Cisco PIX 501 Questions

I have two Cisco PIX 501 routers, and I want to create a VPN connection between them to share files and a printer in two different geographical locations. Could someone explain what needs to be done to the network on both ends as well as the PIX router? The PIX router will be running DHCP on both ends, and both locations have static IPs. Please help.

Thanks.
jtarabayAsked:

tmesiasCommented:
check out

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

basically I'll post what I can here if you can't get to the site.  It's document # 6211

Also make sure that your IOS supports the ipsec features..  do a show version.

Introduction
This configuration allows two Cisco Secure PIX Firewalls to run a simple virtual private network (VPN) tunnel from PIX to PIX over the Internet or any public network that uses IP Security (IPSec). IPSec is a combination of open standards that provides data confidentiality, data integrity, and data origin authentication between IPSec peers.

Before You Begin
Conventions
For more information on document conventions, see the Cisco Technical Tips Conventions.

Prerequisites
There are no specific prerequisites for this document.

Components Used
The information in this document is based on the software and hardware versions below.

Cisco Secure PIX 515 Firewall with Cisco IOS® Software version 5.1(1).

Cisco Secure PIX 520 Firewall with Cisco IOS® Software version 5.1(1).

The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you work in a live network, ensure that you understand the potential impact of any command before you use it.

Background Theory
IPSec negotiation can be broken down into five steps, including two Internet Key Exchange (IKE) phases.

An IPSec tunnel is initiated by interesting traffic. Traffic is considered interesting when it travels between the IPSec peers.

In IKE Phase 1, the IPSec peers negotiate the established IKE Security Association (SA) policy. Once the peers are authenticated, a secure tunnel is created using Internet Security Association and Key Management Protocol (ISAKMP).

In IKE Phase 2, the IPSec peers use the authenticated and secure tunnel to negotiate IPSec SA transforms. The negotiation of the shared policy determines how the IPSec tunnel is established.

The IPSec tunnel is created and data is transferred between the IPSec peers based on the IPSec parameters configured in the IPSec transform sets.

The IPSec tunnel terminates when the IPSec SAs are deleted or when their lifetime expires.

Note: IPSec negotiation between the two PIXs fails if the SAs on both of the IKE phases do not match on the peers.

Configure
In this section, you are presented with the information to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).

Network Diagram
This document uses this network diagram:



IKE and IPSec Configuration
The IPSec configuration on each PIX should only vary when putting in the peer information and the naming convention chosen for the crypto maps and transform sets. The configuration can be verified with the write terminal or show commands. The relevant commands are show isakmp, show isakmp policy, show access-list, show crypto ipsec transform-set, and show crypto map. Information on these commands can be found in the Cisco Secure PIX Firewall Command References.

Complete these steps to configure IPSec:

Configure IKE for Preshared Keys

Configure IPSec

Configure Network Address Translation (NAT)

Configure PIX System Options

Configure IKE for Preshared Keys
Enable IKE on the IPSec terminating interfaces by using the isakmp enable command. In this scenario, the outside interface is the IPSec terminating interface on both PIXs. IKE would be configured on both PIXs; these commands only show Maui-PIX-01.

isakmp enable outside
You also need to define the IKE policies that are used during the IKE negotiations by using the isakmp policy command. When using this command, you must assign a priority level so that the policies are uniquely identified. In this case, the highest priority of 1 is assigned to the policy. The policy is also set to use a preshared key, use MD5 hashing algorithm for data authentication, use DES for Encapsulating Security Payload (ESP), use Diffie-Hellman group1, and set the Security Association (SA) lifetime.

isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
The IKE configuration can be verified with the show isakmp policy command:

Maui-PIX-01# show isakmp policy
Protection suite of priority 1
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 1000 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Finally, configure the preshared key and assign a peer address by using the isakmp key command. The same preshared key must match on the IPSec peers when using preshared keys. The address differs, depending on the IP address of the remote peer.

isakmp key ********** address 172.22.112.12 netmask 255.255.255.255
The policy can be verified with the write terminal or show isakmp command:

Maui-PIX-01# show isakmp
isakmp enable outside
isakmp key ********** address 172.22.112.12 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
Configure IPSec
IPSec is initiated when one of the PIXs receives traffic that is destined for the other PIX's inside network. This traffic is deemed interesting traffic that needs to be protected by IPSec. An access list is used to determine which traffic initiates the IKE and IPSec negotiations. The access list shown below permits traffic to be sent from the 10.1.1.x network, via the IPSec tunnel, to the 172.16.1.x network. The access list on the opposite PIX's configuration mirrors this access list. This would be appropriate for Maui-PIX-01.

access-list 101 permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
The IPSec transform set defines the security policy that the peers use to protect the data flow. The IPSec transform is defined by using the crypto ipsec transform-set command. A unique name must be chosen for the transform set and up to three transforms can be selected to define the IPSec security protocols. This configuration only uses two transforms: esp-hmac-md5 and esp-des.

crypto ipsec transform-set chevelle esp-des esp-md5-hmac
Crypto maps set up IPSec SAs for the encrypted traffic. To create a crypto map, you must assign a map name and a sequence number, and define the crypto map parameters. The crypto map "transam" shown below uses IKE to establish IPSec SAs, encrypts anything that matches access-list 101, has a set peer, and uses the chevelle transform-set to enact its security policy for traffic.

crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 172.22.112.12
crypto map transam 1 set transform-set chevelle
After defining the crypto map, apply the crypto map to an interface. The interface chosen should be the IPSec terminating interface.

crypto map transam interface outside
The crypto map attributes can be verified by using the show crypto map command:

Maui-PIX-01# show crypto map

Crypto Map: "transam" interfaces: { outside }

Crypto Map "transam" 1 ipsec-isakmp
Peer = 172.22.112.12
access-list 101 permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255
Current peer: 172.22.112.12
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ chevelle, }
Configure Network Address Translation (NAT)
This command tells the PIX not to NAT any traffic deemed as interesting for IPSec. Thus, all traffic that matches the access-list command statements is exempt from the NAT services.

nat (inside) 0 access-list 101
Configure PIX System Options
Because all inbound sessions must be explicitly permitted by an access list or a conduit, the sysopt connection permit-ipsec command is used to permit all inbound IPSec authenticated cipher sessions. With IPSec protected traffic, the secondary conduit check could be redundant and cause the tunnel creation to fail. The sysopt command tunes various PIX Firewall security and configuration features.

sysopt connection permit-ipsec
Configurations
If you have the output of a write terminal command from your Cisco device, you can use Output Interpreter (registered customers only) to display potential issues and fixes. To use Output Interpreter (registered customers only), you must be logged in and have JavaScript enabled.

Maui-PIX-01 at 192.168.1.52
 
PIX Version 5.1(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password <snipped>
passwd <snipped>  encrypted
hostname Maui-PIX-01
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
names

!--- Defines interesting traffic that is protected by IPSec Tunnel.


access-list 101 permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500


!--- Sets the outside address on the PIX Firewall.

ip address outside 192.168.1.52 255.255.255.0


!--- Sets the inside address on the PIX Firewall.

ip address inside 10.1.1.1 255.255.255.0
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400


!--- This command tells the PIX not to NAT any traffic
!--- deemed interesting for IPSec.

nat (inside) 0 access-list 101


!--- Sets the default route to the default gateway.

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
AAA-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable


!--- Allows IPSec traffic to pass through the PIX Firewall
!--- and does not require an additional conduit
!--- or access-list statements to permit IPSec traffic.
 
sysopt connection permit-ipsec
no sysopt route dnat


!--- IKE Phase 2:
!--- The IPSec transform-set "chevelle" uses esp-md5-hmac to provide
!--- data authentication.
 
!--- esp-des provides 56-bit encryption.
crypto ipsec transform-set chevelle esp-des esp-md5-hmac


!--- Crypto maps set up the security associations for IPSec traffic.
!--- Indicates that IKE is used to establish IPSec SAs.

crypto map transam 1 ipsec-isakmp


!--- Assigning interesting traffic to peer 172.22.112.12.

crypto map transam 1 match address 101


!--- Setting IPSec peer.

crypto map transam 1 set peer 172.22.112.12


!--- Sets the IPSec transform set "chevelle"
!--- to be used with the crypto map entry "transam".

crypto map transam 1 set transform-set chevelle


!--- Assigning the crypto map transam to the interface.

crypto map transam interface outside


!--- IKE Phase 1:
!--- Enables IKE on the interface used for terminating IPSec tunnel.

isakmp enable outside


!--- Sets the peer's ISAKMP identity and
!--- sets the pre-shared key between the IPSec peers.
!--- The same preshared key must be configured on the
!--- IPSec peers for IKE authentication.

isakmp key ********** address 172.22.112.12 netmask 255.255.255.255


!--- The PIX uses the IP address method by default
!--- for the IKE identity in the IKE negotiations.


isakmp identity address


!--- The ISAKMP policy defines the set of parameters
!--- that are used for IKE negotiations.
!--- If these parameters are not set, the default parameters are used.
!--- The show isakmp policy command shows the differences in
!--- the default and configured policy.
 
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
terminal width 80
Cryptochecksum:<snipped>
: end
[OK]      
 

Maui-PIX-02 at 172.22.112.12
 
PIX Version 5.1(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password <snipped> encrypted
passwd <snipped> encrypted
hostname Maui-PIX-02
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
names


!--- Defines interesting traffic that is protected by the IPSec Tunnel.

access-list 101 permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500


!--- Sets the outside address on the PIX Firewall.

ip address outside 172.22.112.12 255.255.0.0


!--- Sets the inside address on the PIX Firewall.

ip address inside 172.16.1.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
arp timeout 14400


!--- This command tells the PIX not to NAT any traffic
!--- deemed interesting for IPSec.

nat (inside) 0 access-list 101


!--- Sets the default route to the default gateway.

route outside 0.0.0.0 0.0.0.0 172.22.112.1 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable


!--- Allows IPSec traffic to pass through the PIX Firewall
!--- and does not require an additional conduit
!--- or access-list statements to permit IPSec traffic.
 
sysopt connection permit-ipsec
no sysopt route dnat


!--- IKE Phase 2:
!--- The IPSec transform set defines the negotiated security policy
!--- that the peers use to protect the data flow.
!--- The IPSec transform-set "toyota" uses hmac-md5 authentication header
!--- and encapsulates the payload with des.

crypto ipsec transform-set toyota esp-des esp-md5-hmac


!--- Crypto maps set up the security associations for IPSec traffic.
!--- Indicates that IKE is used to establish IPSec SAs.

crypto map bmw 1 ipsec-isakmp


!--- Assigning interesting traffic to peer 192.168.1.52.

crypto map bmw 1 match address 101


!--- Setting IPSec peer.

crypto map bmw 1 set peer 192.168.1.52


!--- Sets the IPSec transform set "toyota"
!--- to be used with the crypto map entry "bmw".

crypto map bmw 1 set transform-set toyota


!--- Assigning the crypto map bmw to the interface.

crypto map bmw interface outside


!--- IKE Phase 1:
!--- Enables IKE on the interface used for terminating IPSec tunnel.

isakmp enable outside


!--- Sets the peer's ISAKMP identity and
!--- sets the preshared key between the IPSec peers.
!--- The same preshared key must be configured on the
!--- IPSec peers for IKE authentication.

isakmp key ********** address 192.168.1.52 netmask 255.255.255.255


!--- The PIX uses the IP address method by default
!--- For the IKE identity in the IKE negotiations.

isakmp identity address


!--- The ISAKMP policy defines the set of parameters
!--- that are used for IKE negotiations.
!--- If these parameters are not set, the default parameters are used.
 
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
terminal width 80
Cryptochecksum:<snipped>
: end
[OK]
 



Verify
This section provides information you can use to confirm your configuration is working properly.

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.

show crypto ipsec sa – Displays the current status of the IPSec security associations and is useful in determining if traffic is being encrypted.

show crypto isakmp sa – Shows the current state of the IKE security associations.

Maui-PIX-01 show Commands
 
Maui-PIX-01# show crypto ipsec sa
interface: outside
Crypto map tag: transam, local addr. 192.168.1.52

local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
current_peer: 172.22.112.12
PERMIT, flags={origin_is_acl,}

!--- This verifies that encrypted packets are being sent
!--- and received without any errors.
 
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest 3
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0

local crypto endpt.: 192.168.1.52, remote crypto endpt.: 172.22.112.12
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 6f09cbf1

!--- Shows inbound SAs that are established.
 
inbound esp sas:
spi: 0x70be0c04(1891503108)
transform: esp-des esp-md5-hmac
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: transam
sa timing: remaining key lifetime (k/sec): (4607999/28430)
IV size: 8 bytes
replay detection support: Y

inbound ah sas:

inbound pcp sas:

!--- Shows outbound SAs that are established.

outbound ESP sas:
spi: 0x6f09cbf1(1862913009)
transform: esp-des esp-md5-hmac
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: transam
sa timing: remaining key lifetime (k/sec): (4607999/28430)
IV size: 8 bytes
replay detection support: Y

outbound ah sas:

outbound PCP sas:



!--- The ISAKMP SA is in the quiescent state (QM_IDLE) when it exists.
!--- The ISAKMP SA is idle. The ISAKMP SA remains authenticated with its
!--- peer and may be used for subsequent Quick Mode exchanges.

Maui-PIX-01# show crypto isakmp sa
     dst             src          state      pending        created  
172.22.112.12    192.168.1.52    QM_IDLE        0        1
Maui-PIX-01#
 


Maui-PIX-02 show Commands
 
Maui-PIX-02# show crypto ipsec sa

interface: outside
Crypto map tag: bmw, local addr. 172.22.112.12

local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer: 192.168.1.52
PERMIT, flags={origin_is_acl,}

!--- This verifies that encrypted packets are
!--- being sent and received without any errors.
 
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest 3
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. Failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 172.22.112.12, remote crypto endpt.: 192.168.1.52
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 70be0c04

!--- Shows inbound SAs that are established.

Inbound ESP sas:
spi: 0x6f09cbf1(1862913009)
transform: esp-des esp-md5-hmac
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: bmw
sa timing: remaining key lifetime (k/sec): (4607999/28097)
IV size: 8 bytes
replay detection support: Y

inbound ah sas:

inbound PCP sas:

!--- Shows outbound SAs that are established.

Outbound ESP sas:
spi: 0x70be0c04(1891503108)
transform: esp-des esp-md5-hmac
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: bmw
sa timing: remaining key lifetime (k/sec): (4607999/28097)
IV size: 8 bytes
replay detection support: Y

outbound ah sas:

outbound PCP sas:



!--- The ISAKMP SA is in the quiescent state (QM_IDLE) when it exists.
!--- The ISAKMP SA is idle. The ISAKMP SA remains authenticated with its
!--- peer and may be used for subsequent Quick Mode exchanges.

Maui-PIX-02# show crypto isakmp sa
     dst             src          state      pending       created  
172.22.112.12    192.168.1.52    QM_IDLE        0       1
Maui-PIX-02#
 


Troubleshoot
This section provides information you can use to troubleshoot your configuration.

Troubleshooting Commands
Note: The clear commands must be performed in configuration mode.

clear crypto ipsec sa – Resets the IPSec associations after failed attempts to negotiate a VPN tunnel.

clear crypto isakmp sa – Resets the ISAKMP security associations after failed attempts to negotiate a VPN tunnel.

Note: Before issuing debug commands, please see Important Information on Debug Commands.

debug crypto ipsec – Shows if a client is negotiating the IPSec portion of the VPN connection.

debug crypto isakmp – Shows if the peers are negotiating the ISAKMP portion of the VPN connection.

After the connection is complete, it can be verified using the show commands.

jtarabayAuthor Commented:
That is all great info, but I am sort of new to Cisco routers. Is there any way this can be explained through the PDM? Thanks.
tmesiasCommented:
It will be easier to do through the command prompt. Go to each PIX and do a show config (editing out your passwords) and post that here.
lrmooreCommented:
The PDM GUI has a really nice easy to use VPN wizard that will walk you through step-by-step...
#1 thing is that the 501 uses 192.168.1.0 subnet on the inside by default. You *must* change one side or the other to be a different subnet before you can continue...
jtarabayAuthor Commented:
lrmoore, I have changed one of the PIX routers to the subnet 192.168.16.0. I have been looking at the Easy VPN Wizard, I just don't understand it. I have configured Linksys VPN routers, they are just so much easier. Anything out there to explain the VPN Wizard more clearly? Also, does the Cisco PIX 501 have to connect to another PIX 501, or could it connect to a Linksys VPN router? The reason I ask is because I don't have the other PIX set up at the other location yet. I am in NC, there is one PIX here, the other needs to go to VA, so I want to at least get one capable of connecting to another VPN router and establish a VPN gateway before I take the other one to the VA location. Thanks.
lrmooreCommented:
What version of PDM do you have? PDM 3.03 is the latest and it just keeps getting better.
3.02 has some issues with the latest Java Runtime
3.01 should be upgraded for sure..

>I have been looking at the Easy VPN Wizard
Don't use the Easy VPN. Ain't nothin' easy about it.
Use the site-to-site vpn wizard..

Using PDM 3.02
PIX 6.3(4)

Launch the wizard
Choose site-to-site
Select interface VPN enabled on [outside ]
 Next>
Peer IP address: remote PIX public IP
* pre-shared key:  G00dPa$$worD!
 Next>
3DES
MD5
Group2 (1024-bit)
 Next>
3DES
MD5
 Next>
* IP address
inside
192.168.16.0 <== my local LAN IP subnet
255.255.255.0
[ >>] put it over in the Selected box
 Next>
On Remote site
outside
192.168.1.0 <== remote LAN IP subnet
255.255.255.0  [>>] put it in Selected box
 Finish


>Also does the Cisco PIX 501 have to connect to another PIX 501, or could it connect to a Linksys VPN router.
Easily connect to another Linksys. I have a WRV54G at home and PIX at work with VPN no problems..
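As an added example (not from the thread, from Cisco's document or from PDM), the Python below parses the tunnel-relevant lines of two PIX configurations and reports where the two ends disagree: the peer/outside address pairing, the mirrored interesting-traffic ACLs, the transform sets and the IKE policy that the configuration tmesias quoted says must match, plus the inside-subnet clash lrmoore points out for two default PIX 501s. Function and field names are the example's own; the sample input is a constructed excerpt of the Maui-PIX-01 and Maui-PIX-02 configurations above.

```python
import ipaddress
# Constructed sample input: the tunnel-relevant lines of the Maui-PIX-01 and
# Maui-PIX-02 configurations quoted in the thread (all other lines omitted).
PIX01 = """\
hostname Maui-PIX-01
access-list 101 permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
ip address outside 192.168.1.52 255.255.255.0
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map transam 1 match address 101
crypto map transam 1 set peer 172.22.112.12
crypto map transam 1 set transform-set chevelle
isakmp key ********** address 172.22.112.12 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
"""
PIX02 = """\
hostname Maui-PIX-02
access-list 101 permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
ip address outside 172.22.112.12 255.255.0.0
crypto ipsec transform-set toyota esp-des esp-md5-hmac
crypto map bmw 1 match address 101
crypto map bmw 1 set peer 192.168.1.52
crypto map bmw 1 set transform-set toyota
isakmp key ********** address 192.168.1.52 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
"""

def parse_pix(text):
    """Pull out the IKE/IPSec settings a site-to-site tunnel depends on."""
    cfg = {"acls": {}, "tsets": {}, "policy": {}, "map": {}}
    for line in text.splitlines():
        w = line.split()
        if len(w) < 2:
            continue
        if w[0] == "hostname":
            cfg["host"] = w[1]
        elif w[:3] == ["ip", "address", "outside"]:
            cfg["outside"] = w[3]  # the IPSec terminating address
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            # interesting traffic: (local subnet, remote subnet)
            cfg["acls"].setdefault(w[1], []).append(
                (ipaddress.ip_network(f"{w[4]}/{w[5]}"),
                 ipaddress.ip_network(f"{w[6]}/{w[7]}")))
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tsets"][w[3]] = frozenset(w[4:])  # transform order is irrelevant
        elif w[:2] == ["crypto", "map"] and len(w) > 4 and w[3].isdigit():
            # "crypto map NAME SEQ set peer 1.2.3.4" -> map["set peer"] = "1.2.3.4"
            cfg["map"][" ".join(w[4:-1])] = w[-1]
        elif w[:2] == ["isakmp", "key"]:
            cfg["key_peer"] = w[w.index("address") + 1]
        elif w[:2] == ["isakmp", "policy"]:
            cfg["policy"][w[3]] = w[4]  # e.g. policy["hash"] = "md5"
    return cfg

def check_peers(a, b):
    """Return the mismatches that would stop IKE phase 1 or phase 2 from completing."""
    findings = []
    for x, y in ((a, b), (b, a)):
        if x["map"].get("set peer") != y["outside"]:
            findings.append(f"{x['host']}: crypto map peer is not the other PIX's outside address")
        if x.get("key_peer") != x["map"].get("set peer"):
            findings.append(f"{x['host']}: isakmp key address differs from crypto map peer")
    acl_a = a["acls"].get(a["map"].get("match address"), [])
    acl_b = b["acls"].get(b["map"].get("match address"), [])
    # Each side's interesting-traffic ACL must be the exact reverse of the other's.
    if sorted((d, s) for s, d in acl_b) != sorted(acl_a):
        findings.append("interesting-traffic ACLs do not mirror each other")
    # Two PIX 501s both default to 192.168.1.0/24 inside; one LAN has to be renumbered.
    for src, dst in acl_a:
        if src.overlaps(dst):
            findings.append(f"protected subnets {src} and {dst} overlap")
    if (a["tsets"].get(a["map"].get("set transform-set"))
            != b["tsets"].get(b["map"].get("set transform-set"))):
        findings.append("IPSec transform sets differ")
    # Lifetime is not compared: the peers settle on the shorter one during IKE.
    for param in ("authentication", "encryption", "hash", "group"):
        if a["policy"].get(param) != b["policy"].get(param):
            findings.append(f"IKE policy {param} differs")
    return findings
```

Run `check_peers(parse_pix(PIX01), parse_pix(PIX02))` against your own two `show config` outputs (passwords removed); an empty list means the two ends agree on everything the tunnel negotiation compares.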

jtarabayAuthor Commented:
PDM Version 3.0(1)
PIX Version 6.3(3)

How do I upgrade the PDM version, I guess I should do that before I hook up the VPN.
jtarabayAuthor Commented:
lrmoore, I followed the directions you gave, so now that the info is in the router, how is the connection established?
lrmooreCommented:
As soon as you do the other side the same, you should be able to ping back and forth between networks.
Be sure that you use the exact same pre-shared key password..
In the GUI, Monitoring,
-VPN Statistics
    IKE SAs   <== choose this and you should see remote ip and QM_IDLE state
    IPSec VPNs <== choose this and you should be able to see # packets encapsulated/decapsulated

jtarabayAuthor Commented:
lrmoore, I will know if this VPN is working on Thursday because the offsite router will be in place. Before I can take it there, I have to have port forwarding on the router send to an internet IP. I want to remote desktop to a Windows 2003 server, so when they type in the outside IP xxx.xxx.xxx.xxx it needs to hit the router and forward to the server's internet IP xxx.xxx.xxx.xxx on port 3389. How could I make that happen?

Thanks.
lrmooreCommented:
jtarabay,
That is an entirely new question and should be posted by itself.
Let's get one problem/one solution set in a single thread.

Thanks!
jtarabayAuthor Commented:
It's alright, I figured it out anyway.
jtarabayAuthor Commented:
I am trying to configure the VPN as both routers are now where they need to be.  I'm using:

PIX Version: 6.3(3)
PDM Version: 3.0(1)

I need a step by step on the versions above.  If I need to upgrade the version, how do I do that?

Thanks.
lrmooreCommented:
The step by step should be exactly as I posted before. There is very little change between what you have and what I have. Mostly cosmetic and stability with Java Runtime updates in the PDM, and a couple of bug fixes in the OS that are not relevant to what you are trying to do.
If you have a CCO account you should be able to download the new OS and PDM. If you don't have one, that's the only place to legally get the software.

jtarabayAuthor Commented:
Never mind, I figured this out. Sorry about that.
jtarabayAuthor Commented:
Oh okay, I don't have CCO account.  Thanks for all your help.  The VPN is now working.  Sorry about being so annoying.
lrmooreCommented:
Yeah! Good work!