Pix 515e Site to site VPN

Hi,

Sorry to do this, but just had two Cisco PIX 515e's dropped on my desk, which I have to get set up my end of the week.

I have very limited Cisco experience, and no one to ask!

In basic terms, I have two buildings with a WiMax link running between them. I have put the PIXes in line and run the setup and the site-to-site VPN wizard on both as described on Cisco's TAC website. No joy, can't establish a VPN at all; been through all the configs, can't see anything obvious. Running latest IOS and PDM on both.

This is really cheeky, but could someone post a working basic site-to-site VPN between these two boxes which I could use? I need to enable SIP, HTTP, HTTPS and TFTP across the VPN.

If anyone could help I would be very grateful.

Thanks

Jon
JonBarnard Asked:
lrmoore Commented:
Biggest "gotcha" in setting up a VPN across a bridge, private line, or in a lab setting:
forgot to set the default route . . .
Since this VPN tunnel is simply providing the encryption across a WiMAX bridge (good choice), I'm going to assume that you are assigning private IPs on each one's outside interface.
Just add a static route on each one that points to the other's outside IP.
Example:
Site A
ip address outside 192.168.255.1 255.255.255.0
ip address inside 10.10.100.1 255.255.255.0
ip route 10.10.200.0 255.255.255.0 192.168.255.2

Site B
ip address outside 192.168.255.2 255.255.255.0
ip address inside 10.10.200.0 255.255.255.0
ip route 10.10.100.0 255.255.255.0 192.168.255.1

> Running latest IOS and PDM on both.
Can you be more specific? "show ver" will tell you.
Latest OS for the 515e is 7.21 and does not use PDM, but rather it uses ASDM.
Latest OS that does use PDM is 6.3(5).

Don't know if you've seen this config example, but it is pretty easy to follow:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/sit2site.htm

lrmoore Commented:
Also, if you want to post up your existing configs, put them on http://www.ee-stuff.com and reference this question #.

If you can include output from 'show cry is sa' and 'show cry ip sa' that would be helpful, too.
Keith Alabaster, Enterprise Architect, Commented:
Sorry LR, didn't hit the refresh.
JonBarnard, Author, Commented:
Hi,

Sort of working; however, for some reason only some things seem to be going over the VPN. When I try from Site A to connect to http://172.20.130.3 it tries to go the normal route, not via the VPN, and the PIX blocks it in the ACL rules!

Grateful for any suggestions or ideas!! Also TFTP does the same thing; had to add an ACL to allow it for now!



Config A

: Saved
:
PIX Version 7.2(2)
!
hostname pixlocal
domain-name default.domain.invalid
enable password  encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.19.129.1 255.255.0.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.18.128.2 255.255.0.0
!
passwd  encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_20_cryptomap extended permit ip 172.18.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list outside_cryptomap_1 extended permit tcp 172.18.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list outside_cryptomap_2 extended permit udp 172.18.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list outside_cryptomap_3 extended permit icmp 172.18.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list outside_access_in extended permit udp host 172.19.129.4 host 172.18.128.240
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/pdm
no asdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 172.20.0.0 255.255.0.0 172.19.129.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.18.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 172.19.129.4
crypto map outside_map 1 set transform-set ESP-AES-256-MD5
crypto map outside_map 1 set reverse-route
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 172.19.129.4
crypto map outside_map 2 set transform-set ESP-AES-256-MD5
crypto map outside_map 2 set reverse-route
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set peer 172.19.129.4
crypto map outside_map 3 set transform-set ESP-AES-256-MD5
crypto map outside_map 3 set reverse-route
crypto map outside_map 4 set peer 172.19.129.4
crypto map outside_map 4 set transform-set ESP-AES-256-MD5
crypto map outside_map 4 set reverse-route
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 172.19.129.4
crypto map outside_map 20 set transform-set ESP-AES-256-MD5
crypto map outside_map 20 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 172.19.129.4 type ipsec-l2l
tunnel-group 172.19.129.4 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 172.18.128.3-172.18.129.2 inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
!
service-policy global_policy global
tftp-server inside 172.18.128.240 pixlocal
prompt hostname context
Cryptochecksum:612ee2a03c76d5a8cc7e4ae1104bac90
: end
asdm image flash:/pdm
no asdm history enable

Config B


: Saved
:
PIX Version 7.2(2)
!
hostname pixremote
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.19.129.4 255.255.0.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.20.130.2 255.255.0.0
!
passwd  encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_20_cryptomap extended permit ip 172.20.0.0 255.255.0.0 172.18.0.0 255.255.0.0
access-list outside_cryptomap_1 extended permit tcp 172.20.0.0 255.255.0.0 172.18.0.0 255.255.0.0
access-list outside_cryptomap_2 extended permit udp 172.20.0.0 255.255.0.0 172.18.0.0 255.255.0.0
access-list outside_cryptomap_3 extended permit icmp 172.20.0.0 255.255.0.0 172.18.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
monitor-interface outside
monitor-interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/pdm
no asdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0
route outside 172.18.0.0 255.255.0.0 172.19.129.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.20.0.0 255.255.0.0 inside
http 172.18.128.240 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 172.19.129.1
crypto map outside_map 1 set transform-set ESP-AES-256-MD5
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 172.19.129.1
crypto map outside_map 2 set transform-set ESP-AES-256-MD5
crypto map outside_map 2 set reverse-route
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set peer 172.19.129.1
crypto map outside_map 3 set transform-set ESP-AES-256-MD5
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 172.19.129.1
crypto map outside_map 20 set transform-set ESP-AES-256-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 5
 lifetime 86400
tunnel-group 172.19.129.1 type ipsec-l2l
tunnel-group 172.19.129.1 ipsec-attributes
 pre-shared-key *
telnet 172.20.130.240 255.255.255.255 inside
telnet 172.18.128.240 255.255.255.255 inside
telnet timeout 10
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 172.20.130.3-172.20.131.2 inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
!
service-policy global_policy global
tftp-server inside 172.18.128.240 pixremote
prompt hostname context
: end
asdm image flash:/pdm
no asdm history enable


lrmoore Commented:
Simplify the following, and mirror it on the other end...

Keep this:
>access-list outside_20_cryptomap extended permit ip 172.20.0.0 255.255.0.0 172.18.0.0 255.255.0.0
>crypto map outside_map 20 match address outside_20_cryptomap
>crypto map outside_map 20 set pfs
>crypto map outside_map 20 set peer 172.19.129.1
>crypto map outside_map 20 set transform-set ESP-AES-256-MD5


Now, remove all the other extra crypto map entries:
no crypto map outside_map 1
no crypto map outside_map 2
no crypto map outside_map 3

Re-apply the crypto map to the interface:
crypto map outside_map interface outside

Now, add this:
access-list no_nat permit ip 172.20.0.0 255.255.0.0 172.18.0.0 255.255.0.0
nat (inside) 0 access-list no_nat

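The advice in the two lrmoore comments above (a static route on each side pointing at the other's outside IP, one crypto map entry per peer with a mirrored crypto ACL, and a nat 0 access-list exemption) can be checked mechanically before the tunnel is brought up. The script below is an added example, not code from the thread, from Cisco, or from Experts Exchange; it parses the handful of PIX 7.x statements the checks need from a pair of constructed configs modelled on the ones posted (the addresses are the thread's, the trimmed contents are my construction) and reports which of those gotchas each side still has.

```python
"""Check a pair of PIX 7.x site-to-site configs for the mistakes raised in the
thread: several overlapping crypto map entries to one peer, an entry with no
'match address', a crypto ACL not mirrored on the far side, 'nat (inside) 0'
without an access-list exemption, and no route whose next hop is the peer.
Added example; SITE_A / SITE_B are constructed, trimmed stand-ins for the posted configs."""
import re
from collections import defaultdict

SITE_A = """interface Ethernet0
 nameif outside
 ip address 172.19.129.1 255.255.0.0
access-list outside_20_cryptomap extended permit ip 172.18.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list outside_cryptomap_1 extended permit tcp 172.18.0.0 255.255.0.0 172.20.0.0 255.255.0.0
nat (inside) 0 0.0.0.0 0.0.0.0
route outside 172.20.0.0 255.255.0.0 172.19.129.4 1
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 172.19.129.4
crypto map outside_map 4 set peer 172.19.129.4
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 172.19.129.4
"""
SITE_B = """interface Ethernet0
 nameif outside
 ip address 172.19.129.4 255.255.0.0
access-list outside_20_cryptomap extended permit ip 172.20.0.0 255.255.0.0 172.18.0.0 255.255.0.0
access-list no_nat permit ip 172.20.0.0 255.255.0.0 172.18.0.0 255.255.0.0
nat (inside) 0 access-list no_nat
route outside 172.18.0.0 255.255.0.0 172.19.129.1 1
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 172.19.129.1
"""

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit (\S+) (\S+) (\S+) (\S+) (\S+)$")
CM_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$")
ROUTE_RE = re.compile(r"^route \S+ (\S+) (\S+) (\S+)")


def parse(config):
    """Pull only the statements the checks need out of a PIX 7.x running config."""
    cfg = {"acls": defaultdict(list), "cmaps": defaultdict(dict),
           "nat0_acl": None, "routes": [], "outside_ip": None}
    in_outside = False  # true while inside the interface block whose nameif is 'outside'
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            in_outside = False
        elif line.strip() == "nameif outside":
            in_outside = True
        elif in_outside and line.strip().startswith("ip address "):
            cfg["outside_ip"] = line.split()[2]
        elif m := ACL_RE.match(line):
            name, *entry = m.groups()            # (proto, src, smask, dst, dmask)
            cfg["acls"][name].append(tuple(entry))
        elif m := CM_RE.match(line):
            _map, seq, key, val = m.groups()
            cfg["cmaps"][int(seq)][key] = val
        elif line.startswith("nat (inside) 0 "):
            parts = line.split()                 # 'access-list <name>' form or a subnet/mask
            cfg["nat0_acl"] = parts[4] if parts[3] == "access-list" else None
        elif m := ROUTE_RE.match(line):
            cfg["routes"].append(m.groups())     # (network, mask, next hop)
    return cfg


def crypto_entries(cfg):
    """Set of ACL lines that some crypto map entry matches on (the 'interesting traffic')."""
    return {e for entry in cfg["cmaps"].values()
            for e in cfg["acls"].get(entry.get("match address"), [])}


def check_site(name, local, remote):
    """Findings for one side; the peer's parsed config is needed for the mirror and route checks."""
    findings, by_peer = [], defaultdict(list)
    for seq, entry in sorted(local["cmaps"].items()):
        if "match address" not in entry:
            findings.append(f"{name}: crypto map seq {seq} has no 'match address' (incomplete entry)")
        by_peer[entry.get("set peer")].append(seq)
    for peer, seqs in by_peer.items():
        if len(seqs) > 1:
            findings.append(f"{name}: {len(seqs)} crypto map entries for peer {peer} (seq {seqs}); keep one")
    remote_entries = crypto_entries(remote)
    for proto, src, smask, dst, dmask in sorted(crypto_entries(local)):
        if (proto, dst, dmask, src, smask) not in remote_entries:   # far side must be the exact mirror
            findings.append(f"{name}: crypto ACL line '{proto} {src}/{smask} -> {dst}/{dmask}' is not mirrored on the peer")
    if not local["nat0_acl"]:
        findings.append(f"{name}: 'nat (inside) 0' does not use an access-list exemption for the VPN traffic")
    if not any(gw == remote["outside_ip"] for _net, _mask, gw in local["routes"]):
        findings.append(f"{name}: no route whose next hop is the peer's outside address {remote['outside_ip']}")
    return findings


def check_pair(config_a, config_b):
    """Run the checks in both directions and return every finding, prefixed with the site name."""
    a, b = parse(config_a), parse(config_b)
    return check_site("A", a, b) + check_site("B", b, a)


if __name__ == "__main__":
    for finding in check_pair(SITE_A, SITE_B):
        print(finding)
```

Run against the constructed pair, Site B (already cleaned up the way the comment above suggests) produces no findings, while Site A is flagged for the stray seq 4 entry with no match address, three entries for the same peer, a tcp crypto ACL line that Site B no longer mirrors, and a nat 0 that is not access-list based. The routes on both sides pass because each next hop is the other box's outside address, which is the first gotcha lrmoore mentions.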
JonBarnard, Author, Commented:
Thank you so very much, talk about saving my bacon!! I don't understand, though, why when you run the wizard it does not create the access rules; it's kinda like doing half a job??

Don't think I'll ever understand Cisco kit. Don't get me wrong, it's great kit and works brilliantly once it's up and running, I just always seem to have to fight to get it there!! Ah well, more practice I guess!

Thanks again!

Jon
JonBarnard, Author, Commented:
The only outstanding issue I have now is that everything works (remote login to the far-side PIX, all the SIP clients are working great), but..... the remote PIX at Site B, I have configured so its TFTP server is on Side A, which was working but has now stopped; not sure what changed, can't seem to find it! It looks like it's being blocked by the ACL on Side A; it appears in the log as "No translation route for blah blah". I've added, just for now, an allow-all for incoming UDP from the outside IP address of the remote PIX, but it still throws a fit.

Is this possible? I've been told elsewhere that you can't configure a PIX to pass TFTP traffic through its outside port, which I think sounds a bit strange. Any ideas gratefully received!

lrmoore Commented:
TFTP works fine through the VPN, depending on what you're using it for.
If you're using it for maintaining the PIX itself, then you have to remember what your source IP is as traffic goes out the outside interface.

If you have something like IP Phones on site that go to a TFTP server on the other side, it should work just fine. Mine does.