Solved

Need to have a non PIX device connect to a PIX501 via a site to site

Posted on 2005-03-04
263 Views
Last Modified: 2013-11-16
to the question above:

do i set this up the same way I would set up a site to site vpn with 2 PIXes?

the layout is as follows:

IP Phone
      |
      |
remote Voip phone switch
      |
      |
DSL Modem
      |
      |
Internet
      |
      |
DSL Modem
      |
      |
PIX 501
      |
      |
local voip box

the remote voip switch needs to establish the site to site vpn with the PIX so the IP phones can communicate to the local voip box.
we are trying this now. i set up the PIX already to receive the connection.

thanks,
cepolly
0
Question by:cepolly
30 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 13467215
What do you have between the DSL modem and the remote VOIP phone switch that can make the VPN tunnel to the PIX?
0
 
LVL 6

Expert Comment

by:vtsinc
ID: 13470535
The site to site VPN setup on the PIX is basically the same assuming an ipsec-compliant remote site firewall/VPN device.  Configuration details would be specific to the model of device you are connecting.
0
 
LVL 1

Author Comment

by:cepolly
ID: 13471235
the remote voip phone switch is supposed to make the connection.

the remote device is called a BCM 50.

http://www.tel-phone.com
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13471328
Do you have any documentation on the BCM 50? I can't find a single reference to VPN/IPSEC tunnel on that website..
0
 
LVL 1

Author Comment

by:cepolly
ID: 13472173
no we don't have anything either. this is a beta product. i have never worked with it myself and that portion of it is being handled by someone else. my end is just to get the PIX to receive and accept the site to site connection. it sounds strange, but this is how the company does things.

they want to try this to get past the issues we are having running voip through a vpn client session.

http://www.experts-exchange.com/Networking/Broadband/VPN/Q_21192240.html
0
 
LVL 6

Expert Comment

by:vtsinc
ID: 13472773
Without a device to establish the VPN tunnel you're not going to get very far... but my original post applies - a site-to-site VPN to the PIX would use basically the same config if the "remote" site is IPSEC-compliant.  Without a firewall or otherwise you'll be hard-pressed to establish a site-to-site VPN from the remote device....
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13475771
We're going to need more information on that device and if it supports IPSEC.
Does it support any of these? You can setup your PIX to use most any combination in your transform set and policies.
DES? 3DES? SHA? MD5? DH group 1? Group2? AES? Group 5? PFS?
Does it have its own Public IP, or does the DSL modem/router do NAT in front of it?
0
 
LVL 1

Author Comment

by:cepolly
ID: 13477092
i imagine it supports IPSEC. I am asking for its specification now.

the bcm will have a private ip and be behind a dsl modem that will do the NAT for it.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13477125
>the bcm will have a private ip and be behind a dsl modem that will do the NAT for it.
That makes it difficult to setup an IPSEC tunnel with a NAT device in front of it. Is the modem capable of port-forwarding specific ports to the private IP of the BCM?
Feels like we're just digging a hole here
0
 
LVL 1

Author Comment

by:cepolly
ID: 13477407
lol. i agree.

it does have port forwarding. but what ports need to be forwarded, i'm not sure.
0
 
LVL 1

Author Comment

by:cepolly
ID: 13479519
I am pushing to get a PUB IP for the BCM outside interface.

here is what i just received.

Connection Type- set as Branch Office.

IP SEC Setup- set as active. Other options are "Keep Alive" and "NAT Traversal"

IP SEC Key Mode- IKE- no other choices.

Negotiation Mode- Main- option "aggressive"

Addressing Info- IP- options "DNS" and "E-mail"

My IP address(translates to WAN address) will be TX WAN

Secure Gateway Address- TRON WAN

Security Protocol:
VPN Protocol-ESP- option AH

Pre-Shared Key- xxxxxx1

Encryption Algorithm- set as DES

Authentication Algorithm- set as MD5- option "SHA1"

0
 
LVL 1

Author Comment

by:cepolly
ID: 13479709
UPDATE.

the BCM will have a pub IP on its outside interface and a 10.0.2.1 on its inside interface.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13481400
>Authentication Algorithm- set as MD5- option "SHA1"
MD5 and SHA are mutually exclusive. It's one or the other...
I'll try to put together a sample config for the pix that matches this requirement a little later this evening...
0
 
LVL 1

Author Comment

by:cepolly
ID: 13481944
is there a need to configure anything more than the isakmp policy lifetime settings?
0
 
LVL 1

Author Comment

by:cepolly
ID: 13502031
here is the setting for the BCM 50 and then i'll post the pix config below that:

Connection Type; Branch Office(option Contivity Client. Contivity is Nortel Data Gear running on BCM50)

IPSec Setup; Both Active and NAT Traversal options selected

IPSec Key Mode; IKE

Negotiation Mode; Main

Encapsulation Mode; Tunnel

--- On the BCM, there is next an option for an "IP Policy", which if created appears to allow Branch Tunnel Address Mapping rule, Local and Remote Address Type, start -----and end address and local and remote port. We had not previously configured from this area..

---Back to the main page options...

 Local ID Type; IP

Content; Blank

My IP Address; x.x.91.102

Peer ID Type;  IP

Content; Blank

Secure Gateway Address; x.x.54.5 (this is the remote peer address)


Security Info-

VPN Protocol; ESP (there is an option to use AH)

Pre Shared Key; xxxxron1

Encryption Algorithm; DES (there are options for 3DES,AES, NULL)

Authentication Algorithm; MD5 (there is an option to use SHA1)

Enable Replay Detection; YES

SA Life Time; 28800

Key Group; DH1 (there is an option to use DH2)

Perfect Forward Secrecy(PFS); DH1 (there is an option to use DH2 or None)

---here is the PIX config:


interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******** encrypted
passwd ********* encrypted
hostname tron-501
domain-name tron-501
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
object-group service pcANY tcp
  description pcANYwhere
  port-object range 65301 65301
  port-object eq pcanywhere-data
  port-object range pcanywhere-data 5632
object-group service TermServ tcp
  description RDP
  port-object range 3389 3399
access-list inside_access_in remark outbound
access-list inside_access_in remark outbound
access-list inside_access_in remark outbound
access-list inside_access_in remark outbound
access-list inside_access_in permit tcp any any
access-list letmein remark inbound traffic
access-list letmein permit tcp any any
access-list letmein permit tcp any host x.x.54.5 eq ssh
access-list letmein permit icmp any any
access-list 90 permit ip 10.0.3.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list no-nat permit ip 10.0.3.0 255.255.255.0 10.0.5.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 10.0.3.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 90
nat (inside) 1 10.0.3.0 255.255.255.0 0 0
access-group letmein in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.3.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 90
crypto map transam 1 set peer x.x.91.97
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address x.x.91.97 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname ****inc@bellsouth.net
vpdn group pppoex ppp authentication pap
vpdn username ****inc@bellsouth.net password *********
terminal width 80
Cryptochecksum:*****************
: end

not sure on this one.
i'm trying to change some settings around on the pix to see if that works.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13503239
>Perfect Forward Secrecy(PFS); DH1 (there is an option to use DH2 or None)
Try setting this to None since you don't have it enabled on the PIX
0
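Added example, not code from the thread or from either vendor: a small Python checker that pulls the crypto-relevant lines out of the PIX config posted above and compares them with the BCM 50 branch-office settings, using the values as they were posted (addresses masked as on the page). Run on those values it flags two differences: the PIX peer address (x.x.91.97) versus the BCM's WAN address (x.x.91.102), and PFS (DH1 on the BCM, not set on the PIX), which is the mismatch lrmoore points out.

```python
# Constructed sample input: the crypto lines from the PIX config posted in the thread.
PIX_CONFIG = """\
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 set peer x.x.91.97
crypto map transam 1 set transform-set chevelle
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
"""

# BCM 50 settings as posted: DES/MD5/DH1 for IKE, ESP DES/MD5, PFS DH1 (normalised vocabulary).
BCM = {"peer": "x.x.91.102", "ike_enc": "des", "ike_hash": "md5", "ike_group": "1",
       "esp_enc": "des", "esp_auth": "md5", "pfs": "1"}

def parse_pix(cfg):
    """Extract the phase-1 policy and phase-2 crypto-map settings from PIX 6.x CLI text."""
    pix = {"transform_sets": {}, "pfs": None}
    for line in cfg.splitlines():
        t = line.split()
        if t[:3] == ["crypto", "ipsec", "transform-set"]:
            pix["transform_sets"][t[3]] = t[4:]        # name -> ["esp-des", "esp-md5-hmac"]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["set", "peer"]:
            pix["peer"] = t[6]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["set", "transform-set"]:
            pix["esp"] = pix["transform_sets"][t[6]]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["set", "pfs"]:
            pix["pfs"] = t[6].replace("group", "")     # "group1" -> "1"; absent means no PFS
        elif t[:2] == ["isakmp", "policy"]:
            pix["ike_" + t[3]] = t[4]                  # encryption / hash / group / lifetime
    return pix

def mismatches(pix, bcm):
    """Return (setting, pix_value, bcm_value) triples that differ and would block the tunnel."""
    esp_enc = pix["esp"][0].replace("esp-", "")
    esp_auth = pix["esp"][1].replace("esp-", "").replace("-hmac", "")
    checks = [("peer address", pix.get("peer"), bcm["peer"]),
              ("IKE encryption", pix["ike_encryption"], bcm["ike_enc"]),
              ("IKE hash", pix["ike_hash"], bcm["ike_hash"]),
              ("IKE DH group", pix["ike_group"], bcm["ike_group"]),
              ("ESP encryption", esp_enc, bcm["esp_enc"]),
              ("ESP auth", esp_auth, bcm["esp_auth"]),
              ("PFS group", pix["pfs"], bcm["pfs"])]
    return [c for c in checks if c[1] != c[2]]

if __name__ == "__main__":
    for name, pix_val, bcm_val in mismatches(parse_pix(PIX_CONFIG), BCM):
        print(f"{name}: PIX={pix_val} BCM={bcm_val}")
```

Setting the BCM's PFS to None (as lrmoore suggests) and pointing the PIX at the BCM's real WAN address makes the check return an empty list.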
 
LVL 1

Author Comment

by:cepolly
ID: 13509601
i made the above changes and still no go.

here is my show cry:

sh cry isa sa

Total     : 0
Embryonic : 0
        dst               src        state     pending     created


ron-501(config)# sh cry ip sa

interface: outside
    Crypto map tag: transam, local addr. x.x.54.5

   local  ident (addr/mask/prot/port): (10.0.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.5.0/255.255.255.0/0/0)
   current_peer: x.x.91.102:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.54.5, remote crypto endpt.: x.x.91.102
     path mtu 1492, ipsec overhead 0, media mtu 1492
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13511802
looks like a possible routing issue on the remote end.
Your end looks good as far as i can tell.
0
 
LVL 1

Author Comment

by:cepolly
ID: 13512159
i agree. i was able to remotely connect to the device in texas and take a look at it.

there were no access list settings to allow the 10.0.3.0 and 10.0.5.0 nets to talk once the vpn was up.

i added them, but as i am unfamiliar with the bcm50, i'm not sure how to diagnose the issue or if what i did was correct.

i'll keep you posted.
0
 
LVL 1

Author Comment

by:cepolly
ID: 13561892
here's an update.

they decided to remove the pix from the mix all together and see if that makes a difference.

it's been 2 days since the pix has been removed and they are still unable to get the bcm to talk to the remote bcm via a vpn connection with the devices.

at this point i'm just waiting to see what happens.

i'll keep you posted.
0
 
LVL 6

Expert Comment

by:vtsinc
ID: 13561972
I wish you luck.  If the VPN tunnel is up then both BCMs should be able to "talk" using their private IP addresses, assuming the VPN is "open" between sites.  Removing the PIX, however, makes me think there is not a VPN tunnel.  Still curious what the BCMs' capabilities are.  Is this maybe a NAT traversal issue?
0
 
LVL 1

Author Comment

by:cepolly
ID: 13562483
at least one of the BCMs has vpn capability. and i'm curious as well to see what they can do and what the plan is.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13685402
Any luck with this yet? I'm curious if you ever got it to work...

0
 
LVL 1

Author Comment

by:cepolly
ID: 13697771
nope never did. they removed the PIX completely.

without the PIX, they had some problems over several days as well, but finally got the bcm to bcm solution to work.

now they are calling in another consultant to try on the pix issue, but it has become low priority.

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13697900
Thanks for the update!
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13703250
Can you close this question?

http://www.experts-exchange.com/help.jsp#hs5

Thanks for attending to this!

<-8}
0
 
LVL 1

Author Comment

by:cepolly
ID: 13708318
ok no problem.

does anyone have any issue with me just having this question deleted as there was no resolution here?

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13708357
No objection
0
 

Accepted Solution

by:
OzzMod earned 0 total points
ID: 13741943
Closed, 500 points refunded.
OzzMod
Community Support Moderator (Graveyard shift)
0
