Configuring Site-Site VPN Pix 515 Cisco 837 ADSL Router- Desperate for Help!

Posted on 2004-11-18
Last Modified: 2007-12-19
Hi All,

I posted this question a while back, But the problem is still ongoing.
I am desperately trying to set up a site-to-site VPN between our main HQ PIX 515 and a remote site with ADSL and a Cisco 837 router. We currently accept remote access VPN connections through the PIX, and I want to set this connection up without disrupting this service. Unfortunately, I did not configure the PIX initially, and do not have much Cisco firewall experience.

The details are:

Main site is on 10.3.x.x/16 network.
Remote site is on 10.8.x.x/16 Network.

Remote site has 2 PCs that require access to our network for e-mail, documents, etc. I would still like them to go straight out for internet access though.

Both have static IPs for the outside.

The PIX only has a license for des encryption. (?)

I am quite happy to attach the configs for both boxes so you can see where I am going wrong. I am really in need of some help here, otherwise my boss is gonna start getting quite annoyed!

If anyone feels that they could help, please please post back, and I will upload the configs etc.

Thanks in advance...

Question by:hairy51

    Expert Comment

    Please post your configs and I will have a look.

    Author Comment

    Here is the PIX config as it stands. I have removed a few bits to make it a bit shorter, but let me know if you need any more info.

    A16-PIX-FW1# sho run
    : Saved
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    interface ethernet3 auto
    interface ethernet4 auto
    interface ethernet5 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    nameif ethernet3 pix/intf3 security15
    nameif ethernet4 pix/intf4 security20
    nameif ethernet5 pix/intf5 security25
    enable password m5lf2m393rgslhXN encrypted
    passwd j/BezwIrzRqSU/u. encrypted
    hostname A16-PIX-FW1
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sqlnet 1526
    access-list inside_outbound_nat0_acl permit ip any
    access-list inside_outbound_nat0_acl permit ip any
    access-list inside_outbound_nat0_acl permit ip any
    access-list outside_cryptomap_dyn_20 permit ip any
    access-list canonsgrove permit ip any
    **** All Inside_out and Outside_in Access lists removed****
    pager lines 24
    logging on
    logging timestamp
    logging buffered debugging
    logging trap debugging
    logging host inside
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    mtu pix/intf3 1500
    mtu pix/intf4 1500
    mtu pix/intf5 1500
    ip address outside x.x.x.x
    ip address inside
    ip address dmz
    no ip address pix/intf3
    no ip address pix/intf4
    no ip address pix/intf5
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool support
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    no failover ip address dmz
    no failover ip address pix/intf3
    no failover ip address pix/intf4
    no failover ip address pix/intf5

    **** PDM Location Commands removed****

    pdm logging alerts 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 2 0 0
    nat (inside) 1 0 0

    ****Static Routes Removed****

    access-group outside_in in interface outside
    access-group inside_out in interface inside
    access-group dmz_in in interface dmz
    route outside x.x.x.x 1
    route inside 1
    route inside x.x.x.x  1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
    crypto map outside_map 65534 ipsec-isakmp
    crypto map outside_map 65534 match address canonsgrove
    crypto map outside_map 65534 set peer x.x.x.x
    crypto map outside_map 65534 set transform-set ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address x.x.x.x netmask
    isakmp nat-traversal 20
    isakmp policy 15 authentication pre-share
    isakmp policy 15 encryption des
    isakmp policy 15 hash md5
    isakmp policy 15 group 2
    isakmp policy 15 lifetime 86400
    vpngroup support address-pool support
    vpngroup support dns-server
    vpngroup support wins-server
    vpngroup support default-domain
    vpngroup support idle-time 1800
    vpngroup support password ********
    vpngroup user address-pool support
    vpngroup user dns-server
    vpngroup user wins-server
    vpngroup user default-domain
    vpngroup user idle-time 1800
    vpngroup user password ********
    vpngroup canonsgrove address-pool support
    vpngroup canonsgrove dns-server
    vpngroup canonsgrove wins-server
    vpngroup canonsgrove default-domain
    vpngroup canonsgrove idle-time 1800
    vpngroup canonsgrove password ********
    vpngroup address-pool idle-time 1800
    telnet inside
    telnet dmz
    telnet pix/intf3
    telnet pix/intf4
    telnet pix/intf5
    telnet timeout 5
    ssh outside
    ssh inside
    ssh timeout 5
    console timeout 0
    terminal width 80

    Here is the 837. Currently it is in its default state; I have tried configuring it for the VPN, but ended up resetting the factory defaults.

    Current configuration : 1998 bytes
    version 12.3
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    hostname Router
    no logging buffered
    username CRWS_Santhosh privilege 15 password 7 125D5453255A0A256E247527001032125
    no aaa new-model
    ip subnet-zero
    ip name-server
    ip name-server
    ip dhcp excluded-address
    ip dhcp pool CLIENT
       import all
       lease 0 2
    ip audit notify log
    ip audit po max-events 100
    no ftp-server write-enable
    interface Ethernet0
     ip address
     ip nat inside
     ip tcp adjust-mss 1452
     hold-queue 100 out
    interface ATM0
     no ip address
     atm vc-per-vp 64
     no atm ilmi-keepalive
     pvc 0/38
      pppoe-client dial-pool-number 1
     dsl operating-mode auto
    interface FastEthernet1
     no ip address
     duplex auto
     speed auto
    interface FastEthernet2
     no ip address
     duplex auto
     speed auto
    interface FastEthernet3
     no ip address
     duplex auto
     speed auto
    interface FastEthernet4
     no ip address
     duplex auto
     speed auto
    interface Dialer1
     ip address negotiated
     ip mtu 1492
     ip nat outside
     encapsulation ppp
     ip tcp adjust-mss 1452
     dialer pool 1
     dialer remote-name redback
     dialer-group 1
     ppp authentication pap chap callin
     ppp chap hostname
     ppp chap password 7 111A1608120018091079
     ppp pap sent-username password 7 083243430C0B16120658
     ppp ipcp dns request
     ppp ipcp wins request
    ip nat inside source list 102 interface Dialer1 overload
    ip classless
    ip route Dialer1
    ip http server
    ip http secure server
    access-list 23 permit
    access-list 102 permit ip any
    dialer-list 1 protocol ip permit
    line con 0
     exec-timeout 120 0
     no modem enable
     stopbits 1
    line aux 0
    line vty 0 4
     access-class 23 in
     exec-timeout 120 0
     login local
     length 0
    scheduler max-task-time 5000

    Hope it makes more sense to you than it does to me!

    Expert Comment

    by:Tim Holman
    Your 837 is devoid of any VPN configuration (as you quite rightly point out!)...

    Cisco's guides are here:

    Give it a go; if you get stuck, turn on PIX debugging:

    debug cry isa
    debug cry ipsec
    term mon

    Then try and initiate the tunnel (ie ping the remote network), and turn off debugging afterwards:

    term no mon
    no debug all

    Also change all of your passwords! The encrypted hashes you've posted up are reversible...!
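    A site-to-site IPsec configuration for the 837 that mirrors the PIX's "isakmp policy 15" and ESP-DES-MD5 transform set, added here as an illustration and not taken from the thread or from Cisco's guides. It assumes a crypto-capable (k9) 12.3 image on the 837; PIX_OUTSIDE_IP and PRESHARED_KEY are placeholders, the crypto map name and ACL 110 are my own choices, and the subnets are the 10.3/16 and 10.8/16 networks from the question.

```cisco
! Added example: IOS 12.3 site-to-site IPsec for the 837 (not from the thread).
! Phase 1 matches the PIX "isakmp policy 15": DES, MD5, pre-shared key, DH group 2.
! DES/MD5 are kept only because the PIX is licensed for DES; both are legacy strength.
crypto isakmp policy 15
 encryption des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
! PIX_OUTSIDE_IP and PRESHARED_KEY are placeholders; the key must equal the PIX "isakmp key".
crypto isakmp key PRESHARED_KEY address PIX_OUTSIDE_IP
!
! Phase 2 transform set, same ciphers as the PIX "ESP-DES-MD5" set.
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
!
! Interesting traffic: only 10.8/16 -> 10.3/16 is encrypted (mirror image of the PIX
! "canonsgrove" crypto ACL). Everything else keeps going straight out to the Internet.
access-list 110 permit ip 10.8.0.0 0.0.255.255 10.3.0.0 0.0.255.255
!
! NAT exemption. The existing "access-list 102 permit ip any" would PAT the VPN traffic to
! the Dialer1 address before the crypto map sees it, so the tunnel pair is denied from NAT
! first and only the remaining LAN traffic is overloaded.
no access-list 102
access-list 102 deny   ip 10.8.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 102 permit ip 10.8.0.0 0.0.255.255 any
!
crypto map HQ-VPN 10 ipsec-isakmp
 set peer PIX_OUTSIDE_IP
 set transform-set ESP-DES-MD5
 match address 110
!
! The crypto map goes on the PPPoE dialer, which holds the public address, not on ATM0.
interface Dialer1
 crypto map HQ-VPN
```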

    Author Comment

    Have managed to get the VPN working now; ended up buying a Cisco support pack. Only problem is, I can ping from the inside interface of the PIX to the remote network, and from the remote network back to the inside interface of the PIX, but cannot ping into the networks at each end!


    Expert Comment

    by:Tim Holman
    If you can't reach the networks at either end, this suggests routing issues whereby internal routers don't realise they need to go via your PIX to reach the remote network.

    Author Comment

    I thought it would be something to do with that. We use OSPF routing inside the LAN, and there is a static route on the router that the PIX is joined to as follows:

    ip route is the IP address of the inside interface of the PIX, so any traffic not destined for the internal network gets thrown at the PIX, but it doesn't appear to work for the VPN traffic.

    Is this the right way of doing it? As far as I can tell, the PIX should then look at the packet destined for the remote network and forward it through the VPN tunnel.

    The remote site only has the ADSL router. There are only 2 clients and they both connect straight into it, so as far as routing at that end goes, there is not much to set up. Any traffic for 10.3.x.x gets encrypted and sent through the tunnel; anything else goes out to the internet.


    Accepted Solution

    Yes - this is the correct way of doing things, however, something's not quite right, so I would suggest running a traceroute from an internal machine destined for the remote VPN network to make sure traffic is hitting the PIX.
    If so, we would then need to do some debugs on the PIX to work out what's going on:

    To turn on:

    term mon
    debug cry isakmp
    debug cry ipsec

    To turn off:

    term no mon
    no debug all
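    The PIX-side entries that the sanitised config above leaves blank, plus the show commands that tell a NAT problem apart from a routing problem, added as an illustration in PIX 6.3 syntax rather than as anything posted in the thread. REMOTE_OUTSIDE_IP and PRESHARED_KEY are placeholders; the ACL names are the ones already in the posted config and the subnets are the 10.3/16 and 10.8/16 networks from the question.

```cisco
: Added example in PIX 6.3 syntax, not from the thread. Placeholders: REMOTE_OUTSIDE_IP, PRESHARED_KEY.
: 1. Crypto ACL: both whole /16s, written with subnet masks (PIX), not IOS wildcards.
access-list canonsgrove permit ip 10.3.0.0 255.255.0.0 10.8.0.0 255.255.0.0
: 2. NAT exemption for the same pair. Without it, LAN-sourced packets are PATed to the
:    outside address by "nat (inside) 1" and no longer match the crypto ACL. Traffic the
:    PIX originates itself is never translated, which is one reason a ping from the PIX
:    can succeed while host-to-host traffic fails.
access-list inside_outbound_nat0_acl permit ip 10.3.0.0 255.255.0.0 10.8.0.0 255.255.0.0
nat (inside) 0 access-list inside_outbound_nat0_acl
: 3. Static peer key with a host netmask, so it is not confused with the remote-access group key.
isakmp key PRESHARED_KEY address REMOTE_OUTSIDE_IP netmask 255.255.255.255
: 4. Checks, run after a ping from a 10.3.x.x host (not from the PIX) to a 10.8.x.x host:
:    show isakmp sa          -> a QM_IDLE entry for REMOTE_OUTSIDE_IP means phase 1 is up
:    show crypto ipsec sa    -> #pkts encaps and #pkts decaps should both climb; encaps only
:                              means the far end (or its LAN routing) is dropping the return path
:    show xlate              -> a translation for a 10.8.x.x destination means the nat 0
:                              exemption is missing: the packet was NATed instead of encrypted
:    show route              -> no inside route for 10.8.0.0/16 may be more specific than the
:                              default route out of "outside", or the crypto map is never consulted
```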

    Expert Comment

    by:Tim Holman
    Is this fixed now ?
