it_gsr

asked on

Site to Site VPN

I have two sites running PIX 515. The sites will be referred to as A and B. Site A runs ver 6.1(4) while site B runs ver 7.0(1).


            Site A                                          Site B
 Router     1.2.3.4 / 255.255.255.248 --- Internet --- 1.2.4.1 / 255.255.255.248   Router
               |                                               |
 PIX A         1.2.3.6 (outside)                               1.2.4.2 (outside)         PIX B
 ver 6.1(4)    192.1.1.251 (inside)                            172.16.11.254 (inside)    ver 7.0(1)
               |                                               |
 LAN           172.16.0.1 255.255.240.0                        172.16.11.0 255.255.240.0
               (excluding IPs at site B)

The PIX at site A currently allows VPN via VPN Client software. What should be achieved is a Site to Site VPN between the two PIX. The VPN configuration details below are running at both sites. What is wrong with the config? Note: the public IP addresses are arbitrary but their subnet masks are real.

Config at Site A (runs PIX ver 6.1(4))
access-list acl_inbound permit udp host 1.2.3.6 host 1.2.4.2 eq isakmp
access-list acl_inbound permit ah host 1.2.3.6 host 1.2.4.2
access-list acl_inbound permit esp host 1.2.3.6 host 1.2.4.2
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set BASEPIX esp-des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address 101
crypto map outside_map 20 set peer 1.2.4.2
crypto map outside_map 20 set transform-set BASEPIX
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 1.2.4.2 netmask 255.255.255.248
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup BGL_roam idle-time 1800
vpngroup test-vpn address-pool bglpool
vpngroup test-vpn dns-server 172.16.0.1
vpngroup test-vpn wins-server 172.16.0.3
vpngroup test-vpn default-domain password
vpngroup test-vpn idle-time 1800
vpngroup test-vpn password ***


Config at Site B (runs PIX ver 7.0)
access-list acl_inbound extended permit udp host 1.2.4.2 host 1.2.3.6 eq isakmp
access-list acl_inbound extended permit ah host 1.2.4.2 host 1.2.3.6
access-list acl_inbound extended permit esp host 1.2.4.2 host 1.2.3.6
access-list 101 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list 101 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.240.0
access-list outside_cryptomap_20 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-none
crypto ipsec transform-set BASEPIX esp-des esp-sha-hmac
crypto map outside_map 20 set peer 1.2.3.6
crypto map outside_map 20 set transform-set BASEPIX
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 1.2.3.6 type ipsec-l2l
tunnel-group 1.2.3.6 ipsec-attributes
 pre-shared-key *


Les Moore

>runs PIX ver 6.1 (4)
Ouch. This is very old. It should not affect the configuration, but I highly suggest upgrading to 6.3(5).

>PIX B ver 7.0(1)
Also a very short-lived version with lots of bugs. Latest is 7.0(5) or 7.12.

That said, here are some recommendations:

Site A (you didn't post the complete config, so these are just examples)
These two networks overlap with each other:
 Site A                Site B
 172.16.0.0/20   172.16.11.0/20  
                          172.16.16.0/20  <== OK

If you are using 172.16.11.0/24 on Site B, then some adjustments can be made.

 add:
  sysopt connection permit-ipsec
  isakmp identity address
  access-list inside_outbound_nat0 permit ip 192.1.1.0 255.255.255.0 172.16.16.0 255.255.240.0
  access-list inside_outbound_nat0 permit ip 172.16.0.0 255.255.240.0 172.16.16.0 255.255.240.0
  access-list L2LVPN permit ip 192.1.1.0 255.255.255.0 172.16.11.0 255.255.240.0
  access-list L2LVPN permit ip 172.16.0.0 255.255.240.0 172.16.11.0 255.255.240.0
 nat (inside) 0 access-list inside_outbound_nat0
 crypto map outside_map 20 match address L2LVPN


Policies need to match the transform sets, and each other.
Site A:
 isakmp policy 10 encryption des
 isakmp policy 10 hash sha
 isakmp policy 10 group 1  <==

Site B:
 isakmp policy 10 encryption des
 isakmp policy 10 hash md5
 isakmp policy 10 group 2  <== both ends need to have the same DH group. Suggest 2 on both ends

Site B changes required:
  isakmp identity address
  access-list L2LVPN permit ip 172.16.16.0 255.255.240.0 192.1.1.0 255.255.255.0
  access-list L2LVPN permit ip 172.16.16.0 255.255.240.0 172.16.0.0 255.255.240.0
  crypto map outside_map 20 match address L2LVPN
  access-list inside_outbound_nat0 permit ip 172.16.16.0 255.255.240.0 172.16.0.0 255.255.240.0
  nat (inside) 0 access-list inside_outbound_nat0
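The four points raised above (overlapping LANs, ISAKMP policies that must agree on both ends, a crypto ACL bound on each side that is the mirror image of the other, and matching transform sets) can be checked mechanically before the drive to site B. The script below is an added example written for this page, not code from the thread or from Cisco; its sample configs are constructed, abridged from the first two configs posted and from the L2LVPN suggestion above, and its parser covers only the handful of PIX statements these checks need.

```python
"""Cross-check two PIX site-to-site configs for the mismatches raised in this thread:
overlapping LANs, phase-1 policies that never agree, crypto ACLs that are unbound,
undefined or not mirror images, and transform sets that differ (small PIX subset)."""
import ipaddress
import re
from collections import defaultdict

PHASE1_KEYS = ("authentication", "encryption", "hash", "group")
# Constructed sample: sites A (PIX 6.1) and B (PIX 7.0) as first posted in the thread, abridged.
SITE_A = """\
crypto ipsec transform-set BASEPIX esp-des esp-sha-hmac
crypto map outside_map 20 match address 101
crypto map outside_map 20 set peer 1.2.4.2
crypto map outside_map 20 set transform-set BASEPIX
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
"""
SITE_B = """\
access-list 101 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.240.0
crypto ipsec transform-set BASEPIX esp-des esp-sha-hmac
crypto map outside_map 20 set peer 1.2.3.6
crypto map outside_map 20 set transform-set BASEPIX
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
"""
# Constructed: the mirror-image L2LVPN crypto ACLs suggested above, bound on both sides.
A_FIX = """\
access-list L2LVPN permit ip 172.16.0.0 255.255.240.0 172.16.16.0 255.255.240.0
crypto map outside_map 20 match address L2LVPN
"""
B_FIX = """\
access-list L2LVPN extended permit ip 172.16.16.0 255.255.240.0 172.16.0.0 255.255.240.0
crypto map outside_map 20 match address L2LVPN
"""

def parse_pix(text):
    """Pull ISAKMP policies, permit-ip ACEs, crypto map entries and transform sets out of a config."""
    cfg = {"policies": {}, "acls": defaultdict(list), "cmap": {}, "tsets": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"isakmp policy (\d+) (authentication|encryption|hash|group) (\S+)$", line):
            cfg["policies"].setdefault(m[1], {})[m[2]] = m[3]
        elif m := re.match(r"access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            nets = [ipaddress.ip_network(f"{m[i]}/{m[i + 1]}", strict=False) for i in (2, 4)]
            cfg["acls"][m[1]].append(tuple(nets))  # (source network, destination network)
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set transform-set|set peer) (\S+)$", line):
            cfg["cmap"].setdefault((m[1], m[2]), {})[m[3]] = m[4]  # a repeated 'match address' replaces the old one
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            cfg["tsets"][m[1]] = tuple(sorted(m[2].split()))
    return cfg

def phase1_matches(cfg_a, cfg_b):
    """(a_seq, b_seq) pairs whose authentication, encryption, hash and DH group all agree."""
    return [(sa, sb) for sa, pa in cfg_a["policies"].items()
            for sb, pb in cfg_b["policies"].items()
            if all(pa.get(k) == pb.get(k) for k in PHASE1_KEYS)]

def l2l_entries(cfg):
    """Crypto map entries with a static peer, i.e. the site-to-site ones, not the dynamic client map."""
    return {k: v for k, v in cfg["cmap"].items() if "set peer" in v}

def bound_acl(cfg, entry):
    """Set of (src, dst) networks bound to a crypto map entry; None if unbound or the ACL is undefined."""
    name = entry.get("match address")
    return set(cfg["acls"][name]) if name in cfg["acls"] else None

def check_sites(cfg_a, cfg_b, lan_a, lan_b):
    """Return human-readable problems; an empty list means every check passed."""
    problems = []
    if ipaddress.ip_network(lan_a, strict=False).overlaps(ipaddress.ip_network(lan_b, strict=False)):
        problems.append(f"LANs overlap: {lan_a} and {lan_b}")
    if not phase1_matches(cfg_a, cfg_b):
        problems.append("no ISAKMP policy pair agrees on authentication/encryption/hash/DH group")
    for ea in l2l_entries(cfg_a).values():
        for eb in l2l_entries(cfg_b).values():
            acls = {"A": bound_acl(cfg_a, ea), "B": bound_acl(cfg_b, eb)}
            problems += [f"site {s}: crypto map entry has no usable 'match address' ACL" for s, v in acls.items() if v is None]
            if None in acls.values():
                continue
            if acls["B"] != {(dst, src) for src, dst in acls["A"]}:
                problems.append("crypto ACLs are not mirror images of each other")
            ts_a, ts_b = cfg_a["tsets"].get(ea.get("set transform-set")), cfg_b["tsets"].get(eb.get("set transform-set"))
            if ts_a != ts_b:
                problems.append(f"transform sets differ: {ts_a} vs {ts_b}")
    return problems

def audit_as_posted():
    return check_sites(parse_pix(SITE_A), parse_pix(SITE_B), "172.16.0.0/20", "172.16.11.0/20")

def audit_after_fix():
    return check_sites(parse_pix(SITE_A + A_FIX), parse_pix(SITE_B + B_FIX), "172.16.0.0/20", "172.16.16.0/20")
```

Calling `audit_as_posted()` reports the overlap plus an unusable crypto ACL on each side (site A binds ACL 101, which is not defined there; site B binds nothing), while `audit_after_fix()` returns an empty list once the L2LVPN ACLs are bound and site B sits on 172.16.16.0/20.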
it_gsr

ASKER

Hi Lrmoore
The networks overlap and the IP range at site B is 172.16.16.0/20. The DH group is 2 on both systems. Sorry for the typo.

Site B is miles away and I had remote desktop ports opened on a machine to allow remote administration during the setup stage. The config is as below. It worked for a while but has refused to work after an IP change in the PIX from one machine to the other. I can RDP to the current machine internally but not externally as before. I cannot apply the suggested changes on site B now due to this problem, so I need to drive to the place tomorrow for this purpose.


Config at Site B
access-list acl_inbound extended permit tcp any host 1.2.4.3 eq 3389
asdm image flash:/asdm
asdm location 1.2.4.3 255.255.255.255 outside
static (inside,outside) 1.2.4.3  172.16.11.1 netmask 255.255.255.255


What should the final config be, taking into consideration all the suggestions above?

it_gsr

ASKER

Hi Lrmoore,
As stated above, with the exception of the public ip addresses all the other ip's specified are real.

> It worked for a while but has refused to work after an ip change in the pix from one machine to the other
I don't understand what changed on the PIX?

I'm confused now:
>static (inside,outside) 1.2.4.3  172.16.11.1 netmask 255.255.255.255
> the ip range at site B is 172.16.16.0/20
But, it appears that you are actually using 172.16.11.0/20 ?
Is 172.16.11.1 the IP address of the RDP system that you are trying to access? What is that system's default gateway pointing to?

Any time you make a change to the access-list you need to re-apply it to the interface.
Any time you make a change to nat or statics, run "clear xlate" both right before and right after the config change.

it_gsr

ASKER

> It worked for a while but has refused to work after an ip change in the pix from one machine to the other I don't understand what changed on the PIX?

The only change on the PIX was the IP address. I saved the config and applied clear xlate but it still doesn't want to work.


> I'm confused now:
> static (inside,outside) 1.2.4.3  172.16.11.1 netmask 255.255.255.255
> the ip range at site B is 172.16.16.0/20
> But, it appears that you are actually using 172.16.11.0/20 ?
> Is 172.16.11.1 the IP address of the RDP system that you are trying to access? What is that system's default gateway pointing to?


Yes, 172.16.11.1 is the IP address that I'm trying to RDP to, and the gateway is 172.16.11.254, which is the PIX's internal Ethernet IP.

it_gsr

ASKER

Hi Lrmoore,
I would also like to add the functionality of VPN access via VPN client software to the PIX at Site B. What additional commands should be added to make it work?
it_gsr

ASKER

Hi Lrmoore,
I am still awaiting comments on my earlier posting.

it_gsr

ASKER

Hi Experts, my problem still persists and I would really appreciate a response from you all.
If you put the IP address back to what it was when lrmoore gave you the solution, does it work again?
it_gsr

ASKER

I've pasted the current config at both sites for your review. The internal IP at site B is currently 172.17.11.0/20.


Site A config
===========
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password aYiGONOGTxE2368q encrypted
passwd t7oLYycQGA49Yo2i encrypted
hostname BGLKEEPER
domain-name gsrgh.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list acl_inbound permit icmp any any
access-list acl_inbound permit udp host 1.2.3.6 host 1.2.4.2 eq isakmp
access-list acl_inbound permit ah host 1.2.3.6 host 1.2.4.2
access-list acl_inbound permit esp host 1.2.3.6 host 1.2.4.2
access-list acl_inbound permit tcp any host 1.2.3.7 eq 3389
access-list 101 permit ip 172.16.0.0 255.255.240.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 172.16.0.0 255.255.240.0 172.17.0.0 255.255.240.0
access-list 120 permit ip 172.16.0.0 255.255.240.0 172.17.0.0 255.255.240.0
pager lines 24
logging on
logging timestamp
logging trap debugging
logging host inside 172.16.0.1
no logging message 106015
no logging message 305004
no logging message 305001
no logging message 302003
no logging message 302002
no logging message 304001
no logging message 302001
no logging message 302006
no logging message 302005
no logging message 609002
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 1.2.3.6 255.255.255.240
ip address inside 192.1.1.251 255.255.255.0
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool bglpool 192.168.1.1-192.168.1.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location 192.1.1.251 255.255.255.255 inside
pdm location 172.16.0.9 255.255.255.255 inside
pdm location 172.16.0.20 255.255.255.255 inside
pdm location 172.16.0.99 255.255.255.255 inside
pdm location 172.16.10.9 255.255.255.255 inside
pdm location 172.16.1.200 255.255.255.255 inside
pdm logging critical 100
pdm history enable
arp timeout 14400
global (outside) 1 1.2.3.2
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 1.2.3.5 172.16.0.20 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.7 172.16.1.200 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.8 172.16.0.9 netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.3.1 1
route inside 10.170.0.0 255.255.255.0 192.1.1.30 1
route inside 172.16.0.0 255.255.240.0 192.1.1.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol tacacs+
http server enable
no snmp-server location
snmp-server community XXXXXXXXXX
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set BASEPIX esp-des esp-sha-hmac
crypto ipsec transform-set bgn_mines esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map outside_map 20 ipsec-isakmp
crypto map bgn_map 1 ipsec-isakmp
crypto map bgn_map 1 match address 101
crypto map bgn_map 1 set peer 1.2.4.2
crypto map bgn_map 1 set transform-set bgn_mines
crypto map bgn_map interface outside
isakmp enable outside
isakmp key ******** address 1.2.4.2 netmask 255.255.255.248
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup TT_roam idle-time 1800
vpngroup test-vpn address-pool bglpool
vpngroup test-vpn dns-server 172.16.0.1
vpngroup test-vpn wins-server 172.16.0.3
vpngroup test-vpn default-domain password
vpngroup test-vpn idle-time 1800
vpngroup test-vpn password ********
telnet 192.1.1.220 255.255.255.255 inside
telnet timeout 5
ssh 172.16.2.55 255.255.255.255 inside
ssh timeout 5
vpdn username test password test1
vpdn username test1 password test1
terminal width 80
Cryptochecksum:8c87c9adc9f461d3d113ec1f6c51ae0e

Site B
=====
PIX Version 7.0(1)
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 1.2.4.2 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.17.11.254 255.255.240.0
!
enable password aYiGONOGTxE2368q encrypted
passwd aYiGONOGTxE2368q encrypted
hostname tdikeeper
domain-name gsrgh.com
ftp mode passive
access-list acl_inbound extended permit icmp any any
access-list acl_inbound extended permit tcp any host 1.2.4.5 eq 3389
access-list acl_inbound extended permit tcp any host 1.2.4.6 eq 3389
access-list acl_inbound extended permit udp host 1.2.4.2 host 1.2.3.6 eq isakmp
access-list acl_inbound extended permit ah host 1.2.4.2 host 1.2.3.6
access-list acl_inbound extended permit esp host 1.2.4.2 host 1.2.3.6
access-list 101 extended permit ip 172.16.0.0 255.255.240.0 192.168.2.0 255.255.255.0
access-list 101 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list 101 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.240.0
access-list outside_cryptomap_20 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list L2LVPN extended permit ip 172.200.0.0 255.255.240.0 172.100.0.0 255.255.240.0
access-list L2LVPN extended permit ip 172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0
access-list inside_outbound_nat0 extended permit ip 172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0
access-list vpn_nat extended permit ip 172.16.0.0 255.255.240.0 172.100.0.0 255.255.240.0
pager lines 24
logging enable
logging timestamp
logging trap debugging
logging host inside 172.17.11.1
no logging message 106015
no logging message 302003
no logging message 304001
no logging message 609002
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface inside
ip local pool bglpool 192.168.2.1-192.168.2.254
no failover
monitor-interface outside
monitor-interface inside
asdm image flash:/asdm
asdm location 1.2.4.5 255.255.255.255 outside
asdm location 1.2.4.6 255.255.255.255 outside
no asdm history enable
arp timeout 14400
global (outside) 1 1.2.4.3
nat (inside) 0 access-list inside_outbound_nat0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 1.2.4.5 172.16.11.1 netmask 255.255.255.255
static (inside,outside) 1.2.4.6 172.16.11.2 netmask 255.255.255.255
access-group acl_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.4.7 1
route inside 172.17.11.0 255.255.255.255 172.17.11.254 1
route inside 172.16.11.0 255.255.255.255 172.16.11.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 172.16.11.5 255.255.255.255 inside
http 172.16.11.46 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community XXXX
snmp-server enable traps snmp
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-none
crypto ipsec transform-set tdi_mines esp-des esp-md5-hmac
crypto map tdi_map 1 match address L2LVPN
crypto map tdi_map 1 set peer 1.2.3.6
crypto map tdi_map 1 set transform-set tdi_mines
crypto map tdi_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 1.2.3.6 255.255.255.255 outside
telnet 172.16.11.5 255.255.255.255 inside
telnet 172.16.1.200 255.255.255.255 inside
telnet 172.16.11.46 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group 1.2.3.6 type ipsec-l2l
tunnel-group 1.2.3.6 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
!
service-policy global_policy global
Cryptochecksum:7ff64c2d67e1aa86fa299ac79710df90
tdikeeper(config)#
Thanks but can you answer the question?
it_gsr

ASKER

I cannot change the config at site B now. It's about a 3 hour drive away, so I would appreciate a complete review of all the commands, then travel over there and make the changes in one go.
it_gsr

ASKER

Hi Lrmoore and keith_alabaster,

Below is my current config at the various locations for your review. Can you please help?

Site A
=====
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password aYiGONOGTxE2368q encrypted
passwd t7oLYycQGA49Yo2i encrypted
hostname BGLKEEPER
domain-name mmmm.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list acl_inbound permit icmp any any
access-list acl_inbound permit udp host 1.2.3.6 host 1.2.4.2 eq isakmp
access-list acl_inbound permit ah host 1.2.3.6 host 1.2.4.2
access-list acl_inbound permit esp host 1.2.3.6 host 1.2.4.2
access-list acl_inbound permit tcp any host 1.2.3.7 eq 3389
access-list 101 permit ip 172.16.0.0 255.255.240.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 172.16.0.0 255.255.240.0 172.16.11.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging trap debugging
logging host inside 172.16.0.1
no logging message 106015
no logging message 305004
no logging message 305001
no logging message 302003
no logging message 302002
no logging message 304001
no logging message 302001
no logging message 302006
no logging message 302005
no logging message 609002
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 1.2.3.6 255.255.255.240
ip address inside 192.1.1.251 255.255.255.0
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool bglpool 192.168.1.1-192.168.1.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location 192.1.1.251 255.255.255.255 inside
pdm location 172.16.0.9 255.255.255.255 inside
pdm location 172.16.0.20 255.255.255.255 inside
pdm location 172.16.0.99 255.255.255.255 inside
pdm location 172.16.10.9 255.255.255.255 inside
pdm location 172.16.1.200 255.255.255.255 inside
pdm logging critical 100
pdm history enable
arp timeout 14400
global (outside) 1 1.2.3.2
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 1.2.3.5 172.16.0.20 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.7 172.16.1.200 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.8 172.16.0.9 netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.3.1 1
route inside 10.170.0.0 255.255.255.0 192.1.1.30 1
route inside 172.16.0.0 255.255.240.0 192.1.1.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol tacacs+
http server enable
no snmp-server location
snmp-server community xxxxxx
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set BASEPIX esp-des esp-sha-hmac
crypto ipsec transform-set bgn_mines esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map outside_map 20 ipsec-isakmp
crypto map bgn_map 1 ipsec-isakmp
crypto map bgn_map 1 match address 101
crypto map bgn_map 1 set peer 1.2.4.2
crypto map bgn_map 1 set transform-set bgn_mines
crypto map bgn_map interface outside
isakmp enable outside
isakmp key ******** address 1.2.4.2 netmask 255.255.255.248
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup BGL_roam idle-time 1800
vpngroup gsrgh-vpn address-pool bglpool
vpngroup gsrgh-vpn dns-server 172.16.0.1
vpngroup gsrgh-vpn wins-server 172.16.0.3
vpngroup gsrgh-vpn default-domain password
vpngroup gsrgh-vpn idle-time 1800
vpngroup gsrgh-vpn password ********
telnet 192.1.1.220 255.255.255.255 inside
telnet timeout 5
ssh 172.16.2.55 255.255.255.255 inside
ssh timeout 5
vpdn username xxx password xxx
vpdn username xxx password xxx
terminal width 80
Cryptochecksum:e41785d365372f5d64523d7dff608d46

Site B
=========
PIX Version 7.0(1)
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 1.2.4.2 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.17.11.254 255.255.240.0
!
enable password aYiGONOGTxE2368q encrypted
passwd aYiGONOGTxE2368q encrypted
hostname tdikeeper
domain-name mmmm.com
ftp mode passive
access-list acl_inbound extended permit icmp any any
access-list acl_inbound extended permit tcp any host 1.2.4.5 eq 3389
access-list acl_inbound extended permit tcp any host 1.2.4.6 eq 3389
access-list acl_inbound extended permit udp host 1.2.4.2 host 1.2.3.6 eq isakmp
access-list acl_inbound extended permit ah host 1.2.4.2 host 1.2.3.6
access-list acl_inbound extended permit esp host 1.2.4.2 host 1.2.3.6
access-list 101 extended permit ip 172.16.0.0 255.255.240.0 192.168.2.0 255.255.255.0
access-list 101 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list 101 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.240.0
access-list outside_cryptomap_20 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list L2LVPN extended permit ip 172.200.0.0 255.255.240.0 172.100.0.0 255.255.240.0
access-list L2LVPN extended permit ip 172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0
access-list inside_outbound_nat0 extended permit ip 172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0
access-list vpn_nat extended permit ip 172.16.0.0 255.255.240.0 172.100.0.0 255.255.240.0
pager lines 24
logging enable
logging timestamp
logging trap debugging
logging host inside 172.16.11.1
no logging message 106015
no logging message 302003
no logging message 304001
no logging message 609002
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface inside
ip local pool bglpool 192.168.2.1-192.168.2.254
no failover
monitor-interface outside
monitor-interface inside
asdm image flash:/asdm
asdm location 1.2.4.5 255.255.255.255 outside
asdm location 1.2.4.6 255.255.255.255 outside
no asdm history enable
arp timeout 1440
global (outside) 1 1.2.4.3
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 172.200.0.0  access-list vpn_nat
static (inside,outside) 1.2.4.5 172.16.17.1 netmask 255.255.255.255
static (inside,outside) 1.2.4.6 172.16.17.2 netmask 255.255.255.255
access-group acl_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.4.7 1
route inside 172.17.11.0 255.255.255.255 172.17.11.254 1
route inside 172.16.11.0 255.255.255.255 172.16.11.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 172.16.11.5 255.255.255.255 inside
http 172.16.11.46 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community XXXXX
snmp-server enable traps snmp
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-none
crypto ipsec transform-set tdi_mines esp-des esp-md5-hmac
crypto map tdi_map 1 match address L2LVPN
crypto map tdi_map 1 set peer 1.2.3.6
crypto map tdi_map 1 set transform-set tdi_mines
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 1.2.3.6 255.255.255.255 outside
telnet 172.16.11.5 255.255.255.255 inside
telnet 172.16.1.200 255.255.255.255 inside
telnet 172.16.11.46 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group 1.2.3.6 type ipsec-l2l
tunnel-group 1.2.3.6 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
!
service-policy global_policy global
Cryptochecksum:80e5f432be5b2a0fa2a3aa26b6264f82
Site A:
>PIX Version 6.1(4)
Very old; you might want to consider updating to 6.3(5) and the PDM GUI.

no access-list 101 permit ip 172.16.0.0 255.255.240.0 172.16.11.0
access-list 102 permit ip 172.16.0.0 255.255.240.0 172.17.0.0 255.255.240.0
no crypto map bgn_map 1 match address 101
crypto map bgn_map 1 match address 102
isakmp nat-traversal 20

Site B:
 no static (inside,outside) 172.200.0.0  access-list vpn_nat
 access-list no_nat permit ip 172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0
 nat (inside) 0 access-list no_nat
 access-list l2l_vpn permit ip 172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0

Make those changes, then post the result of "sho cry is sa". "QM_IDLE" is a very good thing to see there.

Using the ASDM GUI VPN Wizard is absolutely the best way to set up the Site B side, and the PDM VPN Wizard (after you upgrade the OS and the PDM) on Site A.
it_gsr

ASKER

Hi Lrmoore,
Below is the updated config at the various sites.

On running sho cry is sa at site B, the resulting message was 'There are no isakmp sas'

and 'QM_IDLE' did not show up at Site A.

I've not been able to upgrade Site A to version 6.3 because I do not have the spare PIX on site yet. Once it's at hand I will replace the current one with the new one and then perform the upgrade. Can you please send me a site where I can download the 6.3 IOS?



Site A:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password aYiGONOGTxE2368q encrypted
passwd t7oLYycQGA49Yo2i encrypted
hostname BGLKEEPER
domain-name mmmm.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list acl_inbound permit icmp any any
access-list acl_inbound permit udp host 1.2.3.6 host 1.2.4.2 eq isakmp
access-list acl_inbound permit ah host 1.2.3.6 host 1.2.4.2
access-list acl_inbound permit esp host 1.2.3.6 host 1.2.4.2
access-list acl_inbound permit tcp any host 1.2.3.7 eq 3389
access-list 101 permit ip 172.16.0.0 255.255.240.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 172.16.0.0 255.255.240.0 172.16.11.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging trap debugging
logging host inside 172.16.0.1
no logging message 106015
no logging message 305004
no logging message 305001
no logging message 302003
no logging message 302002
no logging message 304001
no logging message 302001
no logging message 302006
no logging message 302005
no logging message 609002
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 1.2.3.6 255.255.255.240
ip address inside 192.1.1.251 255.255.255.0
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool bglpool 192.168.1.1-192.168.1.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location 192.1.1.251 255.255.255.255 inside
pdm location 172.16.0.9 255.255.255.255 inside
pdm location 172.16.0.20 255.255.255.255 inside
pdm location 172.16.0.99 255.255.255.255 inside
pdm location 172.16.10.9 255.255.255.255 inside
pdm location 172.16.1.200 255.255.255.255 inside
pdm logging critical 100
pdm history enable
arp timeout 14400
global (outside) 1 1.2.3.2
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 1.2.3.5 172.16.0.20 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.7 172.16.1.200 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.8 172.16.0.9 netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.3.1 1
route inside 10.170.0.0 255.255.255.0 192.1.1.30 1
route inside 172.16.0.0 255.255.240.0 192.1.1.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol tacacs+
http server enable
no snmp-server location
snmp-server community xxxxxx
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set BASEPIX esp-des esp-sha-hmac
crypto ipsec transform-set bgn_mines esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map outside_map 20 ipsec-isakmp
crypto map bgn_map 1 ipsec-isakmp
crypto map bgn_map 1 match address 101
crypto map bgn_map 1 set peer 1.2.4.2
crypto map bgn_map 1 set transform-set bgn_mines
crypto map bgn_map interface outside
isakmp enable outside
isakmp key ******** address 1.2.4.2 netmask 255.255.255.248
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup BGL_roam idle-time 1800
vpngroup gsrgh-vpn address-pool bglpool
vpngroup gsrgh-vpn dns-server 172.16.0.1
vpngroup gsrgh-vpn wins-server 172.16.0.3
vpngroup gsrgh-vpn default-domain password
vpngroup gsrgh-vpn idle-time 1800
vpngroup gsrgh-vpn password ********
telnet 192.1.1.220 255.255.255.255 inside
telnet timeout 5
ssh 172.16.2.55 255.255.255.255 inside
ssh timeout 5
vpdn username xxx password xxx
vpdn username xxx password xxx
terminal width 80
Cryptochecksum:e41785d365372f5d64523d7dff608d46
Site B
=========
PIX Version 7.0(1)
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 1.2.4.2 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.17.11.254 255.255.240.0
!
enable password aYiGONOGTxE2368q encrypted
passwd aYiGONOGTxE2368q encrypted
hostname tdikeeper
domain-name mmmm.com
ftp mode passive
access-list acl_inbound extended permit icmp any any
access-list acl_inbound extended permit tcp any host 1.2.4.5 eq 3389
access-list acl_inbound extended permit tcp any host 1.2.4.6 eq 3389
access-list acl_inbound extended permit udp host 1.2.4.2 host 1.2.3.6 eq isakmp
access-list acl_inbound extended permit ah host 1.2.4.2 host 1.2.3.6
access-list acl_inbound extended permit esp host 1.2.4.2 host 1.2.3.6
access-list 101 extended permit ip 172.16.0.0 255.255.240.0 192.168.2.0 255.255.255.0
access-list 101 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list 101 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.240.0
access-list outside_cryptomap_20 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list L2LVPN extended permit ip 172.200.0.0 255.255.240.0 172.100.0.0 255.255.240.0
access-list L2LVPN extended permit ip 172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0
access-list inside_outbound_nat0 extended permit ip 172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0
access-list vpn_nat extended permit ip 172.16.0.0 255.255.240.0 172.100.0.0 255.255.240.0
pager lines 24
logging enable
logging timestamp
logging trap debugging
logging host inside 172.16.11.1
no logging message 106015
no logging message 302003
no logging message 304001
no logging message 609002
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface inside
ip local pool bglpool 192.168.2.1-192.168.2.254
no failover
monitor-interface outside
monitor-interface inside
asdm image flash:/asdm
asdm location 1.2.4.5 255.255.255.255 outside
asdm location 1.2.4.6 255.255.255.255 outside
no asdm history enable
arp timeout 1440
global (outside) 1 1.2.4.3
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 172.200.0.0  access-list vpn_nat
static (inside,outside) 1.2.4.5 172.16.17.1 netmask 255.255.255.255
static (inside,outside) 1.2.4.6 172.16.17.2 netmask 255.255.255.255
access-group acl_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.4.7 1
route inside 172.17.11.0 255.255.255.255 172.17.11.254 1
route inside 172.16.11.0 255.255.255.255 172.16.11.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 172.16.11.5 255.255.255.255 inside
http 172.16.11.46 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community XXXXX
snmp-server enable traps snmp
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-none
crypto ipsec transform-set tdi_mines esp-des esp-md5-hmac
crypto map tdi_map 1 match address L2LVPN
crypto map tdi_map 1 set peer 1.2.3.6
crypto map tdi_map 1 set transform-set tdi_mines
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 1.2.3.6 255.255.255.255 outside
telnet 172.16.11.5 255.255.255.255 inside
telnet 172.16.1.200 255.255.255.255 inside
telnet 172.16.11.46 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group 1.2.3.6 type ipsec-l2l
tunnel-group 1.2.3.6 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
!
service-policy global_policy global
Cryptochecksum:80e5f432be5b2a0fa2a3aa26b6264f82
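An added check, not taken from the question or any answer on this page, that compares the two crypto configurations above the way a practitioner would before debugging the tunnel: it pulls the ACL each crypto map matches on, tests whether the entries mirror across the peers (Cisco requires site-to-site crypto ACLs to be mirror images), and tests whether each crypto map is actually bound to the outside interface. The sample strings are constructed from the config lines above; the function names are my own.

```python
import re
from ipaddress import ip_network

# Constructed sample: crypto-relevant lines copied from the two configs above.
SITE_A = """\
access-list 101 permit ip 172.16.0.0 255.255.240.0 172.16.11.0 255.255.255.0
crypto map bgn_map 1 match address 101
crypto map bgn_map interface outside
"""
SITE_B = """\
access-list L2LVPN extended permit ip 172.200.0.0 255.255.240.0 172.100.0.0 255.255.240.0
access-list L2LVPN extended permit ip 172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0
crypto map tdi_map 1 match address L2LVPN
"""
ACL_RE = re.compile(r"access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"crypto map (\S+) \d+ match address (\S+)$")

def crypto_acl(config, map_name):
    """(src, dst) network pairs of the ACL the named crypto map matches on."""
    acl = None
    for line in config.splitlines():
        m = MATCH_RE.match(line.strip())
        if m and m.group(1) == map_name:
            acl = m.group(2)
    nets = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl:
            nets.add((ip_network(f"{m.group(2)}/{m.group(3)}", strict=False),
                      ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)))
    return nets

def unmirrored(local, remote):
    """Entries on each side with no (dst, src) mirror on the other side; the
    peers only agree on proxy identities for entries that mirror exactly."""
    return ({e for e in local if (e[1], e[0]) not in remote},
            {e for e in remote if (e[1], e[0]) not in local})

def map_bound(config, map_name, iface="outside"):
    """True if the crypto map is applied to the interface. An unbound map never
    negotiates, and only one crypto map can be bound to a given interface."""
    return f"crypto map {map_name} interface {iface}" in config.splitlines()

def check_peers(cfg_a, map_a, cfg_b, map_b):
    """Summary of what a site-to-site pairing needs both peers to agree on."""
    a_only, b_only = unmirrored(crypto_acl(cfg_a, map_a), crypto_acl(cfg_b, map_b))
    return {"a_unmirrored": a_only, "b_unmirrored": b_only,
            "a_bound": map_bound(cfg_a, map_a), "b_bound": map_bound(cfg_b, map_b)}
```

Run `check_peers(SITE_A, "bgn_map", SITE_B, "tdi_map")` against the configs as posted and every entry comes back unmirrored while only Site A's map is bound; after the two ACLs are made mirror images of each other the unmirrored sets are empty.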
ASKER
Hi Lrmoore,
Any updates on my request
ASKER CERTIFIED SOLUTION
Les Moore
ASKER
Hi Lrmoore,
The 192.168.1.1-192.168.1.254 IPs were only meant for VPN access using VPN software on site A. Do I still go ahead with the recommended changes?
Yes, please make all the required changes
ASKER
Hi Lrmoore,
Thanks for your response. Are there any tests you would like me to perform after applying the given changes?
yes:
Post output from the PIX:
 sho cry ip sa
 sho cry is sa
 sho access-list
ASKER
Hi Keith_Alabaster
I still do not have a solution to my problem. Please leave it open