blackss asked:
2 PIX 501's SITE to SITE VPN

I am trying to configure 2 PIX 501's from scratch with a basic config + a VPN site to site using IPSEC.

I have used the Cisco article outlined in other posts, but the VPN does not work...

I have the 2 PIXs set up in a lab scenario, with dummy IPs and a patch cable going from Ethernet0 to Ethernet0 on each PIX.

I can ping the public IPs from both PIXs.

Here are the configs. I am familiar with Cisco, but never have had to set up this scenario.

Can anyone see what is wrong?

PIX 1
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

access-list 101 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list acl_in permit icmp any any
access-list acl_out permit icmp any any

pager lines 24
mtu outside 1500
mtu inside 1500

ip address outside 172.0.0.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400

route outside 0.0.0.0 0.0.0.0 172.0.0.2 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

sysopt connection permit-ipsec
crypto ipsec transform-set bec esp-3des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 172.0.0.2
crypto map transam 1 set transform-set bec
crypto map transam interface outside

isakmp enable outside
isakmp key ******** address 209.165.201.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000

telnet timeout 5
management-access inside
console timeout 0
terminal width 80

PIX 2
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

access-list 101 permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list acl_in permit icmp any any
access-list acl_out permit icmp any any

pager lines 24
mtu outside 1500
mtu inside 1500

ip address outside 172.0.0.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0

ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400

route outside 0.0.0.0 0.0.0.0 172.0.0.1 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

sysopt connection permit-ipsec
crypto ipsec transform-set eleuthera esp-des esp-md5-hmac
crypto map bec 1 ipsec-isakmp
crypto map bec 1 match address 101
crypto map bec 1 set peer 172.0.0.1
crypto map bec 1 set transform-set eleuthera
crypto map bec interface outside

isakmp enable outside
isakmp key ******** address 172.0.0.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000

telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:279b4e03124f47c1055da5aa1b9fe4dd
: end
InteraX:

Hi blackss,
> isakmp key ******** address 209.165.201.1 netmask 255.255.255.255

That line in PIX 1 config has the wrong peer address set.

Also, there doesn't appear to be any no-nat statements.

nat (inside) 0 access-list <access-list ID>

I have a brief document that outlines the steps required for setting up an L2L VPN on PIX 6.3. I'll post it in a moment.


Good Luck,

Chris
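As an added illustration (my own Python, not code from the thread or from Cisco): a small consistency check that pulls the VPN-relevant lines out of two PIX 6.3 configs and reports, for each direction, the problems Chris points at (ISAKMP key bound to the wrong peer address, no nat 0 exemption) plus the transform-set difference visible in the two posted configs (esp-3des on PIX 1, esp-des on PIX 2). The sample input is an excerpt of the configs in the question; the access-list name NAT0 used in the test is an assumption.

```python
import re
# Excerpts of the two configs posted in the question (VPN-relevant lines only,
# pre-shared key masked as it is on the page).
PIX1 = """\
ip address outside 172.0.0.1 255.255.255.0
crypto ipsec transform-set bec esp-3des esp-md5-hmac
crypto map transam 1 set peer 172.0.0.2
crypto map transam 1 set transform-set bec
isakmp key ******** address 209.165.201.1 netmask 255.255.255.255
"""
PIX2 = """\
ip address outside 172.0.0.2 255.255.255.0
crypto ipsec transform-set eleuthera esp-des esp-md5-hmac
crypto map bec 1 set peer 172.0.0.1
crypto map bec 1 set transform-set eleuthera
isakmp key ******** address 172.0.0.1 netmask 255.255.255.255
"""
PATTERNS = {  # first capture group is the value kept for each line type
    "outside": r"ip address outside (\S+)",
    "peer": r"crypto map \S+ \d+ set peer (\S+)",
    "key_addr": r"isakmp key \S+ address (\S+)",
    "map_xform": r"crypto map \S+ \d+ set transform-set (\S+)",
    "xform_def": r"crypto ipsec transform-set (\S+ .+)",
    "nat0": r"nat \(inside\) 0 access-list (\S+)",
}

def parse_pix(cfg):
    """Collect the VPN-relevant values of a PIX 6.3 config into sets."""
    info = {k: set() for k in PATTERNS}
    for line in cfg.splitlines():
        for key, pat in PATTERNS.items():
            if m := re.match(pat, line.strip()):
                info[key].add(m.group(1))
    # transform-set name -> the ESP algorithms it names (order is irrelevant)
    info["xforms"] = {d.split()[0]: frozenset(d.split()[1:]) for d in info["xform_def"]}
    return info

def check_pair(local, remote):
    """Return what stops `local` from building a tunnel to `remote`."""
    findings = []
    peer = next(iter(remote["outside"]), None)
    if local["peer"] != {peer}:
        findings.append(f"crypto map peer {sorted(local['peer'])} is not remote outside {peer}")
    if peer not in local["key_addr"]:
        findings.append(f"isakmp key is bound to {sorted(local['key_addr'])}, not to peer {peer}")
    mine = {local["xforms"][n] for n in local["map_xform"] if n in local["xforms"]}
    theirs = {remote["xforms"][n] for n in remote["map_xform"] if n in remote["xforms"]}
    if mine.isdisjoint(theirs):
        findings.append("no ESP transform-set in common, so phase 2 cannot agree")
    if not local["nat0"]:
        findings.append("no 'nat (inside) 0 access-list' exempting VPN traffic from NAT")
    return findings
```

Run `check_pair` in both directions; a pair of configs that should work returns an empty list from each side.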
blackss (asker):

Great, thanks....

I had noticed that and changed the 209.x address... this was the config before I changed it up. Good eye though.

I'll wait for your document.
blackss (asker):

The pre-shared key can be any standard word or numbers, right?
ASKER CERTIFIED SOLUTION
InteraX:
blackss,

Hopefully, if you follow that, you should get a working L2L VPN. You need to send traffic (e.g. ping) over the VPN for the tunnel to come up. You can also change all the encryption/hashing algorithms and DH groups on each end, as long as they match.

Good luck.
blackss (asker):

Thanks InteraX,
I am going to go through this from scratch again today and post back if it works.

I appreciate your quick response.
blackss (asker):

OK, I tried your suggestion. It seems I am getting further, but something is still not working right...
Here is the config on PIX 1 now, PIX 2 is identical.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname CliftonPier
domain-name bahamaselectricity.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list NAT0_Inside permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list NAT0_Inside permit ip 10.0.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list VPN permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list VPN permit ip 10.0.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list acl_in permit icmp any any
access-list acl_out permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 172.0.0.1 255.255.0.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.2 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list NAT0_Inside
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 172.0.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set AES256 esp-aes-256 esp-sha-hmac
crypto map VPN 20 ipsec-isakmp
crypto map VPN 20 match address VPN
crypto map VPN 20 set peer 172.0.0.2
crypto map VPN 20 set transform-set AES256
crypto map VPN interface outside
isakmp enable outside
isakmp key ******** address 172.0.0.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:758e145caa9e007835930e05553cd9e3
: end
Does it work now?

You accepted my answer, but said it wasn't working yet.