Solved

Dynamic (ADSL) PIX 501 to Static PIX 515e VPN issues

Posted on 2006-07-06
6
743 Views
Last Modified: 2013-11-16
Hi folks
I am having tough time getting my two pixes to talk to each other via VPN.  Can anyone look at the config below and advice where am I going wrong?  

The PIX 501 is behind an ADSL router which is not firewalling anything and has a dynamic WAN IP address.


PIX Version 7.0(4)
!
hostname myfirwall
domain-name mydomain.com
names
!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.x
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
 shutdown
 no ip address
!
ftp mode passive
access-list vpn_remote extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm errors
mtu outside 1500
mtu inside 1500
ERROR: Command requires failover license
ERROR: Command requires failover license
asdm image flash:/adsm-504.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 x.x.x.x
nat (inside) 0 access-list vpn_remote
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside

crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside

isakmp identity auto
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800

tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group none
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 authorization-dn-attributes use-entire-name

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default

tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group none
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 authorization-dn-attributes use-entire-name
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global






PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100

hostname remote1
domain-name remote1.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_inside permit tcp 192.168.0.0 255.255.255.0 any
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.100.2 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm

arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 101
crypto map newmap 10 set peer x.x.x.x
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
terminal width 80



0
Comment
Question by:tynamic
  • 3
  • 3
6 Comments
 

Author Comment

by:tynamic
ID: 17048945
just to let you know also that debug crypto ipsec /isakmp doesnt return anything at all ! I have however confirmed that nothing is blocking packets from flowing to the Internet from both the firewalls :-)
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17049710
>ip address outside 192.168.100.2 255.255.255.0
Is this your real IP address, or just a placeholder for a real public IP?

You don't have this in your 501:
 nat (inside) 0 access-list 101

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17049723
Use the VPN Wizard on the 515 to create the Lan-2-Lan vpn, but use 0.0.0.0 as the peer
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 

Author Comment

by:tynamic
ID: 17049828
lrmoore: 192.168.100.2 is the IP of the outside interface on the PIX 501 as it is behind an ADSL router which does not get a static IP from the ISP
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 17049871
If the outside IP of the PIX is a private IP then the DSL router must be doing NAT on its own. Can you put the dsl router into "bridge" mode and let the PIX get the dynamic public IP address?
Try adding the following command to both pix's
  isakmp nat-traversal

 
0
 

Author Comment

by:tynamic
ID: 17079350
i erased config and re-did the above config - all is working now...
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Join & Write a Comment

When I upgraded my ASA 8.2 to 8.3, I realized that my nonat statement was failing!   The log showed the following error:     %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows It was caused by the config upgrade, because t…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now