[Last Call] Learn how to a build a cloud-first strategyRegister Now


site to site vpn between cisco pix 506 e and cisco 7200

Posted on 2006-03-24
Medium Priority
Last Modified: 2010-04-12
Hi there
I have a PIX 506, and I need to set up a site to site vpn with QWest where they have a bunch of servers behind the 7200 that I need to access..

Tunnel endpoint address on QWest : (I changed the ip for security purposes..)

Tunnel endpoint address on my network: (changed again..)

The requirements are as follows according to QWest:

IPSec Parameters (IKE Phase 1 Proposal)
Pre-Shared key :  eggster34
Auth. Algorithm: ESP/MD5/HMAC-128
Encryption Algorithm: 3DES-168
Diffie-Hellman Group: Group 2 (1024-bits)
Lifetime Measurement: Time
Data Lifetime: N/A
Time Lifetime: 1 hour
Negotiation Mode: Main

IPSec Parameters (IKE Phase 2 Proposal)
Encapsulation Mode: Tunnel
Encryption Algorithm: 3DES-168
Perfect Forward Secrecy: Disabled
Lifetime Measurement: Time
Data Lifetime: N/A
Time Lifetime: 1 hour

The are several hosts on the internal network that I need to access, but if you could help me figure out how to connect to only I can figure out the rest.

My internal network is / 24.

Many thanks indeed.
Question by:eggster34
  • 3
  • 2
LVL 20

Accepted Solution

calvinetter earned 2000 total points
ID: 16286602
 See the following page for an example for your PIX config:
  If your PIX is running 6.3 series, I'd also run the following:
  isakmp nat-traversal
  clear xlate

Referring to the example in the URL above, IPSec parameters you'd change (or add) would look like the following, to match the requirements posted above:

crypto ipsec transform-set DYN-TS esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map IPSEC 10 set peer

isakmp key eggster34 address netmask
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600

  If still having problems, please post your entire "sanitized" PIX config (passwords removed, public IPs either changed as above, or masked out like so: x.x.x.82).


Author Comment

ID: 16288616
thanks I will try this asap.
don't I need to create an access list and set the isakmp policy to use the access list ?
the reason is that I have over 20 ip addresses that I need to connect to once I establish the vpn.
LVL 20

Expert Comment

ID: 16288938
>don't I need to create an access list and set the isakmp policy to use the access list ?
  If you're referring to the line in the example:  "crypto map IPSEC 10 match address 101", then yes you're absolutely correct.  As I mentioned in my post, I only posted what your main IPSec parameters would look like, regarding encryption, etc that would match Qwest's requirements.  You'll of course need to follow the example for all the other ingredients for a complete config, including ACLs.  Sorry if that wasn't clearly spelled out before.

Once again, if you get stuck after going through the example,  post your current complete but "sanitized" PIX config & we'll go from there.


Author Comment

ID: 16288976
ok that's what I thought when I re-read your post..
I'll try it ASAP and let you know and post the config if it still doesn't work.
many thanks indeed.

Author Comment

ID: 16289303
I did it man. Thanks a lot.

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Like many others, when I created a Windows 2008 RRAS VPN server, I connected via PPTP, and still do, but there are problems that can arise from solely using PPTP.  One particular problem was that the CFO of the company used a Virgin Broadband Wirele…
Secure VPN Connection terminated locally by the Client.  Reason 442: Failed to enable Virtual Adapter. If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry f…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question