Solved

Cisco Pix VPN tunnel needed between Sonicwall and Pix

Posted on 2008-10-01
Last Modified: 2012-08-13
Hi experts,

I have a Pix 505e in London and a Sonicwall TZ180 in LA. Normally we have an MPLS working between the two which facilitates server syncs, email and the like. This has been severed by some brutal builders.

I have already been given a link for Sonicwall to Pix here which looks very close to what I need: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml

The problem I have is with this line (and others??): "crypto ipsec transform-set austinlab esp-aes-256 esp-sha-hmac" as I do not have the relevant installed key on my Pix. Can I use DES instead and change the Sonicwall to match? Will there be any other problems that will arise from this or other changes in commands as a result of using a different encryption type? I am new to VPN tunnels but have an understanding of what is going on in principle.

Many thanks in advance!


Question by:TargetTV

Expert Comment

by:lrmoore
ID: 22615844
Good news is that you can apply for a free 3DES/AES key for the PIX if you have a CCO login.
https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?FormId=119

Yes, you can use DES on both ends. Just replace any mention of "aes-256" with "des"

 

Author Comment

by:TargetTV
ID: 22615922
OK thanks, good news on the DES - I'll go down that route I think.

As I have been looking into this a bit further, I am worried that if I put in details of the IPs I need for NAT exemption it will knock out anyone coming in on the VPN client? Can you have both running? And if so, I guess this means setting up separate "crypto map" and isakmp commands?

I think the reason I am finding the above difficult is because there are already commands entered for the client VPN and I didn't know if I could reuse them without messing up VPN clients.

Thanks again.



Expert Comment

by:lrmoore
ID: 22615989
Yes, you can do both client and lan-lan vpns at the same time.
Here's a good example.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094cea.shtml

Author Comment

by:TargetTV
ID: 22616792
Hiya,

I have been adding commands as suggested to make this work, but still no joy.
The Sonicwall has crypto suite: ESP DES HMAC MD5 (IKE) with the same password, DH group 1, same lifetime.

sysopt connection permit-ipsec  <-- already there

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map maptosw 67 ipsec-isakmp
crypto map maptosw 67 match address inside_outbound_nat0_acl
crypto map maptosw 67 set peer xx.xx.xx.xx
crypto map maptosw 67 set transform-set myset
crypto map maptosw interface outside
isakmp enable outside
isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255
isakmp identity address
isakmp policy 67 authentication pre-share
isakmp policy 67 encryption des
isakmp policy 67 hash md5
isakmp policy 67 group 1
isakmp policy 67 lifetime 28800

Is there something I am missing here? I can post other areas if needed...

Thanks for your help.
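
An added example (not part of the original thread): a small Python check that parses the PIX lines posted above, compares the IKE policy and the transform-set with the SonicWall settings the poster quoted, and flags single DES, MD5 and DH group 1 as weak choices. The `SONICWALL` dictionary and the function names are assumptions made for illustration.

```python
import re

# PIX lines from the post above; peer address and key are masked as posted.
PIX_CONFIG = """\
crypto ipsec transform-set myset esp-des esp-md5-hmac
isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255
isakmp policy 67 authentication pre-share
isakmp policy 67 encryption des
isakmp policy 67 hash md5
isakmp policy 67 group 1
isakmp policy 67 lifetime 28800
"""
# Assumed encoding of the SonicWall settings quoted in the post.
SONICWALL = {"ike": {"authentication": "pre-share", "encryption": "des",
                     "hash": "md5", "group": "1", "lifetime": "28800"},
             "esp": {"esp-des", "esp-md5-hmac"}}
# Choices that are weak by current standards: single DES, MD5, DH group 1.
WEAK_IKE = {("encryption", "des"), ("hash", "md5"), ("group", "1")}
WEAK_ESP = {"esp-des", "esp-md5-hmac"}

def parse_pix(config):
    """Collect isakmp policies and IPsec transform-sets from PIX 6.x lines."""
    policies, tsets = {}, {}
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"isakmp policy (\d+) (\S+) (\S+)", line)
        if m:
            policies.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            tsets[m.group(1)] = set(m.group(2).split())
    return policies, tsets

def check(config, peer):
    """Report parameters that differ from the peer and ones that are weak."""
    policies, tsets = parse_pix(config)
    out = {"mismatch": [], "weak": []}
    for num, pol in sorted(policies.items()):
        for key, want in peer["ike"].items():
            have = pol.get(key, "unset")  # "unset" means the device default applies
            if have != want:
                out["mismatch"].append(f"policy {num} {key}: pix={have} peer={want}")
        out["weak"] += [f"policy {num} {k} {v}" for k, v in sorted(pol.items())
                        if (k, v) in WEAK_IKE]
    for name, ts in sorted(tsets.items()):
        if ts != peer["esp"]:
            out["mismatch"].append(f"transform-set {name}: {sorted(ts)}")
        out["weak"] += [f"transform-set {name} {t}" for t in sorted(ts & WEAK_ESP)]
    return out
```

For the posted lines `check(PIX_CONFIG, SONICWALL)` returns an empty mismatch list, so the quoted phase 1 and phase 2 proposals agree on both ends; every cipher, hash and group in use appears in the weak list.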
 

Author Comment

by:TargetTV
ID: 22616978
In the Sonicwall log after trying phase1 negotiation:
NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal
 
LVL 79

Expert Comment

by:lrmoore
ID: 22617022
Try enabling nat-traversal, but I don't see why it reports that...
 isakmp nat-traversal 20
Also make sure that PFS is disabled on the SonicWall
 

Accepted Solution

by:
TargetTV earned 0 total points
ID: 22931239
In the end everything came back online and this remained unsolved. Thanks for all the help anyhow.