sycomp asked:
Help with a Site-to-Site VPN Cisco PIX 506e and 2611

I already have a site-to-site VPN working between a PIX 506e and 515 PIX.  Now I need to add another site with a Cisco 2611 router.  So far I am just trying to get the VPN between the 2611 and 506 working with no luck.  I'm fairly sure that my PIX configuration is correct because I have just copied my working config with the information for the router. Any help with my config would be greatly appreciated.

PIX 506
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **** encrypted
passwd **** encrypted
hostname 506
domain-name ***
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name x.x.x.56 PIX506_Outside
name x.x.x.1 Gateway
name 10.1.1.1 PIX506_Inside
name y.y.y.208 OFFICE_IP
name z.z.z.16 triton_router

object-group network og_ip_nat_clients
  network-object 10.0.1.0 255.255.255.0
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any              
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.0.100.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.11.1.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.5.1.0 255.255.255.0
access-list splittunnel permit ip 10.1.1.0 255.255.255.0 10.11.1.0 255.255.255.0
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.0.100.0 255.255.255.0
access-list foster_warehouse permit ip 10.1.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list foster_warehouse permit ip 10.1.1.0 255.255.255.0 10.0.100.0 255.255.255.0
access-list triton_warehouse permit ip 10.1.1.0 255.255.255.0 10.5.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside PIX506_Outside 255.255.255.0
ip address inside PIX506_Inside 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ipsec-pool 10.11.1.100-10.11.1.200 mask 255.255.255.0
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 Gateway
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set warehouseset esp-3des esp-md5-hmac
crypto ipsec transform-set vpnclient esp-des esp-md5-hmac
crypto ipsec transform-set tritonset esp-des esp-md5-hmac
crypto dynamic-map dynamicmap 11 set transform-set vpnclient
crypto map warehousemap 10 ipsec-isakmp
crypto map warehousemap 10 match address foster_warehouse
crypto map warehousemap 10 set peer OFFICE_IP
crypto map warehousemap 10 set transform-set warehouseset
crypto map warehousemap 20 ipsec-isakmp
crypto map warehousemap 20 match address triton_warehouse
crypto map warehousemap 20 set peer triton_router
crypto map warehousemap 20 set transform-set tritonset
crypto map warehousemap 99 ipsec-isakmp dynamic dynamicmap        
crypto map warehousemap interface outside
isakmp enable outside
isakmp key ******** address OFFICE_IP netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address triton_router netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.9.0.9 255.255.255.255 inside
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.100-10.1.1.200 inside
dhcpd dns SWMS_Inside 10.0.1.89
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain ***.com
dhcpd auto_config outside
dhcpd option 150 ip 10.0.100.1
dhcpd enable inside
terminal width 80
banner exec Enter your password carefully
banner login Enter your password to login
banner motd Think on These Things


2611 ROUTER

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Sycomp_Triton
!
boot-start-marker
boot-end-marker
!
enable secret 5 *****
enable password *****
!
no aaa new-model
ip subnet-zero
ip cef
!
!
ip domain name ***
ip dhcp excluded-address 10.5.1.1 10.5.1.10
ip dhcp excluded-address 10.5.1.250 10.5.1.254
ip dhcp excluded-address 10.5.1.111
!
ip dhcp pool clients
   network 10.5.1.0 255.255.255.0
   default-router 10.5.1.1
   domain-name ***
   dns-server ***
   netbios-name-server ***
   netbios-node-type h-node
   option 42 ip ***
!
ip inspect name ethernetin cuseeme timeout 3600
ip inspect name ethernetin ftp timeout 3600
ip inspect name ethernetin h323 timeout 3600
ip inspect name ethernetin http timeout 3600
ip inspect name ethernetin rcmd timeout 3600
ip inspect name ethernetin realaudio timeout 3600
ip inspect name ethernetin smtp timeout 3600
ip inspect name ethernetin sqlnet timeout 3600
ip inspect name ethernetin streamworks timeout 3600
ip inspect name ethernetin tcp timeout 3600
ip inspect name ethernetin tftp timeout 30
ip inspect name ethernetin udp timeout 15
ip inspect name ethernetin vdolive timeout 3600
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username xx privilege 15 secret 5 $1xx
username xx privilege 15 secret 5 $1xx
username xx privilege 15 secret 5 $1xx
!
!
ip ssh time-out 60
ip ssh authentication-retries 5
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key xxx address (pix_IP)
!
!
crypto ipsec transform-set fosterset esp-des esp-md5-hmac
 mode transport
!
crypto map tritonmap 10 ipsec-isakmp
 set peer (PIX_IP)
 set transform-set fosterset
 match address 120
!
!
!
!
interface Ethernet0/0
 description Internal Network
 ip address 10.5.1.1 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip inspect ethernetin in
 half-duplex
!
interface Serial0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 description Outside Network to Sonic.net
 ip address *.*.*.* 255.255.255.0
 ip access-group 112 in
 ip nat outside
 no ip route-cache cef
 no ip route-cache
 half-duplex
 crypto map tritonmap
!
interface Serial0/1
 no ip address
 shutdown
!
ip nat pool triton-pool x.x.x.17 x.x.x.17 netmask 255.255.255.0
ip nat inside source list 1 pool triton-pool overload
ip nat inside source route-map nonat pool triton-pool overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.1
!
!
access-list 1 permit 10.5.1.0 0.0.0.255
access-list 101 permit tcp 10.0.0.0 0.255.255.255 any
access-list 101 permit udp 10.0.0.0 0.255.255.255 any
access-list 101 permit icmp 10.0.0.0 0.255.255.255 any
access-list 101 permit udp host 0.0.0.0 any eq bootps
access-list 101 permit udp host 0.0.0.0 any eq bootpc
access-list 101 deny   ip any any log
access-list 112 permit tcp any any eq 22
access-list 112 permit icmp any x.x.x 0.0.0.255 unreachable
access-list 112 permit icmp any x.x.x 0.0.0.255 echo-reply
access-list 112 permit icmp any x.x.x 0.0.0.255 packet-too-big
access-list 112 permit icmp any x.x.x 0.0.0.255 time-exceeded
access-list 112 permit icmp any x.x.x 0.0.0.255 traceroute
access-list 112 permit icmp any x.x.x 0.0.0.255 administratively-prohibited
access-list 112 permit icmp any x.x.x 0.0.0.255 echo
access-list 112 deny   ip any any log
access-list 120 permit ip 10.5.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 deny   ip 10.5.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 permit ip 10.5.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 130
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password ***
 login local
 transport input ssh
line vty 5 15
 password ***
 login
 transport input ssh
!
ntp clock-period 17180094
ntp server 192.5.41.209
!
end
AugustTen:

You can't use transport mode (defined under transform-set) and you need to allow IKE and ESP traffic in your inbound ACL. A router is quite different from an ASA in many aspects of firewall and VPN configuration.
sycomp (asker):
Ok, I changed transport mode to tunnel mode.  How would I allow ike and esp traffic in my inbound ACL?
Add this (above the last line)

access-list 112 permit udp any any eq 500
access-list 112 permit udp any any eq 4500
access-list 112 permit esp any any
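The checks behind the answer above, as an added example that is not part of the original thread: a Python script that cross-checks the PIX and router sides for the things that must agree before the tunnel negotiates (a common IKE phase 1 policy, matching transform-set algorithms and mode, mirror-image crypto ACLs, and IKE/NAT-T/ESP getting past the inbound ACL on the router's crypto interface). The embedded config excerpts are constructed from the two configs posted above, with 192.0.2.56 and 198.51.100.16 standing in for the masked public addresses; the IOS defaults table is what IOS applies to any attribute left unset under `crypto isakmp policy`. Function and variable names are this example's own, not anything from the posts.

```python
"""Cross-check the PIX 6.3 and IOS 12.3 sides of a site-to-site IPsec tunnel.  Added
example for this thread, not the posters' code; peer addresses are RFC 5737 placeholders."""
import ipaddress
import re

# IOS fills in these values for any attribute not set under 'crypto isakmp policy'.
IOS_ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha",
                       "authentication": "rsa-sig", "group": "1"}
# Constructed PIX 6.3 excerpt using the thread's names (only the lines the checks read).
PIX_CFG = """\
access-list triton_warehouse permit ip 10.1.1.0 255.255.255.0 10.5.1.0 255.255.255.0
crypto ipsec transform-set tritonset esp-des esp-md5-hmac
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
"""
# Constructed IOS excerpt as posted: transport mode, and ACL 112 ends by dropping IKE and ESP.
IOS_CFG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto ipsec transform-set fosterset esp-des esp-md5-hmac
 mode transport
access-list 112 permit tcp any any eq 22
access-list 112 deny   ip any any log
access-list 120 permit ip 10.5.1.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

def parse_isakmp_policies(cfg, defaults):
    """Return {priority: {attribute: value}}; handles PIX one-line and IOS sub-mode syntax."""
    policies, current = {}, None
    for line in map(str.rstrip, cfg.splitlines()):
        m = re.match(r"(?:crypto )?isakmp policy (\d+)(?: (\S+) (\S+))?$", line)
        if m:
            current = policies.setdefault(m[1], dict(defaults))
            if m[2]:                                           # PIX: 'isakmp policy 20 hash md5'
                current[m[2]] = m[3]
        elif line.startswith(" ") and current is not None:    # IOS: ' hash md5' under the policy
            current.update([line.split(None, 1)])
        else:
            current = None
    return policies

def parse_transform_sets(cfg):
    """Return {name: (sorted algorithms, mode)}; both platforms default to tunnel mode."""
    sets, current = {}, None
    for line in map(str.rstrip, cfg.splitlines()):
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            current = m[1]
            sets[current] = [tuple(sorted(m[2].split())), "tunnel"]
        elif line.startswith(" mode ") and current is not None:
            sets[current][1] = line.split()[1]
        elif not line.startswith(" "):
            current = None
    return {name: tuple(v) for name, v in sets.items()}

def parse_crypto_acl(cfg, name):
    """Return {(src_net, dst_net)}; ipaddress accepts PIX netmasks and IOS wildcard masks."""
    pat = re.compile(rf"^access-list {re.escape(name)} permit ip (\S+) (\S+) (\S+) (\S+)", re.M)
    return {(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False),
             ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)) for m in pat.finditer(cfg)}

def inbound_acl_passes_vpn(cfg, acl):
    """Which of IKE (udp/500), NAT-T (udp/4500) and ESP the inbound ACL permits from any source."""
    wanted = {"udp/500": r"permit udp any any eq (500|isakmp)$",
              "udp/4500": r"permit udp any any eq (4500|non500-isakmp)$",
              "esp": r"permit (esp|50) any any$"}
    return {p: bool(re.search(rf"^access-list {acl} {rx}", cfg, re.M)) for p, rx in wanted.items()}

def audit(pix_cfg, ios_cfg, pix_acl="triton_warehouse", ios_acl="120",
          ios_inbound_acl="112", pix_set="tritonset", ios_set="fosterset"):
    """Return a list of mismatches between the two peers; empty means they agree."""
    findings = []
    keys = ("authentication", "encryption", "hash", "group")   # lifetime negotiates down; not fatal
    pix_pol = parse_isakmp_policies(pix_cfg, {}).values()      # the PIX policy is fully explicit
    ios_pol = parse_isakmp_policies(ios_cfg, IOS_ISAKMP_DEFAULTS).values()
    if not any(all(p.get(k) == q.get(k) for k in keys) for p in pix_pol for q in ios_pol):
        findings.append("no ISAKMP (IKE phase 1) policy is common to both peers")
    p_alg, p_mode = parse_transform_sets(pix_cfg)[pix_set]
    i_alg, i_mode = parse_transform_sets(ios_cfg)[ios_set]
    if (p_alg, p_mode) != (i_alg, i_mode):
        findings.append(f"transform-set mismatch: PIX {p_alg} {p_mode}, router {i_alg} {i_mode}")
    mirrored = {(dst, src) for src, dst in parse_crypto_acl(ios_cfg, ios_acl)}
    if parse_crypto_acl(pix_cfg, pix_acl) != mirrored:
        findings.append("crypto ACLs are not mirror images of each other")
    for proto, ok in inbound_acl_passes_vpn(ios_cfg, ios_inbound_acl).items():
        if not ok:
            findings.append(f"inbound ACL {ios_inbound_acl} on the crypto interface blocks {proto}")
    return findings

# The fix from the thread: tunnel mode, plus IKE/NAT-T/ESP permitted ahead of the final deny.
IOS_FIXED = IOS_CFG.replace(" mode transport", " mode tunnel").replace(
    "access-list 112 deny",
    "access-list 112 permit udp any any eq 500\n"
    "access-list 112 permit udp any any eq 4500\n"
    "access-list 112 permit esp any any\n"
    "access-list 112 deny")

if __name__ == "__main__":
    print(audit(PIX_CFG, IOS_CFG), audit(PIX_CFG, IOS_FIXED), sep="\n")
```

Run against the excerpt as posted, `audit` reports the transport/tunnel mismatch and the three protocols ACL 112 drops; against `IOS_FIXED` it reports nothing, and the IKE policies already agree because the IOS defaults (DES, group 1) line up with PIX policy 20. Two caveats the script does not cover: on older IOS releases in this era, packets that have just been decrypted are evaluated against the inbound ACL a second time, so if the tunnel comes up but no traffic flows, ACL 112 may also need `permit ip 10.1.1.0 0.0.0.255 10.5.1.0 0.0.0.255`; and DES, MD5 and DH group 1 are matched here only because that is what both peers on this page are configured for; they are weak by current standards and should not be chosen for a new tunnel. The `any any` permits are the simplest form; restricting them to the PIX's address (`host <PIX_IP>`) is tighter, and the script would then need its patterns widened accordingly.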
