Experts,
I'm trying to get a Cisco PIX 506E and a device running Cisco IOS Firewall to connect to each other via VPN. I can't seem to get the two talking and was wondering if someone can help me out.
Here is the setup:
10.2.1.0/24 [PIX 506E] 216.222.50.50/28 --- INTERNET --- 216.222.50.54/28 [Cisco IOS Firewall] 192.168.10.0/24
PIX config
------------
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname PIX506E
names
name 192.168.10.0 insideofsite2
access-list NONAT permit ip 10.2.1.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list NONAT permit ip 10.2.1.0 255.255.255.0 UC500 255.255.255.0
access-list OUTBOUND deny tcp any any eq 137
access-list OUTBOUND deny tcp any any eq 138
access-list OUTBOUND deny tcp any any eq netbios-ssn
access-list OUTBOUND deny udp any any eq 139
access-list OUTBOUND deny udp any any eq netbios-dgm
access-list OUTBOUND deny udp any any eq netbios-ns
access-list OUTBOUND permit ip any any
access-list INBOUND permit tcp any any eq 50
access-list INBOUND permit udp any any eq isakmp
access-list INBOUND permit udp any any eq 50
access-list INBOUND permit udp any any eq 4500 log
access-list INBOUND permit tcp any any eq 10000 log
access-list INBOUND permit tcp any any eq 51
access-list INBOUND permit udp any any eq 51
access-list INBOUND permit tcp any any eq smtp
access-list INBOUND permit tcp any any eq pop3
access-list INBOUND permit icmp any any echo-reply
access-list outside_cryptomap_20 permit ip 10.2.1.0 255.255.255.0 insideofsite2 255.255.255.0
ip address outside 216.222.50.50 255.255.255.248
ip address inside 10.2.1.1 255.255.255.0
ip verify reverse-path interface outside
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group INBOUND in interface outside
access-group OUTBOUND in interface inside
route outside 0.0.0.0 0.0.0.0 216.222.50.49 1
sysopt connection permit-ipsec
crypto ipsec transform-set VPNSET esp-3des esp-md5-hmac
crypto dynamic-map dynmap 100 set transform-set VPNSET
crypto map BIGVPN 20 ipsec-isakmp
crypto map BIGVPN 20 match address outside_cryptomap_20
crypto map BIGVPN 20 set peer 216.222.50.54
crypto map BIGVPN 20 set transform-set VPNSET
crypto map BIGVPN 65535 ipsec-isakmp dynamic dynmap
crypto map BIGVPN interface outside
isakmp enable outside
isakmp key SHAREDKEY address 216.222.50.54 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
dhcpd address 10.2.1.100-10.2.1.179 inside
dhcpd dns 10.2.1.10 10.2.1.20
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
Cisco IOS Firewall config
------------------------------
version 12.4
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
crypto isakmp key SHAREDKEY address 216.222.50.50
!
crypto isakmp client configuration group EZVPN_GROUP_1
key SHAREDKEY
pool EZVPN_POOL_1
max-users 10
!
!
crypto ipsec transform-set ESP_AES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set VPNSET esp-3des esp-md5-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP_AES_SHA ESP_3DES_SHA
reverse-route
!
!
crypto map BIGVPN 10 ipsec-isakmp
set peer 216.222.50.50
set transform-set VPNSET
match address acl_vpn
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
bridge irb
!
interface Loopback0
description $FW_INSIDE$
ip address 10.1.10.2 255.255.255.252
ip access-group 101 in
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address 216.222.50.54 255.255.255.240
ip access-group 104 in
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
duplex auto
speed auto
crypto map BIGVPN
!
ip http server
ip http authentication local
ip http secure-server
ip http path flash:
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
ip access-list extended acl_nat
deny ip 192.168.10.0 0.0.0.255 10.2.1.0 0.0.0.255
ip access-list extended acl_vpn
permit ip 192.168.10.0 0.0.0.255 10.2.1.0 0.0.0.255
!
Thanks in advance!
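An added check, not from the original post or from Cisco: it parses the ISAKMP policy lines of the two posted configs and lists every phase-1 attribute on which the PIX and IOS proposals disagree, which is the first thing to verify when two peers never complete IKE. The unset-attribute defaults in DEFAULTS are assumed from the IOS 12.4 and PIX 6.3 documentation, and the function names are my own.

```python
import re
# Constructed input: the ISAKMP policy lines copied from the two configs in the post.
PIX_CONFIG = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""
IOS_CONFIG = """
crypto isakmp policy 10
 encr 3des
 authentication pre-share
!
"""
# Values a policy inherits when the attribute is not set (assumed IOS 12.4 / PIX 6.3 defaults).
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": "1", "lifetime": "86400"}
ALIASES = {"encr": "encryption"}          # IOS abbreviates the keyword
PROPOSAL_KEYS = ("encryption", "hash", "authentication", "group")  # lifetime may differ

def parse_pix_policies(text):
    """PIX 6.x: one flat 'isakmp policy N attr value' line per attribute."""
    policies = {}
    for num, attr, val in re.findall(r"^isakmp policy (\d+) (\S+) (\S+)", text, re.M):
        policies.setdefault(num, dict(DEFAULTS))[ALIASES.get(attr, attr)] = val
    return policies

def parse_ios_policies(text):
    """IOS: 'crypto isakmp policy N' followed by indented 'attr value' lines until '!'."""
    policies, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^crypto isakmp policy (\d+)", line)
        if head:
            current = policies.setdefault(head.group(1), dict(DEFAULTS))
            continue
        body = re.match(r"^\s*(\S+) (\S+)$", line)
        if body and current is not None:
            current[ALIASES.get(body.group(1), body.group(1))] = body.group(2)
        elif line.strip() == "!":
            current = None                # end of the policy block
    return policies

def mismatches(a, b):
    """{(a_policy, b_policy, attribute): (a_value, b_value)}; empty means a matching pair exists."""
    return {(x, y, k): (pa[k], pb[k]) for x, pa in a.items() for y, pb in b.items()
            for k in PROPOSAL_KEYS if pa[k] != pb[k]}

if __name__ == "__main__":              # prints each disagreeing attribute
    print(mismatches(parse_pix_policies(PIX_CONFIG), parse_ios_policies(IOS_CONFIG)))
```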