Pix 506 to Pix 501 VPN

Cisco's documentation is too generic; I can't seem to get anything to work.

What I am trying to do is connect a small branch office 192.168.2.0/24 to its main office network 192.168.1.0/24 using the public internet and IPSEC via the Pix firewalls. Main location in St. Louis, Branch is Kansas City. I have successfully done this before but for some reason the notes I took were not correct because I can't duplicate it. Can someone please assist me? Thank you. Let's call the public IP at KC 2.2.2.2 and the IP at St. Louis 1.1.1.1. The PDM VPN Wizard doesn't do me any good either. Sorry to sound like a whiner :)

Both firewalls are 3DES enabled. I removed all access-list, cryptomap and route entries. The only route is the default gateway. The configs are clean, just need to know what to add to get a vpn going. THANKS AGAIN. I will open a new question for another 500 points if this is too much work for only 500.
it2gostl asked:
Cyclops3590 commented:
Okay, I'm not sure whether 192.168.2.0/24 belongs to KC or St. Louis so I'm assuming this
KC: 192.168.2.0/24
St. Louis: 192.168.1.0/24

The below should work, I don't believe I missed anything

KC PIX
sysopt connection permit-ipsec
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list intersitevpn permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
isakmp enable outside
isakmp policy 10 authentication pre-share     <-- the ISAKMP attributes belong to a numbered policy (priority 10)
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5     <-- Am assuming you are using md5, you can also use sha
isakmp policy 10 group 2
isakmp key <your key here> address 1.1.1.1
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto map outsidemap 10 ipsec-isakmp     <-- creates map entry 10; the set/match lines below attach to it
crypto map outsidemap 10 set transform-set esp-3des-md5
crypto map outsidemap 10 set peer 1.1.1.1
crypto map outsidemap 10 match address intersitevpn
crypto map outsidemap interface outside

St. Louis PIX
sysopt connection permit-ipsec
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list intersitevpn permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
isakmp enable outside
isakmp policy 10 authentication pre-share     <-- the ISAKMP attributes belong to a numbered policy (priority 10)
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5     <-- Am assuming you are using md5, you can also use sha
isakmp policy 10 group 2
isakmp key <your key here> address 2.2.2.2
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto map outsidemap 10 ipsec-isakmp     <-- creates map entry 10; the set/match lines below attach to it
crypto map outsidemap 10 set transform-set esp-3des-md5
crypto map outsidemap 10 set peer 2.2.2.2
crypto map outsidemap 10 match address intersitevpn
crypto map outsidemap interface outside
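The two ends of a site-to-site tunnel have to be exact mirrors of each other: the crypto ACL and the nat 0 ACL on one PIX must be the other's with source and destination swapped, each crypto map peer must be the other box's outside address, and the transform-set, ISAKMP policy attributes and pre-shared key must agree. The following consistency checker is an added example written for this thread; it is not code from the original post or from Cisco. It parses the VPN-relevant statements of two PIX 6.x configs (only the statement forms used in this thread, one crypto map entry per side) and lists what disagrees. The sample configs are constructed from the KC side above using the `isakmp policy 10` syntax the asker ended up needing; EXAMPLEKEY is a placeholder key and SHA is used in place of MD5, as the thread later recommends.

```python
"""Mirror check for a pair of PIX 6.x site-to-site IPsec configs (added example, not from the thread)."""
import re

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NONAT_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")
POLICY_RE = re.compile(r"^isakmp policy (\d+) (\S+) (\S+)$")
KEY_RE = re.compile(r"^isakmp key (\S+) address (\S+)")
TSET_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (set peer|set transform-set|match address) (\S+)$")
MAP_IF_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")

def parse_pix(text):
    """Collect ACLs, nat 0, ISAKMP policy/keys, transform-sets and crypto map entries."""
    cfg = {"acls": {}, "nonat_acl": None, "isakmp_policy": {}, "keys": {}, "transform_sets": {}, "crypto_map": {}, "map_interface": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            cfg["acls"].setdefault(name, []).append((src, smask, dst, dmask))
        elif m := NONAT_RE.match(line):
            cfg["nonat_acl"] = m.group(1)
        elif m := POLICY_RE.match(line):
            prio, attr, value = m.groups()
            cfg["isakmp_policy"].setdefault(prio, {})[attr] = value
        elif m := KEY_RE.match(line):
            cfg["keys"][m.group(2)] = m.group(1)  # pre-shared key, keyed by peer address
        elif m := TSET_RE.match(line):
            cfg["transform_sets"][m.group(1)] = frozenset(m.group(2).split())
        elif m := MAP_RE.match(line):
            name, seq, kind, value = m.groups()
            cfg["crypto_map"].setdefault((name, seq), {})[kind.split()[-1]] = value
        elif m := MAP_IF_RE.match(line):
            cfg["map_interface"] = (m.group(1), m.group(2))
    return cfg

def mirrored(entries_a, entries_b):
    """ACL entries on B must be A's entries with source and destination swapped."""
    return {(d, dm, s, sm) for (s, sm, d, dm) in entries_a} == set(entries_b)

def check_pair(cfg_a, ip_a, cfg_b, ip_b):
    """Return a list of problems; an empty list means the two ends agree."""
    problems, entries = [], {}
    for label, cfg, remote in (("A", cfg_a, ip_b), ("B", cfg_b, ip_a)):
        if cfg["map_interface"] is None:
            problems.append(f"{label}: crypto map not applied to an interface")
        if not cfg["crypto_map"]:
            return problems + [f"{label}: no crypto map entries"]
        entry = entries[label] = next(iter(cfg["crypto_map"].values()))
        if entry.get("peer") != remote:
            problems.append(f"{label}: peer {entry.get('peer')} is not the far end {remote}")
        if remote not in cfg["keys"]:
            problems.append(f"{label}: no isakmp key for peer {remote}")
        if cfg["nonat_acl"] is None:
            problems.append(f"{label}: no nat (inside) 0 ACL, tunnel traffic would be NATed")
    a, b = entries["A"], entries["B"]
    if not mirrored(cfg_a["acls"].get(a.get("address"), []), cfg_b["acls"].get(b.get("address"), [])):
        problems.append("crypto ACLs are not mirror images of each other")
    if not mirrored(cfg_a["acls"].get(cfg_a["nonat_acl"], []), cfg_b["acls"].get(cfg_b["nonat_acl"], [])):
        problems.append("nat 0 ACLs are not mirror images of each other")
    ts_a = cfg_a["transform_sets"].get(a.get("transform-set"))
    ts_b = cfg_b["transform_sets"].get(b.get("transform-set"))
    if ts_a is None or ts_a != ts_b:
        problems.append(f"transform-sets differ: {ts_a} vs {ts_b}")
    # Policy numbers are local to each box; any one matching attribute set is enough.
    if not any(pa == pb for pa in cfg_a["isakmp_policy"].values() for pb in cfg_b["isakmp_policy"].values()):
        problems.append("no ISAKMP policy on A matches a policy on B")
    if cfg_a["keys"].get(ip_b) != cfg_b["keys"].get(ip_a):
        problems.append("pre-shared keys differ")
    return problems

# Constructed sample: the thread's KC side with isakmp policy syntax; EXAMPLEKEY is a placeholder, SHA replaces MD5.
KC_CONFIG = """\
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list intersitevpn permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp key EXAMPLEKEY address 1.1.1.1 netmask 255.255.255.255
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto map outsidemap 10 ipsec-isakmp
crypto map outsidemap 10 set peer 1.1.1.1
crypto map outsidemap 10 set transform-set esp-3des-sha
crypto map outsidemap 10 match address intersitevpn
crypto map outsidemap interface outside
"""

def _swap(text, a, b):  # exchange two substrings
    return text.replace(a, "\0").replace(b, a).replace("\0", b)

# STL is KC with the two LAN subnets and the two public addresses exchanged.
STL_CONFIG = _swap(_swap(KC_CONFIG, "192.168.2.0", "192.168.1.0"), "1.1.1.1", "2.2.2.2")
# A typo in STL's crypto ACL (wrong far-end subnet): phase 1 comes up, phase 2 never will.
STL_TYPO = STL_CONFIG.replace("intersitevpn permit ip 192.168.1.0 255.255.255.0 192.168.2.0",
                              "intersitevpn permit ip 192.168.1.0 255.255.255.0 192.168.3.0")

def check_thread_configs(stl_config=STL_CONFIG):
    return check_pair(parse_pix(KC_CONFIG), "2.2.2.2", parse_pix(stl_config), "1.1.1.1")
```

`check_thread_configs()` returns an empty list for the pair as posted and a one-item list naming the crypto ACL mismatch for the typo'd STL side. That kind of mismatch is the one that is hardest to see on the boxes themselves: phase 1 completes, so `show crypto isakmp sa` shows the peer, but `show crypto ipsec sa` never shows an SA for the subnet pair because the proxy identities the two sides propose do not agree.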

IPKON_Networks commented:
What do you have on the outside of the PIXs (i.e. a DSL router) for the connection to the public Internet? Is it set up as VPN passthrough to allow your PIX outside ports to be visible at each end?

On your DSL routers (or other CE routers, if that is what you have), can you plug in a computer/sniffer to see what traffic is coming out of the PIX? It sounds like traffic is not actually making it out of one PIX to talk to the other.

If you have gone through the PDM wizard, assuming you have an active network, you should have a connected pair of firewalls. (Again, taking your word that you have open ACLs and default gateways.)

Can you post the PIX config at either end here please?

Thanks
Barny
it2gostl (Author) commented:
Thanks both of you for the fast posts. Cyclops, this is exactly what I am looking for; will add to the config and post the results. Should take me about 1 hour.

STL is behind a Netopia T1 router, all traffic passed through on their 5 IPs.

KC is behind a Linksys BEFSR41 and using a local wireless internet. They have a /29 address. Stand by for updates.
it2gostl (Author) commented:
Forgot to ask, what's better, SHA or MD5?
Cyclops3590 commented:
SHA is a higher bit count than MD5, thus more secure, but of course takes more CPU cycles to compute.
IPKON_Networks commented:
SHA is my preference for the extra security

Barny
it2gostl (Author) commented:
Cyclops: It worked FLAWLESSLY. Only issue was you need "priority 10" in the isakmp statements. Put these in and it works like a champ. Thanks for your help. I am giving Barny 50 points for getting involved. Thanks!!
IPKON_Networks commented:
Thanks but I asked more questions than answered !!! ;-)
Cyclops3590 commented:
I knew it didn't look quite right.  
Glad I could help push you most of the way in the right direction.