Solved

PIX 501 static to dynamic dsl vpn not working

Posted on 2007-07-26
Last Modified: 2008-02-01
Scenario:
Creating VPN between two PIX 501 using latest IOS
Main_site is static IP
Remote_site is dynamic DSL using PPPoE

Initial attempt to test the VPN failed.  Does anyone know if dynamic DSL with PPPoE is supposed to work?

Open to any ideas and suggestions.  Anything obvious missing from the config files?  The outside 172 address is only for purposes of posting to this public site.

***************** main_site config ***********************

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname main_site
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.10.0.0 255.255.0.0 10.51.0.0 255.255.0.0
access-list NoNAT permit ip 10.10.0.0 255.255.0.0 10.51.0.0 255.255.0.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 172.46.39.245 255.255.255.0
ip address inside 10.10.110.60 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list NoNAT
route outside 0.0.0.0 0.0.0.0 172.46.39.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.10.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set shraset1 esp-des esp-md5-hmac
crypto dynamic-map shradynmap 1 set transform-set shraset1
crypto map shramap1 1 ipsec-isakmp dynamic shradynmap
crypto map shramap1 interface outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp keepalive 10
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 43200
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:632a5280b73fce80b96321d7b9eadba4
main_site#

***************** remote_site config ***********************

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname remote_site
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.51.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list NoNAT permit ip 10.51.0.0 255.255.0.0 10.10.0.0 255.255.0.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 10.51.110.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list NoNAT
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.51.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set shraset2 esp-des esp-md5-hmac
crypto map shramap2 1 ipsec-isakmp
crypto map shramap2 1 match address 101
crypto map shramap2 1 set peer 172.46.39.245
crypto map shramap2 1 set transform-set shraset2
crypto map shramap2 interface outside
isakmp enable outside
isakmp key ******** address 172.46.39.245 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 43200
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_sbc request dialout pppoe
vpdn group pppoe_sbc localname blabla@isp.net
vpdn username blabla@isp.net password ********
terminal width 80
Cryptochecksum:41b0d5c0550863b36cb381922abc5c27
remote_site#

Question by: dalva

Expert Comment by: lrmoore (ID: 19585317)

Author Comment by: dalva (ID: 19593351)
Genius,
Thanks for your reply but that's the reference document I used to create the current config posted above.

The reference implies that any dynamic ip will work when it shows the following command:
ip address outside dhcp

My particular situation requires dynamic ip using pppoe
ip address outside pppoe setroute

I don't want to assume it should work and want to hear from anyone who has actually done a pppoe vpn type of connection.

Author Comment by: dalva (ID: 19747767)
After many hours of research and testing this is the working configuration which we had success with.  Hopefully this will be beneficial to others who travel this road.

This VPN was setup between the main site which has a static IP and remote site using dynamic dsl with pppoe login.
Both sites used a PIX 501 with version 6.3.
We chose to allow the remote PIX to be the DHCP server for the remote site since it made for a cleaner setup.  The other option was to use the dhcprelay command, but several sites discussed how it appeared to be buggy.  In addition, if the link is down then the remote site will not be able to function without access to a DHCP server.



******************* Main site *****************

: Written by enable_15 at 10:14:04.314 UTC Mon Aug 20 2007
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname MAIN
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list NoNAT permit ip 10.10.0.0 255.255.0.0 10.51.0.0 255.255.0.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.39.245 255.255.255.0
ip address inside 10.10.110.60 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list NoNAT
route outside 0.0.0.0 0.0.0.0 192.168.39.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.10.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set shraset1 esp-des esp-md5-hmac
crypto dynamic-map dynmap1 1 set transform-set shraset1
crypto map shramap1 20 ipsec-isakmp dynamic dynmap1
crypto map shramap1 interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp keepalive 10
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 43200
telnet 10.10.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80


******************* Remote site *****************

: Written by enable_15 at 14:41:52.359 UTC Mon Aug 20 2007
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname REMOTE
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.51.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list NoNAT permit ip 10.51.0.0 255.255.0.0 10.10.0.0 255.255.0.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 10.51.110.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list NoNAT
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.51.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set shraset2 esp-des esp-md5-hmac
crypto map shramap2 1 ipsec-isakmp
crypto map shramap2 1 match address 101
crypto map shramap2 1 set peer 192.168.39.245
crypto map shramap2 1 set transform-set shraset2
crypto map shramap2 interface outside
isakmp enable outside
isakmp key ******** address 192.168.39.245 netmask 255.255.255.255
isakmp keepalive 10
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 43200
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_sbc request dialout pppoe
vpdn group pppoe_sbc localname blabla@isp.net
vpdn username blabla@isp.net password ********
dhcpd address 10.51.130.100-10.51.130.131 inside
dhcpd dns 10.10.120.55 10.10.120.60
dhcpd wins 10.10.120.100
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain domain.com
dhcpd enable inside
terminal width 80

Accepted Solution by: dalva (ID: 19747805)
Just to clarify.

You would substitute all IP addresses with your IP addresses EXCEPT in the MAIN configuration setting line shown below.  The zeros should stay as shown.

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
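As an added example (not part of the thread or of any Cisco tooling), the following Python lint checks the hub-side prerequisites that the working MAIN config above satisfies and the first main_site config did not: IKE enabled on the outside interface, the wildcard pre-shared key the accepted solution insists on, a dynamic crypto map referenced from a static map that is bound to the interface, and `sysopt connection permit-ipsec`. The two excerpts it runs over are constructed from the posted configs, trimmed to the relevant lines.

```python
"""Lint the hub (static-IP) side of a PIX 6.3 static-to-dynamic IPsec tunnel.
Added example; the checks follow the working MAIN config posted in the thread."""
import re

# Constructed sample: the crypto/isakmp lines of the first, failing main_site config.
FAILING_MAIN = """
sysopt connection permit-ipsec
crypto ipsec transform-set shraset1 esp-des esp-md5-hmac
crypto dynamic-map shradynmap 1 set transform-set shraset1
crypto map shramap1 1 ipsec-isakmp dynamic shradynmap
crypto map shramap1 interface outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 1 authentication pre-share
"""
# Constructed sample: the same lines from the working MAIN config, which also enables IKE.
WORKING_MAIN = FAILING_MAIN.replace("shradynmap", "dynmap1") + "isakmp enable outside\n"

def lint_hub(cfg, outside="outside"):
    """Return a list of findings; an empty list means the hub prerequisites are met."""
    lines = [l.strip() for l in cfg.splitlines() if l.strip()]
    findings = []
    # IKE has to listen on the interface the dynamic peer reaches.
    if f"isakmp enable {outside}" not in lines:
        findings.append(f"isakmp enable {outside} missing")
    # A peer whose address changes can only match a wildcard pre-shared key.
    if not any(re.fullmatch(r"isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0", l) for l in lines):
        findings.append("no wildcard isakmp key (address 0.0.0.0 netmask 0.0.0.0)")
    # Transform sets, dynamic maps, the static maps that reference them, and interface bindings.
    tsets = {m[1] for l in lines if (m := re.match(r"crypto ipsec transform-set (\S+) ", l))}
    dyn = {m[1]: m[2] for l in lines if (m := re.match(r"crypto dynamic-map (\S+) \d+ set transform-set (\S+)", l))}
    refs = {m[1]: m[2] for l in lines if (m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)", l))}
    bound = {m[1] for l in lines if (m := re.match(rf"crypto map (\S+) interface {outside}", l))}
    for dmap, ts in dyn.items():
        if ts not in tsets:
            findings.append(f"dynamic-map {dmap} uses undefined transform-set {ts}")
    if not refs:
        findings.append("no crypto map entry of type 'ipsec-isakmp dynamic'")
    for cmap, dmap in refs.items():
        if dmap not in dyn:
            findings.append(f"crypto map {cmap} references undefined dynamic-map {dmap}")
        if cmap not in bound:
            findings.append(f"crypto map {cmap} is not applied to interface {outside}")
    # Without this, decrypted tunnel traffic is still filtered by the outside interface ACL.
    if "sysopt connection permit-ipsec" not in lines:
        findings.append("sysopt connection permit-ipsec missing")
    return findings

if __name__ == "__main__":
    print("failing:", lint_hub(FAILING_MAIN))   # ['isakmp enable outside missing']
    print("working:", lint_hub(WORKING_MAIN))   # []
```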