Site to Site VPN between a Cisco 2801 and PIX515E

Posted on 2006-07-20
Last Modified: 2007-12-19
Hi -

I am trying to establish a site-to-site VPN tunnel between a 2801 router and a PIX. For some reason the packets are not encrypted from the router side, and it seems that they are going through the Internet instead of through the tunnel.
Here's the router configuration. The local network on the router side is 172.16.97.192/26; the remote network (PIX side) is 192.168.214.0/26.
Any help is really appreciated.
Thanks
M


BOSOIPVPN01#sh conf
Using 4951 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BOSOIPVPN01
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 $1$9O7F$uOTugrG6bidTO6wcLfg/p0
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
ip domain name yourdomain.com
!
!
!
crypto pki trustpoint TP-self-signed-2029473065
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2029473065
 revocation-check none
 rsakeypair TP-self-signed-2029473065
!
!
crypto pki certificate chain TP-self-signed-2029473065
 certificate self-signed 01 nvram:IOS-Self-Sig#3501.cer
username matsco privilege 15 secret 5 $1$1ovG$MW5PmI7KNb/LT0WIA71Hk.
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key <my key> address <Remote PIX outside IP>
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to <Remote PIX outside IP> (London)
 set peer <Remote PIX outside IP>
 set transform-set ESP-3DES-SHA1
 match address 100
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 38.113.25.66 255.255.255.0
 ip access-group 104 in
 speed 100
 full-duplex
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 description VPN DMZ Address$ETH-LAN$
 ip address 192.168.212.5 255.255.255.0
 ip access-group 101 in
 speed 100
 full-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 38.113.25.1
ip route 172.16.97.192 255.255.255.192 192.168.212.1
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 10.10.10.2
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.16.97.192 0.0.0.63 192.168.214.0 0.0.0.63
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ahp host <Remote PIX outside IP> host 192.168.212.5
access-list 101 permit esp host <Remote PIX outside IP> host 192.168.212.5
access-list 101 permit udp host <Remote PIX outside IP> host 192.168.212.5 eq isakmp
access-list 101 permit udp host <Remote PIX outside IP> host 192.168.212.5 eq non500-isakmp
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.214.0 0.0.0.63 172.16.97.192 0.0.0.63
access-list 101 permit tcp 83.146.48.80 0.0.0.15 host 192.168.212.5 eq telnet
access-list 101 permit tcp 172.16.97.192 0.0.0.63 host 192.168.212.5 eq 22
access-list 101 permit tcp 83.146.48.80 0.0.0.15 host 192.168.212.5 eq 22
access-list 101 permit tcp 192.168.214.0 0.0.0.63 host 192.168.212.5 eq 22
access-list 101 deny   tcp any host 192.168.212.5 eq telnet
access-list 101 deny   tcp any host 192.168.212.5 eq 22
access-list 101 deny   tcp any host 192.168.212.5 eq www
access-list 101 deny   tcp any host 192.168.212.5 eq 443
access-list 101 deny   tcp any host 192.168.212.5 eq cmd
access-list 101 deny   udp any host 192.168.212.5 eq snmp
access-list 101 permit ip any any
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 172.16.97.192 0.0.0.63 any
access-list 102 permit ip 83.146.48.80 0.0.0.15 any
access-list 102 permit ip 192.168.214.0 0.0.0.63 any
access-list 102 permit ip host 10.10.10.2 any
access-list 102 permit ip 10.10.10.0 0.0.0.7 any
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip 172.16.97.192 0.0.0.63 any
access-list 103 permit ip 83.146.48.80 0.0.0.15 any
access-list 103 permit ip 192.168.214.0 0.0.0.63 any
access-list 103 permit ip host 10.10.10.2 any
access-list 103 permit ip 10.10.10.0 0.0.0.7 any
access-list 104 remark Auto generated by SDM Management Access feature
access-list 104 remark SDM_ACL Category=1
access-list 104 permit tcp 83.146.48.80 0.0.0.15 host 38.113.25.66 eq telnet
access-list 104 permit tcp 83.146.48.80 0.0.0.15 host 38.113.25.66 eq 22
access-list 104 permit tcp 83.146.48.80 0.0.0.15 host 38.113.25.66 eq 443
access-list 104 permit tcp 83.146.48.80 0.0.0.15 host 38.113.25.66 eq cmd
access-list 104 deny   tcp any host 38.113.25.66 eq telnet
access-list 104 deny   tcp any host 38.113.25.66 eq 22
access-list 104 deny   tcp any host 38.113.25.66 eq www
access-list 104 deny   tcp any host 38.113.25.66 eq 443
access-list 104 deny   tcp any host 38.113.25.66 eq cmd
access-list 104 deny   udp any host 38.113.25.66 eq snmp
access-list 104 permit ip any any
!
!
control-plane
!
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class 102 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 103 in
 privilege level 15
 login local
 transport input telnet ssh
!
end

BOSOIPVPN01#
Question by: Matsco

2 Comments

Author Comment by: Matsco
I found the problem: a route was missing in the inside network.

ip route 192.168.214.0 255.255.255.192 192.168.212.5
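To show why the crypto map never saw the traffic until that inside route existed, here is an added Python model (not Cisco code and not from the original post) of the forwarding decision on the inside router followed by the crypto-ACL check on BOSOIPVPN01's outside interface, using access-list 100 and the static routes from the posted config. It assumes the inside router is 192.168.212.1 with its own default route toward a constructed placeholder next hop, INSIDE_GW.

```python
import ipaddress

# Added model, not Cisco code: the inside router (192.168.212.1, assumed) forwards
# LAN traffic, and BOSOIPVPN01 (192.168.212.5) only encrypts what it receives and
# then routes out FastEthernet0/0, the interface carrying crypto map SDM_CMAP_1.

def wildcard_match(addr, network, wildcard):
    """Cisco ACL semantics: bits set in the wildcard mask are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

# access-list 100 permit ip 172.16.97.192 0.0.0.63 192.168.214.0 0.0.0.63
CRYPTO_ACL = [("172.16.97.192", "0.0.0.63", "192.168.214.0", "0.0.0.63")]

def is_interesting(src, dst):
    """True when (src, dst) is selected by the crypto map's match address 100."""
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in CRYPTO_ACL)

def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) static routes; None if no route."""
    ip = ipaddress.IPv4Address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.IPv4Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

# BOSOIPVPN01's static routes, from the posted config
VPN_ROUTER = [("0.0.0.0/0", "38.113.25.1"), ("172.16.97.192/26", "192.168.212.1")]
# Inside router before/after the fix; INSIDE_GW is a constructed placeholder for its
# own Internet path, which is where the remote subnet went before the route existed
INSIDE_BEFORE = [("0.0.0.0/0", "INSIDE_GW")]
INSIDE_AFTER = INSIDE_BEFORE + [("192.168.214.0/26", "192.168.212.5")]

def path_for(src, dst, inside_routes):
    """Where a LAN packet ends up: 'encrypted' or 'cleartext-internet'."""
    if lookup(inside_routes, dst) != "192.168.212.5":
        return "cleartext-internet"      # never handed to the VPN router at all
    # On BOSOIPVPN01 the default route sends it out FastEthernet0/0, and only
    # there does the crypto map test the packet against access-list 100.
    if lookup(VPN_ROUTER, dst) == "38.113.25.1" and is_interesting(src, dst):
        return "encrypted"
    return "cleartext-internet"
```

On the router itself, `show crypto ipsec sa` should show the encaps/encrypt counters incrementing once the inside route is in place; a zero counter alongside an established ISAKMP SA points at routing rather than at the crypto configuration.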
Accepted Solution by: EE_AutoDeleter
Matsco,
Because you have presented a solution to your own problem which may be helpful to future searches, this question is now PAQed and your points have been refunded.

EE_AutoDeleter