Solved

VPN tunnel between CISCO 837 & CISCO PIX 501

Posted on 2006-04-14
861 Views
Last Modified: 2008-01-09
At work we have a Cisco PIX 501 firewall which has VPN set up.  I've bought a Cisco 837 modem/router at home and would like to connect to the server at work to create a VPN tunnel.  When I use the VPN client on XP it just connects without any problem.

For some reason an old copy of the Netscape Navigator web browser doesn't work anymore and so I need to configure my 837 via the CLI.  Can anyone help with the correct sequence of commands to get this set up?
Question by:y2k_rinser
15 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16463000
I assume you don't have a static ip at your home connection. So checkout the document which has the scenario and commands as well to make this work;

http://www.cisco.com/en/US/customer/tech/tk583/tk372/technologies_configuration_example09186a0080094a87.shtml

Cheers,
Rajesh
 
LVL 1

Author Comment

by:y2k_rinser
ID: 16464895
I do have a static IP at home and the link above is asking for a username and password to access the content:-(
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16464986
Oh you don't have a CCO account, then try this link;

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094a87.shtml

It is the same link except that it won't ask for a userid/password.

Cheers,
Rajesh
 
LVL 1

Author Comment

by:y2k_rinser
ID: 16465220
Thanks Rajesh, but how do I activate the connections.  I've followed the instructions (changing IPs as required) but when I do "show crypto engine connections active" the output is blank as below.

  ID Interface       IP-Address      State  Algorithm           Encrypt  Decrypt

If it helps I've included my "show version" & "show running".

Cisco Internetwork Operating System Software
IOS (tm) C837 Software (C837-K9O3SY6-M), Version 12.3(2)XC2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.3(1.6)T
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Thu 04-Mar-04 01:03 by ealyon
Image text-base: 0x800131E8, data-base: 0x80CCB8C0

ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
ROM: C837 Software (C837-K9O3SY6-M), Version 12.3(2)XC2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

uptime is 43 minutes
System returned to ROM by power-on
System image file is "flash:c837-k9o3sy6-mz.123-2.XC2.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
         
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

CISCO C837 (MPC857DSL) processor (revision 0x500) with 44237K/4915K bytes of memory.
Processor board ID AMB08310B15 (1991376029), with hardware revision 0000
CPU rev number 7
Bridging software.
1 Ethernet/IEEE 802.3 interface(s)
4 FastEthernet/IEEE 802.3 interface(s)
1 ATM network interface(s)
128K bytes of non-volatile configuration memory.
12288K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

Configuration register is 0x2102                                          

============================
Current configuration : 3751 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname HOSTNAME
!
no logging buffered
no logging console
enable secret 5 $1$fulV$j3iEGdn05676YzAd2iuZq1
enable password 7 091E160878334AED5F5B57
!
username USERNAME password 7 PASSWORD
no aaa new-model
ip subnet-zero
ip domain name DOMAIN.COM
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.1 10.10.10.99
ip dhcp excluded-address 10.10.10.151 10.10.10.254
!
ip dhcp pool CLIENT
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 194.74.65.68 194.72.9.38
   lease 0 2
!
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key 0 *************** address A.B.C.D
!
!
crypto ipsec transform-set pix-set esp-des esp-md5-hmac
!
crypto map pix 10 ipsec-isakmp
 set peer A.B.C.D
 set transform-set pix-set
 match address 101
!
!
!
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 ip address negotiated
 ip access-group 111 in
 ip nat outside
 ip inspect myfw out
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname DSL-USERNAME
 ppp chap password 7 DSL-PASSWORD
 ppp pap sent-username DSL-USERNAME password 7 DSL-PASSWORD
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map pix
 hold-queue 224 in
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source route-map nonat interface Dialer1 overload
ip nat inside source static tcp 10.10.10.250 3389 interface Dialer1 3389
ip nat inside source static tcp 10.10.10.250 1723 interface Dialer1 1723
ip nat inside source static tcp 10.10.10.250 47 interface Dialer1 47
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
no ip http secure-server
!
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 110 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
route-map nonat permit 10
 match ip address 110
!
banner login ^C Access is prohibited ^C
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 length 0
 transport input ssh
!
scheduler max-task-time 5000
!
end
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16465475
Have you also configured on the PIX for site-to-site VPN?

If so, try pinging from your network to the corporate network (don't worry whether it makes it through), then on the PIX do 'show crypto isakmp sa' and post it here.

Cheers,
Rajesh
 
LVL 1

Author Comment

by:y2k_rinser
ID: 16465531
The PIX is already setup to accept VPN connections.  I can connect to it using the VPNClient software on win XP.  I would however like to setup a tunnel between my home network & work.


 
LVL 32

Expert Comment

by:rsivanandan
ID: 16465559
Y2k_rinser,

  VPN configuration on the PIX for the VPN client and for site-to-site needs to be configured separately. I mean, you cannot connect your router to the existing configuration.

  Take a look at this documentation, which describes PIX-to-PIX VPN + VPN Client access.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800948b8.shtml

Cheers,
Rajesh
 
LVL 1

Author Comment

by:y2k_rinser
ID: 16465627
Thanks Rajesh, It looks like I can't do what I want.  I need to do some work on the PIX first :-(

 
LVL 32

Expert Comment

by:rsivanandan
ID: 16465645
Yes, Client VPN is something which comes and goes. But when we are talking about site-to-site vpn that is something which always stays up.

Now if you want something like easyvpn, then also take a look at this link;

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080241a0d.shtml#intro

Cheers,
Rajesh
 
LVL 1

Author Comment

by:y2k_rinser
ID: 16465895
Rajesh

I've followed those instructions and seem to have something working.  Not really sure however that the VPN connection is up.  Here's the outputs

=== OUTPUT FROM PIX ===

# show crypto isakmp sa
Total     : 0
Embryonic : 0
        dst               src        state     pending     created
 
# show crypto ipsec sa

interface: outside
    Crypto map tag: VPN, local addr. W.X.Y.Z


=== OUTPUT FROM 837 Router ===

#show crypto isakmp sa
dst             src             state          conn-id slot
W.X.Y.Z    A.B.C.D   AG_INIT_EXCH        13    0
W.X.Y.Z    A.B.C.D   MM_NO_STATE         12    0 (deleted)

#show crypto ipsec sa  

No SAs found
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16466343
That is good. We want the MM_NO_STATE to go away and get the QM_IDLE state, and that happens when the VPN connection is built.

MM_NO_STATE happens for multiple reasons. Now, closely check your configuration and make sure that everything matches (transform-set, access-lists etc). Also your home internal ip addresses are different than the company's right? If not reconfigure.

Keep the ping in an infinite loop. After you have done checking, then we can start debugging and see what is wrong.

On your router, open up 'debug crypto isakmp' or 'debug crypto ipsec' and post it here.

Cheers,
Rajesh
 
LVL 1

Author Comment

by:y2k_rinser
ID: 16467594
Hey Rajesh, I think it's worked.  Here's the outputs

=== ROUTER OUTPUT ===

parkroad#sh crypto isakmp sa
dst             src             state          conn-id slot
W.X.Y.Z    A.B.C.D   QM_IDLE              6    0

---------------------------------------------------
 
parkroad#sh crypto ipsec sa

interface: Dialer1
    Crypto map tag: Dialer1-head-0, local addr. A.B.C.D

   protected vrf:
   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: W.X.Y.Z:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 56, #pkts encrypt: 56, #pkts digest 56
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: A.B.C.D, remote crypto endpt.: W.X.Y.Z
     path mtu 1500, media mtu 1500
     current outbound spi: C6FD9CEB

     inbound esp sas:
      spi: 0x822F700E(2184146958)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 20, flow_id: 1, crypto map: Dialer1-head-0
        sa timing: remaining key lifetime (k/sec): (4489955/27179)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC6FD9CEB(3338509547)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 21, flow_id: 2, crypto map: Dialer1-head-0
        sa timing: remaining key lifetime (k/sec): (4489947/27179)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

         
interface: Virtual-Access2
    Crypto map tag: Dialer1-head-0, local addr. A.B.C.D

   protected vrf:
   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: W.X.Y.Z:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 56, #pkts encrypt: 56, #pkts digest 56
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: A.B.C.D, remote crypto endpt.: W.X.Y.Z
     path mtu 1500, media mtu 1500
     current outbound spi: C6FD9CEB

     inbound esp sas:
      spi: 0x822F700E(2184146958)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 20, flow_id: 1, crypto map: Dialer1-head-0
        sa timing: remaining key lifetime (k/sec): (4489955/27178)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC6FD9CEB(3338509547)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 21, flow_id: 2, crypto map: Dialer1-head-0
        sa timing: remaining key lifetime (k/sec): (4489947/27178)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:
                         
-------------------------------------------------------

parkroad#sh crypto ipsec client ezvpn  
Easy VPN Remote Phase: 2

Tunnel name : helios
Inside interface list: Ethernet0,
Outside interface: Dialer1
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Split Tunnel List: 1
       Address    : 192.168.1.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
parkroad#              

---------------------------------------------------

=== PIX OUTPUT ===

helios# sh crypto isakmp sa
Total     : 2
Embryonic : 0
        dst               src        state     pending     created
    W.X.Y.Z    A.B.C.D    QM_IDLE         0           1
    W.X.Y.Z    A.B.C.D    QM_IDLE         0           1
helios#
helios# sh crypto ipsec sa


interface: outside
    Crypto map tag: parkroad, local addr. W.X.Y.Z

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.1/255.255.255.255/0/0)
   current_peer: A.B.C.D:4500
   dynamic allocated peer ip: 192.168.2.1

     PERMIT, flags={transport_parent,}
    #pkts encaps: 142, #pkts encrypt: 142, #pkts digest 142
    #pkts decaps: 123, #pkts decrypt: 123, #pkts verify 134
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 22

     local crypto endpt.: W.X.Y.Z, remote crypto endpt.: A.B.C.D
     path mtu 1500, ipsec overhead 64, media mtu 1500
     current outbound spi: f3cab3d2

     inbound esp sas:
      spi: 0x910b8ed9(2433453785)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 3, crypto map: parkroad
        sa timing: remaining key lifetime (k/sec): (4607983/27568)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0xf3cab3d2(4090147794)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 4, crypto map: parkroad
        sa timing: remaining key lifetime (k/sec): (4607979/27559)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:
             

     outbound pcp sas:



   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   current_peer: A.B.C.D:500
   dynamic allocated peer ip: 0.0.0.0

     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 56, #pkts decrypt: 56, #pkts verify 67
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 22

     local crypto endpt.: W.X.Y.Z, remote crypto endpt.: A.B.C.D
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 822f700e

     inbound esp sas:
      spi: 0xc6fd9ceb(3338509547)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: parkroad
        sa timing: remaining key lifetime (k/sec): (4607992/27082)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x822f700e(2184146958)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: parkroad
        sa timing: remaining key lifetime (k/sec): (4608000/27082)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:
                             
Thanks

Rinser

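As an added example (not code from the thread or from Cisco), here is a small Python checker that parses the two 'show crypto' outputs exchanged above and classifies the tunnel in the same order Rajesh's troubleshooting steps did: IKE phase 1 state, phase 2 SAs, then the encaps/decaps counters. The sample outputs are constructed from the router output posted in this thread, with its placeholder peer addresses kept.

```python
import re

# Constructed samples modelled on the thread's router output (peer addresses kept as placeholders).
ROUTER_ISAKMP_FAILING = """\
dst             src             state          conn-id slot
W.X.Y.Z    A.B.C.D   AG_INIT_EXCH        13    0
W.X.Y.Z    A.B.C.D   MM_NO_STATE         12    0 (deleted)
"""
ROUTER_ISAKMP_UP = """\
dst             src             state          conn-id slot
W.X.Y.Z    A.B.C.D   QM_IDLE              6    0
"""
ROUTER_IPSEC_UP = """\
   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
    #pkts encaps: 56, #pkts encrypt: 56, #pkts digest 56
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
"""
# SA row: dst, src, STATE, two numeric columns (conn-id/slot on IOS, pending/created on PIX), optional tag.
ISAKMP_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s+(\d+)(.*)$")
IDENT = re.compile(r"^(local|remote)\s+ident .*?: \((.+)\)$")
PKTS = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_isakmp(text):
    """One dict per SA row of 'show crypto isakmp sa'; the column header never matches."""
    sas = []
    for line in text.splitlines():
        if m := ISAKMP_ROW.match(line):
            sas.append({"dst": m.group(1), "src": m.group(2), "state": m.group(3),
                        "deleted": "(deleted)" in m.group(6)})
    return sas

def parse_ipsec(text):
    """One dict per protected flow of 'show crypto ipsec sa' with its encaps/decaps counters."""
    flows, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if m := IDENT.match(s):
            if m.group(1) == "local":      # a new flow starts at its local ident
                cur = {"local": m.group(2)}
                flows.append(cur)
            elif cur is not None:
                cur["remote"] = m.group(2)
        elif (m := PKTS.search(s)) and cur is not None:
            cur[m.group(1)] = int(m.group(2))
    return flows

def diagnose(isakmp_text, ipsec_text):
    """Classify tunnel health in the order the thread checked it: phase 1, phase 2, then traffic."""
    live = [sa for sa in parse_isakmp(isakmp_text) if not sa["deleted"]]
    if not any(sa["state"] == "QM_IDLE" for sa in live):
        return "phase1-down"   # MM_NO_STATE / AG_INIT_EXCH: IKE never completed; recheck policy, key and peer
    flows = parse_ipsec(ipsec_text)
    if not flows:
        return "phase2-no-sa"  # "No SAs found": no traffic has matched the crypto ACL yet
    if any(f.get("encaps", 0) > 0 and f.get("decaps", 0) == 0 for f in flows):
        return "one-way"       # we encrypt but never decrypt: the return path is filtered or not NAT-exempt
    return "ok"
```

The "one-way" result is what the router output above shows (56 packets encapsulated, 0 decapsulated), which is consistent with the later report that pings still fail because of an access list.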
 
LVL 32

Accepted Solution

by:rsivanandan (earned 1000 total points)
ID: 16469088
Yes, the tunnel is up :-) If you can ping from your private ip range (at home) to the private ip range (at office, the ones that are not natted) then there you go. You got the solution :-)

Cheers,
Rajesh
 
LVL 1

Author Comment

by:y2k_rinser
ID: 16471514
Thanks Rajesh for all  the help.  I can't ping but I can see from the syslogs that it's because of my access list.

Cheers

Rinser
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16471547
Perfect. As long as you can communicate, that's all that matters :-)

Glad you got it working. Happy VPNing..

Cheers,
Rajesh