crypto card: IPSEC
  calendar of his: service life remaining (k/s) key: (4608000/3151)
  Size IV: 8 bytes
  support for replay detection: Y

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0x7cb75998 (2092390808)
  transform: esp - esp-md5-hmac.
  running parameters = {Tunnel}
  slot: 0, conn id: 2, crypto card: IPSEC
  calendar of his: service life remaining (k/s) key: (4607999/3151)
  Size IV: 8 bytes
  support for replay detection: Y

  outgoing ah sas:

  outgoing CFP sas:

  RTR01 #sh crypto ipsec his

  Interface: Vlan600
  Crypto map tag: IPSEC, local addr A.A.A.A

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (192.168.105.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.106.0/255.255.255.0/0/0)
  current_peer B.B.B.B port 500
  LICENCE, flags is {}
  program #pkts: 10, #pkts encrypt: 10, #pkts digest: 10
  decaps #pkts: 10, #pkts decrypt: 10, #pkts check: 10
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : A.A.A.A, remote Start crypto. : B.B.B.B
  Path mtu 1500, mtu 1500 ip, ip mtu BID Vlan600
  current outbound SPI: 0xB896F6C6 (3096901318)

  SAS of the esp on arrival:
  SPI: 0x7CB75998 (2092390808)
  transform: esp - esp-md5-hmac.
  running parameters = {Tunnel}
  Conn ID: 2002, flow_id: SW:2, crypto card: IPSEC
  calendar of his: service life remaining (k/s) key: (4556997/3076)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xB896F6C6 (3096901318)
  transform: esp - esp-md5-hmac.
  running parameters = {Tunnel}
  Conn ID: 2001, flow_id: SW:1, crypto card: IPSEC
  calendar of his: service life remaining (k/s) key: (4556997/3076)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  I can provide more information if necessary.

  Thanks in advance for any help,

  CJ

  ISAKMP uses UDP/500 and it is true he helped through phase 1 being upwards (QM_IDLE).

  IPSec uses ESP or UDP/4500, and this is what must be authorized by the FW.