Pix 506 to Pix 501 VPN

Cisco's documentation is too generic, I can't seem to get anything to work.

What I am trying to do is connect a small branch office 192.168.2.0/24 to its main office network 192.168.1.0/24 using the public internet and IPSEC via the Pix firewalls. Main location is St. Louis, Branch is Kansas City. I have successfully done this before but for some reason the notes I took were not correct because I can't duplicate it. Can someone please assist me? Thank you. Let's call the public IP at KC 2.2.2.2 and the IP at St. Louis 1.1.1.1. The PDM VPN Wizard doesn't do me any good either. Sorry to sound like a whiner :)

Both firewalls are 3DES enabled. I removed all access-list, cryptomap and route entries. The only route is the default gateway. The configs are clean, just need to know what to add to get a vpn going. THANKS AGAIN. I will open a new question for another 500 points if this is too much work for only 500.
it2gostlAsked:
Cyclops3590Commented:
Okay, I'm not sure whether 192.168.2.0/24 belongs to KC or St. Louis so I'm assuming this
KC: 192.168.2.0/24
St. Louis: 192.168.1.0/24

The below should work, I don't believe I missed anything

KC PIX
sysopt connection permit-ipsec
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list intersitevpn permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
isakmp enable outside
isakmp authen pre-share
isakmp encrypt 3des
isakmp hash md5     <-- Am assuming you are using md5, you can also use sha
isakmp group 2
isakmp key <your key here> address 1.1.1.1
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto map outsidemap 10 set transform-set esp-3des-md5
crypto map outsidemap 10 set peer 1.1.1.1
crypto map outsidemap 10 match address intersitevpn
crypto map outsidemap interface outside

St. Louis PIX
sysopt connection permit-ipsec
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list intersitevpn permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
isakmp enable outside
isakmp authen pre-share
isakmp encrypt 3des
isakmp hash md5     <-- Am assuming you are using md5, you can also use sha
isakmp group 2
isakmp key <your key here> address 2.2.2.2
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto map outsidemap 10 set transform-set esp-3des-md5
crypto map outsidemap 10 set peer 2.2.2.2
crypto map outsidemap 10 match address intersitevpn
crypto map outsidemap interface outside
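The two configs above are meant to be exact mirror images of each other, and most failures with a pair like this come from one side not matching the other: swapped ACL addresses, a peer or pre-shared key bound to the wrong address, or phase 1 parameters that differ. As an added example (not part of this thread, and not Cisco's or the poster's code), here is a small Python check that parses both snippets and reports every mismatch. It also flags bare isakmp lines that lack the policy priority the asker later reported as required on the PIX (`isakmp policy 10 ...`). The config text is constructed from the answer above: `PSK-PLACEHOLDER` stands in for the real key, and 1.1.1.1 / 2.2.2.2 are the placeholder public addresses from the question.

```python
import re

# Placeholder public addresses from the question (constructed sample data).
KC_OUTSIDE, STL_OUTSIDE = "2.2.2.2", "1.1.1.1"


def site_config(local_net, remote_net, peer_ip):
    """One side of the posted config, with the 'isakmp policy 10' prefix the
    asker later reported as required on the PIX (PSK value is a placeholder)."""
    return f"""
sysopt connection permit-ipsec
access-list nonat permit ip {local_net} 255.255.255.0 {remote_net} 255.255.255.0
access-list intersitevpn permit ip {local_net} 255.255.255.0 {remote_net} 255.255.255.0
nat (inside) 0 access-list nonat
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp key PSK-PLACEHOLDER address {peer_ip}
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto map outsidemap 10 set transform-set esp-3des-md5
crypto map outsidemap 10 set peer {peer_ip}
crypto map outsidemap 10 match address intersitevpn
crypto map outsidemap interface outside
"""


def as_posted(text):
    """Rewrite the policy lines back to the bare form in the original answer."""
    return (text.replace("isakmp policy 10 authentication", "isakmp authen")
                .replace("isakmp policy 10 encryption", "isakmp encrypt")
                .replace("isakmp policy 10 hash", "isakmp hash")
                .replace("isakmp policy 10 group", "isakmp group"))


ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
POLICY_RE = re.compile(r"^isakmp policy (\d+) (\S+) (\S+)$")
BARE_ISAKMP_RE = re.compile(r"^isakmp (authen\w*|encr\w*|hash|group) ")
KEY_RE = re.compile(r"^isakmp key (\S+) address (\S+)$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (set transform-set|set peer|match address) (\S+)$")


def parse(text):
    """Pull out the handful of lines that decide whether the tunnel can form."""
    cfg = {"acls": {}, "policy": {}, "bare_isakmp": [], "transform_sets": {}, "map": {}}
    for line in text.strip().splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            cfg["acls"].setdefault(name, []).append((src, smask, dst, dmask))
        elif m := POLICY_RE.match(line):
            cfg["policy"][m.group(2)] = m.group(3)       # e.g. hash -> md5
        elif BARE_ISAKMP_RE.match(line):
            cfg["bare_isakmp"].append(line)              # missing 'policy <n>'
        elif m := KEY_RE.match(line):
            cfg["key_peer"] = m.group(2)
        elif m := TS_RE.match(line):
            cfg["transform_sets"][m.group(1)] = tuple(m.group(2).split())
        elif m := MAP_RE.match(line):
            cfg["map"][m.group(3)] = m.group(4)
        elif line == "sysopt connection permit-ipsec":
            cfg["sysopt"] = True
    return cfg


def check_pair(a_text, a_outside, b_text, b_outside):
    """Return a list of problems; an empty list means the pair is consistent."""
    a, b = parse(a_text), parse(b_text)
    problems = []
    for side, cfg in (("A", a), ("B", b)):
        for line in cfg["bare_isakmp"]:
            problems.append(f"{side}: '{line}' lacks a policy priority (expected 'isakmp policy <n> ...')")
        if not cfg.get("sysopt"):
            problems.append(f"{side}: missing 'sysopt connection permit-ipsec'")
        ts = cfg["map"].get("set transform-set")
        if ts not in cfg["transform_sets"]:
            problems.append(f"{side}: crypto map references undefined transform-set {ts}")
        if cfg["map"].get("match address") not in cfg["acls"]:
            problems.append(f"{side}: crypto map 'match address' names an undefined ACL")
    # peer and pre-shared key must point at the other side's outside address
    for side, cfg, other_ip in (("A", a, b_outside), ("B", b, a_outside)):
        if cfg["map"].get("set peer") != other_ip:
            problems.append(f"{side}: set peer {cfg['map'].get('set peer')} != {other_ip}")
        if cfg.get("key_peer") != other_ip:
            problems.append(f"{side}: pre-shared key bound to {cfg.get('key_peer')}, not {other_ip}")
    # phase 1 and phase 2 parameters must agree on both ends
    if a["policy"] != b["policy"]:
        problems.append(f"ISAKMP policy mismatch: {a['policy']} vs {b['policy']}")
    if set(a["transform_sets"].values()) != set(b["transform_sets"].values()):
        problems.append("transform-set algorithms differ")
    # every ACL entry on A must appear on B with source and destination swapped
    for name, entries in a["acls"].items():
        mirrored = {(d, dm, s, sm) for s, sm, d, dm in entries}
        if mirrored != set(b["acls"].get(name, [])):
            problems.append(f"ACL {name} is not a mirror image of the peer's")
    return problems


if __name__ == "__main__":
    kc = site_config("192.168.2.0", "192.168.1.0", STL_OUTSIDE)
    stl = site_config("192.168.1.0", "192.168.2.0", KC_OUTSIDE)
    print("corrected pair:", check_pair(kc, KC_OUTSIDE, stl, STL_OUTSIDE) or "OK")
    for p in check_pair(as_posted(kc), KC_OUTSIDE, as_posted(stl), STL_OUTSIDE):
        print("as posted:", p)
```

The check is deliberately strict about the nonat and crypto ACLs being mirrored, because an asymmetric proxy identity is the classic cause of a phase 2 negotiation that fails on one side only, while the NAT exemption being wrong sends the interesting traffic out translated and never into the tunnel at all.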
 
IPKON_NetworksCommented:
What do you have on the outside of the PIXes (i.e. a DSL router)? This is the connection to the public Internet. Is it set up as VPN passthrough to allow your PIX outside ports to be reachable at each end?

On your DSL routers (or other CE routers if that is what you have), can you plug in a computer/sniffer to see what traffic is coming out of the PIX? This sounds like traffic is not actually making it out of one PIX to talk to the other?

If you have gone through the PDM wizard, assuming you have an active network, you should have a connected pair of firewalls. (Again, taking your word that you have open ACLs and default gateways).

Can you post the PIX config at either end here please?

Thanks
Barny
 
it2gostlAuthor Commented:
Thanks both of you for the fast posts. Cyclops, this is exactly what I am looking for; I will add it to the config and post the results. Should take me about 1 hour.

STL is behind a Netopia T1 router, all traffic passed through on their 5 IPs.

KC is behind a Linksys BEFSR41 and using a local wireless internet. They have a /29 address. Stand by for updates.
it2gostlAuthor Commented:
Forgot to ask, what's better, SHA or MD5?
 
Cyclops3590Commented:
SHA has a higher bit count than MD5, thus more secure, but of course takes more CPU cycles to compute.
 
IPKON_NetworksCommented:
SHA is my preference for the extra security

Barny
 
it2gostlAuthor Commented:
Cyclops: It worked FLAWLESSLY. The only issue was you need "priority 10" in the isakmp statements. Put these in and it works like a champ. Thanks for your help. I am giving Barny 50 points for getting involved. Thanks!!
 
IPKON_NetworksCommented:
Thanks but I asked more questions than answered !!! ;-)
 
Cyclops3590Commented:
I knew it didn't look quite right.
Glad I could help push you most of the way in the right direction.
Question has a verified solution.