Solved

Creating a vpn with a Cisco 837 and a Pix 506

Posted on 2004-10-30
Last Modified: 2008-02-01
I have a Cisco 837 ADSL router and want to create a VPN tunnel to a Cisco PIX 506 using pre-shared keys.  Both have static IP addresses.  I have followed the steps here http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml
but it doesn't connect. I have run with debug on but nothing comes up in debug at all.  Can someone please point me in the correct direction or show me how to do it.

Thanks
Question by:mor4eus
8 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12454534
Do you have different IP subnets on each end? If you can post your configs, I'll take a look at them for you..

 
LVL 1

Author Comment

by:mor4eus
ID: 12454572
837 Config
--------------------------------------
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname pix
!
enable secret 5 **************
!
username atmrmel password 7 **************
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 192.168.60.1
!
ip dhcp pool CLIENT
   import all
   network 192.168.60.0 255.255.255.0
   default-router 192.168.60.1
   lease 0 2
!        
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
crypto isakmp policy 11
 hash md5
 authentication pre-share
crypto isakmp key 0 vpnpass address ***.***.133.110
!
!
crypto ipsec transform-set sharks esp-des esp-md5-hmac
!
crypto map nolan 11 ipsec-isakmp
 set peer ***.***.133.110
 set transform-set sharks
 match address 120
!
interface Ethernet0
 ip address 192.168.60.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 crypto map nolan
 hold-queue 100 out
!
interface ATM0
 no ip address
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer remote-name redback
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname **************
 ppp chap password 7 **************
 ppp pap sent-username ************** password 7 **************
 ppp ipcp dns request
 ppp ipcp wins request
!
ip nat inside source list 102 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
access-list 102 permit ip 192.168.60.0 0.0.0.255 any
access-list 120 permit ip 192.168.60.0 0.0.0.255 192.168.55.0 0.0.0.255
access-list 130 permit ip 192.168.55.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map nonat permit 10
 match ip address 130
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
!
end
 
LVL 1

Author Comment

by:mor4eus
ID: 12454579
Pix 506 Config
-----------------------------------

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ************  encrypted
passwd ************ encrypted
hostname pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names        
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any interface outside eq 8174
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq pptp
access-list inside_access_in permit ip 192.168.0.0 255.255.0.0 any
access-list ipsec permit ip 192.168.55.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list nonat permit ip 192.168.55.0 255.255.255.0 192.168.60.0 255.255.255.0
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside ***.***.133.110 255.255.255.252
ip address inside 192.168.55.10 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 192.168.55.1 255.255.255.255 inside
pdm location 192.168.55.2 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.55.0 255.255.255.0 0 0
static (inside,outside) tcp interface smtp 192.168.55.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.55.1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8174 192.168.55.2 8174 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 192.168.55.1 pptp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 ***.***.133.109 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.55.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set avalanche esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map forsberg 21 ipsec-isakmp
crypto map forsberg 21 match address ipsec
crypto map forsberg 21 set peer 218.214.62.60
crypto map forsberg 21 set transform-set avalanche
crypto map forsberg interface outside
isakmp enable outside
isakmp key ******** address ***.***.62.60 netmask 255.255.255.255
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 86400
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
 
LVL 79

Expert Comment

by:lrmoore
ID: 12454646
Remove this from the PIX:
  >access-group inside_access_in in interface inside
 You're blocking ESP traffic by only permitting IP

Double-check that these two keys are the same:
Router:
  >crypto isakmp key 0 vpnpass address ***.***.133.110
Re-input without the "0"
    crypto isakmp key <vpnpass> address ***.***.133.110

PIX:
  >isakmp key <vpnpass> address ***.***.62.60 netmask 255.255.255.255

On the router, you need to set up a no-NAT route-map so that traffic between the sites does not get NATted:
   no ip nat inside source list 102 interface Dialer1 overload
Change to:
      ip nat inside source route-map no_nat interface Dialer1 overload
      access-list 121 permit ip 192.168.60.0 0.0.0.255 192.168.55.0 0.0.0.255
 (yes, I know that it is identical to 120, but 120 is used by the IPSEC process and this will be used by the NAT process)
      route-map no_nat permit 10
        match ip address 121

That should get you going..
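Before chasing the pre-shared key, it is worth confirming that the two Phase 1 policies and the two transform-sets posted above can actually agree. The following is an added example (it is not code from this thread, from Cisco or from either poster) that reads the posted 837 `crypto isakmp policy 11` block and the PIX `isakmp policy 21` lines, fills in the attributes IOS 12.3 leaves out of `show running-config` (it assumes the documented defaults: encryption des, hash sha, authentication rsa-sig, group 1, lifetime 86400, which PIX 6.3 shares) and reports the matching proposals. The config excerpts are constructed from the configs in this thread.

```python
import re

# Constructed excerpts of the two configs posted in this thread: the 837's
# 'crypto isakmp policy 11' block and transform-set, and the PIX 506's
# 'isakmp policy 21' lines and transform-set, with the values as posted.
IOS_CFG = """\
crypto isakmp policy 11
 hash md5
 authentication pre-share
!
crypto ipsec transform-set sharks esp-des esp-md5-hmac
"""

PIX_CFG = """\
crypto ipsec transform-set avalanche esp-des esp-md5-hmac
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 86400
"""

# Attributes an IOS 12.3 router fills in silently when a policy block omits
# them; 'show running-config' does not print them, so they are easy to miss.
# PIX 6.3 uses the same defaults (the posted PIX config spells them all out).
POLICY_DEFAULTS = {
    "encryption": "des",
    "hash": "sha",
    "authentication": "rsa-sig",
    "group": "1",
    "lifetime": "86400",
}

# Attributes that must agree for an IKEv1 Phase 1 proposal to be accepted.
# Lifetime is left out on purpose: the peers settle on the shorter value.
PHASE1_ATTRS = ("encryption", "hash", "authentication", "group")

# Algorithms used in these configs that are obsolete today.
OBSOLETE = {"des", "md5", "1", "esp-des", "esp-md5-hmac"}


def parse_ios_policies(cfg):
    """Indented block form: 'crypto isakmp policy N' followed by ' attr value' lines."""
    policies, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(POLICY_DEFAULTS)
        elif current is not None and line.startswith(" "):
            attr, _, value = line.strip().partition(" ")
            policies[current][attr] = value
        else:
            current = None
    return policies


def parse_pix_policies(cfg):
    """Flat form: one 'isakmp policy N attr value' line per attribute."""
    policies = {}
    for m in re.finditer(r"^isakmp policy (\d+) (\S+) (\S+)", cfg, re.M):
        pol = policies.setdefault(int(m.group(1)), dict(POLICY_DEFAULTS))
        pol[m.group(2)] = m.group(3)
    return policies


def parse_transform_sets(cfg):
    """Same syntax on both platforms; the name is local, only the contents are negotiated."""
    return {m.group(1): frozenset(m.group(2).split())
            for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M)}


def check(ios_cfg, pix_cfg):
    """Return the (ios, pix) policy pairs and transform-set pairs that can match,
    plus the obsolete algorithms either side still relies on."""
    ios_pol, pix_pol = parse_ios_policies(ios_cfg), parse_pix_policies(pix_cfg)
    ios_ts, pix_ts = parse_transform_sets(ios_cfg), parse_transform_sets(pix_cfg)
    phase1 = [(i, p) for i, ip in sorted(ios_pol.items())
              for p, pp in sorted(pix_pol.items())
              if all(ip[a] == pp[a] for a in PHASE1_ATTRS)]
    phase2 = [(a, b) for a, sa in ios_ts.items() for b, sb in pix_ts.items() if sa == sb]
    used = {v for pol in (*ios_pol.values(), *pix_pol.values()) for v in pol.values()}
    used |= {alg for ts in (*ios_ts.values(), *pix_ts.values()) for alg in ts}
    return {"phase1": phase1, "phase2": phase2, "weak": sorted(used & OBSOLETE)}


if __name__ == "__main__":
    print(check(IOS_CFG, PIX_CFG))
```

Run against the posted excerpts this reports policy 11 matching policy 21 and `sharks` matching `avalanche`: the 837's block only sets `hash md5` and `authentication pre-share`, and its `encryption des` and `group 1` come from the defaults, which happen to line up with what the PIX has configured explicitly. Transform-set names never have to match, only their contents. Delete the `hash md5` line on either side and the match disappears, which is the class of mismatch that shows up as an empty `show crypto isakmp sa`. The `weak` list is the caveat for anyone reusing these configs today: DES, MD5 and DH group 1 are obsolete and should be replaced on both peers.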
 
LVL 1

Author Comment

by:mor4eus
ID: 12454764
OK, I have done that, but lost my NATting from the internal network to the Internet.  I still want to NAT to the Internet. But it still doesn't connect.  When I do a show crypto ipsec I have stuff there, but nothing when I do a show crypto isakmp.

Here is the updated 837 config.  (Also, the 0 before the key is normal for an 837, I have found.)
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname atmrmel
!
enable secret 5 *****
!
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 192.168.60.1
!
ip dhcp pool CLIENT
   import all
   network 192.168.60.0 255.255.255.0
   default-router 192.168.60.1
   lease 0 2
!        
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 11
 hash md5
 authentication pre-share
crypto isakmp key 0 vpnpass address ***.***.133.110
!
!
crypto ipsec transform-set sharks esp-des esp-md5-hmac
!
crypto map nolan 11 ipsec-isakmp
 set peer ***.***.133.110
 set transform-set sharks
 match address 120
!
!
!        
!
interface Ethernet0
 ip address 192.168.60.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
interface ATM0
 no ip address
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer remote-name redback
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname *****
 ppp chap password 7 *****
 ppp pap sent-username ***** password 7 *****
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map nolan
!
ip nat inside source route-map no_nat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
access-list 102 permit ip 192.168.60.0 0.0.0.255 any
access-list 120 permit ip 192.168.60.0 0.0.0.255 192.168.55.0 0.0.0.255
access-list 121 permit ip 192.168.60.0 0.0.0.255 192.168.55.0 0.0.0.255
access-list 130 permit ip 192.168.55.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map no_nat permit 10
 match ip address 121
!
route-map nonat permit 10
 match ip address 130
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
!
end

 
LVL 79

Accepted Solution

by:
lrmoore earned 1600 total points
ID: 12454823
My bad...

access-list 121 should be:
   access-list 121 deny ip 192.168.60.0 0.0.0.255 192.168.55.0 0.0.0.255
   access-list 121 permit ip 192.168.60.0 0.0.0.255 any

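To make the accepted fix concrete, here is an added example (not from the thread, Cisco, or either poster) that models how IOS and PIX decide whether a flow is translated, using the ACLs exactly as posted. It shows why the first version of ACL 121 did the opposite of what was wanted, checks the corrected version, and confirms that the two crypto ACLs mirror each other despite IOS using wildcard masks and PIX using subnet masks. The config excerpts are constructed from the thread; 198.51.100.10 is a placeholder Internet host, not an address from the thread.

```python
import ipaddress
import re

# Constructed excerpts from this thread: the 837's NAT route-map with ACL 121 as
# first posted (permits only the VPN subnets) and as corrected in the accepted
# answer (deny the VPN subnets, then permit everything else), plus the PIX side.
IOS_WRONG = """\
ip nat inside source route-map no_nat interface Dialer1 overload
access-list 120 permit ip 192.168.60.0 0.0.0.255 192.168.55.0 0.0.0.255
access-list 121 permit ip 192.168.60.0 0.0.0.255 192.168.55.0 0.0.0.255
route-map no_nat permit 10
 match ip address 121
"""

IOS_FIXED = """\
ip nat inside source route-map no_nat interface Dialer1 overload
access-list 120 permit ip 192.168.60.0 0.0.0.255 192.168.55.0 0.0.0.255
access-list 121 deny ip 192.168.60.0 0.0.0.255 192.168.55.0 0.0.0.255
access-list 121 permit ip 192.168.60.0 0.0.0.255 any
route-map no_nat permit 10
 match ip address 121
"""

PIX_CFG = """\
access-list ipsec permit ip 192.168.55.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list nonat permit ip 192.168.55.0 255.255.255.0 192.168.60.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.55.0 255.255.255.0 0 0
"""


def _network(addr, mask, wildcard):
    """IOS ACLs use wildcard masks (0.0.0.255), PIX ACLs subnet masks (255.255.255.0)."""
    m = int(ipaddress.IPv4Address(mask))
    if wildcard:
        m ^= 0xFFFFFFFF
    prefix = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask {mask}")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def _operand(tokens, i, wildcard):
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return _network(tokens[i], tokens[i + 1], wildcard), i + 2


def parse_acl(cfg, name, wildcard):
    """[(permit, src_net, dst_net)] for the 'ip' entries of one ACL, in config order."""
    entries = []
    for line in cfg.splitlines():
        t = line.split()
        if len(t) < 4 or t[:2] != ["access-list", name] or t[3] != "ip":
            continue
        src, i = _operand(t, 4, wildcard)
        dst, _ = _operand(t, i, wildcard)
        entries.append((t[2] == "permit", src, dst))
    return entries


def acl_permits(entries, src, dst):
    """First matching entry wins; no match is the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for permit, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return permit
    return False


def ios_nat_applies(cfg, src, dst):
    """Translate iff the route-map bound to 'ip nat inside source' permits the flow,
    which for a single 'match ip address' clause means its ACL permits it."""
    rm = re.search(r"^ip nat inside source route-map (\S+)", cfg, re.M).group(1)
    acl = re.search(rf"^route-map {re.escape(rm)} permit \d+\n match ip address (\S+)",
                    cfg, re.M).group(1)
    return acl_permits(parse_acl(cfg, acl, wildcard=True), src, dst)


def ios_vpn_flow_ok(cfg, src, dst):
    """Inside-to-outside, IOS runs NAT before the crypto map: the flow is encrypted
    only if it matches crypto ACL 120 and still carries its original source."""
    crypto = acl_permits(parse_acl(cfg, "120", wildcard=True), src, dst)
    return crypto and not ios_nat_applies(cfg, src, dst)


def pix_nat_applies(cfg, src, dst):
    """'nat (inside) 0 access-list X' exempts whatever X permits; everything else
    in the 'nat (inside) 1' subnet is translated."""
    exempt = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M).group(1)
    if acl_permits(parse_acl(cfg, exempt, wildcard=False), src, dst):
        return False
    m = re.search(r"^nat \(inside\) 1 (\S+) (\S+)", cfg, re.M)
    return ipaddress.ip_address(src) in _network(m.group(1), m.group(2), wildcard=False)


def crypto_acls_mirror(ios_cfg, pix_cfg):
    """The two crypto ACLs must be exact mirrors or the Phase 2 proxy IDs disagree."""
    ios = {(s, d) for p, s, d in parse_acl(ios_cfg, "120", wildcard=True) if p}
    pix = {(d, s) for p, s, d in parse_acl(pix_cfg, "ipsec", wildcard=False) if p}
    return ios == pix
```

With the first ACL 121, `ios_nat_applies(IOS_WRONG, "192.168.60.5", "192.168.55.2")` is True and the same call for an Internet destination is False: the route-map matched only the site-to-site traffic, so exactly that traffic was overloaded onto the Dialer1 address (and no longer matched crypto ACL 120, so nothing ever reached ISAKMP), while ordinary Internet traffic left untranslated, which is the "lost my NATting" symptom in the reply above. With the corrected ACL the deny line must come first: the VPN flow is left alone and everything else is translated, and `ios_vpn_flow_ok` returns True. On the PIX the equivalent exemption is `nat (inside) 0 access-list nonat`, which was already right. Two further things a practitioner should check on the IOS side, both visible in the posted configs: the crypto map belongs on the interface the traffic actually leaves by (the first posted 837 config had `crypto map nolan` on Ethernet0, the inside interface; the updated config has it on Dialer1), and `_network` rejects a non-contiguous mask because a wildcard typo such as 0.0.255.0 silently widens or breaks the match.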
 
LVL 1

Author Comment

by:mor4eus
ID: 12455307
THANKS so much for your help, and quick responses. All fixed now.

You're a LEGEND.
James
 
LVL 79

Expert Comment

by:lrmoore
ID: 12455319
Aw  Shucks... just glad to help...

- Cheers!
