• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 754
  • Last Modified:

Dynamic (ADSL) PIX 501 to Static PIX 515e VPN issues

Hi folks
I am having tough time getting my two pixes to talk to each other via VPN.  Can anyone look at the config below and advice where am I going wrong?  

The PIX 501 is behind an ADSL router which is not firewalling anything and has a dynamic WAN IP address.


PIX Version 7.0(4)
!
hostname myfirwall
domain-name mydomain.com
names
!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.x
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
 shutdown
 no ip address
!
ftp mode passive
access-list vpn_remote extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm errors
mtu outside 1500
mtu inside 1500
ERROR: Command requires failover license
ERROR: Command requires failover license
asdm image flash:/adsm-504.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 x.x.x.x
nat (inside) 0 access-list vpn_remote
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside

crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside

isakmp identity auto
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800

tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group none
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 authorization-dn-attributes use-entire-name

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default

tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group none
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 authorization-dn-attributes use-entire-name
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global






PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100

hostname remote1
domain-name remote1.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_inside permit tcp 192.168.0.0 255.255.255.0 any
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.100.2 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm

arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 101
crypto map newmap 10 set peer x.x.x.x
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
terminal width 80



0
tynamic
Asked:
tynamic
  • 3
  • 3
1 Solution
 
tynamicAuthor Commented:
just to let you know also that debug crypto ipsec /isakmp doesnt return anything at all ! I have however confirmed that nothing is blocking packets from flowing to the Internet from both the firewalls :-)
0
 
lrmooreCommented:
>ip address outside 192.168.100.2 255.255.255.0
Is this your real IP address, or just a placeholder for a real public IP?

You don't have this in your 501:
 nat (inside) 0 access-list 101

0
 
lrmooreCommented:
Use the VPN Wizard on the 515 to create the Lan-2-Lan vpn, but use 0.0.0.0 as the peer
0
The IT Degree for Career Advancement

Earn your B.S. in Network Operations and Security and become a network and IT security expert. This WGU degree program curriculum was designed with tech-savvy, self-motivated students in mind – allowing you to use your technical expertise, to address real-world business problems.

 
tynamicAuthor Commented:
lrmoore: 192.168.100.2 is the IP of the outside interface on the PIX 501 as it is behind an ADSL router which does not get a static IP from the ISP
0
 
lrmooreCommented:
If the outside IP of the PIX is a private IP then the DSL router must be doing NAT on its own. Can you put the dsl router into "bridge" mode and let the PIX get the dynamic public IP address?
Try adding the following command to both pix's
  isakmp nat-traversal

 
0
 
tynamicAuthor Commented:
i erased config and re-did the above config - all is working now...
0

Featured Post

Shaping tomorrow’s technology leaders, today

The leading technology companies all recognize the growing need for gender diversity. Through its Women in IT scholarship program, WGU is working to reverse this trend by empowering more women to earn IT degrees and become tomorrow’s tech-industry leaders.  

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now