• Status: Solved
  • Priority: Medium
  • Security: Public

Pix 506 to Pix 501 VPN

Cisco's documentation is too generic; I can't seem to get anything to work.

What I am trying to do is connect a small branch office (192.168.2.0/24) to its main office network (192.168.1.0/24) using the public Internet and IPsec via the PIX firewalls. The main location is in St. Louis; the branch is in Kansas City. I have successfully done this before, but for some reason the notes I took were not correct, because I can't duplicate it. Can someone please assist me? Thank you. Let's call the public IP at KC 2.2.2.2 and the IP at St. Louis 1.1.1.1. The PDM VPN Wizard doesn't do me any good either. Sorry to sound like a whiner :)

Both firewalls are 3DES enabled. I removed all access-list, crypto map and route entries. The only route is the default gateway. The configs are clean; I just need to know what to add to get a VPN going. THANKS AGAIN. I will open a new question for another 500 points if this is too much work for only 500.
Asked by: it2gostl
1 Solution
 
Cyclops3590 commented:
Okay, I'm not sure whether 192.168.2.0/24 belongs to KC or St. Louis, so I'm assuming this:
KC: 192.168.2.0/24
St. Louis: 192.168.1.0/24

The below should work; I don't believe I missed anything.

KC PIX
sysopt connection permit-ipsec
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list intersitevpn permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
isakmp enable outside
isakmp policy 10 authentication pre-share     <-- ISAKMP attributes go under a numbered policy (priority 10)
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5     <-- Am assuming you are using md5, you can also use sha
isakmp policy 10 group 2
isakmp key <your key here> address 1.1.1.1 netmask 255.255.255.255
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto map outsidemap 10 ipsec-isakmp     <-- map entry 10 uses IKE to negotiate the SAs
crypto map outsidemap 10 set transform-set esp-3des-md5
crypto map outsidemap 10 set peer 1.1.1.1
crypto map outsidemap 10 match address intersitevpn
crypto map outsidemap interface outside

St. Louis PIX
sysopt connection permit-ipsec
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list intersitevpn permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
isakmp enable outside
isakmp policy 10 authentication pre-share     <-- same numbered policy on this side
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5     <-- Am assuming you are using md5, you can also use sha
isakmp policy 10 group 2
isakmp key <your key here> address 2.2.2.2 netmask 255.255.255.255
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto map outsidemap 10 ipsec-isakmp
crypto map outsidemap 10 set transform-set esp-3des-md5
crypto map outsidemap 10 set peer 2.2.2.2
crypto map outsidemap 10 match address intersitevpn
crypto map outsidemap interface outside
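The two configs in the answer above are mirror images of each other: the crypto and nonat ACLs have source and destination swapped, the peer and pre-shared key address point at the other side's outside IP, and the ISAKMP policy, transform set and key are identical on both ends. As an added example (not code from the thread, and not a PIX, just Python that writes PIX 6.x syntax), the script below renders that pair from a site table, placing the ISAKMP attributes under a numbered policy (the form the thread ends up needing), and then cross-checks two configs for the usual mistakes: an ACL pasted without reversing it, keys or policies that differ, and ISAKMP attributes entered without a policy number. The 1.1.1.1/2.2.2.2 addresses are the thread's placeholders; the site names, key string and helper names are constructed for this example.

```python
"""Render and cross-check both halves of a PIX 6.x site-to-site IPsec VPN.

Added example, not code from the thread. Site names, addresses and the
key are constructed sample values; the rendered syntax is PIX 6.x.
"""
import re
from dataclasses import dataclass

# Keywords that may follow "isakmp " directly on PIX 6.x. Anything else
# (e.g. "isakmp authen pre-share") is the mistake the thread hit: the
# attribute must live under "isakmp policy <priority>".
ISAKMP_GLOBAL = {"enable", "policy", "key", "identity", "nat-traversal", "keepalive"}


@dataclass(frozen=True)
class Site:
    name: str
    peer_ip: str   # public address on this PIX's outside interface
    lan: str       # protected network behind it
    mask: str


def render_pix_vpn(local: Site, remote: Site, psk: str, hash_alg: str = "sha") -> str:
    """PIX 6.x config lines for `local`, peering with `remote`."""
    ts = f"esp-3des-{hash_alg}"
    return "\n".join([
        "sysopt connection permit-ipsec",
        f"access-list nonat permit ip {local.lan} {local.mask} {remote.lan} {remote.mask}",
        f"access-list intersitevpn permit ip {local.lan} {local.mask} {remote.lan} {remote.mask}",
        "nat (inside) 0 access-list nonat",
        "isakmp enable outside",
        "isakmp policy 10 authentication pre-share",
        "isakmp policy 10 encryption 3des",
        f"isakmp policy 10 hash {hash_alg}",
        "isakmp policy 10 group 2",
        f"isakmp key {psk} address {remote.peer_ip} netmask 255.255.255.255",
        f"crypto ipsec transform-set {ts} esp-3des esp-{hash_alg}-hmac",
        "crypto map outsidemap 10 ipsec-isakmp",
        "crypto map outsidemap 10 match address intersitevpn",
        f"crypto map outsidemap 10 set peer {remote.peer_ip}",
        f"crypto map outsidemap 10 set transform-set {ts}",
        "crypto map outsidemap interface outside",
    ]) + "\n"


ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
PEER_RE = re.compile(r"^crypto map \S+ \d+ set peer (\S+)$", re.M)
KEY_RE = re.compile(r"^isakmp key (\S+) address (\S+)", re.M)
POLICY_RE = re.compile(r"^isakmp policy (\d+) (\S+) (\S+)$", re.M)
TS_RE = re.compile(r"^crypto ipsec transform-set \S+ (.+)$", re.M)
ISAKMP_RE = re.compile(r"^isakmp (\S+)", re.M)


def parse(cfg: str) -> dict:
    """Pull the VPN-relevant pieces out of one side's config text."""
    acls: dict = {}
    for name, s, sm, d, dm in ACL_RE.findall(cfg):
        acls.setdefault(name, set()).add(((s, sm), (d, dm)))
    policies: dict = {}
    for prio, attr, val in POLICY_RE.findall(cfg):
        policies.setdefault(prio, {})[attr] = val
    return {
        "acls": acls,
        "peers": set(PEER_RE.findall(cfg)),
        "keys": {addr: key for key, addr in KEY_RE.findall(cfg)},
        "policies": policies,
        "transforms": set(TS_RE.findall(cfg)),
        "bad_isakmp": [w for w in ISAKMP_RE.findall(cfg) if w not in ISAKMP_GLOBAL],
    }


def check_mirror(cfg_a: str, cfg_b: str) -> list:
    """Return a list of problems; an empty list means the two sides agree."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    for side, p in (("A", a), ("B", b)):
        for w in p["bad_isakmp"]:
            problems.append(f"{side}: 'isakmp {w}' must be under a numbered isakmp policy")
        # every peer named in the crypto map needs a pre-shared key for that address
        for peer in p["peers"] - set(p["keys"]):
            problems.append(f"{side}: no isakmp key for peer {peer}")
    for name in ("intersitevpn", "nonat"):
        # side A's (src, dst) pairs must equal side B's (dst, src) pairs
        mirrored = {(d, s) for s, d in b["acls"].get(name, set())}
        if a["acls"].get(name, set()) != mirrored:
            problems.append(f"access-list {name} is not a mirror image across sides")
    if set(a["keys"].values()) != set(b["keys"].values()):
        problems.append("pre-shared keys differ")
    if a["policies"] != b["policies"]:
        problems.append("isakmp policies differ")
    if a["transforms"] != b["transforms"]:
        problems.append("transform-sets differ")
    return problems


STL = Site("St. Louis", "1.1.1.1", "192.168.1.0", "255.255.255.0")
KC = Site("Kansas City", "2.2.2.2", "192.168.2.0", "255.255.255.0")
PSK = "constructed-sample-key"   # placeholder, not a real secret

if __name__ == "__main__":
    stl_cfg = render_pix_vpn(STL, KC, PSK)
    kc_cfg = render_pix_vpn(KC, STL, PSK)
    print("St. Louis PIX\n" + stl_cfg)
    print("KC PIX\n" + kc_cfg)
    print("problems:", check_mirror(stl_cfg, kc_cfg))
```

Feeding the same rendered config to both arguments of check_mirror reproduces the copy-and-paste failure (ACLs not reversed), and swapping the hash on one side only shows up as both a policy and a transform-set mismatch, which is what the two peers would disagree about during IKE phase 1 and phase 2 respectively.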
 
IPKON_Networks commented:
What do you have on the outside of the PIXes (i.e. a DSL router) for this connection to the public Internet? Is it set up as VPN passthrough to allow your PIX outside ports to be viewable at each end?

On your DSL routers (or other CE routers, if that is what you have), can you plug in a computer/sniffer to see what traffic is coming out of the PIX? It sounds as if traffic is not actually making it out of one PIX to talk to the other.

If you have gone through the PDM wizard, assuming you have an active network, you should have a connected pair of firewalls. (Again, taking your word that you have open ACLs and default gateways.)

Can you post the PIX config at either end here please?

Thanks
Barny
 
it2gostl (author) commented:
Thanks both of you for the fast posts. Cyclops, this is exactly what I am looking for; I will add it to the config and post the results. Should take me about 1 hour.

STL is behind a Netopia T1 router, with all traffic passed through on their 5 IPs.

KC is behind a Linksys BEFSR41 and using a local wireless Internet provider. They have a /29 address. Stand by for updates.
 
it2gostl (author) commented:
Forgot to ask, what's better, SHA or MD5?
 
Cyclops3590 commented:
SHA has a higher bit count than MD5 and is thus more secure, but of course it takes more CPU cycles to compute.
 
IPKON_Networks commented:
SHA is my preference for the extra security

Barny
 
it2gostl (author) commented:
Cyclops: It worked FLAWLESSLY. The only issue was that you need "priority 10" in the isakmp statements. I put these in and it works like a champ. Thanks for your help. I am giving Barny 50 points for getting involved. Thanks!!
 
IPKON_Networks commented:
Thanks but I asked more questions than answered !!! ;-)
 
Cyclops3590 commented:
I knew it didn't look quite right.
Glad I could help push you most of the way in the right direction.
