Pix 506 to Pix 501 VPN

it2gostl asked (Medium Priority, 391 views, last modified 2013-11-16):
Cisco's documentation is too generic, I can't seem to get anything to work.

What I am trying to do is connect a small branch office 192.168.2.0/24 to its main office network 192.168.1.0/24 using the public internet and IPSEC via the Pix firewalls. Main location in St. Louis, Branch is Kansas City. I have successfully done this before but for some reason the notes I took were not correct because I can't duplicate it. Can someone please assist me? Thank you. Let's call the public IP at KC 2.2.2.2 and the IP at St. Louis 1.1.1.1. The PDM VPN Wizard doesn't do me any good either. Sorry to sound like a whiner :)

Both firewalls are 3DES enabled. I removed all access-list, cryptomap and route entries. The only route is the default gateway. The configs are clean, just need to know what to add to get a vpn going. THANKS AGAIN. I will open a new question for another 500 points if this is too much work for only 500.

Cyclops3590 (Sr Software Engineer, Certified Expert) commented:
Okay, I'm not sure whether 192.168.2.0/24 belongs to KC or St. Louis, so I'm assuming this:
KC: 192.168.2.0/24
St. Louis: 192.168.1.0/24

The below should work; I don't believe I missed anything.

KC PIX
sysopt connection permit-ipsec
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list intersitevpn permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
isakmp enable outside
isakmp key <your key here> address 1.1.1.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5     <-- Am assuming you are using md5, you can also use sha
isakmp policy 10 group 2
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto map outsidemap 10 ipsec-isakmp
crypto map outsidemap 10 set transform-set esp-3des-md5
crypto map outsidemap 10 set peer 1.1.1.1
crypto map outsidemap 10 match address intersitevpn
crypto map outsidemap interface outside

St. Louis PIX
sysopt connection permit-ipsec
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list intersitevpn permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
isakmp enable outside
isakmp key <your key here> address 2.2.2.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5     <-- Am assuming you are using md5, you can also use sha
isakmp policy 10 group 2
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto map outsidemap 10 ipsec-isakmp
crypto map outsidemap 10 set transform-set esp-3des-md5
crypto map outsidemap 10 set peer 2.2.2.2
crypto map outsidemap 10 match address intersitevpn
crypto map outsidemap interface outside
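The two configs above only work because they are exact mirror images: each side's crypto ACL swaps source and destination, each side's peer is the other's outside address, the pre-shared key is the same string keyed to the opposite address, and the ISAKMP policy and IPsec transform set agree. When a tunnel refuses to come up, the mismatch is almost always in one of those places, so it is worth generating both sides from one description and checking them against each other before pasting anything in. The script below is an added example, not code from the thread or from Cisco; it emits the PIX 6.x `isakmp policy <n> ...` form of the phase 1 settings (the fix the asker reports lower in the thread) and then parses two configs and reports the mismatches it finds. The 1.1.1.1 / 2.2.2.2 addresses and the `s3cret` key are the thread's placeholders and a constructed value, respectively.

```python
"""Generate mirrored PIX 6.x LAN-to-LAN IPsec configs and cross-check them (added example)."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Site:
    public_ip: str  # PIX outside interface address
    lan: str        # inside network address
    mask: str       # inside network netmask


def pix_vpn_config(local, remote, psk, hash_alg="sha"):
    """Return one side of the tunnel as a list of PIX 6.x commands.

    The other side is produced by calling this again with local/remote swapped,
    which guarantees the crypto ACL, peer and key statements mirror each other.
    """
    if hash_alg not in ("md5", "sha"):
        raise ValueError("PIX 6.x ISAKMP hash must be md5 or sha")
    transform = f"esp-3des-{hash_alg}"
    return [
        "sysopt connection permit-ipsec",
        f"access-list nonat permit ip {local.lan} {local.mask} {remote.lan} {remote.mask}",
        f"access-list intersitevpn permit ip {local.lan} {local.mask} {remote.lan} {remote.mask}",
        "nat (inside) 0 access-list nonat",
        "isakmp enable outside",
        f"isakmp key {psk} address {remote.public_ip} netmask 255.255.255.255",
        "isakmp policy 10 authentication pre-share",
        "isakmp policy 10 encryption 3des",
        f"isakmp policy 10 hash {hash_alg}",
        "isakmp policy 10 group 2",
        f"crypto ipsec transform-set {transform} esp-3des esp-{hash_alg}-hmac",
        "crypto map outsidemap 10 ipsec-isakmp",
        f"crypto map outsidemap 10 set transform-set {transform}",
        f"crypto map outsidemap 10 set peer {remote.public_ip}",
        "crypto map outsidemap 10 match address intersitevpn",
        "crypto map outsidemap interface outside",
    ]


_ACL = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
_MATCH = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
_PEER = re.compile(r"^crypto map \S+ \d+ set peer (\S+)$")
_KEY = re.compile(r"^isakmp key (\S+) address (\S+)")
_POLICY = re.compile(r"^isakmp policy (\d+) (\w+) (\S+)$")
_TSET = re.compile(r"^crypto ipsec transform-set \S+ (.+)$")
# phase 1 attributes typed without "policy <n>": not valid PIX 6.x syntax
_BARE = re.compile(r"^isakmp (authen\w*|encrypt\w*|hash|group|lifetime)\b")


def parse_side(cfg):
    """Pull the tunnel-relevant facts out of one PIX config."""
    s = {"acl": {}, "match": None, "peer": None, "key": {}, "policy": {}, "tset": set(), "errors": []}
    for line in cfg:
        line = line.split("<--")[0].strip()  # drop pasted-in annotations like the thread's
        if m := _ACL.match(line):
            s["acl"].setdefault(m[1], []).append(m.groups()[1:])  # (src, smask, dst, dmask)
        elif m := _MATCH.match(line):
            s["match"] = m[1]
        elif m := _PEER.match(line):
            s["peer"] = m[1]
        elif m := _KEY.match(line):
            s["key"][m[2]] = m[1]  # key string indexed by the peer address it is bound to
        elif m := _POLICY.match(line):
            s["policy"].setdefault(m[1], {})[m[2]] = m[3]
        elif m := _TSET.match(line):
            s["tset"].add(tuple(sorted(m[1].split())))
        elif _BARE.match(line):
            s["errors"].append(f"'{line}' is not a PIX 6.x command; use 'isakmp policy <n> ...'")
    return s


def check_pair(cfg_a, ip_a, cfg_b, ip_b):
    """Return a list of mismatches between the two sides; empty means they agree."""
    a, b = parse_side(cfg_a), parse_side(cfg_b)
    problems = a["errors"] + b["errors"]
    if a["peer"] != ip_b or b["peer"] != ip_a:
        problems.append(f"peers do not cross-reference: {a['peer']} / {b['peer']}")
    if a["key"].get(ip_b) is None or a["key"].get(ip_b) != b["key"].get(ip_a):
        problems.append("pre-shared keys differ or are bound to the wrong peer address")
    # B's crypto ACL with src/dst swapped must equal A's crypto ACL (the proxy IDs)
    mirror = [(d, dm, s, sm) for (s, sm, d, dm) in b["acl"].get(b["match"], [])]
    if a["acl"].get(a["match"], []) != mirror:
        problems.append("crypto ACLs are not mirror images")
    # the policy number is local priority only; the attribute sets must match
    pa = {frozenset(p.items()) for p in a["policy"].values()}
    pb = {frozenset(p.items()) for p in b["policy"].values()}
    if not pa & pb:
        problems.append("no matching ISAKMP policy on both sides")
    if not a["tset"] & b["tset"]:
        problems.append("no common IPsec transform set")
    return problems


# Constructed sample matching the thread's placeholder addresses.
KC = Site("2.2.2.2", "192.168.2.0", "255.255.255.0")
STL = Site("1.1.1.1", "192.168.1.0", "255.255.255.0")
KC_CFG = pix_vpn_config(KC, STL, "s3cret", "md5")
STL_CFG = pix_vpn_config(STL, KC, "s3cret", "md5")

if __name__ == "__main__":
    print("\n".join(KC_CFG))
    print("mismatches:", check_pair(KC_CFG, KC.public_ip, STL_CFG, STL.public_ip))
```

Feeding it the configs as first posted (with `isakmp hash md5` and friends instead of `isakmp policy 10 ...`) flags the bare lines and reports that no ISAKMP policy matches, which is the symptom the asker hit; generating one side with `sha` and the other with `md5` is reported as both a policy and a transform-set mismatch, since the hash has to agree in both phases.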

Barny commented:
What do you have on the outside of the PIX's (ie DSL router)? This connects to the public Internet. Is it set up as VPN passthrough to allow your PIX outside ports to be viewable at each end?

On your DSL routers (or other CE routers if that is what you have), can you plug in a computer/sniffer to see what traffic is coming out of the PIX? This sounds like traffic is not actually making it out of one PIX to talk to the other?

If you have gone through the PDM wizard, assuming you have an active network, you should have a connected pair of firewalls. (Again, taking your word that you have open ACL's and DF gateways).

Can you post the PIX config at either end here please?

Thanks
Barny

it2gostl (Author) commented:
Thanks both of you for the fast posts. Cyclops, this is exactly what I am looking for, will add to the config and post the results. Should take me about 1 hour.

STL is behind a Netopia T1 router, all traffic passed through on their 5 IP's.

KC is behind a Linksys BEFSR41 and using a local wireless internet. They have a /29 address. Stand by for updates.

it2gostl (Author) commented:
Forgot to ask, what's better, SHA or MD5?
Cyclops3590 (Sr Software Engineer, Certified Expert) commented:
SHA is a higher bit count than MD5, thus more secure, but of course takes more CPU cycles to compute.
SHA is my preference for the extra security.

it2gostl (Author) commented:
Cyclops: It worked FLAWLESSLY. Only issue was you need "priority 10" in the isakmp statements. Put these in and it works like a champ. Thanks for your help. I am giving Barny 50 points for getting involved. Thanks!!

Barny commented:
Thanks, but I asked more questions than answered !!! ;-)
Cyclops3590 (Sr Software Engineer, Certified Expert) commented:
I knew it didn't look quite right.  
Glad I could help push you most of the way in the right direction.