04.21.2008 at 07:57PM PDT, ID: 23341737

VPN tunnel between 2 Cisco 501 PIX's

Hello,

I'm learning the Cisco CLI so please be paaaaaaatient.
I've been asked by a client to configure a vpn tunnel between 2 501 Pix firewalls. The Edmonton office will have 1 with no static ip and the Calgary will have 1 with a static ip. The ISP gave me this information:


CALGARY
ip: 68.145.96.75
Gateway:68.145.96.1
Subnet Mask: 255.255.252.0

All users from both sites must browse the internet freely and be able to download their emails from a pop3 server. No restrictions going out.
I have not tested vpn connectivity because I do not have the means to do so at home. Here are the configs. I would like to go to the client and give them the firewalls, plug them in and they work. I spent all weekend configuring both pixes.
Here are the configs.
Do they look good? Will I have issues when plugging them in?

All good help is appreciated.
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 0RsgY.LyDrnfQxyk encrypted
passwd 0RsgY.LyDrnfQxyk encrypted
hostname PixEdmonton
domain-name swift-eng.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_10 permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outbound permit tcp 172.16.1.0 255.255.255.0 any eq www
access-list outbound permit tcp 172.16.1.0 255.255.255.0 any eq ftp-data
access-list outbound permit tcp 172.16.1.0 255.255.255.0 any eq ftp
access-list outbound permit tcp 172.16.1.0 255.255.255.0 any eq domain
access-list outbound permit udp 172.16.1.0 255.255.255.0 any eq domain
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 4
ip address inside 172.16.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 172.16.1.0 255.255.255.0 inside
pdm location 172.16.1.2 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 9 0.0.0.1
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.1.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set EdmontonTransform esp-des esp-md5-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 68.145.96.75
crypto map outside_map 10 set transform-set EdmontonTransform
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 68.145.96.75 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 172.16.1.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:19928a40aa07c30b3544712bdbecdedb
: end
PixEdmonton# ping 4.2.2.2
        4.2.2.2 response received -- 30ms
        4.2.2.2 response received -- 20ms
        4.2.2.2 response received -- 20ms
PixEdmonton# sh route
        outside 0.0.0.0 0.0.0.0 70.75.28.1 1 DHCP static
        outside 70.75.28.0 255.255.252.0 70.75.29.95 1 CONNECT static
        inside 172.16.1.0 255.255.255.0 172.16.1.1 1 CONNECT static

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 0RsgY.LyDrnfQxyk encrypted
passwd 0RsgY.LyDrnfQxyk encrypted
hostname Calgary
domain-name swiftengineering
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service MXLogic tcp
  port-object eq smtp
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp-data
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq smtp
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq pop3
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq domain
access-list outbound permit udp 192.168.1.0 255.255.255.0 any eq domain
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 68.145.96.75 255.255.252.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 192.168.1.2 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 68.145.96.76
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 68.145.96.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set TransformCalgary esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set TransformCalgary
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 0.0.0.0 255.255.255.255 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd dns 64.59.135.133 64.59.135.135
terminal width 80
Cryptochecksum:95f02d5692a10a6a951a9d4f7b4318c0
: end
Calgary#
Question Stats
Zone: Security
Question Asked By: Tacobell2000
Solution Provided By: batry_boy
Participating Experts: 1
Solution Grade: A
Views: 0
04.21.2008 at 10:36PM PDT, ID: 21408304

Rank: Sage

You need to add the following statements on the Calgary PIX:

access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl

You also mentioned that you didn't want any restrictions on outbound traffic initiated from the internal hosts on either side, correct? If so, then you should remove the outbound ACL applied to the Calgary PIX inside interface:

no access-group outbound in interface inside

HTH...
 
04.22.2008 at 05:51AM PDT, ID: 21410510
OK. I'll make the changes tonight and bring the devices to the client tomorrow. Will let you know if it works on Friday, Batry_boy.
By the way you sure seem to know your stuff. Are you a CCIE?

Tacobell2000
 
04.22.2008 at 12:11PM PDT, ID: 21414392

Rank: Sage

Nope, but I'm currently studying for the CCIE Security written exam now...good luck with your changes!
 
05.09.2008 at 04:51PM PDT, ID: 21537218
Finally the customer plugged them in and I performed the pinging tests and was unsuccessful. Both sites are able to access the internet and so on, but the VPN tunnel does not come up.
 
05.09.2008 at 06:28PM PDT, ID: 21537493

Rank: Sage

Please repost both configurations and I'll have a look.
 
05.09.2008 at 06:59PM PDT, ID: 21537545
Here you go.
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 0RsgY.LyDrnfQxyk encrypted
passwd 0RsgY.LyDrnfQxyk encrypted
hostname Calgary
domain-name swiftengineering
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service MXLogic tcp
  port-object eq smtp
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp-data
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq smtp
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq pop3
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq domain
access-list outbound permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 68.145.96.75 255.255.252.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 192.168.1.2 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 68.145.96.76
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 68.145.96.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set TransformCalgary esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set TransformCalgary
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 0.0.0.0 255.255.255.255 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd dns 64.59.135.133 64.59.135.135
terminal width 80
Cryptochecksum:50ae1a4e4d9fa3c1f4788b7f99cd4314
: end
Calgary#

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 0RsgY.LyDrnfQxyk encrypted
passwd 0RsgY.LyDrnfQxyk encrypted
hostname PixEdmonton
domain-name swift-eng.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_10 permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outbound permit tcp 172.16.1.0 255.255.255.0 any eq www
access-list outbound permit tcp 172.16.1.0 255.255.255.0 any eq ftp-data
access-list outbound permit tcp 172.16.1.0 255.255.255.0 any eq ftp
access-list outbound permit tcp 172.16.1.0 255.255.255.0 any eq domain
access-list outbound permit udp 172.16.1.0 255.255.255.0 any eq domain
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 4
ip address inside 172.16.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 172.16.1.0 255.255.255.0 inside
pdm location 172.16.1.2 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 9 0.0.0.1
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.1.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set EdmontonTransform esp-des esp-md5-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 68.145.96.75
crypto map outside_map 10 set transform-set EdmontonTransform
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 68.145.96.75 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 172.16.1.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:19928a40aa07c30b3544712bdbecdedb
: end
PixEdmonton#
 
05.09.2008 at 07:18PM PDT, ID: 21537591

Rank: Sage

On the Calgary PIX, try changing the netmask in the "isakmp key" statement to 0.0.0.0:

no isakmp key ******** address 0.0.0.0 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
Accepted Solution
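The two conditions batry_boy raised in this thread (a mirrored nat 0 exemption on each PIX, and a wildcard "isakmp key ... address 0.0.0.0 netmask 0.0.0.0" on the static-address side that must accept a peer whose address it cannot know in advance) turned into a small consistency check. This is an added Python example, not code from the thread or from Cisco; the two config fragments are constructed, abbreviated copies of the posted Calgary and Edmonton configs, and "********" is the page's own placeholder for the pre-shared key.

```python
# Constructed, abbreviated copies of the thread's two PIX 501 configs, keeping only
# the statements a LAN-to-LAN tunnel depends on ("********" is the page's own key
# placeholder). Calgary still has the netmask the accepted answer says to change.
CALGARY = """\
hostname Calgary
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
ip address outside 68.145.96.75 255.255.252.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto ipsec transform-set TransformCalgary esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set TransformCalgary
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
isakmp key ******** address 0.0.0.0 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
"""
EDMONTON = """\
hostname PixEdmonton
access-list inside_outbound_nat0_acl permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_10 permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside dhcp setroute retry 4
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto ipsec transform-set EdmontonTransform esp-des esp-md5-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 68.145.96.75
crypto map outside_map 10 set transform-set EdmontonTransform
isakmp key ******** address 68.145.96.75 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
"""


def parse(cfg):
    """Extract the statements that decide whether a PIX 6.3 LAN-to-LAN tunnel forms."""
    p = {"host": "?", "acl": {}, "nat0": None, "crypto_acl": None, "outside": None,
         "transforms": {}, "active": None, "peer": None, "dynamic_map": False,
         "key_addr": None, "key_mask": None, "policy": {}}
    for line in cfg.splitlines():
        w = line.split()
        if w[:1] == ["hostname"]:
            p["host"] = w[1]
        elif w[:1] == ["access-list"] and w[2:4] == ["permit", "ip"]:
            p["acl"].setdefault(w[1], set()).add(tuple(w[4:8]))  # src, mask, dst, mask
        elif w[:4] == ["nat", "(inside)", "0", "access-list"]:
            p["nat0"] = w[4]
        elif w[:3] == ["ip", "address", "outside"]:
            p["outside"] = w[3]  # "dhcp" or the static address
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            p["transforms"][w[3]] = tuple(sorted(w[4:]))
        elif " set transform-set " in line:
            p["active"] = w[-1]
        elif " match address " in line:
            p["crypto_acl"] = w[-1]
        elif " set peer " in line:
            p["peer"] = w[-1]
        elif " ipsec-isakmp dynamic " in line:
            p["dynamic_map"] = True
        elif w[:2] == ["isakmp", "key"]:
            p["key_addr"], p["key_mask"] = w[4], w[6]
        elif w[:2] == ["isakmp", "policy"] and w[3] != "lifetime":
            p["policy"][w[3]] = w[4]
    return p


def mirror(entries):
    """Swap source and destination of each (src, mask, dst, mask) ACL entry."""
    return {(d, dm, s, sm) for (s, sm, d, dm) in entries}


def check_pair(static_cfg, dynamic_cfg):
    """Findings for a static-IP hub plus a DHCP-addressed spoke; [] means consistent."""
    s, d = parse(static_cfg), parse(dynamic_cfg)
    s_nat0, d_nat0 = s["acl"].get(s["nat0"], set()), d["acl"].get(d["nat0"], set())
    out = []
    for side, nat0 in ((s, s_nat0), (d, d_nat0)):
        if not nat0:
            out.append(f"{side['host']}: no nat 0 exemption for the tunnel traffic")
    if s_nat0 and d_nat0 and mirror(s_nat0) != d_nat0:
        out.append("nat 0 ACLs are not mirror images of each other")
    if d["acl"].get(d["crypto_acl"], set()) != d_nat0:
        out.append(f"{d['host']}: crypto ACL does not match its nat 0 ACL")
    if d["peer"] != s["outside"] or d["key_addr"] != d["peer"]:
        out.append(f"{d['host']}: set peer / isakmp key address must both be {s['outside']}")
    if not s["dynamic_map"]:
        out.append(f"{s['host']}: needs a dynamic crypto map, the peer has no fixed address")
    if (s["key_addr"], s["key_mask"]) != ("0.0.0.0", "0.0.0.0"):
        out.append(f"{s['host']}: isakmp key needs address 0.0.0.0 netmask 0.0.0.0 "
                   "so a peer at an unknown address can authenticate")
    if s["transforms"].get(s["active"]) != d["transforms"].get(d["active"]):
        out.append("active transform-sets do not agree on ESP algorithms")
    if s["policy"] != d["policy"]:
        out.append("isakmp policy attributes differ between the peers")
    return out


def fixed_calgary():
    """The accepted answer's change applied to the Calgary fragment."""
    return CALGARY.replace("netmask 255.255.255.255 no-xauth", "netmask 0.0.0.0 no-xauth")
```

check_pair(CALGARY, EDMONTON) reports only the Calgary isakmp key netmask, and check_pair(fixed_calgary(), EDMONTON) returns an empty list; dropping the nat 0 line from either fragment produces the missing-exemption finding from the first answer.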
 
05.09.2008 at 07:30PM PDT, ID: 21537616
I'll do so on Monday since the devices are at the customer's office. I think I forgot the isakmp key password. Will this be a problem when inputting the above change?
 
05.09.2008 at 07:45PM PDT, ID: 21537644

Rank: Sage

No, you can use whatever you want when negating the command...it doesn't have to be the current key...
 
05.13.2008 at 10:02AM PDT, ID: 21557017
I've done that and gave myself access from the outside. Unable to get the VPN tunnel up between both sites. What sort of debug commands should I use to find out what is wrong with the configs?

PixEdmonton# sh runn
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 0RsgY.LyDrnfQxyk encrypted
passwd 0RsgY.LyDrnfQxyk encrypted
hostname PixEdmonton
domain-name swift-eng.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_10 permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outbound permit tcp 172.16.1.0 255.255.255.0 any eq www
access-list outbound permit tcp 172.16.1.0 255.255.255.0 any eq ftp-data
access-list outbound permit tcp 172.16.1.0 255.255.255.0 any eq ftp
access-list outbound permit tcp 172.16.1.0 255.255.255.0 any eq domain
access-list outbound permit udp 172.16.1.0 255.255.255.0 any eq domain
access-list outside_access_in permit tcp host 209.89.49.230 interface outside eq 5900
access-list outside_access_in permit tcp any interface outside eq 5900
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 4
ip address inside 172.16.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 172.16.1.0 255.255.255.0 inside
pdm location 172.16.1.2 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 9 0.0.0.1
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
static (inside,outside) tcp interface 5900 172.16.1.2 5900 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.1.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set EdmontonTransform esp-des esp-md5-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 68.145.96.75
crypto map outside_map 10 set transform-set EdmontonTransform
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 68.145.96.75 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 172.16.1.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:19928a40aa07c30b3544712bdbecdedb
: end
PixEdmonton#
 
 
Calgary# sh runn
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 0RsgY.LyDrnfQxyk encrypted
passwd 0RsgY.LyDrnfQxyk encrypted
hostname Calgary
domain-name swiftengineering
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service MXLogic tcp
  port-object eq smtp
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp-data
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq smtp
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq pop3
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq domain
access-list outbound permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outside_access_in permit tcp host 68.145.96.75 interface outside eq 5900
access-list outside_access_in permit tcp any interface outside eq 5900
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 68.145.96.75 255.255.252.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 192.168.1.2 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 68.145.96.76
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) tcp interface 5900 192.168.1.2 5900 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 68.145.96.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set TransformCalgary esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set TransformCalgary
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 0.0.0.0 255.255.255.255 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd dns 64.59.135.133 64.59.135.135
terminal width 80
Cryptochecksum:50ae1a4e4d9fa3c1f4788b7f99cd4314
: end
Calgary#exit
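Since the asker cannot bring the tunnel up at home, a quick offline sanity check is to confirm that the two configs agree on the IKE phase 1 policy and the IPsec transform-set algorithms. The script below is an added example, not part of the question or any answer; the two excerpts are constructed from the crypto and isakmp lines of the quoted PIX 6.3 configs, and it checks only algorithm agreement, not the pre-shared key or whether the crypto ACLs mirror each other.

```python
import re

# Constructed excerpts of the two configs quoted above: only the lines that
# decide whether IKE phase 1 and IPsec phase 2 can negotiate.
EDMONTON = """\
crypto ipsec transform-set EdmontonTransform esp-des esp-md5-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 set peer 68.145.96.75
crypto map outside_map 10 set transform-set EdmontonTransform
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
"""

CALGARY = """\
crypto ipsec transform-set TransformCalgary esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set TransformCalgary
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
"""

def parse_pix_vpn(text):
    """Return {policy_number: attributes} and the algorithm sets of the
    transform-sets that are actually bound to a crypto or dynamic map."""
    policies, tsets, bound = {}, {}, set()
    for line in text.splitlines():
        p = line.split()
        if p[:2] == ["isakmp", "policy"]:
            policies.setdefault(p[2], {})[p[3]] = p[4]
        elif p[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[p[3]] = frozenset(p[4:])          # name -> {esp-des, esp-md5-hmac}
        elif re.search(r"\bset transform-set\b", line):
            bound.update(p[p.index("transform-set") + 1:])
    return policies, {tsets[n] for n in bound if n in tsets}

def compatible(a, b):
    """List the mismatches that would stop the tunnel from coming up."""
    pa, ta = parse_pix_vpn(a)
    pb, tb = parse_pix_vpn(b)
    issues = []
    keys = ("authentication", "encryption", "hash", "group")   # lifetime is negotiated
    if not any(all(x.get(k) == y.get(k) for k in keys)
               for x in pa.values() for y in pb.values()):
        issues.append("no matching isakmp policy")
    if not (ta & tb):            # transform-set names may differ, algorithms must not
        issues.append("no matching transform-set algorithms")
    return issues
```

For the configs as posted, `compatible(EDMONTON, CALGARY)` returns an empty list; changing either side's `encryption des` or `esp-des` on its own reports the mismatch.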