07.31.2007 at 01:45AM PDT, ID: 22731018 | Points: 500

Cisco PIX501 Site to Site VPN with VPN 3000 Concentrator not working

Asked by phylaxict in IPSec Security Protocol, Virtual Private Networking (VPN), Cisco PIX Firewall

Hi experts,

I'm trying to set up a tunnel to a VPN 3000 Concentrator (which I DON'T have access to) from a PIX 501; the encryption can't be changed as it's a policy from the other company. I already set up 50 VPN LAN-to-LAN tunnels, but with what's happening with this VPN tunnel I ran out of ideas... here is my config:

: Saved
: Written by enable_15 at 13:42:01.038 CEDT Mon Jul 30 2007
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix501e
domain-name mev.local
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list inside_outbound_nat0_acl permit ip any lan 255.255.255.128
access-list inside_outbound_nat0_acl permit ip lan 255.255.255.0 ***.***.***.*** 255.255.255.0
access-list outside_access_in permit tcp any any eq https
access-list outside_access_in permit tcp any any eq 26
access-list outside_access_in permit icmp any any
access-list vpnl2l permit ip lan 255.255.255.0 ***.***.***.*** 255.255.255.0
access-list inside_to_outisde permit icmp any any
access-list inside_to_outisde permit ip any any
access-list inside_to_outisde permit gre any any
pager lines 24
logging monitor debugging
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside ***.***.***.*** 255.255.255.252
ip address inside ***.***.***.*** 255.255.255.0
ip audit info action alarm
ip audit attack action alarm drop
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2002 disable
ip audit signature 2003 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
ip audit signature 2006 disable
ip audit signature 2007 disable
ip audit signature 2008 disable
ip audit signature 2009 disable
ip audit signature 2010 disable
ip audit signature 2011 disable
ip audit signature 2012 disable
ip audit signature 3040 disable
ip audit signature 3041 disable
ip audit signature 3042 disable
ip audit signature 3153 disable
ip audit signature 3154 disable
ip audit signature 6050 disable
ip audit signature 6053 disable
ip local pool pptppool ***.***.***.***
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface https ***.***.***.*** https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 26 ***.***.***.*** 26 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_to_outisde in interface inside
route outside 0.0.0.0 0.0.0.0 ***.***.***.*** 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host ***.***.***.*** timeout 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ****1 esp-aes esp-sha-hmac
crypto map cryptomap 1 ipsec-isakmp
crypto map cryptomap 1 match address vpnl2l
crypto map cryptomap 1 set pfs group2
crypto map cryptomap 1 set peer ***.***.***.***
crypto map cryptomap 1 set transform-set ****1
crypto map cryptomap interface outside
isakmp enable outside
isakmp key **** address ***.***.***.*** netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 3600
telnet timeout 20
ssh timeout 20
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local pptppool
vpdn group PPTP-VPDN-GROUP client configuration dns ***.***.***.***
vpdn group PPTP-VPDN-GROUP client configuration wins ***.***.***.***
vpdn group PPTP-VPDN-GROUP client authentication aaa RADIUS
vpdn group PPTP-VPDN-GROUP client accounting RADIUS
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
: end

The result is this (with debug cryp isakmp 7 / debug cryp ipsec 7 / debug cryp engine 70):

pix501e(config)#
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER

Does anyone have a clue how to get this working? :s I totally ran out of ideas.
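A debug that shows nothing but PEER_REAPER_TIMER means the PIX never started ISAKMP, which usually points at the crypto map itself rather than at mismatched proposals. The checker below is an added example, not from the thread: it parses a PIX 6.3-style config and flags the classic causes (match ACL or transform-set not defined, peer without an isakmp key, crypto ACL traffic not covered by the nat 0 exemption, map not bound to an interface with isakmp enabled). The config fragment is constructed with placeholder addresses and deliberately leaves the VPN subnet pair out of the nat 0 ACL.

```python
# Constructed PIX 6.3-style fragment (placeholder addresses, not the poster's config).
SAMPLE_CFG = """
access-list nat0 permit ip 10.1.1.0 255.255.255.0 10.9.9.0 255.255.255.0
access-list vpnl2l permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nat0
crypto ipsec transform-set aesset esp-aes esp-sha-hmac
crypto map cryptomap 1 ipsec-isakmp
crypto map cryptomap 1 match address vpnl2l
crypto map cryptomap 1 set peer 198.51.100.7
crypto map cryptomap 1 set transform-set aesset
crypto map cryptomap interface outside
isakmp enable outside
isakmp key ***** address 198.51.100.7 netmask 255.255.255.255 no-xauth no-config-mode
"""

def check_l2l(cfg):
    """Return findings that would keep a PIX L2L crypto map from ever starting ISAKMP."""
    acls, nat0, tsets, keys, maps, map_if, isakmp_if = {}, set(), set(), set(), {}, {}, set()
    for w in (line.split() for line in cfg.splitlines()):
        if not w:
            continue
        if w[0] == "access-list":
            acls.setdefault(w[1], []).append(tuple(w[2:]))   # ACE as a token tuple
        elif w[0] == "nat" and len(w) > 4 and w[2] == "0" and w[3] == "access-list":
            nat0.add(w[4])                                   # NAT-exemption ACL(s)
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets.add(w[3])
        elif w[:2] == ["isakmp", "key"]:
            keys.add(w[4])           # peer address; wildcard 0.0.0.0 keys not modelled
        elif w[:2] == ["isakmp", "enable"]:
            isakmp_if.add(w[2])
        elif w[:2] == ["crypto", "map"] and w[3] == "interface":
            map_if[w[2]] = w[4]
        elif w[:2] == ["crypto", "map"] and w[3].isdigit() and w[4] in ("match", "set"):
            # 'match address X' -> e["address"]; 'set peer/transform-set X' -> e[...]
            maps.setdefault((w[2], w[3]), {})[w[5]] = w[6]
    out = []
    for (name, seq), e in maps.items():
        tag = f"crypto map {name} {seq}"
        acl = e.get("address")
        if acl not in acls:
            out.append(f"{tag}: match ACL {acl!r} is not defined")
        else:  # PIX translates before the crypto ACL is evaluated, so each ACE needs nat 0
            for ace in acls[acl]:
                if not any(ace in acls.get(n, []) for n in nat0):
                    out.append(f"{tag}: '{' '.join(ace)}' has no nat 0 exemption")
        if e.get("transform-set") not in tsets:
            out.append(f"{tag}: transform-set {e.get('transform-set')!r} is not defined")
        if e.get("peer") not in keys:
            out.append(f"{tag}: no isakmp key configured for peer {e.get('peer')}")
        if map_if.get(name) not in isakmp_if:
            out.append(f"{tag}: map not bound to an interface with isakmp enabled")
    return out
```

Run it against a sanitised `write terminal` dump; on the constructed fragment it reports only the missing nat 0 entry, and returns an empty list once that ACE is added.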