[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now


Site to Site VPN Pix 515 and Cisco 837 router

Posted on 2004-10-25
Medium Priority
Last Modified: 2012-05-05
Hi Guys,

I am trying to setup a site to site VPN for one of our remote sites. We currently have a Pix 515 firewall which accepts remote access VPN connections from users with the cisco VPN client installed on there machines.

I have an 837 series ADSL router from Cisco, which i want to setup as the other end of the site to site VPN. What is the easiest way of setting this up without disturbing the current remote access configuration?

I can provide any info that is needed, This question is a bit vague!

Any help much appreciated,

Question by:hairy51
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2

Expert Comment

ID: 12400919
you should be able to add any site to site VPN you want to. You may need to add at least three lines:

access-list 101 permit
access-list outside_cryptomap_20 permit
crypto map mymap

I find the easy way is use PDM. Please check the http://www.chicagotech.net for more information.
LVL 79

Expert Comment

ID: 12401405

Author Comment

ID: 12409215
Would you be able to tell me what the following line from the Pix config does?

aaa-server LOCAL protocol local

LVL 79

Accepted Solution

lrmoore earned 1500 total points
ID: 12415064
That is a default setting. You can refer to LOCAL as an authentication mechanism for HTTP, SSH, or other access methods. This would require you to have a local username/password list right on the box, i.e.
  username user1 password password1
  username user2 password password2

Author Comment

ID: 12434523

I have tried to set up the VPN following Cisco's docs. We have a number of VPNGroups set up on the box, and people use the Cisco VPN client on their PC's to gain access to the network. As soon as i tried to configure the VPN link to the 837, all of the other clients stopped working.
I have attached a config of the Pix BEFORE i added any new commands, The router i am trying to connect to has a static IP address and a private address range of /16. Can you point me in the right direction? I didn't actually configure the pix originally, i am taking over from someone who has left us in the lurch, So struggling a bit!

Any help much appreciated

Hostname# show run
: Saved
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto
interface ethernet5 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 pix/intf3 security15
nameif ethernet4 pix/intf4 security20
nameif ethernet5 pix/intf5 security25
enable password m5lf2m393rgslhXN encrypted
passwd j/BezwIrzRqSU/u. encrypted
domain-name mydomain.ac.uk
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sqlnet 1526
access-list inside_outbound_nat0_acl permit ip any
access-list inside_outbound_nat0_acl permit ip any
access-list outside_cryptomap_dyn_20 permit ip any

*****************Access-Lists removed*********************

pager lines 24
logging on
logging timestamp
logging buffered debugging
logging trap debugging
logging host inside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu pix/intf3 1500
mtu pix/intf4 1500
mtu pix/intf5 1500
ip address outside x.x.x.x
ip address inside
ip address dmz
no ip address pix/intf3
no ip address pix/intf4
no ip address pix/intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool support
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no failover ip address pix/intf3
no failover ip address pix/intf4
no failover ip address pix/intf5

***********pdm location commands removed***************

pdm logging alerts 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 2 0 0
nat (inside) 1 0 0

***********Static routes removed**********************

access-group outside_in in interface outside
access-group inside_out in interface inside
access-group dmz_in in interface dmz
route outside x.x.x.x
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 15 lifetime 86400
vpngroup support address-pool support
vpngroup support dns-server
vpngroup support wins-server
vpngroup support default-domain mydomain.ac.uk
vpngroup support idle-time 1800
vpngroup support password ********
vpngroup user address-pool support
vpngroup user dns-server
vpngroup user wins-server
vpngroup user default-domain mydomain.ac.uk
vpngroup user idle-time 1800
vpngroup user password ********
vpngroup canonsgrove address-pool support
vpngroup canonsgrove dns-server
vpngroup canonsgrove wins-server
vpngroup canonsgrove default-domain mydomain.ac.uk
vpngroup canonsgrove idle-time 1800
vpngroup canonsgrove password ********
vpngroup address-pool idle-time 1800
telnet inside
telnet dmz
telnet pix/intf3
telnet pix/intf4
telnet pix/intf5
telnet timeout 5
ssh outside
ssh inside
ssh timeout 5
console timeout 0
terminal width 80
: end

Featured Post

Enroll in October's Free Course of the Month

Do you work with and analyze data? Enroll in October's Course of the Month for 7+ hours of SQL training, allowing you to quickly and efficiently store or retrieve data. It's free for Premium Members, Team Accounts, and Qualified Experts!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Overview Often, we set up VPN appliances where the connected clients are on a separate subnet and the company will have alternate internet connections and do not use this particular device as the gateway for certain servers or clients. In this case…
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question