ipsec tunnel on cisco pix 501

Posted on 2005-04-24
Medium Priority
Last Modified: 2008-03-10
I have two Cisco pix 501. One is connected to a centric ADSL line which is our main ADSL line and the other pix 501 is connected to the backup ADSL line. Both Cisco pix are running on different public IP address, but internally, they are on the same network connected to the same switch. The main pix internal IP is and the backup is Now, on the main pix, we have a branch office VPN tunnel to a checkpoint FW in Switzerland which is working ok. The plan is to connect the backup pix as well to the checkpoint FW having the same config as on the main pix acting as a failover if the main ADSL line goes down.

The problem is, I cannot establish the  branch office VPN Tunnel between the second pix and the checkpoint FW because the second pix is on the same internal subnet as the main pix which is confusing the checkpoint FW event though both pix are using different public IP address.

I need a recommendation on how to solve my problem.
1, A way to get the tunnel to work on both pix even though they are connected internally on the same network.
2, if the above is impossible, please recommend a cisco products that will work.
Question by:backbonemd
  • 2
LVL 32

Accepted Solution

harbor235 earned 750 total points
ID: 13860662
That should not matter, the backup pix has a unique ip address. What error messages are you getting? I would put the PIX into debug mode and see if identifies what it is having difficulties with.

debug ip ipsec

Check out this doc:



Author Comment

ID: 13875047
i got the tunnel to work on the second pix by natting a network i created on the pix created a static nat: - Now network 58 is the actual internal network on the pix. the checkpoint is now pointing to instead of the problem now is i cannot access the internet, but the tunnel is up running. the problem is down to the nat i created. please look at my config and let me know the reason why i cannot access the NET. thanks.

pixfirewall# show run
: Saved
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Z.SDGFD0AHZbBc/z encrypted
passwd Z.SDGFD0AHZbBc/z encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
name SW
access-list inside_outbound_nat0_acl deny ip interfac
e outside
access-list inside_outbound_nat0_acl deny ip SW SW-TUNNEL 255.255.
access-list outside_cryptomap_20 permit ip SW SW-TUNNEL 255.255.25
access-list 101 permit ip SW
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside ---External IP Address ---
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool PPTP
pdm location SW inside
pdm location SW-TUNNEL outside
pdm location inside
pdm location outside
pdm location inside
pdm location SW outside
pdm location SW inside
pdm location outside
pdm location SW outside
pdm location ---External IP Address --- inside
pdm location inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
nat (inside) 1 0 0
static (inside,outside) SW netmask 0 0
route outside Internet Router IP 1
route inside SW 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer ---cHECKPOINT External IP Address ---
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address Checkkpoint ---External IP Address --- netmask no-xauth no-con
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local PPTP
vpdn group PPTP-VPDN-GROUP client configuration dns
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username backbone password *********
vpdn username dthomas password *********
vpdn username mnocera password *********
vpdn enable outside
dhcpd address inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80

Author Comment

ID: 13889180
I will appreciate it if i get a feed back asap. Don’t mind whether the feed back is negative. I just need to get a fix asap as this is quite urgent now. Please HELP!!!  My pix config is above. i just need to know why i cannot access the internet after i added the nat: static (inside,outside) SW(SW: netmask 0 0. if i type show xlate on the pix , i get
25 in use, 108 most used
Global Local

instead of

PAT Global PIX External IP (3975) Local
PAT Global PIX External IP (3974) Local
I need to get PAT working for all traffic to go out through the pix external interface instead of which is the IP i natted for the ipsec tunnel.

Please Help.............

Featured Post

Become a Leader in Data Analytics

Gain the power to turn raw data into better business decisions and outcomes in your industry. Transform your career future by earning your MS in Data Analytics. WGU’s MSDA program curriculum features IT certifications from Oracle and SAS.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Tech spooks aren't just for those who are tech savvy, it also happens to those of us running a business. Check out the top tech spooks for business owners.
This article is about my experience upgrading my consulting machine to Windows 10 Version 1709 (The Fall 2017 Creator Update)
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question