abileel

asked on

Site To Site vpn PIX to 1841 Router

I'm trying to set up a VPN between a PIX 515 and an 1841 router; both sites have fixed public IP addresses. There seems to be no tunnel establishing between the sites. Previously there was a tunnel set up to a different network; I edited that configuration to match my new requirement. Can anyone guide me?

A.A.A.A is my public IP on the PIX
B.B.B.B is my public ip on 1841 Router
1841-router-config.txt
pix.TXT
Les Moore

On the PIX, add this:

 isakmp identity address

Also on the PIX...
>crypto map igdxb 20 match address 160
I do not see access-list 160 that should look like this:
access-list 160 permit ip 10.100.0.0 255.255.255.0 192.168.13.0 255.255.255.0

On the 1841, acl 161 needs to be reversed:

>access-list 161 permit ip 192.168.13.0 0.0.0.255 any
>access-list 161 deny   ip 192.168.13.0 0.0.0.255 10.100.0.0 0.0.0.255

Should be deny first, then permit. Order is highly important:

access-list 161 deny   ip 192.168.13.0 0.0.0.255 10.100.0.0 0.0.0.255
access-list 161 permit ip 192.168.13.0 0.0.0.255 any
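The "order is highly important" point above is a first-match rule: a packet is handled by the first line it matches and nothing after that line is consulted. The Python below is an added example, not configuration from the thread or from Cisco; it parses extended ACL lines in both IOS wildcard-mask and PIX netmask notation, evaluates them first-match, and checks that two crypto ACLs are exact mirrors. It assumes (the thread does not say so) that ACL 161 on the 1841 is the NAT list, where "permit" means "translate this packet", and the 1841 crypto ACL it checks against PIX ACL 160 is constructed here, not taken from the page.

```python
"""First-match ACL evaluation and crypto-ACL mirror check (added example).

Assumptions not confirmed by the thread: ACL 161 on the 1841 is the NAT list
(permit = translate), and ROUTER_CRYPTO_160 is a constructed mirror of PIX ACL 160.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _to_network(addr: str, mask: str, wildcard: bool) -> ipaddress.IPv4Network:
    """IOS lines carry wildcard masks (0.0.0.255); PIX lines carry netmasks (255.255.255.0)."""
    bits = int(ipaddress.IPv4Address(mask))
    if wildcard:
        bits ^= 0xFFFFFFFF           # invert wildcard into a netmask
    if bits and (bits | (bits - 1)) != 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask {mask}")
    return ipaddress.IPv4Network((addr, bin(bits).count("1")), strict=False)


def _take_addr(tokens: List[str], i: int, wildcard: bool) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'any', 'host X' or 'ADDR MASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return _to_network(tokens[i], tokens[i + 1], wildcard), i + 2


def parse_acl(lines: Iterable[str], wildcard: bool = True) -> List[AclEntry]:
    """Parse 'access-list N permit|deny ip SRC MASK DST MASK' lines, preserving order."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported line: {line}")
        src, i = _take_addr(t, 4, wildcard)
        dst, _ = _take_addr(t, i, wildcard)
        entries.append(AclEntry(t[2], src, dst))
    return entries


def evaluate(acl: List[AclEntry], src_ip: str, dst_ip: str) -> str:
    """Action of the first matching entry; implicit deny if nothing matches."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in acl:
        if s in e.src and d in e.dst:
            return e.action
    return "deny"


def is_mirror(local: List[AclEntry], remote: List[AclEntry]) -> bool:
    """Crypto ACLs must mirror: each permit on one side appears src/dst-swapped on the other."""
    l = {(e.src, e.dst) for e in local if e.action == "permit"}
    r = {(e.dst, e.src) for e in remote if e.action == "permit"}
    return l == r


# Constructed from the thread's lines: ACL 161 as first posted, and as corrected.
ACL_161_WRONG = [
    "access-list 161 permit ip 192.168.13.0 0.0.0.255 any",
    "access-list 161 deny   ip 192.168.13.0 0.0.0.255 10.100.0.0 0.0.0.255",
]
ACL_161_FIXED = list(reversed(ACL_161_WRONG))

# PIX ACL 160 from the thread; the 1841 side is a constructed mirror (assumption).
PIX_ACL_160 = ["access-list 160 permit ip 10.100.0.0 255.255.255.0 192.168.13.0 255.255.255.0"]
ROUTER_CRYPTO_160 = ["access-list 160 permit ip 192.168.13.0 0.0.0.255 10.100.0.0 0.0.0.255"]


def nat_decision(lines: List[str], src: str = "192.168.13.10", dst: str = "10.100.0.5") -> str:
    """'permit' means the packet is translated and therefore never reaches the crypto map."""
    return evaluate(parse_acl(lines, wildcard=True), src, dst)


if __name__ == "__main__":
    print("wrong order ->", nat_decision(ACL_161_WRONG))                    # permit: VPN traffic NATed
    print("fixed order ->", nat_decision(ACL_161_FIXED))                    # deny: exempt, hits the tunnel
    print("internet bound ->", nat_decision(ACL_161_FIXED, dst="203.0.113.7"))  # permit: still NATed
    print("crypto ACLs mirror:", is_mirror(parse_acl(PIX_ACL_160, wildcard=False),
                                           parse_acl(ROUTER_CRYPTO_160)))
```

With the original order, a packet from 192.168.13.10 to 10.100.0.5 hits the `permit ... any` line first and is translated, so the crypto map never sees the private source address and no interesting traffic triggers the tunnel. With the deny placed first, that packet is exempted while internet-bound traffic still matches the permit. The mirror check is the other thing worth verifying before debugging ISAKMP: a crypto ACL on one side that is not the exact reverse of the other side's is a common reason phase 2 never completes.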
abileel

ASKER

Dear Irmoore

Thanks for your advice. On the PIX I applied isakmp identity address, but access-list 160 is there already; it's further down in the order.
On the 1841, I appreciate your valued input regarding the order. I rearranged the access-list as per your guidelines.
Still my tunnel is not up; I get the following error on the PIX:

DATACENTER-PIX506E# sh crypto isakmp SA
There are no isakmp sas

And on 1841
Interglobal#sh crypto isakmp sa
dst             src             state          conn-id slot status

I will attach the edited PIX configuration.

Is there any other matter I should take into consideration, as recently MPLS consultants were trying to make the PIX OSPF-enabled?

EE-pix.txt
abileel

ASKER

Dear Irmoore

After modifying the config the tunnel is established, but there is no access to each other.
Attaching the config on both PIX and router:
working-tunnel-routerEE.txt
EEworking-Tunnel-pix.TXT
>route outside 192.168.13.0 255.255.255.0 A.A.A.A 1
>route outside 0.0.0.0 0.0.0.0 213.X.X.177 1

Is A.A.A.A the same 213.x.x.177 or a different IP address?
What is the LAN default gateway? Is it the MPLS router or the PIX? I would assume it is the MPLS router and therefore you need to check it to make sure it has a route for 192.168.13.0 that points to the PIX. You might want to enable route-injection on OSPF to add VPN tunnel traffic to the routes.
abileel

ASKER

Hi Irmoore

A.A.A.A is my external interface on the PIX, which is facing the internet. The MPLS router is behind the PIX along with my 2811 router, which attaches my local network, and the LAN default gateway is the internal IP of the 2811 (192.168.16.1), which is NATed to the 10.100.0.0 network.
Tomorrow I will have a PC at the remote office (192.168.13.0) to test further; I will update you soon.
Thanks
>A.A.A.A is my external interface on the PIX
If this is the case, you must remove this route statement. Never point a route to your own interface. The default route will take it to the next hop IP address.
abileel

ASKER

Hi Irmoore
Thanks for your kind support. The VPN works fine and well; the key factors were:
On the PIX, add this:
 isakmp identity address
On the 1841, acl 161 needs to be reversed:
>access-list 161 permit ip 192.168.13.0 0.0.0.255 any
>access-list 161 deny   ip 192.168.13.0 0.0.0.255 10.100.0.0 0.0.0.255
One last question: now the internal network of the PIX can communicate with the 1841 (192.168.13.0) network, but as I said earlier I had a 2811 router between my LAN and the PIX. What should be done to forward the VPN network traffic to and from 192.168.13.0 so that it reaches my LAN 192.168.16.0 network? The purpose of the 2811: two site offices are connected over a 2 MB leased circuit using OSPF routing.
Sorry if I am not able to make it clear.

ASKER CERTIFIED SOLUTION
Les Moore
abileel

ASKER

Excellent, grateful to you for your valued inputs.
Thanks