ipsec tunnel on cisco pix 501

Posted on 2005-04-24
Last Modified: 2008-03-10
I have two Cisco pix 501. One is connected to a centric ADSL line which is our main ADSL line and the other pix 501 is connected to the backup ADSL line. Both Cisco pix are running on different public IP address, but internally, they are on the same network connected to the same switch. The main pix internal IP is and the backup is Now, on the main pix, we have a branch office VPN tunnel to a checkpoint FW in Switzerland which is working ok. The plan is to connect the backup pix as well to the checkpoint FW having the same config as on the main pix acting as a failover if the main ADSL line goes down.

The problem is, I cannot establish the  branch office VPN Tunnel between the second pix and the checkpoint FW because the second pix is on the same internal subnet as the main pix which is confusing the checkpoint FW event though both pix are using different public IP address.

I need a recommendation on how to solve my problem.
1, A way to get the tunnel to work on both pix even though they are connected internally on the same network.
2, if the above is impossible, please recommend a cisco products that will work.
Question by:backbonemd
    LVL 32

    Accepted Solution

    That should not matter, the backup pix has a unique ip address. What error messages are you getting? I would put the PIX into debug mode and see if identifies what it is having difficulties with.

    debug ip ipsec

    Check out this doc:

    LVL 4

    Author Comment

    i got the tunnel to work on the second pix by natting a network i created on the pix created a static nat: - Now network 58 is the actual internal network on the pix. the checkpoint is now pointing to instead of the problem now is i cannot access the internet, but the tunnel is up running. the problem is down to the nat i created. please look at my config and let me know the reason why i cannot access the NET. thanks.

    pixfirewall# show run
    : Saved
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password Z.SDGFD0AHZbBc/z encrypted
    passwd Z.SDGFD0AHZbBc/z encrypted
    hostname pixfirewall
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    name SW-TUNNEL
    name SW
    access-list inside_outbound_nat0_acl deny ip interfac
    e outside
    access-list inside_outbound_nat0_acl deny ip SW SW-TUNNEL 255.255.
    access-list outside_cryptomap_20 permit ip SW SW-TUNNEL 255.255.25
    access-list 101 permit ip SW
    pager lines 24
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside ---External IP Address ---
    ip address inside
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool PPTP
    pdm location SW inside
    pdm location SW-TUNNEL outside
    pdm location inside
    pdm location outside
    pdm location inside
    pdm location SW outside
    pdm location SW inside
    pdm location outside
    pdm location SW outside
    pdm location ---External IP Address --- inside
    pdm location inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0 0
    nat (inside) 1 0 0
    static (inside,outside) SW netmask 0 0
    route outside Internet Router IP 1
    route inside SW 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer ---cHECKPOINT External IP Address ---
    crypto map outside_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address Checkkpoint ---External IP Address --- netmask no-xauth no-con
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group PPTP-VPDN-GROUP accept dialin pptp
    vpdn group PPTP-VPDN-GROUP ppp authentication pap
    vpdn group PPTP-VPDN-GROUP ppp authentication chap
    vpdn group PPTP-VPDN-GROUP ppp authentication mschap
    vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
    vpdn group PPTP-VPDN-GROUP client configuration address local PPTP
    vpdn group PPTP-VPDN-GROUP client configuration dns
    vpdn group PPTP-VPDN-GROUP pptp echo 60
    vpdn group PPTP-VPDN-GROUP client authentication local
    vpdn username backbone password *********
    vpdn username dthomas password *********
    vpdn username mnocera password *********
    vpdn enable outside
    dhcpd address inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    LVL 4

    Author Comment

    I will appreciate it if i get a feed back asap. Don’t mind whether the feed back is negative. I just need to get a fix asap as this is quite urgent now. Please HELP!!!  My pix config is above. i just need to know why i cannot access the internet after i added the nat: static (inside,outside) SW(SW: netmask 0 0. if i type show xlate on the pix , i get
    25 in use, 108 most used
    Global Local

    instead of

    PAT Global PIX External IP (3975) Local
    PAT Global PIX External IP (3974) Local
    I need to get PAT working for all traffic to go out through the pix external interface instead of which is the IP i natted for the ipsec tunnel.

    Please Help.............

    Featured Post

    6 Surprising Benefits of Threat Intelligence

    All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

    Join & Write a Comment

    Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
    This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
    Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

    755 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    21 Experts available now in Live!

    Get 1:1 Help Now