Solved

Creating a vpn with a Cisco 837 and a Pix 506

Posted on 2004-10-30
4,726 Views
Last Modified: 2008-02-01
I have a Cisco 837 ADSL router and want to create a VPN tunnel to a Cisco PIX 506 using pre-shared keys. Both have static IP addresses. I have followed the steps here http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml
but it doesn't connect. I have run with debug on, but nothing comes up in the debug output at all. Can someone please point me in the right direction or show me how to do it.

Thanks
Question by:mor4eus
    8 Comments
     
    LVL 79

    Expert Comment

    by:lrmoore
    Do you have different IP subnets on each end? If you can post your configs, I'll take a look at them for you..

     
    LVL 1

    Author Comment

    by:mor4eus
    837 Config
    --------------------------------------
    ! Cisco 837 running config as first posted (IOS 12.3): LAN 192.168.60.0/24 behind a
    ! PPPoE dialer, site-to-site IPsec to the PIX at ***.***.133.110 for 192.168.55.0/24.
    version 12.3
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    ! Type-7 encoding of the "password 7" lines below is reversible obfuscation, not
    ! encryption; only "enable secret" (type 5) is a real hash.
    service password-encryption
    !
    ! Same hostname as the PIX peer; cosmetic, but it makes log correlation harder.
    hostname pix
    !
    enable secret 5 **************
    !
    ! Type-7 local password; "username ... secret" would store a hash instead.
    username atmrmel password 7 **************
    no aaa new-model
    ip subnet-zero
    ip dhcp excluded-address 192.168.60.1
    !
    ip dhcp pool CLIENT
       import all
       network 192.168.60.0 255.255.255.0
       default-router 192.168.60.1
       lease 0 2
    !        
    ip audit notify log
    ip audit po max-events 100
    no ftp-server write-enable
    !
    ! Phase 1: no "encryption" or "group" line, so the IOS defaults apply (DES, DH group 1);
    ! together with md5 this matches the PIX's "isakmp policy 21", but all three are weak
    ! by today's standards (prefer AES / SHA-2 / group 14+ where both peers support them).
    crypto isakmp policy 11
     hash md5
     authentication pre-share
    ! Pre-shared key, posted here in clear text - treat it as compromised and rotate it on
    ! both peers. The leading "0" is the plain-text input type, not part of the key.
    crypto isakmp key 0 vpnpass address ***.***.133.110
    !
    !
    ! Phase 2: single DES + HMAC-MD5; weak, but it must match the PIX's "avalanche" set.
    crypto ipsec transform-set sharks esp-des esp-md5-hmac
    !
    crypto map nolan 11 ipsec-isakmp
     set peer ***.***.133.110
     set transform-set sharks
     match address 120
    !
    ! The crypto map is bound to the INSIDE interface here. IPsec is only negotiated on the
    ! interface the map is applied to, and traffic to the peer leaves via Dialer1, so
    ! ISAKMP most likely never starts - consistent with "nothing comes up in debug".
    ! The later paste moves the map to Dialer1.
    interface Ethernet0
     ip address 192.168.60.1 255.255.255.0
     ip nat inside
     ip tcp adjust-mss 1452
     crypto map nolan
     hold-queue 100 out
    !
    interface ATM0
     no ip address
     atm vc-per-vp 64
     no atm ilmi-keepalive
     pvc 8/35
      pppoe-client dial-pool-number 1
     !
     dsl operating-mode auto
    !
    interface FastEthernet1
     no ip address
     duplex auto
     speed auto
    !
    interface FastEthernet2
     no ip address
     duplex auto
     speed auto
    !
    interface FastEthernet3
     no ip address
     duplex auto
     speed auto
    !
    interface FastEthernet4
     no ip address
     duplex auto
     speed auto
    !
    ! Outside (PPPoE) interface. No inbound access-list or "ip inspect" is applied to it,
    ! so nothing in this config filters traffic arriving from the Internet beyond what
    ! NAT overload happens not to translate. The crypto map belongs on this interface.
    interface Dialer1
     ip address negotiated
     ip mtu 1492
     ip nat outside
     encapsulation ppp
     ip tcp adjust-mss 1452
     dialer pool 1
     dialer remote-name redback
     dialer-group 1
     ppp authentication pap chap callin
     ppp chap hostname **************
     ppp chap password 7 **************
     ppp pap sent-username ************** password 7 **************
     ppp ipcp dns request
     ppp ipcp wins request
    !
    ! PAT for everything matched by list 102 (192.168.60.0/24 -> any). That includes the
    ! VPN traffic: IOS translates inside-to-outside packets before the crypto map checks
    ! them, so the translated packets no longer match list 120 and are sent in clear.
    ! A NAT exemption for the 60 -> 55 traffic is needed (lrmoore's reply adds one).
    ip nat inside source list 102 interface Dialer1 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ! HTTP management enabled with no "ip http access-class" in this config - presumably
    ! reachable on every interface address, the public Dialer1 address included, with the
    ! type-7 local user above. Restrict it or turn it off if it is not used.
    ip http server
    no ip http secure-server
    !
    ! 102: NAT source list (see "ip nat inside source" above).
    access-list 102 permit ip 192.168.60.0 0.0.0.255 any
    ! 120: crypto ACL - interesting traffic for the tunnel; mirror of the PIX's "ipsec" list.
    access-list 120 permit ip 192.168.60.0 0.0.0.255 192.168.55.0 0.0.0.255
    ! 130 and the "nonat" route-map below are not referenced anywhere in this config, and
    ! 130's source is the REMOTE subnet - looks like a leftover from the worked example.
    access-list 130 permit ip 192.168.55.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    route-map nonat permit 10
     match ip address 130
    !
    line con 0
     exec-timeout 120 0
     no modem enable
     stopbits 1
    line aux 0
    ! "access-class 23" references an ACL that is not defined in this config. As far as I
    ! recall, IOS treats an undefined access-class as permit-all, which would leave the
    ! VTYs reachable from any source (public side included) with only the type-7 local
    ! password; verify, and define list 23 explicitly. No "transport input" is shown
    ! either - confirm which protocols (telnet/ssh) the VTYs accept.
    line vty 0 4
     access-class 23 in
     exec-timeout 120 0
     login local
     length 0
    !
    scheduler max-task-time 5000
    !
    end
     
    LVL 1

    Author Comment

    by:mor4eus
    Pix 506 Config
    -----------------------------------

    : PIX 506 (6.3(3)) as posted: outside ***.***.133.110/30 with default route via .109,
    : inside 192.168.55.0/24; site-to-site IPsec to the 837 for 192.168.60.0/24.
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password ************  encrypted
    passwd ************ encrypted
    : Same hostname as the router in its first paste; harmless, but confusing in logs.
    hostname pix
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names        
    : Services published to the Internet via the statics further down: SMTP and 8174 to
    : 192.168.55.2, HTTP and PPTP to 192.168.55.1, each open to any source. PPTP normally
    : relies on MS-CHAP, which is widely regarded as broken; once the IPsec tunnel works,
    : consider whether it is still needed.
    access-list outside_access_in permit tcp any interface outside eq smtp
    access-list outside_access_in permit tcp any interface outside eq 8174
    access-list outside_access_in permit tcp any interface outside eq www
    access-list outside_access_in permit tcp any interface outside eq pptp
    : Applied inbound on "inside" below. "permit ip" already matches every IP protocol
    : (ESP, protocol 50, included) and this list filters packets from inside hosts, not
    : the PIX's own ISAKMP/ESP - so it is not what keeps the tunnel down. Its only effect
    : is to restrict inside sources to 192.168.0.0/16.
    access-list inside_access_in permit ip 192.168.0.0 255.255.0.0 any
    : "ipsec" = crypto ACL (interesting traffic), "nonat" = NAT exemption; identical, as
    : they should be, and the mirror image of the router's access-list 120.
    access-list ipsec permit ip 192.168.55.0 255.255.255.0 192.168.60.0 255.255.255.0
    access-list nonat permit ip 192.168.55.0 255.255.255.0 192.168.60.0 255.255.255.0
    pager lines 24
    : Every ICMP type addressed to the PIX's own interfaces is accepted, outside included;
    : the usual hardening is to limit outside to echo-reply / unreachable / time-exceeded.
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside ***.***.133.110 255.255.255.252
    ip address inside 192.168.55.10 255.255.255.0
    : Unicast RPF on both interfaces - good anti-spoofing setting.
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 0.0.0.0 255.255.255.255 outside
    pdm location 192.168.0.0 255.255.0.0 inside
    pdm location 192.168.55.1 255.255.255.255 inside
    pdm location 192.168.55.2 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    : PAT for inside hosts; "nat (inside) 0" exempts the VPN traffic so it keeps its
    : private source address and still matches the crypto ACL.
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 192.168.55.0 255.255.255.0 0 0
    static (inside,outside) tcp interface smtp 192.168.55.2 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface www 192.168.55.1 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8174 192.168.55.2 8174 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface pptp 192.168.55.1 pptp netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 ***.***.133.109 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    : Serial and SSH logins are checked against the local database, but no "username"
    : entries appear in this paste - confirm which credentials SSH actually accepts.
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    : PDM management, inside network only.
    http server enable
    http 192.168.55.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    : Default SNMP community string. No "snmp-server host" lines are shown, so it may not
    : be pollable from anywhere, but it should still be changed or removed.
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    : Decrypted IPsec traffic bypasses the outside access-list; the crypto ACL "ipsec" is
    : then the only thing limiting what the 837 site can reach on the inside.
    sysopt connection permit-ipsec
    : Single DES + HMAC-MD5 here and DES / MD5 / DH group 1 in policy 21 below: weak by
    : current standards, though they match what the 837 is configured with (the IOS
    : defaults for its missing "encryption" and "group" lines are DES and group 1).
    crypto ipsec transform-set avalanche esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto map forsberg 21 ipsec-isakmp
    crypto map forsberg 21 match address ipsec
    : The peer's public address is left unredacted on this line while the isakmp key
    : line and the PIX's own addresses are masked - the router's real IP is disclosed.
    crypto map forsberg 21 set peer 218.214.62.60
    crypto map forsberg 21 set transform-set avalanche
    crypto map forsberg interface outside
    isakmp enable outside
    : Must equal the router's "crypto isakmp key" (which that paste shows in clear text).
    isakmp key ******** address ***.***.62.60 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 21 authentication pre-share
    isakmp policy 21 encryption des
    isakmp policy 21 hash md5
    isakmp policy 21 group 1
    isakmp policy 21 lifetime 86400
    : Clear-text telnet is allowed from all of 192.168.0.0/16 on the inside, wider than
    : the single /24 actually configured there.
    telnet 192.168.0.0 255.255.0.0 inside
    telnet timeout 5
    : SSH management is open to ANY Internet source on the outside interface, and PIX 6.3
    : (as far as I know) offers SSH version 1 only. Restrict this to the specific admin
    : addresses that need it or remove the outside entry altogether.
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 192.168.0.0 255.255.0.0 inside
    ssh timeout 5
    : Console sessions never time out.
    console timeout 0
    dhcpd auto_config outside
    terminal width 80
     
    LVL 79

    Expert Comment

    by:lrmoore
    Remove this from the PIX:
      >access-group inside_access_in in interface inside
     You're blocking ESP traffic by only permitting IP

    Double-check that these two keys are the same:
    Router:
      >crypto isakmp key 0 vpnpass address ***.***.133.110
    Re-input without the "0"
        crypto isakmp key <vpnpass> address ***.***.133.110

    PIX:
      >isakmp key <vpnpass> address ***.***.62.60 netmask 255.255.255.255

    On the router, you need to setup a no nat route-map so that traffic between the sites does not get natted:
       no ip nat inside source list 102 interface Dialer1 overload
    Change to:
          ip nat inside source route-map no_nat interface Dialer1 overload
          access-list 121 permit ip 192.168.60.0 0.0.0.255 192.168.55.0 0.0.0.255
     (yes, I know that it is identical to 120, but 120 is used by the IPSEC process and this will be used by the NAT process)
          route-map no_nat permit 10
            match ip address 121

    That should get you going..
     
    LVL 1

    Author Comment

    by:mor4eus
    OK, I have done that, but I lost my NAT from the internal network to the Internet. I still want to NAT to the Internet. And it still doesn't connect. When I do a show crypto ipsec I have stuff there, but nothing when I do a show crypto isakmp.

    Here is the updated 837 config. (Also, I have found that the 0 before the key is normal for an 837.)!
    ! Cisco 837 running config after lrmoore's first set of changes: the crypto map has
    ! moved to Dialer1 and NAT is now driven by route-map no_nat. Posted together with
    ! "lost my natting".
    version 12.3
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    ! "password 7" lines below are reversible type-7 obfuscation, not encryption.
    service password-encryption
    !
    hostname atmrmel
    !
    enable secret 5 *****
    !
    no aaa new-model
    ip subnet-zero
    ip dhcp excluded-address 192.168.60.1
    !
    ip dhcp pool CLIENT
       import all
       network 192.168.60.0 255.255.255.0
       default-router 192.168.60.1
       lease 0 2
    !        
    !
    ip audit notify log
    ip audit po max-events 100
    no ftp-server write-enable
    !
    !
    !
    !
    ! Phase 1: IOS defaults fill in the missing lines (DES, DH group 1); matches the PIX's
    ! policy 21 but is weak by current standards.
    crypto isakmp policy 11
     hash md5
     authentication pre-share
    ! Pre-shared key still posted in clear text - rotate it on both peers. The "0" is the
    ! plain-text input type, as the author notes.
    crypto isakmp key 0 vpnpass address ***.***.133.110
    !
    !
    ! Phase 2: single DES + HMAC-MD5; must match the PIX's "avalanche" set.
    crypto ipsec transform-set sharks esp-des esp-md5-hmac
    !
    crypto map nolan 11 ipsec-isakmp
     set peer ***.***.133.110
     set transform-set sharks
     match address 120
    !
    !
    !        
    !
    ! Crypto map no longer applied to the inside interface (correct).
    interface Ethernet0
     ip address 192.168.60.1 255.255.255.0
     ip nat inside
     ip tcp adjust-mss 1452
     hold-queue 100 out
    !
    interface ATM0
     no ip address
     atm vc-per-vp 64
     no atm ilmi-keepalive
     pvc 8/35
      pppoe-client dial-pool-number 1
     !
     dsl operating-mode auto
    !
    interface FastEthernet1
     no ip address
     duplex auto
     speed auto
    !
    interface FastEthernet2
     no ip address
     duplex auto
     speed auto
    !
    interface FastEthernet3
     no ip address
     duplex auto
     speed auto
    !
    interface FastEthernet4
     no ip address
     duplex auto
     speed auto
    !
    ! Outside (PPPoE) interface; the crypto map is now bound here, where the peer is
    ! actually reached. Still no inbound access-list or "ip inspect" on the public side.
    interface Dialer1
     ip address negotiated
     ip mtu 1492
     ip nat outside
     encapsulation ppp
     ip tcp adjust-mss 1452
     dialer pool 1
     dialer remote-name redback
     dialer-group 1
     ppp authentication pap chap callin
     ppp chap hostname *****
     ppp chap password 7 *****
     ppp pap sent-username ***** password 7 *****
     ppp ipcp dns request
     ppp ipcp wins request
     crypto map nolan
    !
    ! NAT now follows route-map no_nat, which (via list 121 below) permits ONLY the
    ! 60 -> 55 VPN traffic. The effect is inverted: only tunnel traffic is translated and
    ! Internet-bound traffic is not - hence "lost my natting" and the tunnel still not
    ! matching. The accepted answer fixes list 121 to deny the VPN subnet pair and permit
    ! everything else, so NAT applies to Internet traffic only.
    ip nat inside source route-map no_nat interface Dialer1 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ! HTTP management still on with no "ip http access-class" - presumably reachable on
    ! the public Dialer1 address too; restrict or disable.
    ip http server
    no ip http secure-server
    !
    ! 102 is no longer referenced by anything in this config.
    access-list 102 permit ip 192.168.60.0 0.0.0.255 any
    ! 120: crypto ACL (interesting traffic for the tunnel).
    access-list 120 permit ip 192.168.60.0 0.0.0.255 192.168.55.0 0.0.0.255
    ! 121: NAT selector used by route-map no_nat; see the note on "ip nat inside source".
    access-list 121 permit ip 192.168.60.0 0.0.0.255 192.168.55.0 0.0.0.255
    ! 130 and route-map "nonat" are still unreferenced, and 130's source is the remote
    ! subnet - leftover config that can be removed.
    access-list 130 permit ip 192.168.55.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    route-map no_nat permit 10
     match ip address 121
    !
    route-map nonat permit 10
     match ip address 130
    !
    !
    line con 0
     exec-timeout 120 0
     no modem enable
     stopbits 1
    line aux 0
    ! "access-class 23" still references an ACL that is not defined in this config (an
    ! undefined access-class is, as far as I recall, permit-all on IOS - verify). Also,
    ! the "username" line from the first paste does not appear here while "login local"
    ! remains; if it was really removed there are no credentials left for VTY login.
    line vty 0 4
     access-class 23 in
     exec-timeout 120 0
     login local
     length 0
    !
    scheduler max-task-time 5000
    !
    end

     
    LVL 79

    Accepted Solution

    by:
    My bad...

    access-list 121 should be:
       access-list 121 deny ip 192.168.60.0 0.0.0.255 192.168.55.0 0.0.0.255
       access-list 121 permit ip 192.168.60.0 0.0.0.255 any

     
    LVL 1

    Author Comment

    by:mor4eus
    THANKS so much for your help, and quick responses. All fixed now.

    You're a LEGEND.
    James
     
    LVL 79

    Expert Comment

    by:lrmoore
    Aw  Shucks... just glad to help...

    - Cheers!
