Solved

Pix to Pix firewall

Posted on 2004-09-29
Last Modified: 2010-03-17
I have a PIX 501 (6.3) and a PIX 506 (6.2) firewall and I can't get a tunnel between them working.

I use the following configs:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8gG8QAQhVtG/MdZd encrypted
passwd nFmKXuEehMqOqVdz encrypted
hostname Pix-2
domain-name ciscopix.com
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.86.0 lokalnetz
name 192.168.99.0 newpool
access-list inside_acl permit ip lokalnetz 255.255.255.0 10.10.1.0 255.255.255.0
access-list inside_acl permit udp lokalnetz 255.255.255.0 gt 1024 any eq domain
access-list inside_acl permit tcp lokalnetz 255.255.255.0 gt 1024 any eq www
access-list inside_acl permit tcp lokalnetz 255.255.255.0 gt 1024 any eq https
access-list inside_acl permit tcp lokalnetz 255.255.255.0 gt 1024 any eq ftp
access-list inside_acl permit tcp lokalnetz 255.255.255.0 gt 1024 any eq telnet
access-list inside_acl permit tcp lokalnetz 255.255.255.0 gt 1024 any eq pop3
access-list inside_acl permit icmp lokalnetz 255.255.255.0 any echo
access-list outside_acl permit ip 10.10.1.0 255.255.255.0 lokalnetz 255.255.255.0
access-list inside_outbound_nonat_acl permit ip lokalnetz 255.255.255.0 10.10.1.0 255.255.255.240
access-list inside_outbound_nonat_acl permit ip any newpool 255.255.255.0
access-list outside_dyn_cryptomap permit ip any 10.10.1.0 255.255.255.240
access-list outside_dyn_cryptomap permit ip any newpool 255.255.255.0
access-list 110 permit ip lokalnetz 255.255.255.0 10.181.67.0 255.255.255.0
access-list 110 permit ip lokalnetz 255.255.255.0 10.181.66.0 255.255.255.0
access-list 110 permit ip lokalnetz 255.255.255.0 10.81.66.0 255.255.255.0
access-list 110 permit ip lokalnetz 255.255.255.0 10.81.67.0 255.255.255.0
access-list 110 permit ip lokalnetz 255.255.255.0 192.168.87.0 255.255.255.0
access-list 110 permit ip lokalnetz 255.255.255.0 192.168.20.0 255.255.255.0
access-list 110 permit ip lokalnetz 255.255.255.0 192.168.10.0 255.255.255.0
access-list 110 permit ip lokalnetz 255.255.255.0 192.168.30.0 255.255.255.0
access-list 110 permit ip lokalnetz 255.255.255.0 newpool 255.255.255.0
access-list 100 permit ip lokalnetz 255.255.255.0 10.181.67.0 255.255.255.0
access-list 100 permit ip lokalnetz 255.255.255.0 10.181.66.0 255.255.255.0
access-list 100 permit ip lokalnetz 255.255.255.0 10.81.66.0 255.255.255.0
access-list 100 permit ip lokalnetz 255.255.255.0 10.81.67.0 255.255.255.0
access-list 100 permit ip lokalnetz 255.255.255.0 192.168.87.0 255.255.255.0
access-list 100 permit ip lokalnetz 255.255.255.0 192.168.20.0 255.255.255.0
access-list 100 permit ip lokalnetz 255.255.255.0 192.168.10.0 255.255.255.0
access-list 100 permit ip lokalnetz 255.255.255.0 192.168.30.0 255.255.255.0
access-list 100 permit ip lokalnetz 255.255.255.0 10.10.1.0 255.255.255.240
access-list outside_access_in permit icmp any any
access-list inside-acl permit tcp lokalnetz 255.255.255.0 gt 1024 any eq 6129
pager lines 24
logging on
logging monitor debugging
interface ethernet0 10baset
interface ethernet1 10baset
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.248
ip address inside 192.168.86.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 10.10.1.1-10.10.1.10
ip local pool newpool 192.168.99.50-192.168.99.100
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 lokalnetz 255.255.255.0 0 0
access-group outside_acl in interface outside
access-group inside_acl in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
snmp-server host outside y.y.y.y
snmp-server location Esha-Nettentaal
no snmp-server contact
snmp-server community YTodSvqm
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dyn_vpnclient 20 match address outside_dyn_cryptomap
crypto dynamic-map dyn_vpnclient 20 set transform-set myset
crypto dynamic-map dyn_vpnclient 21 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map vpn 20 ipsec-isakmp dynamic dyn_vpnclient
crypto map vpn client configuration address initiate
crypto map vpn client configuration address respond
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer y.y.y.y
crypto map newmap 10 set transform-set myset
crypto map newmap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address y.y.y.y netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 43200
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup admin address-pool vpnpool
vpngroup admin idle-time 1800
vpngroup admin password ********
telnet 0.0.0.0 0.0.0.0 outside
telnet lokalnetz 255.255.255.0 inside
telnet x.x.x.x 255.255.255.252 inside
telnet newpool 255.255.255.0 inside
telnet timeout 5
username admin password WUvztic5jxG8IhGK encrypted privilege 5
terminal width 80


PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password nFmKXuEehMqOqVdz encrypted
passwd nFmKXuEehMqOqVdz encrypted
hostname Pix 1
domain-name cds.nu
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit icmp host y.y.y.y host y.y.y.y
access-list 110 permit ip 10.181.67.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list 110 permit ip 10.181.66.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list 110 permit ip 10.81.66.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list 110 permit ip 10.81.67.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list 110 permit ip 192.168.87.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list 110 permit ip 192.168.20.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list 110 permit ip 192.168.10.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list 110 permit ip 192.168.30.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list 100 permit ip 10.181.67.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list 100 permit ip 10.181.66.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list 100 permit ip 10.81.66.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list 100 permit ip 10.81.67.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list 100 permit ip 192.168.87.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list 100 permit ip 192.168.20.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list 100 permit ip 192.168.10.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list 100 permit ip 192.168.30.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list inside_acces_in permit tcp 10.181.67.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list inside_acces_in permit tcp 10.181.66.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list inside_acces_in permit tcp 10.81.66.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list inside_acces_in permit tcp 10.81.67.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list inside_acces_in permit tcp 192.168.87.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list inside_acces_in permit tcp 192.168.20.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list inside_acces_in permit tcp 192.168.10.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list inside_acces_in permit tcp 192.168.30.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list inside_acces_in permit udp 10.181.67.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list inside_acces_in permit udp 10.181.66.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list inside_acces_in permit udp 10.81.66.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list inside_acces_in permit udp 10.81.67.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list inside_acces_in permit udp 192.168.87.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list inside_acces_in permit udp 192.168.20.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list inside_acces_in permit udp 192.168.10.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list inside_acces_in permit udp 192.168.30.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list inside_acces_in permit icmp 10.181.67.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list inside_acces_in permit icmp 10.181.66.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list inside_acces_in permit icmp 10.81.66.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list inside_acces_in permit icmp 10.81.67.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list inside_acces_in permit icmp 192.168.87.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list inside_acces_in permit icmp 192.168.20.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list inside_acces_in permit icmp 192.168.10.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list inside_acces_in permit icmp 192.168.30.0 255.255.255.0 192.168.86.0 255.255.255.0
pager lines 24
logging monitor debugging
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside y.y.y.y 255.255.255.248
ip address inside 10.181.67.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
nat (inside) 0 access-list 100
route outside 0.0.0.0 0.0.0.0 y.y.y.y 1
route inside 10.81.66.0 255.255.255.0 10.181.67.1 1
route inside 10.81.67.0 255.255.255.0 10.181.67.1 1
route inside 192.168.10.0 255.255.255.0 10.181.67.1 1
route inside 192.168.20.0 255.255.255.0 10.181.67.1 1
route inside 192.168.30.0 255.255.255.0 10.181.67.1 1
route inside 192.168.87.0 255.255.255.0 10.181.67.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
snmp-server host inside 10.181.67.100
snmp-server location telecity
snmp-server contact gert_eizinga
snmp-server community connect
no snmp-server enable traps
floodguard enable
sysopt noproxyarp outside
sysopt noproxyarp inside
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer y.y.y.y
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******* address y.y.y.y netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 43200
telnet 192.168.86.254 255.255.255.255 inside
telnet timeout 5
console timeout 0
username radjesh password 6a8yWqINRP42iv60 encrypted privilege 15
terminal width 80
Cryptochecksum:b0766f6f86507d4e4a51b4599a9f26e5
: end
Question by:gerteizinga

8 Comments
Expert Comment
by:lrmoore
You need to add this to the 501:
   sysopt connection permit-ipsec

Then, can you post the result of "show cry is sa"?
Look for QM_IDLE or MM_XXXX.



Author Comment
by:gerteizinga
If I do a sh is sa I get the following result:

Total     : 1
Embryonic : 0
        dst               src        state     pending     created
  x.x.x.x                y.y.y.y    QM_IDLE         0           3

I can see that there is a tunnel, but I don't seem to get traffic over it.
Expert Comment
by:lrmoore
The tunnel is definitely established.
Did you add the sysopt connection line to the 501? It is required.

Author Comment
by:gerteizinga
Yep, the sysopt is added. I begin to think it's not a VPN issue but a routing issue of the server or client.
Expert Comment
by:lrmoore
Agree. Once the tunnel is established, 99% of the time it is a routing issue that prevents data traffic over the VPN.
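A check that goes with this diagnosis, added here as an example and not part of the original thread or of any Cisco tool: once "show crypto isakmp sa" reports QM_IDLE, the two PIX-side things worth verifying before blaming routing elsewhere are that the crypto ACLs on the two peers are exact mirrors of each other (each src/dst pair on one side appears as dst/src on the other) and that the nat 0 ACL exempts every one of those pairs from PAT, otherwise the traffic is translated to the outside address and never matches the crypto map. The script below parses a constructed excerpt of the two posted configs (the `name` aliases, crypto ACL 110 and nat 0 ACL 100 from each peer, and the two commands that bind them) and reports every crypto ACL entry that the other peer does not mirror or that the local nat 0 ACL does not cover. The function names and the excerpt are assumptions made for this example; the thread's own resolution was an access list on a router in front of one PIX, which a config-only check like this cannot see.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpts of the two configs posted above, reduced to the lines the
# check needs. Pix-2 uses `name` aliases; Pix 1 uses literal addresses.
PIX2_CONFIG = """\
name 192.168.86.0 lokalnetz
name 192.168.99.0 newpool
access-list 110 permit ip lokalnetz 255.255.255.0 10.181.67.0 255.255.255.0
access-list 110 permit ip lokalnetz 255.255.255.0 192.168.87.0 255.255.255.0
access-list 110 permit ip lokalnetz 255.255.255.0 newpool 255.255.255.0
access-list 100 permit ip lokalnetz 255.255.255.0 10.181.67.0 255.255.255.0
access-list 100 permit ip lokalnetz 255.255.255.0 192.168.87.0 255.255.255.0
nat (inside) 0 access-list 100
crypto map newmap 10 match address 110
"""

PIX1_CONFIG = """\
access-list 110 permit ip 10.181.67.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list 110 permit ip 192.168.87.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list 100 permit ip 10.181.67.0 255.255.255.0 192.168.86.0 255.255.255.0
access-list 100 permit ip 192.168.87.0 255.255.255.0 192.168.86.0 255.255.255.0
nat (inside) 0 access-list 100
crypto map newmap 10 match address 110
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")


def to_network(addr, mask, names):
    """Turn a PIX 'address mask' pair (or a name alias, or 'any') into an ip_network."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr = names.get(addr, addr)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Extract name aliases, 'permit ip' ACL entries, the nat 0 ACL and the crypto-map ACL."""
    names = {}
    acls = defaultdict(list)
    parsed = {"acls": acls, "nat0": None, "crypto": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("name "):
            _, addr, alias = line.split()
            names[alias] = addr
            continue
        m = ACL_RE.match(line)
        if m:
            acl, src, smask, dst, dmask = m.groups()
            acls[acl].append((to_network(src, smask, names), to_network(dst, dmask, names)))
            continue
        m = NAT0_RE.match(line)
        if m:
            parsed["nat0"] = m.group(1)
            continue
        m = CRYPTO_RE.match(line)
        if m:
            parsed["crypto"] = m.group(1)
    return parsed


def check_peer_pair(local, remote):
    """Findings for one direction: every crypto ACL entry on `local` must have a
    swapped (dst, src) twin on `remote` and must be covered by the local nat 0 ACL."""
    findings = []
    local_crypto = local["acls"].get(local["crypto"], [])
    remote_crypto = set(remote["acls"].get(remote["crypto"], []))
    local_nat0 = local["acls"].get(local["nat0"], [])
    for src, dst in local_crypto:
        if (dst, src) not in remote_crypto:
            findings.append(f"peer does not mirror {src} -> {dst}")
        if not any(src.subnet_of(ns) and dst.subnet_of(nd) for ns, nd in local_nat0):
            findings.append(f"nat 0 does not exempt {src} -> {dst}")
    return findings


if __name__ == "__main__":
    pix2, pix1 = parse_config(PIX2_CONFIG), parse_config(PIX1_CONFIG)
    for label, local, remote in (("Pix-2", pix2, pix1), ("Pix 1", pix1, pix2)):
        print(label, check_peer_pair(local, remote) or "ok")
```

Run in both directions: a clean pair reports nothing for either peer. On the excerpt above, the Pix-2 entry for the newpool subnet has no mirror on Pix 1 and is not in Pix-2's nat 0 ACL, so packets for that subnet would be PAT'd rather than encrypted even though the ISAKMP SA is up.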
Expert Comment
by:dagger3d
Try going to https://yourPIXipaddress.
Then use the EasyVPN Wizard under "Wizards" at the top of the page.
Accepted Solution
by:lrmoore (earned 500 total points)
Any progress?
Author Comment
by:gerteizinga
Hello

Thanks for your advice. There was an access list in the router before one of the PIXes; now everything seems to work fine.