Site to Site VPN Pix 515 and Cisco 837 router

Posted on 2004-10-25
Last Modified: 2012-05-05
Hi Guys,

I am trying to setup a site to site VPN for one of our remote sites. We currently have a Pix 515 firewall which accepts remote access VPN connections from users with the cisco VPN client installed on there machines.

I have an 837 series ADSL router from Cisco, which i want to setup as the other end of the site to site VPN. What is the easiest way of setting this up without disturbing the current remote access configuration?

I can provide any info that is needed, This question is a bit vague!

Any help much appreciated,

Question by:hairy51
    LVL 7

    Expert Comment

    you should be able to add any site to site VPN you want to. You may need to add at least three lines:

    access-list 101 permit
    access-list outside_cryptomap_20 permit
    crypto map mymap

    I find the easy way is use PDM. Please check the for more information.
    LVL 79

    Expert Comment


    Author Comment

    Would you be able to tell me what the following line from the Pix config does?

    aaa-server LOCAL protocol local

    LVL 79

    Accepted Solution

    That is a default setting. You can refer to LOCAL as an authentication mechanism for HTTP, SSH, or other access methods. This would require you to have a local username/password list right on the box, i.e.
      username user1 password password1
      username user2 password password2

    Author Comment


    I have tried to set up the VPN following Cisco's docs. We have a number of VPNGroups set up on the box, and people use the Cisco VPN client on their PC's to gain access to the network. As soon as i tried to configure the VPN link to the 837, all of the other clients stopped working.
    I have attached a config of the Pix BEFORE i added any new commands, The router i am trying to connect to has a static IP address and a private address range of /16. Can you point me in the right direction? I didn't actually configure the pix originally, i am taking over from someone who has left us in the lurch, So struggling a bit!

    Any help much appreciated

    Hostname# show run
    : Saved
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    interface ethernet3 auto
    interface ethernet4 auto
    interface ethernet5 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    nameif ethernet3 pix/intf3 security15
    nameif ethernet4 pix/intf4 security20
    nameif ethernet5 pix/intf5 security25
    enable password m5lf2m393rgslhXN encrypted
    passwd j/BezwIrzRqSU/u. encrypted
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sqlnet 1526
    access-list inside_outbound_nat0_acl permit ip any
    access-list inside_outbound_nat0_acl permit ip any
    access-list outside_cryptomap_dyn_20 permit ip any

    *****************Access-Lists removed*********************

    pager lines 24
    logging on
    logging timestamp
    logging buffered debugging
    logging trap debugging
    logging host inside
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    mtu pix/intf3 1500
    mtu pix/intf4 1500
    mtu pix/intf5 1500
    ip address outside x.x.x.x
    ip address inside
    ip address dmz
    no ip address pix/intf3
    no ip address pix/intf4
    no ip address pix/intf5
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool support
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    no failover ip address dmz
    no failover ip address pix/intf3
    no failover ip address pix/intf4
    no failover ip address pix/intf5

    ***********pdm location commands removed***************

    pdm logging alerts 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 2 0 0
    nat (inside) 1 0 0

    ***********Static routes removed**********************

    access-group outside_in in interface outside
    access-group inside_out in interface inside
    access-group dmz_in in interface dmz
    route outside x.x.x.x
    route inside 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp nat-traversal 20
    isakmp policy 15 authentication pre-share
    isakmp policy 15 encryption des
    isakmp policy 15 hash md5
    isakmp policy 15 group 2
    isakmp policy 15 lifetime 86400
    vpngroup support address-pool support
    vpngroup support dns-server
    vpngroup support wins-server
    vpngroup support default-domain
    vpngroup support idle-time 1800
    vpngroup support password ********
    vpngroup user address-pool support
    vpngroup user dns-server
    vpngroup user wins-server
    vpngroup user default-domain
    vpngroup user idle-time 1800
    vpngroup user password ********
    vpngroup canonsgrove address-pool support
    vpngroup canonsgrove dns-server
    vpngroup canonsgrove wins-server
    vpngroup canonsgrove default-domain
    vpngroup canonsgrove idle-time 1800
    vpngroup canonsgrove password ********
    vpngroup address-pool idle-time 1800
    telnet inside
    telnet dmz
    telnet pix/intf3
    telnet pix/intf4
    telnet pix/intf5
    telnet timeout 5
    ssh outside
    ssh inside
    ssh timeout 5
    console timeout 0
    terminal width 80
    : end

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    What Security Threats Are You Missing?

    Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

    Suggested Solutions

    Do you have an old router lying around the house that you don’t know what to do with? Check the make and model, then refer to either of these links to see if its compatible. http://www.dd-wrt.c…
    Some of you may have heard that SonicWALL has finally released an app for iOS devices giving us long awaited connectivity for our iPhone's, iPod's, and iPad's. This guide is just a quick rundown on how to get up and running quickly using the app. …
    After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
    After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

    884 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    17 Experts available now in Live!

    Get 1:1 Help Now