Solved

Help with a Site-to-Site VPN Cisco PIX 506e and 2611

Posted on 2008-06-25
Last Modified: 2012-05-05
I already have a site-to-site VPN working between a PIX 506e and 515 PIX.  Now I need to add another site with a Cisco 2611 router.  So far I am just trying to get the VPN between the 2611 and 506 working with no luck.  I'm fairly sure that my PIX configuration is correct because I have just copied my working config with the information for the router. Any help with my config would be greatly appreciated.

PIX 506
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **** encrypted
passwd **** encrypted
hostname 506
domain-name ***
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name x.x.x.56 PIX506_Outside
name x.x.x.1 Gateway
name 10.1.1.1 PIX506_Inside
name y.y.y.208 OFFICE_IP
name z.z.z.16 triton_router

object-group network og_ip_nat_clients
  network-object 10.0.1.0 255.255.255.0
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.0.100.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.11.1.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.5.1.0 255.255.255.0
access-list splittunnel permit ip 10.1.1.0 255.255.255.0 10.11.1.0 255.255.255.0
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.0.100.0 255.255.255.0
access-list foster_warehouse permit ip 10.1.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list foster_warehouse permit ip 10.1.1.0 255.255.255.0 10.0.100.0 255.255.255.0
access-list triton_warehouse permit ip 10.1.1.0 255.255.255.0 10.5.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside PIX506_Outside 255.255.255.0
ip address inside PIX506_Inside 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ipsec-pool 10.11.1.100-10.11.1.200 mask 255.255.255.0
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 Gateway
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set warehouseset esp-3des esp-md5-hmac
crypto ipsec transform-set vpnclient esp-des esp-md5-hmac
crypto ipsec transform-set tritonset esp-des esp-md5-hmac
crypto dynamic-map dynamicmap 11 set transform-set vpnclient
crypto map warehousemap 10 ipsec-isakmp
crypto map warehousemap 10 match address foster_warehouse
crypto map warehousemap 10 set peer OFFICE_IP
crypto map warehousemap 10 set transform-set warehouseset
crypto map warehousemap 20 ipsec-isakmp
crypto map warehousemap 20 match address triton_warehouse
crypto map warehousemap 20 set peer triton_router
crypto map warehousemap 20 set transform-set tritonset
crypto map warehousemap 99 ipsec-isakmp dynamic dynamicmap
crypto map warehousemap interface outside
isakmp enable outside
isakmp key ******** address OFFICE_IP netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address triton_router netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.9.0.9 255.255.255.255 inside
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.100-10.1.1.200 inside
dhcpd dns SWMS_Inside 10.0.1.89
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain ***.com
dhcpd auto_config outside
dhcpd option 150 ip 10.0.100.1
dhcpd enable inside
terminal width 80
banner exec Enter your password carefully
banner login Enter your password to login
banner motd Think on These Things


2611 ROUTER

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Sycomp_Triton
!
boot-start-marker
boot-end-marker
!
enable secret 5 *****
enable password *****
!
no aaa new-model
ip subnet-zero
ip cef
!
!
ip domain name ***
ip dhcp excluded-address 10.5.1.1 10.5.1.10
ip dhcp excluded-address 10.5.1.250 10.5.1.254
ip dhcp excluded-address 10.5.1.111
!
ip dhcp pool clients
   network 10.5.1.0 255.255.255.0
   default-router 10.5.1.1
   domain-name ***
   dns-server ***
   netbios-name-server ***
   netbios-node-type h-node
   option 42 ip ***
!
ip inspect name ethernetin cuseeme timeout 3600
ip inspect name ethernetin ftp timeout 3600
ip inspect name ethernetin h323 timeout 3600
ip inspect name ethernetin http timeout 3600
ip inspect name ethernetin rcmd timeout 3600
ip inspect name ethernetin realaudio timeout 3600
ip inspect name ethernetin smtp timeout 3600
ip inspect name ethernetin sqlnet timeout 3600
ip inspect name ethernetin streamworks timeout 3600
ip inspect name ethernetin tcp timeout 3600
ip inspect name ethernetin tftp timeout 30
ip inspect name ethernetin udp timeout 15
ip inspect name ethernetin vdolive timeout 3600
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username xx privilege 15 secret 5 $1xx
username xx privilege 15 secret 5 $1xx
username xx privilege 15 secret 5 $1xx
!
!
ip ssh time-out 60
ip ssh authentication-retries 5
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key xxx address (pix_IP)
!
!
crypto ipsec transform-set fosterset esp-des esp-md5-hmac
 mode transport
!
crypto map tritonmap 10 ipsec-isakmp
 set peer (PIX_IP)
 set transform-set fosterset
 match address 120
!
!
!
!
interface Ethernet0/0
 description Internal Network
 ip address 10.5.1.1 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip inspect ethernetin in
 half-duplex
!
interface Serial0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 description Outside Network to Sonic.net
 ip address *.*.*.* 255.255.255.0
 ip access-group 112 in
 ip nat outside
 no ip route-cache cef
 no ip route-cache
 half-duplex
 crypto map tritonmap
!
interface Serial0/1
 no ip address
 shutdown
!
ip nat pool triton-pool x.x.x.17 x.x.x.17 netmask 255.255.255.0
ip nat inside source list 1 pool triton-pool overload
ip nat inside source route-map nonat pool triton-pool overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.1
!
!
access-list 1 permit 10.5.1.0 0.0.0.255
access-list 101 permit tcp 10.0.0.0 0.255.255.255 any
access-list 101 permit udp 10.0.0.0 0.255.255.255 any
access-list 101 permit icmp 10.0.0.0 0.255.255.255 any
access-list 101 permit udp host 0.0.0.0 any eq bootps
access-list 101 permit udp host 0.0.0.0 any eq bootpc
access-list 101 deny   ip any any log
access-list 112 permit tcp any any eq 22
access-list 112 permit icmp any x.x.x 0.0.0.255 unreachable
access-list 112 permit icmp any x.x.x 0.0.0.255 echo-reply
access-list 112 permit icmp any x.x.x 0.0.0.255 packet-too-big
access-list 112 permit icmp any x.x.x 0.0.0.255 time-exceeded
access-list 112 permit icmp any x.x.x 0.0.0.255 traceroute
access-list 112 permit icmp any x.x.x 0.0.0.255 administratively-prohibited
access-list 112 permit icmp any x.x.x 0.0.0.255 echo
access-list 112 deny   ip any any log
access-list 120 permit ip 10.5.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 deny   ip 10.5.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 permit ip 10.5.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 130
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password ***
 login local
 transport input ssh
line vty 5 15
 password ***
 login
 transport input ssh
!
ntp clock-period 17180094
ntp server 192.5.41.209
!
end
Question by:sycomp

4 Comments
Expert Comment

by:AugustTen
You can't use transport mode (defined under transform-set) and you need to allow IKE and ESP traffic in your inbound ACL. A router is quite different from an ASA in many aspects of firewall and VPN configuration.

Author Comment

by:sycomp
OK, I changed transport mode to tunnel mode. How would I allow IKE and ESP traffic in my inbound ACL?

Expert Comment

by:AugustTen
Add this (above the last line)

access-list 112 permit udp any any eq 500
access-list 112 permit udp any any eq 4500
access-list 112 permit esp any any

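As an added illustration of the ACL advice above (example code, not from the thread): a small first-match evaluator for the IOS extended-ACL syntax used in the router config, run against ACL 112 as posted and again with the three suggested lines inserted above the final deny, to check whether IKE (UDP/500), NAT-T (UDP/4500) and ESP from the PIX peer would reach the router. The peer and outside addresses are constructed placeholders, since the real ones are redacted on the page.

```python
import ipaddress

# Constructed placeholders: the real outside addresses are redacted on the page.
PEER = "198.51.100.56"            # stands in for PIX506_Outside
ROUTER_OUTSIDE = "203.0.113.16"   # stands in for the 2611 Ethernet0/1 address
# ACL 112 as posted (trimmed) and with the expert's three lines above the final deny.
ACL_112_BEFORE = """
access-list 112 permit tcp any any eq 22
access-list 112 permit icmp any 203.0.113.0 0.0.0.255 echo-reply
access-list 112 deny   ip any any log
"""
ACL_112_AFTER = """
access-list 112 permit tcp any any eq 22
access-list 112 permit icmp any 203.0.113.0 0.0.0.255 echo-reply
access-list 112 permit udp any any eq 500
access-list 112 permit udp any any eq 4500
access-list 112 permit esp any any
access-list 112 deny   ip any any log
"""

def _match_addr(tokens, ip):
    """Consume 'any' | 'host A' | 'A WILDCARD' from tokens; True if ip matches."""
    tok = tokens.pop(0)
    if tok == "any":
        return True
    if tok == "host":
        return ip == ipaddress.ip_address(tokens.pop(0))
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))  # set bits are "don't care"
    return (int(ip) | wildcard) == (int(ipaddress.ip_address(tok)) | wildcard)

def acl_permits(acl_text, src, dst, proto, dport=None):
    """First-match IOS extended-ACL evaluation with the implicit deny at the end.
    Only the syntax used on the page is handled: any/host/wildcard, 'eq PORT'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl_text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            continue
        action, aproto, rest = t[2], t[3], t[4:]
        src_ok, dst_ok = _match_addr(rest, src), _match_addr(rest, dst)
        port_ok = not (rest and rest[0] == "eq") or dport == int(rest[1])
        if src_ok and dst_ok and port_ok and aproto in ("ip", proto):  # 'ip' matches all
            return action == "permit"
    return False  # implicit deny

def ipsec_flows_permitted(acl_text):
    """IKE (UDP/500), NAT-T (UDP/4500) and ESP arriving from the PIX peer."""
    return {"ike": acl_permits(acl_text, PEER, ROUTER_OUTSIDE, "udp", 500),
            "nat-t": acl_permits(acl_text, PEER, ROUTER_OUTSIDE, "udp", 4500),
            "esp": acl_permits(acl_text, PEER, ROUTER_OUTSIDE, "esp")}
```

With the posted ACL all three flows hit the final deny, so IKE never even starts; with the three added entries they are permitted while unrelated traffic is still dropped.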

Accepted Solution

by:sycomp
I ended up giving up and not using the 2611 router.