Configuring Site-Site VPN Pix 515 Cisco 837 ADSL Router- Desperate for Help!

Hi All,

I posted this question a while back, but the problem is still ongoing.
I am desperately trying to set up a site-to-site VPN between our main HQ PIX 515 and a remote site with ADSL and a Cisco 837 router. We currently accept remote access VPN connections through the PIX, and I want to set this connection up without disrupting this service. Unfortunately, I did not configure the PIX initially, and do not have much Cisco firewall experience.

The details are:

Main site is on 10.3.x.x/16 network.
Remote site is on 10.8.x.x/16 Network.

Remote site has 2 PCs that require access to our network for e-mail, documents etc. I would still like them to go straight out for internet access though.

Both have static IPs for the outside.

The PIX only has a license for DES encryption. (?)

I am quite happy to attach the configs for both boxes so you can see where I am going wrong. I am really in need of some help here, otherwise my boss is gonna start getting quite annoyed!

If anyone feels that they could help, please please post back and I will upload the configs etc.

Thanks in advance...


Please post your configs and I will have a look.
hairy51Author Commented:
Here is the PIX config as it stands. I have removed a few bits to make it a bit shorter, but let me know if you need any more info.

A16-PIX-FW1# sho run
: Saved
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto
interface ethernet5 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 pix/intf3 security15
nameif ethernet4 pix/intf4 security20
nameif ethernet5 pix/intf5 security25
enable password m5lf2m393rgslhXN encrypted
passwd j/BezwIrzRqSU/u. encrypted
hostname A16-PIX-FW1
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sqlnet 1526
access-list inside_outbound_nat0_acl permit ip any
access-list inside_outbound_nat0_acl permit ip any
access-list inside_outbound_nat0_acl permit ip any
access-list outside_cryptomap_dyn_20 permit ip any
access-list canonsgrove permit ip any
**** All Inside_out and Outside_in Access lists removed****
pager lines 24
logging on
logging timestamp
logging buffered debugging
logging trap debugging
logging host inside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu pix/intf3 1500
mtu pix/intf4 1500
mtu pix/intf5 1500
ip address outside x.x.x.x
ip address inside
ip address dmz
no ip address pix/intf3
no ip address pix/intf4
no ip address pix/intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool support
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no failover ip address pix/intf3
no failover ip address pix/intf4
no failover ip address pix/intf5

**** PDM Location Commands removed****

pdm logging alerts 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 2 0 0
nat (inside) 1 0 0

****Static Routes Removed****

access-group outside_in in interface outside
access-group inside_out in interface inside
access-group dmz_in in interface dmz
route outside x.x.x.x 1
route inside 1
route inside x.x.x.x  1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65534 ipsec-isakmp
crypto map outside_map 65534 match address canonsgrove
crypto map outside_map 65534 set peer x.x.x.x
crypto map outside_map 65534 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask
isakmp nat-traversal 20
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 15 lifetime 86400
vpngroup support address-pool support
vpngroup support dns-server
vpngroup support wins-server
vpngroup support default-domain
vpngroup support idle-time 1800
vpngroup support password ********
vpngroup user address-pool support
vpngroup user dns-server
vpngroup user wins-server
vpngroup user default-domain
vpngroup user idle-time 1800
vpngroup user password ********
vpngroup canonsgrove address-pool support
vpngroup canonsgrove dns-server
vpngroup canonsgrove wins-server
vpngroup canonsgrove default-domain
vpngroup canonsgrove idle-time 1800
vpngroup canonsgrove password ********
vpngroup address-pool idle-time 1800
telnet inside
telnet dmz
telnet pix/intf3
telnet pix/intf4
telnet pix/intf5
telnet timeout 5
ssh outside
ssh inside
ssh timeout 5
console timeout 0
terminal width 80

Here is the 837. Currently it is in its default state; I have tried configuring it for the VPN, but ended up resetting the factory defaults.

Current configuration : 1998 bytes
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname Router
no logging buffered
username CRWS_Santhosh privilege 15 password 7 125D5453255A0A256E247527001032125
no aaa new-model
ip subnet-zero
ip name-server
ip name-server
ip dhcp excluded-address
ip dhcp pool CLIENT
   import all
   lease 0 2
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
interface Ethernet0
 ip address
 ip nat inside
 ip tcp adjust-mss 1452
 hold-queue 100 out
interface ATM0
 no ip address
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  pppoe-client dial-pool-number 1
 dsl operating-mode auto
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer remote-name redback
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname
 ppp chap password 7 111A1608120018091079
 ppp pap sent-username password 7 083243430C0B16120658
 ppp ipcp dns request
 ppp ipcp wins request
ip nat inside source list 102 interface Dialer1 overload
ip classless
ip route Dialer1
ip http server
ip http secure server
access-list 23 permit
access-list 102 permit ip any
dialer-list 1 protocol ip permit
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 length 0
scheduler max-task-time 5000

Hope it makes more sense to you than it does to me!



Tim HolmanCommented:
Your 837 is devoid of any VPN configuration (as you quite rightly point out!)...

Cisco's guides are here:

Give it a go; if you get stuck, turn on PIX debugging:

debug cry isa
debug cry ipsec
term mon

Then try and initiate the tunnel (i.e. ping the remote network), and turn off debugging afterwards:

term no mon
no debug all

Also change all of your passwords! The encrypted hashes you've posted up are reversible!

hairy51Author Commented:
Have managed to get the VPN working now; ended up buying a Cisco support pack. Only problem is, I can ping from the inside interface of the PIX to the remote network, and from the remote network back to the inside interface of the PIX, but cannot ping into the networks at each end!

Tim HolmanCommented:
If you can't reach the networks at either end, this suggests routing issues whereby internal routers don't realise they need to go via your PIX to reach the remote network.
hairy51Author Commented:
I thought it would be something to do with that. We use OSPF routing inside the LAN, and there is a static route on the router that the PIX is joined to as follows:

ip route is the IP address of the inside interface of the PIX, so any traffic not destined for the internal network gets thrown at the PIX, but it doesn't appear to work for the VPN traffic.

Is this the right way of doing it? As far as I can tell, the PIX should then look at the packet destined for the remote network and forward it through the VPN tunnel.

The remote site only has the ADSL router. There are only 2 clients and they both connect straight into it, so as far as routing at that end goes, there is not much to set up. Any traffic for 10.3.x.x gets encrypted and sent through the tunnel; anything else goes out to the internet.
Tim HolmanCommented:
Yes, this is the correct way of doing things. However, something's not quite right, so I would suggest running a traceroute from an internal machine destined for the remote VPN network to make sure traffic is hitting the PIX.
If so, we would then need to do some debugs on the PIX to work out what's going on:

To turn on:

term mon
debug cry isakmp
debug cry ipsec

To turn off:

term no mon
no debug all
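Besides the routing problem Tim describes, the same symptom on a PIX 6.3 (the firewall's own pings across the tunnel work, but hosts behind it cannot reach the far LAN) also appears when the `nat (inside) 0` exemption list has no entry for the remote subnet: host traffic is PAT'd to the outside address before the crypto ACL is consulted, so it never matches the tunnel, while pings sourced from the PIX's own interface are not translated. The checker below is an added example, not code from the thread or from Cisco; it parses the handful of PIX 6.3 lines that tie a site-to-site tunnel together (crypto ACL, nat 0 ACL, peer, pre-shared key) and reports what is missing for a given pair of networks. The config fragment and the peer address 203.0.113.10 are constructed, modelled on the posted config.

```python
import ipaddress
import re

# Constructed PIX 6.3 fragment: crypto ACL covers HQ -> remote site, but the
# nat 0 exemption only covers the remote-access VPN pool, not 10.8.0.0/16.
SAMPLE = """
access-list inside_outbound_nat0_acl permit ip 10.3.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list canonsgrove permit ip 10.3.0.0 255.255.0.0 10.8.0.0 255.255.0.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 65534 match address canonsgrove
crypto map outside_map 65534 set peer 203.0.113.10
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255
"""
ACL = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")

def net(addr, mask):
    # PIX ACLs use dotted netmasks; "any" means 0.0.0.0/0
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(cfg):
    acls = {}
    facts = {"nat0": None, "peers": set(), "keys": set(), "crypto_acls": set()}
    for line in cfg.splitlines():
        m = ACL.match(line)
        if m:
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append((net(s, sm), net(d, dm)))
        elif line.startswith("nat (inside) 0 access-list "):
            facts["nat0"] = line.split()[-1]
        elif line.startswith("crypto map") and " match address " in line:
            facts["crypto_acls"].add(line.split()[-1])   # static maps only
        elif line.startswith("crypto map") and " set peer " in line:
            facts["peers"].add(line.split()[-1])
        elif line.startswith("isakmp key "):
            facts["keys"].add(line.split()[4])            # address after "address"
    return acls, facts

def covers(entries, local, remote):
    return any(local.subnet_of(s) and remote.subnet_of(d) for s, d in entries)

def check_tunnel(cfg, local, remote):
    """Return a list of problems for a local->remote site-to-site tunnel."""
    acls, f = parse(cfg)
    local, remote = ipaddress.ip_network(local), ipaddress.ip_network(remote)
    problems = []
    if not any(covers(acls.get(a, []), local, remote) for a in f["crypto_acls"]):
        problems.append("no static crypto map ACL matches local->remote")
    if not covers(acls.get(f["nat0"], []), local, remote):
        problems.append("nat 0 ACL does not exempt local->remote; hosts will be PAT'd")
    problems += [f"no isakmp key for peer {p}" for p in sorted(f["peers"] - f["keys"])]
    return problems
```

Appending `access-list inside_outbound_nat0_acl permit ip 10.3.0.0 255.255.0.0 10.8.0.0 255.255.0.0` to the sample clears the only finding; the same check can be run against the real `sho run` output once the redacted addresses are in place.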

Tim HolmanCommented:
Is this fixed now?