VPN site to site pix 501.
Hi all. I'm new to the forum and to the world of PIX. I am trying to configure a VPN from point A to point B. I tried through the PDM and had no success, and I tried examples such as Document ID 6211, also without success. I don't know what minor detail I forgot, but any help would be appreciated.
I added the config for the pix 501 located at each end.
TIA
Tom
Tom,
You're missing the nat 0 for your crypto ACL on the two PIX.
Add:
> nat (inside) 0 access-list 101
Hope this helps, and please post a note if it doesn't.
Jay
Tags: Cisco Security
Similar Questions
-
Site to Site VPN help, PIX 501
Hello
I'm pretty new to the PIX firewall, so I hope someone here can help me.
I have two PIXes and am trying to create a virtual private network between them. I posted the configs below.
The problem is that I can ping PIX TWO from PIX ONE, but I can't ping the servers behind PIX TWO. From PIX TWO, I cannot ping PIX ONE or any of the servers behind it.
Any advice would be appreciated.
Thank you
PIX 1
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname TMAXWALES
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside_outbound_nat0_acl permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside *.*.198.139 255.255.255.248
ip address inside 192.168.254.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.254.10 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 *.*.198.137 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.254.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer *.*.198.138
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key * address *.*.198.138 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
terminal width 80
PIX 2
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname tmaxbangor
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
pager lines 24
logging on
logging buffered debugging
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside *.*.198.138 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 *.*.198.137 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.84.7.111 255.255.255.255 inside
http 192.168.1.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer *.*.198.139
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key * address *.*.198.139 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 50
ssh timeout 5
terminal width 80
I can't see anything obviously wrong with the configs. You have these connected back to back on the same subnet, it looks like, even though you have x'd out the IP addresses? If so, it's maybe a routing problem, in that they send everything to the default gateway of xxx.x.198.137 rather than to each other.
Try adding a static route to the remote subnet on each PIX that points directly to the peer, so on PIX1 you should have:
route outside 192.168.1.0 255.255.255.0 xxx.x.198.138
and on PIX2 do:
route outside 192.168.254.0 255.255.255.0 xxx.x.198.139
and see if that makes a difference. Note that you wouldn't encounter this problem when the two PIXes are on separate networks and use the default gateway for all routing decisions.
If this still fails, run 'debug cryp isa' and 'debug cry ipsec' on both PIXes while they are trying to build the tunnel again, and then send us the output.
Also, make sure in your tests that you're pinging from a host behind one PIX to a host behind the other PIX; pinging PIX to PIX, or host to PIX, won't test your VPN connection.
-
Number of VPN clients behind a PIX 501, restriction?
Is there a restriction on the number of VPN clients that can be behind a PIX 501, or is it just limited by the number of hosts (10, 50, unlimited)?
Hello
VPN clients behind a PIX will use NAT-T (must). They are limited only by the number of users (normal users) through the PIX. So if you have a license for 10 or 50 users, the VPN connection is counted in that list.
VPN client connections through the PIX are not IKE tunnels. They are normal UDP 500 and UDP 4500 peers.
Vikas
-
Hello.. I am a beginner in this kind of Cisco thing...
I'm trying to set up multiple VPNs on a Cisco PIX 501 firewall with Linksys BEFVP41 routers...
Since I'm not very familiar with the CLI, I use the PDM utility, and it was very easy for the first one... Unfortunately, I get this error when I try to add the second VPN using the VPN Wizard:
(ERR) crypto map outside_map set peer 200.20.10.3
WARNING: This crypto map is incomplete
To remedy the situation add a peer and a valid access list to this crypto map
Hi garcia
for each VPN/peer, you need a separate instance of the crypto map; the map will have the same name but a different sequence number... only one crypto map can be applied to an interface, but you can have several instances (entries) inside the main map...
for configuration, you can go through the URL below... it has all the details on IPsec config:
http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/config/ipsecint.htm
I hope this helps... all the best... please rate the responses if deemed useful...
REDA
-
Customer Cisco PIX 501 VPN connects but no connection to the local network
Hi all:
I am able to make a VPN connection to a PIX 501. The remote client is also assigned an IP (192.168.2.1), but it is not able to access any of the machines on the local network connected to the PIX.
I have attached the PIX configuration.
Advice will be greatly appreciated.
********************
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx encrypted
passwd xxxxx encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.2.1-192.168.2.5
pdm location 192.168.2.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set RIGHT esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set RIGHT
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server 68.87.72.130
vpngroup vpn3000 wins-server 192.168.1.100
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxx
****************
The DNS server is the one assigned to me by my ISP.
My internal network connected to the PIX is 192.168.1.1 - 192.168.1.33 and the VPN ip pool is 192.168.2.1 - 192.168.2.5
"isakmp nat-traversal 20" can do the trick.
-
Cisco 3640 to PIX 501 site-to-site VPN performance specifications
I intend to create a site-to-site VPN in a star configuration with a Cisco 3640 as the hub and PIX 501s at the remote sites. My question is about the spec sheet that I read.
The specifications for a PIX-501-BUN-K9 say PIX 501 3DES Bundle (chassis, SW, 10 users, 3DES).
One question is what "10 users" really means. Is it the limit on the number of concurrent sessions I can have over the VPN at a given time, or does it mean something else?
I also read in the specs that the maximum number of VPN tunnels a PIX 501 can support is 5. Since I'm only going to have one tunnel between the PIX 501 at the remote site and the 3640 at the central site, I think I would be OK. Is that correct, or does the maximum refer to the maximum number of concurrent sessions across the tunnel(s)?
Thank you.
UDP traffic always creates a session in the PIX so that the return traffic will be allowed in. The UDP timeout is 2 minutes by default, IIRC. If you bypass NAT with a "nat 0" statement it shouldn't create an xlate, I think.
The real number is hard to say, really; probably around 2 minutes for a UDP-only user. You would have to run a few 'sho local-host' commands on the PIX to really see for sure, however.
-
VPN site-to-site between two PIX 501 with Client VPN access
Site A and site B are connected with a site-to-site VPN between two PIX 501s.
Also, site A is configured for remote-access VPN clients. If a remote client connects to Site A, it can only get access to the LAN of Site A; it cannot access anything at all behind the PIX at Site B.
How is it possible for a VPN client connected to Site A to reach Site B?
Thank you very much.
Alex
Bad and worse news:
Bad: A PIX not running the 7.0 series cannot route traffic back out the same interface the traffic was received on. Version 7.0 solves this for IPsec traffic.
Worse: the PIX 501 cannot be upgraded to 7.0...
A couple of things to think about would be upgrading to hardware that can run the new OS, or allowing remote-access VPN on site B.
HTH. Please rate if this helps.
Thank you
-
Simple lab site to site VPN does not work - pix to pix
Hi all, I have a lab at home configuring a site to site VPN between 2 Cisco PIX 501 devices, but it does not work. Can anyone help? I have attached the following running configs. Thank you
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password NuLKvvWGg.x9HEKO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname CiscoPix2
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list ping_acl permit icmp any any
access-list 90 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.2 255.255.255.0
ip address inside 192.168.1.100 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 90
access-group ping_acl in interface outside
access-group ping_acl in interface inside
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map topix1 20 ipsec-isakmp
crypto map topix1 20 match address 100
crypto map topix1 20 set peer 10.0.0.1
crypto map topix1 20 set transform-set strong
crypto map topix1 interface outside
isakmp enable outside
isakmp key * address 10.0.0.1 netmask 255.255.255.255
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash sha
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:81f37c16401555abe7299b5a95e69d3d
: end
//////////////////////////////////////////////////////////////
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password NuLKvvWGg.x9HEKO encrypted
passwd NuLKvvWGg.x9HEKO encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ping_acl permit icmp any any
access-list 90 permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.1 255.255.255.0
ip address inside 192.168.0.100 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 90
access-group ping_acl in interface outside
access-group ping_acl in interface inside
route outside 0.0.0.0 0.0.0.0 10.0.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map topix2 20 ipsec-isakmp
crypto map topix2 20 match address 100
crypto map topix2 20 set peer 10.0.0.2
crypto map topix2 20 set transform-set strong
crypto map topix2 interface outside
isakmp enable outside
isakmp key * address 10.0.0.2 netmask 255.255.255.255
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash sha
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:4558d14bca52c36021eeab79729ee63b
: end
The first problem I see is that the access list used to identify the VPN traffic permits traffic from your inside subnet to the outside subnet of the peer, but not to the inside subnet of the peer.
HTH
Rick
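The two asymmetries raised in this thread (crypto ACLs that are not mirror images of each other) and in the first thread above (a missing nat 0 exemption for the crypto ACL) can be caught before the tunnel is even brought up. The checker below is an added example, not code from the thread or from Cisco; it reads only the PIX 6.x 'access-list ... permit ip', 'nat (inside) 0 access-list' and 'crypto map ... match address' lines, and the sample configs are constructed to reproduce the lab pair posted above.

```python
"""Cross-check a pair of PIX 6.x site-to-site configs for the two classic
asymmetries: crypto ACLs that are not mirror images, and a nat 0 ACL that
does not exempt the traffic the crypto ACL selects. Added example; it is
not a Cisco tool and understands only the three line types below."""
import re

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+"
                    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
NAT0_RE = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)$")
MATCH_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(\S+)$")


def parse(config: str) -> dict:
    """Collect ACL entries as (src, smask, dst, dmask) tuples, plus the names
    of the nat 0 ACL and the crypto map's match-address ACL."""
    acls, nat0, crypto = {}, None, None
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), set()).add(tuple(m.group(2, 3, 4, 5)))
        elif m := NAT0_RE.match(line):
            nat0 = m.group(1)
        elif m := MATCH_RE.match(line):
            crypto = m.group(1)
    return {"acls": acls, "nat0": nat0, "crypto": crypto}


def mirror(entries):
    """The peer's view of the same traffic: swap source and destination."""
    return {(d, dm, s, sm) for (s, sm, d, dm) in entries}


def check_pair(cfg_a: str, cfg_b: str) -> list:
    """Return a list of findings; an empty list means the pair is consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    for name, p in (("A", a), ("B", b)):
        if p["crypto"] is None:
            findings.append(f"{name}: no 'crypto map ... match address' line")
        if p["nat0"] is None:
            findings.append(f"{name}: no 'nat (inside) 0 access-list' line "
                            "(VPN traffic will be NATed before encryption)")
    if a["crypto"] is None or b["crypto"] is None:
        return findings
    ca = a["acls"].get(a["crypto"], set())
    cb = b["acls"].get(b["crypto"], set())
    if ca != mirror(cb):
        findings.append(f"crypto ACLs are not mirror images: "
                        f"A={sorted(ca)} B={sorted(cb)}")
    # Every crypto entry must also be exempted from NAT on its own side.
    for name, p, c in (("A", a, ca), ("B", b, cb)):
        if p["nat0"] is not None:
            n = p["acls"].get(p["nat0"], set())
            if not c <= n:
                findings.append(f"{name}: nat 0 ACL {p['nat0']} does not cover "
                                f"crypto ACL {p['crypto']}: {sorted(c - n)}")
    return findings


# Constructed sample modelled on the lab pair above: both sides select
# inside -> 10.0.0.0/24, which is the peer's OUTSIDE subnet.
LAB_A = """
access-list 90 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list 90
crypto map topix1 20 match address 100
"""
LAB_B = """
access-list 90 permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list 90
crypto map topix2 20 match address 100
"""
# Corrected pair: each side selects its inside subnet to the peer's INSIDE subnet.
FIXED_A = LAB_A.replace("10.0.0.0 255.255.255.0", "192.168.0.0 255.255.255.0")
FIXED_B = LAB_B.replace("10.0.0.0 255.255.255.0", "192.168.1.0 255.255.255.0")

if __name__ == "__main__":
    for label, pair in (("lab pair", (LAB_A, LAB_B)),
                        ("fixed pair", (FIXED_A, FIXED_B))):
        print(label, check_pair(*pair) or ["OK"])
```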
-
VPN clients cannot access remote sites - PIX, routing problem?
I have a problem with routing to our company's remote sites when users connect remotely via their VPN client (i.e. home workers).
Our headquarters has a PIX 515E firewall. A number of remote sites connect (via ADSL) to head office using IPsec tunnels terminating on the PIX.
Behind the PIX is a 7206 router with connections to the head office LANs and to a number of ISDN-connected remote sites. The default route on the 7206 points to the PIX, so traffic for the ADSL-connected remote sites goes through the PIX. Internal traffic for the LAN and ISDN-connected sites is handled by the 7206.
All good, and it works very well.
When a user connects remotely using their VPN client (the connection is terminated on the PIX), they get an IP address from the pool configured on the PIX and can access resources located on the office LANs with no problems.
However, the problem arises when a remote user wants to access a server located at one of the ADSL-connected remote sites: it is impossible to reach any of these sites.
On the remote site routers, I configured the access lists to allow access from the pool of IP addresses used by the PIX. But it made no difference. I think the problem may be the routes configured on the PIX itself, but I don't know what is needed to solve this.
Does anyone have suggestions on what needs to be done to allow access to the remote sites for users connected remotely via VPN?
(Note: I suggested a workaround: users can use a server on the headquarters LAN as a "jump point" and connect to the remote servers from there.)
With PIX v6, no traffic is allowed to be redirected back out the same interface.
For example, a remote user initiates an RDP session to one of the ADSL sites. The PIX decrypts the packet coming in on the outside interface and looks at the destination. Because the destination is one of the ADSL sites, the PIX would have to send the traffic back out the outside interface. Unfortunately, PIX v6.x has a limitation that forces the PIX to drop the packet.
With v7, this restriction has been removed with the "same-security-traffic permit intra-interface" command.
-
VPN site to Site with NAT (PIX 7.2)
Hi all
I'm hoping for some more help with a PIX config. TBH I would classify myself as a newb on PIX, only dabbling in it every 6 months or so...
I have to configure a site-to-site VPN between our UK and US offices, to replace our frame relay link. I have configured multiple site-to-site VPNs on the PIX before, so I am reasonably OK with the look of the config. What is a new concept for me is the need for NAT'ing across the IPsec tunnel.
The US office requires us to NAT our source addresses (i.e. 192.168.1.0) to addresses usable on their side (i.e. 143.102.89.0). The tunnel must then be set to encrypt traffic between 143.102.89.0/24 and 172.24.0.0/14.
I added the following config and am hoping to test it when the US office comes online today.
If I ping from a 192.168.1.0 source to 172.24.x.x and run 'sh nat inside', the NAT translation seems fine:
match ip inside 192.168.1.0 255.255.255.0 outside 172.24.0.0 255.252.0.0
static translation to 143.102.89.0
translate_hits = 4, untranslate_hits = 0
Could someone please go through the following lines of config and comment on whether there is any error?
Thank you very much
Kevin
access-list ipsec-dallas extended permit ip 143.102.89.0 255.255.255.0 172.24.0.0 255.252.0.0
access-list policy-nat-dallas extended permit ip 192.168.1.0 255.255.255.0 172.24.0.0 255.252.0.0
static (inside,outside) 143.102.89.0 access-list policy-nat-dallas
crypto ipsec transform-set 3desmd5set esp-3des esp-md5-hmac
crypto map dyn-map 40 match address ipsec-dallas
crypto map dyn-map 40 set peer 143.101.6.141
crypto map dyn-map 40 set transform-set 3desmd5set
crypto map dyn-map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group 143.101.6.141 type ipsec-l2l
tunnel-group 143.101.6.141 ipsec-attributes
 pre-shared-key *
You can configure a nat/global pair for the rest of the users.
For example:
You can use the initially configured ACL:
access-list policy-nat-dallas extended permit ip 192.168.1.0 255.255.255.0 172.24.0.0 255.252.0.0
nat (inside) 1 access-list policy-nat-dallas
global (outside) 1 143.102.89.x
The static statement that you configured previously will take precedence over the above. So the printer gets statically NATed to 143.102.89.10, and the rest get PATed to another IP address, 143.102.89.x.
Please note that with PAT, traffic can only be initiated from the 192.168.1.0/24 LAN towards 172.24.0.0/14, not the other way around.
Hope that helps.
-
Can I do a site-to-site VPN with just 1 static IP address on a PIX?
Hi all
Can I use a PIX for a VPN with just 1 static IP address, as follows:
LAN-A---PIX1---INTERNET---PIX2---LAN-B
Only PIX1 has a static IP; PIX2 uses DHCP from the ISP. I have configured this type of VPN with another brand of equipment. But with PIX, I have only configured VPNs where both ends have a static IP, and I can't find any information on the web site, because when configuring a site-to-site VPN I have to use the 'set peer' command.
Can someone tell me how can I do with PIX? Thank you!
Best regards
Teru Lei
You just need to set up a dynamic crypto map on PIX1 and a standard crypto map with a 'set peer' on PIX2. Here is an example configuration:
http://www.Cisco.com/warp/public/110/dynamicpix.html
Note that it also has VPN client connections on PIX1 (Lion), so ignore all the "vpngroup" commands you see in its configuration, as they are not necessary for your scenario.
-
VPN site to Site - ASA to PIX - same subnet on the inside
Chaps,
I have an unusual scenario where I need a site-to-site VPN tunnel between a Cisco PIX version 7 and a Cisco ASA version 8, which have the same IP subnet at each endpoint. Is it possible to create such a site-to-site tunnel, or do I have to change one of the remote endpoints?
Thank you
Nick
Hi Nicolas,
To allow traffic through the tunnel when you have the same addressing scheme at both ends, you should NAT the VPN traffic.
That is to say:
Site A LAN 10.1.1.0/24
Site B LAN 10.1.1.0/24
Site A config:
access-list NAT permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
static (inside,outside) 192.168.1.0 access-list NAT
access-list crypto permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
Site B config:
access-list NAT permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
static (inside,outside) 192.168.2.0 access-list NAT
access-list crypto permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
The idea is that Site A will be translated to 192.168.1.0 when going to Site B, and Site B will be translated to 192.168.2.0 when going to Site A.
Hope that makes sense.
Federico.
-
VPN site to site between PIX 6.3(3) and PIX 7.0(1)
Hi all
I am configuring a site-to-site VPN between my office and a new site. This is my first time doing a real site to site VPN; in the past we have always just used MS PPTP VPN.
My office firewall is a PIX 506E running 6.3(3), and unfortunately this cannot be upgraded to 7.0.
My new site has a pair of PIX 525s in a failover configuration, running version 7.0(1).
The only documentation I could find on this subject is http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml, which corresponds to an even earlier version of the firewall software (although the commands seemed to be valid on the 6.3 software).
I ran through the VPN Wizard in ASDM on the new site's firewall, and the output produced in the firewall rules is not really what I expected. Commands like 'isakmp key' have been deprecated and replaced by 'tunnel-group'.
What I'm really after is a pointer in the right direction to some documentation that covers this type of scenario; I can't be the only one trying to link different versions of PIX.
Hi M8,
In short, most of the config stays the same (transform sets, ISAKMP policy, crypto maps and crypto ACL).
The only thing that changes is the:
isakmp key * address x.x.x.x
and it is replaced by the tunnel-group command:
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
You put the peer IP as the tunnel-group name and, as you can see, you write the key in the ipsec-attributes sub-mode.
I find it straightforward, and I think you will find it easy once you get used to the tunnel-group business.
Hope that helps.
Salem.
-
Routing of PIX VPN site to Site?
I just configured my PIX to establish a site to site VPN with my Linksys (1710 to follow).
It looks like my SA and IPsec are set up, but I get no routing. When I do a tracert, my PIX sends all traffic to my internet router and not through the tunnel.
Any ideas?
Here's my trimmed config (subnets/IPs have been changed):
access-list 101 permit ip 10.11.101.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (inside) 1 access-list 101 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set mytransform esp-des esp-md5-hmac
crypto map mymap 1 ipsec-isakmp
crypto map mymap 1 match address 101
crypto map mymap 1 set peer 1.2.3.4
crypto map mymap 1 set transform-set mytransform
crypto map mymap interface outside
isakmp enable outside
isakmp key * address 1.2.3.4 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
But, for some reason, my PIX keeps sending VPN traffic to the internet rather than through my tunnel. Am I doing something wrong?
Aaron,
I've replied to you offline; try adding the following command on the PIX (in configuration mode):
isakmp nat-traversal
And now try to ping the clients of the remote peer, and let me know the results.
Jay
-
Router to PIX site to site VPN and VPN client
I have two VPN connections that terminate on one interface of the PIX: the VPN client and the site-to-site VPN. Both have passed phase one and two and decrypt and encrypt packets. However, as in another post, I cannot ping through the L2L VPN. I have checked that this isn't a NAT problem; the NAT 0 on the PIX and the NAT access lists on the router work correctly.
RTR#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
66.x.x.x        89.x.x.x        QM_IDLE           2001    0 ACTIVE

IPv6 Crypto ISAKMP SA

   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   current_peer 66.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 23583, #pkts encrypt: 23583, #pkts digest: 23583
    #pkts decaps: 18236, #pkts decrypt: 18236, #pkts verify: 18236
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 40, #recv errors 0

     local crypto endpt.: 89.x.x.x, remote crypto endpt.: 66.x.x.x
     path mtu 1380, ip mtu 1380, ip mtu idb Dialer0
     current outbound spi: 0xC4BAC5E(206285918)

     inbound esp sas:
      spi: 0xD7848FB(225986811)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: Motorola SEC 1.0:3, crypto map: PIX_MAP
        sa timing: remaining key lifetime (k/sec): (4573083/78319)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC4BAC5E(206285918)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: Motorola SEC 1.0:4, crypto map: PIX_MAP
        sa timing: remaining key lifetime (k/sec): (4572001/78319)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Extended IP access list NAT
    10 deny ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 (21396 matches)
    20 permit ip 192.168.2.0 0.0.0.255 any (362 matches)
Extended IP access list VPN_ACCESS
    10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 (39724 matches)
I looked on the internet and it points to a routing error when packets are being encrypted and decrypted but you can't ping across the link. However, when I tested the connection I did not enter any static routes, as the networks are directly connected on each side of the PIX and the router. Any help would be appreciated, as I think maybe something is blocking the ping from reaching the internal network at the PIX end with a configured access list.
Is ping failure the only thing failing across the site to site VPN? I assume all other traffic works fine, since it decrypts and encrypts the packets.
If it's just ping, then please enable the following on the PIX:
If it is version 6.3 and below: fixup protocol icmp
If it is version 7.0 and higher: add "inspect icmp" under your global policy-map.
The complete config from both ends could help determine whether it's a configuration problem or something else.