[Webinar] Streamline your web hosting managementRegister Today

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 329
  • Last Modified:

Need to have a non PIX device connect to a PIX501 via a site to site

to the question above:

do i set this up the same way I  would set up a site to site vpn with 2 PIXes?

the layout is as follows:

IP Phone
remote Voip phone switch
DSL Modem
DSL Modem
PIX 501
local voip box

the remote voip switch needsd to establish the site to site vpn with the PIX so the IP phones can communicate to the local voip box.
we are trying this now. i set up the PIX already to receive the connection.

  • 14
  • 11
  • 3
  • +1
1 Solution
What do you have between the DSL modem and the remote VOIP phone switch that can make the VPN tunnel to the PIX?
The site to site VPN setup on the PIX is basically the same assuming an ipsec-compliant remote site firewall/VPN device.  Configuration details would be specific to the model of device you are connecting.
cepollyAuthor Commented:
the remote voip phone switch is supposed to make the connection.

the remote device is called a BCM 50.

The IT Degree for Career Advancement

Earn your B.S. in Network Operations and Security and become a network and IT security expert. This WGU degree program curriculum was designed with tech-savvy, self-motivated students in mind – allowing you to use your technical expertise, to address real-world business problems.

Do you have any documentation on the BCM 50? I can't find a single reference to VPN/IPSEC tunnel on that website..
cepollyAuthor Commented:
no we don't have anything either. this is a beta product. i have never worked with it myself and that portion of it is being handled by someone else. my end is just to get the PIX to receive and accept the site to site connection. it sounds strange, but this is how the company does things.

they want to try this to get past the issues we are having running voip through a vpn client session.

Without a device to establish the VPN tunnel you're not going to get very far... but my original post applies - a site-to-site VPN to the PIX would use basically the same config if the "remote" site is IPSEC-compliant.  Witout a firewall or otherwise you'll be hard-pressed to establish a site-to-site VPN ftom the remote device....
We're going to need more information on that device and if it supports IPSEC.
Does it support any of these? You can setup your PIX to use most any combination in your transform set and policies.
DES? 3DES? SHA? MD5? DH group 1? Group2? AES? Group 5? PFS?
Does it have its own Public IP, or does the DSL modem/router do NAT in front of it?
cepollyAuthor Commented:
i imagine it supports IPSEC. I am asking for its specification now.

the bcm will have a private ip and be behind a dsl modem that will do the NAT for it.
>the bcm will have a private ip and be behind a dsl modem that will do the NAT for it.
That makes it difficult to setup an IPSEC tunnel with a NAT device in front of it. Is the modem capable of port-forwarding specific ports to the private IP of the BCM?
Feels like we're just digging a hole here
cepollyAuthor Commented:
lol. i agree.

it does have port forwarding. but what ports need to be forwarded, i'm not sure.
cepollyAuthor Commented:
I am pushing to get a PUB IP for the BCM outside interface.

here is what i just received.

Connection Type- set as Branch Office.

IP SEC Setup- set as active. Other option's are. "Keep Alive" and"NAT Traversal"

IP SECKey Mode- IKE- no other choices.

Negotiation Mode- Main- option "aggressive"

Addressing Info- IP- options "DNS" and"E-mail"

My IP address(translates to WAN address) will be TX WAN

Secure Gateway Address- TRON WAN

Security Protocol:
VPN Protocol-ESP- option AH

Pre-Shared Key- xxxxxx1

Encryption Algorithm- set as DES

Authentication Algorithm- set as MD5- option "SHA1"

cepollyAuthor Commented:

the BCM will have a pub IP on it's outside interface and a on its inside interface.
>Authentication Algorithm- set as MD5- option "SHA1"
MD5 and SHA are mutually exclusive. It's one or the other...
I'll try to put together a sample config for the pix that matches this requirement a little later this evening...
cepollyAuthor Commented:
is there a need to configure anything more than the isakmp policy lifetime settings?
cepollyAuthor Commented:
here is the setting for the BCM 50 and then i'll post the pix config below that:

Connection Type; Branch Office(option Contivity Client. Contivity is Nortel Data Gear running on BCM50)

IPSec Setup; Both Active and NAT Traversal options selected

IPSec Key Mode; IKE

Negotiation Mode; Main

Encapsulation Mode; Tunnel

--- On the BCM, there is next an option for an "IP Policy", which if created appears to allow Branch Tunnel Address Mapping rule, Local and Remote Address Type, start -----and end address and local and remote port. We had not previously configured from this area..

---Back to the main page options...

 Local ID Type; IP

Content; Blank

My IP Address; x.x.91.102

Peer ID Type;  IP

Content; Blank

Secure Gateway Address; x.x.54.5 (this is the remote peer address)

Security Info-

VPN Protocol; ESP (there is an option to use AH)

Pre Shared Key; xxxxron1

Encryption Algorithm; DES (there are options for 3DES,AES, NULL)

Authentication Algorithm; MD5 (there is an option touse SHA1)

Enable Replay Detection; YES

SA Life Time; 28800

Key Group; DH1 (there is an option to use DH2)

Perfect Forward Secrecy(PFS); DH1 (there is an option to use DH2 or None)

---here is the PIX config:

interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******** encrypted
passwd ********* encrypted
hostname tron-501
domain-name tron-501
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
object-group service pcANY tcp
  description pcANYwhere
  port-object range 65301 65301
  port-object eq pcanywhere-data
  port-object range pcanywhere-data 5632
object-group service TermServ tcp
  description RDP
  port-object range 3389 3399
access-list inside_access_in remark outbound
access-list inside_access_in remark outbound
access-list inside_access_in remark outbound
access-list inside_access_in remark outbound
access-list inside_access_in permit tcp any any
access-list letmein remark inbound traffic
access-list letmein permit tcp any any
access-list letmein permit tcp any host x.x.54.5 eq ssh
access-list letmein permit icmp any any
access-list 90 permit ip
access-list no-nat permit ip
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 90
nat (inside) 1 0 0
access-group letmein in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 90
crypto map transam 1 set peer x.x.91.97
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address x.x.91.97 netmask
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
ssh outside
ssh inside
ssh timeout 60
console timeout 0
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname ****inc@bellsouth.net
vpdn group pppoex ppp authentication pap
vpdn username ****inc@bellsouth.net password *********
terminal width 80
: end      

not sure on this one.
i'm trying to change some setting around on the px to see if that works.
>Perfect Forward Secrecy(PFS); DH1 (there is an option to use DH2 or None)
Try setting this to None since you don't have it enabled on the PIX
cepollyAuthor Commented:
i made the above changes and still no go.

here is my show cry:

sh cry isa sa

Total     : 0
Embryonic : 0
        dst               src        state     pending     created

ron-501(config)# sh cry ip sa

interface: outside
    Crypto map tag: transam, local addr. x.x.54.5

   local  ident (addr/mask/prot/port): (
   remote ident (addr/mask/prot/port): (
   current_peer: x.x.91.102:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.54.5, remote crypto endpt.: x.x.91.102
     path mtu 1492, ipsec overhead 0, media mtu 1492
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
looks like a possible routing issue on the remote end.
Your end looks good as far as i can tell.
cepollyAuthor Commented:
i agree. i was able to remotely connect to the device in texas and take a look at it.

there were no access list settings to allow the and nets to talk once the vpn was up.

i added them, but as i am unfamilair with the bcm50, i'm not sure how to diagnose the issue or if what i did was correct.

i'll keep you posted.
cepollyAuthor Commented:
here's an update.

they decided to remove the pix from the mix all together and see if that makes a difference.

it's been 2 days since the pix has been removed and they are still unable to get the bcm to talk to the remote bcm via a vpn connection with the devices.

at this point i'm just waiting to see what happens.

i'll keep you posted.
I wsh you luck.  If the VPN tunnel is up then both BCMs should be able to "talk" using their private IP addresses, assuming the VPN is "open" between sites.  Removing the PIX, however, makes me think there is not a VPN tunnel.  Still curious what the BCMs capabilities are.  Is this maybe a NAT traversal issue?  
cepollyAuthor Commented:
at least one of the BCMs have vpn capability. and i'm curious as well to see what they can do and what the plan is.
Any luck with this yet? I'm curious if you ever got it to work...

cepollyAuthor Commented:
nope never did. they removed the PIX completely.

without the PIX, they had some problems over several days as well, but finally got the bcm to bcm solution to work.

now they are calling in another consultant to try on the pix issue, but it has become low priority.

Thanks for the update!
Can you close this question?


Thanks for attending to this!

cepollyAuthor Commented:
ok no problem.

does anyone have any issue with me just having this question deleted as there was no resolution here?

No objection
Closed, 500 points refunded.
Community Support Moderator (Graveyard shift)

Featured Post

Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

  • 14
  • 11
  • 3
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now