  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 526
PIX to PIX Cisco VPN

Hi Guys,

I had to reboot my client's PIX 515 this morning. It is configured with a site-to-site (PIX-to-PIX) VPN from NJ to Florida. After rebooting, the VPN no longer works.

I tried rebooting both PIXes, no luck. I have access to both the PIX in Florida and the one in NJ. I did not create the VPN, and to be honest I'm not really sure how to resolve or recreate the VPN between the two sites. I can configure the firewall, perform access list changes, etc.; I just never learned how to create a VPN.

I am looking for some guidance and assistance, as I need to get this up and running.

Anyone want to help? Thank you.

Ask any information and I will certainly provide.
1 Solution
 
Voltz-dkCommented:
Can you show the relevant config parts?
Also, do you have any syslogs stating problems?
What software versions are you running?
periferralCommented:
1. post the 'show running' on both sides.
2. Enable the following debugs
      debug crypto isakmp
      debug crypto ipsec
  and then try to connect from one side to another. It should provide some insight.
tamaneriAuthor Commented:
Hi Guys,

Sorry it took me so long to reply!

Periferral,

Do you need the ENTIRE running config from both PIX Firewalls?
periferralCommented:
Yeah, maybe the full config will help.

Also, since this was a working configuration that seems to be failing, maybe you can post the debug outputs as well. Basically, enable the debug on one end and send traffic through the tunnel. See what information you get; that should help resolve the problem.
tamaneriAuthor Commented:
Okay, here are the configs; please don't hack me :) Thank you for your assistance. It is greatly appreciated!!!!

1st PIX:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ClhF.3KsltwRpB1h encrypted
passwd LFWRadSrQyLpLMsS encrypted
hostname ToufayanPIX
domain-name toufayan.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit udp any any eq 5060
access-list outside_access_in permit udp any any eq 3478
access-list outside_access_in permit udp any any eq 3479
access-list outside_access_in permit udp any any eq 5010
access-list outside_access_in permit udp any any eq 5011
access-list outside_access_in permit udp any any eq 5012
access-list outside_access_in permit udp any any eq 5013
access-list outside_access_in permit udp any any eq 5014
access-list outside_access_in permit udp any any eq 5015
access-list outside_access_in permit udp any any eq 5016
access-list outside_access_in permit udp any any eq 5017
access-list outside_access_in permit tcp any any eq 2222
access-list outside_access_in permit tcp any host 65.200.176.100 eq pop3
access-list outside_access_in permit tcp any host 65.200.176.100 eq www
access-list outside_access_in permit tcp any host 65.200.176.100 eq pcanywhere-data
access-list outside_access_in permit udp any host 65.200.176.100 eq pcanywhere-status
access-list outside_access_in permit tcp any host 65.200.176.102 eq 8234
access-list outside_access_in permit udp any host 65.200.176.102 eq 8234
access-list outside_access_in permit tcp any host 65.200.176.101 eq 9080
access-list outside_access_in permit tcp any host 65.200.176.103 eq 3389
access-list outside_access_in permit tcp any host 65.200.176.100 eq 3389
access-list outside_access_in permit tcp any host 65.200.176.104 eq 3389
access-list outside_access_in permit tcp any host 65.200.176.105 eq 8234
access-list outside_access_in permit udp any host 65.200.176.105 eq 8234
access-list outside_access_in permit tcp any host 65.200.176.106 eq 4001
access-list outside_access_in permit tcp any host 65.200.176.106 eq 4000
access-list outside_access_in permit tcp any host 65.200.176.106 eq 2002
access-list outside_access_in permit tcp any host 65.200.176.106 eq 2003
access-list outside_access_in permit tcp any host 65.200.176.106 eq 4004
access-list outside_access_in permit tcp any host 65.200.176.106 eq 2005
access-list outside_access_in permit tcp any host 65.200.176.106 eq 7200
access-list outside_access_in permit udp any host 65.200.176.106 eq 4001
access-list outside_access_in permit udp any host 65.200.176.106 eq 4000
access-list outside_access_in permit udp any host 65.200.176.106 eq 2002
access-list outside_access_in permit udp any host 65.200.176.106 eq 2003
access-list outside_access_in permit udp any host 65.200.176.106 eq 4004
access-list outside_access_in permit udp any host 65.200.176.106 eq 2005
access-list outside_access_in permit udp any host 65.200.176.106 eq 7200
access-list outside_access_in permit tcp any host 65.200.176.106 eq www
access-list outside_access_in permit tcp any host 65.200.176.100 eq imap4
access-list outside_access_in permit tcp 208.65.144.0 255.255.248.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.65.145.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.65.146.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.65.147.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.65.148.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.65.149.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.65.150.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.65.151.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.81.64.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.81.65.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.81.66.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.81.67.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 63.118.69.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host 65.200.176.107 eq 5222
access-list outside_access_in permit tcp any host 65.200.176.98 eq ssh
access-list outside_access_in permit tcp any host 65.200.176.100 eq smtp
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list nonat permit ip host 192.168.1.6 host 10.150.4.53
access-list nonat permit ip host 192.168.0.27 host 10.150.4.53
access-list nonat permit ip host 192.168.1.27 host 10.150.4.53
access-list nonat permit ip host 192.168.1.10 host 10.150.4.53
access-list nonat permit ip host 192.168.0.10 host 10.150.4.53
access-list nonat permit ip host 192.168.0.11 host 10.150.4.53
access-list nonat permit ip host 192.168.0.31 host 10.150.4.53
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat permit ip host 192.168.1.16 host 10.150.4.53
access-list gwb permit ip host 192.168.1.6 host 10.150.4.53
access-list gwb permit ip host 192.168.0.27 host 10.150.4.53
access-list gwb permit ip host 192.168.1.27 host 10.150.4.53
access-list gwb permit ip host 192.168.1.10 host 10.150.4.53
access-list gwb permit ip host 192.168.0.10 host 10.150.4.53
access-list gwb permit ip host 192.168.0.11 host 10.150.4.53
access-list gwb permit ip host 192.168.0.31 host 10.150.4.53
access-list gwb permit ip host 192.168.1.16 host 10.150.4.53
access-list splitvpn permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
pager lines 24
logging on
logging buffered notifications
mtu outside 1500
mtu inside 1500
ip address outside 65.200.176.98 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn 192.168.254.1-192.168.254.254
pdm history enable
arp timeout 14400
global (outside) 1 65.200.176.99
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 192.168.1.15 64.205.230.243 255.255.255.255
static (inside,outside) udp interface 5060 192.168.1.200 5060 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3478 192.168.1.200 3478 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3479 192.168.1.200 3479 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5010 192.168.1.200 5010 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5011 192.168.1.200 5011 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5012 192.168.1.200 5012 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5013 192.168.1.200 5013 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5014 192.168.1.200 5014 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5015 192.168.1.200 5015 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5016 192.168.1.200 5016 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5017 192.168.1.200 5017 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2222 192.168.1.200 2222 netmask 255.255.255.255 0 0
static (inside,outside) 65.200.176.102 192.168.1.8 netmask 255.255.255.255 0 0
static (inside,outside) 65.200.176.101 192.168.1.3 netmask 255.255.255.255 0 0
static (inside,outside) 65.200.176.103 192.168.1.4 netmask 255.255.255.255 0 0
static (inside,outside) 65.200.176.100 192.168.1.15 netmask 255.255.255.255 0 0
static (inside,outside) 65.200.176.104 192.168.1.16 netmask 255.255.255.255 0 0
static (inside,outside) 65.200.176.105 192.168.1.9 netmask 255.255.255.255 0 0
static (inside,outside) 65.200.176.106 192.168.0.41 netmask 255.255.255.255 0 0
static (inside,outside) 65.200.176.107 192.168.1.121 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 65.200.176.97 1
route inside 192.168.0.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
url-server (inside) vendor websense host 192.168.1.15 timeout 5 protocol TCP version 1
url-cache dst 64KB
aaa authentication ssh console LOCAL
filter url except 192.168.1.15 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.1.0 255.255.255.0 206.17.146.0 255.255.255.0
filter url except 192.168.0.0 255.255.255.0 206.17.146.0 255.255.255.0
filter url except 192.168.1.16 255.255.255.255 0.0.0.0 0.0.0.0
filter url http 192.168.1.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
http server enable
http 192.168.1.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set crawley esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set crawley
crypto map caig 5 ipsec-isakmp
crypto map caig 5 match address gwb
crypto map caig 5 set peer 206.17.146.76
crypto map caig 5 set transform-set crawley
crypto map caig 10 ipsec-isakmp dynamic dynmap
crypto map caig interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address 206.17.146.76 netmask 255.255.255.255
isakmp key ******** address 71.98.244.79 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 28800
vpngroup vpn3000 address-pool vpn
vpngroup vpn3000 dns-server 216.175.203.50 216.175.203.59
vpngroup vpn3000 wins-server 192.168.1.5
vpngroup vpn3000 default-domain toufayan.com
vpngroup vpn3000 split-tunnel splitvpn
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 192.168.254.0 255.255.255.0 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
username ghost password bog.QgPB8a0NJ/1q encrypted privilege 15
terminal width 80
Cryptochecksum:e6d6ecf3f4aee158e85bdc41a61857c8
: end



2nd PIX:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password UL9FxcyAAzZZtAjD encrypted
passwd LFWRadSrQyLpLMsS encrypted
hostname PlantCityPIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any any eq pcanywhere-data
access-list outside_access_in permit udp any any eq pcanywhere-status
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any any eq 5632
access-list nonat permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 71.98.244.79 255.255.255.0
ip address inside 192.168.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pcanywhere-data 192.168.5.12 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) udp interface pcanywhere-status 192.168.5.12 pcanywhere-status netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5632 192.168.5.5 5632 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 71.98.251.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set crawley esp-des esp-md5-hmac
crypto map caig 30 ipsec-isakmp
crypto map caig 30 match address nonat
crypto map caig 30 set peer 65.200.176.98
crypto map caig 30 set transform-set crawley
crypto map caig interface outside
isakmp enable outside
isakmp key ******** address 65.200.176.98 netmask 255.255.255.255
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 28800
telnet 192.168.5.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname bizsgbb5
vpdn group pppoex ppp authentication pap
vpdn username bizsgbb5 password *********
dhcpd address 192.168.5.30-192.168.5.60 inside
dhcpd dns 151.198.0.39 151.198.0.38
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:dc209157de362ff2adace2c9d0fdc4c7
: end
[OK]

And I believe this is one of the debug things you were looking for?

ToufayanPIX>
ISADB: reaper checking SA 0xf65344, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 71.98.244.79/500 not found - peers:0
Voltz-dkCommented:
The debug you are showing is a bit thin, it only shows that things aren't working (we knew that).
It doesn't really show why.

Meanwhile, looking at the configs it seems PIX1 has lost the crypto definitions for this tunnel.  So try these on PIX1:

access-l CityPlantVpn permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
crypto map caig 8 ipsec-isakmp
crypto map caig 8 match address CityPlantVpn
crypto map caig 8 set peer 71.98.244.79
crypto map caig 8 set transform-set crawley
---
And if it still doesn't work, then please show some more interesting parts of the debug.
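Added example (not part of the thread, and not Cisco code): a small Python audit that does mechanically what Voltz-dk did by eye on the two configs posted above. It parses the crypto-relevant lines of a PIX 6.3 running-config and checks, for a given pair of peers, that (a) the crypto map actually bound to the outside interface has an entry whose `set peer` is the remote address, (b) no other crypto map has been left defined but unbound (a PIX accepts one crypto map per interface, so binding a second map displaces the first and silently deactivates every entry in it), and (c) the two ends' crypto ACLs and ESP transforms mirror each other. The config strings are constructed, trimmed excerpts of the NJ and Florida configs in the thread; `NJ_AFTER` reflects the NJ config as reposted further down, where entry 8 was added to `caig` and then a new map `transam` was bound to `outside`.

```python
# Added example: audit the site-to-site IPsec definitions of two PIX 6.3 configs.
from collections import defaultdict


def _endpoint(t, i):
    """ACL endpoint at t[i]: 'host A', 'any' or 'A MASK'; returns ((addr, mask), next index)."""
    if t[i] == "host":
        return (t[i + 1], "255.255.255.255"), i + 2
    if t[i] == "any":
        return ("0.0.0.0", "0.0.0.0"), i + 1
    return (t[i], t[i + 1]), i + 2


def parse_pix_crypto(text):
    """Collect 'permit ip' ACLs, transform sets, crypto maps, bindings and static keys."""
    cfg = {"acls": defaultdict(list), "tsets": {}, "maps": defaultdict(dict),
           "bound": {}, "keys": set()}
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            src, i = _endpoint(t, 4)
            dst, _ = _endpoint(t, i)
            cfg["acls"][t[1]].append((src, dst))
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tsets"][t[3]] = frozenset(t[4:])
        elif t[:2] == ["crypto", "map"] and len(t) > 4 and t[3] == "interface":
            cfg["bound"][t[4]] = t[2]      # one map per interface: a later binding displaces the earlier
        elif t[:2] == ["crypto", "map"] and len(t) > 4 and t[3].isdigit():
            entry = cfg["maps"][t[2]].setdefault(int(t[3]), {})
            if t[4:6] in (["match", "address"], ["set", "peer"], ["set", "transform-set"]):
                entry[t[5]] = t[6]         # keys become 'address', 'peer', 'transform-set'
        elif t[:2] == ["isakmp", "key"] and t[-2:] == ["netmask", "255.255.255.255"]:
            cfg["keys"].add(t[4])          # static (non-wildcard) pre-shared-key peers
    return cfg


def entry_for_peer(cfg, map_name, peer):
    """Lowest-sequence entry of map_name whose 'set peer' is peer, or None."""
    for seq in sorted(cfg["maps"].get(map_name, {})):
        if cfg["maps"][map_name][seq].get("peer") == peer:
            return cfg["maps"][map_name][seq]
    return None


def audit_side(cfg, remote_peer, interface="outside"):
    """Findings about one PIX's own definition of the tunnel to remote_peer."""
    bound = cfg["bound"].get(interface)
    if bound is None:
        return [f"no crypto map is bound to {interface}"]
    findings = [f"crypto map {name!r} (seq {sorted(cfg['maps'][name])}) is not bound to any "
                f"interface, so its entries are inactive"
                for name in cfg["maps"] if name not in cfg["bound"].values()]
    if remote_peer not in cfg["keys"]:
        findings.append(f"no static isakmp key for {remote_peer}")
    if entry_for_peer(cfg, bound, remote_peer) is None:
        findings.append(f"crypto map {bound!r} on {interface} has no entry with 'set peer {remote_peer}'")
    return findings


def audit_tunnel(local, local_ip, remote, remote_ip):
    """Both sides' findings plus the cross-checks that need both configs."""
    findings = audit_side(local, remote_ip) + audit_side(remote, local_ip)
    loc = entry_for_peer(local, local["bound"].get("outside"), remote_ip)
    rem = entry_for_peer(remote, remote["bound"].get("outside"), local_ip)
    if loc and rem:
        lacl = set(local["acls"].get(loc.get("address"), []))
        racl = {(d, s) for s, d in remote["acls"].get(rem.get("address"), [])}
        if lacl != racl:
            findings.append("crypto ACLs are not mirror images of each other")
        if local["tsets"].get(loc.get("transform-set")) != remote["tsets"].get(rem.get("transform-set")):
            findings.append("ESP transforms differ between the two ends")
    return findings


# Constructed excerpts: crypto-relevant lines of the NJ and Florida configs posted above.
NJ_BEFORE = """\
crypto ipsec transform-set crawley esp-des esp-md5-hmac
crypto map caig 5 ipsec-isakmp
crypto map caig 5 set peer 206.17.146.76
crypto map caig 10 ipsec-isakmp dynamic dynmap
crypto map caig interface outside
isakmp key ******** address 71.98.244.79 netmask 255.255.255.255
"""
# NJ as reposted later: entry 8 added to 'caig', then a second map 'transam' bound instead.
NJ_AFTER = NJ_BEFORE + """\
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map caig 8 set peer 71.98.244.79
crypto map transam 1 match address 101
crypto map transam 1 set peer 71.98.244.79
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
"""
FL = """\
access-list nonat permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set crawley esp-des esp-md5-hmac
crypto map caig 30 match address nonat
crypto map caig 30 set peer 65.200.176.98
crypto map caig 30 set transform-set crawley
crypto map caig interface outside
isakmp key ******** address 65.200.176.98 netmask 255.255.255.255
"""
```

Run `audit_tunnel(parse_pix_crypto(NJ_BEFORE), "65.200.176.98", parse_pix_crypto(FL), "71.98.244.79")` and the only finding is that `caig` on `outside` has no entry with `set peer 71.98.244.79`, which is exactly the gap Voltz-dk's five commands fill. Run it with `NJ_AFTER` and the peer entry is present, but the audit now reports that `caig` (sequences 5, 8 and 10, i.e. the other site-to-site tunnel and the dynamic map for remote-access clients) is no longer bound to any interface. Pasting a whole `write terminal` into the parser works too; it ignores everything except the five statement types it understands.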
tamaneriAuthor Commented:
I am also getting these messages:

ToufayanPIX(config)# IPSEC(sa_initiate): ACL = deny; no sa created

I've typed in those commands:
debug crypto isakmp
debug crypto ipsec

but it isn't really showing me anything. What is it supposed to do? It just jumps to the next command line...


tamaneriAuthor Commented:
hey, actually,

Here is some info I got from the debug on the Plant City side (Pix #2)

ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:65.200.176.98, dest:71.98.244.79 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 1000
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:65.200.176.98, dest:71.98.244.79 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): ID payload
        next-payload : 8
        type         : 2
        protocol     : 17
        port         : 500
        length       : 16
ISAKMP (0): Total payload length: 20
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
ISAKMP (0): retransmitting phase 1 (3)...
ISAKMP (0): retransmitting phase 1 (4)...IPSEC(key_engine): request timer fired:
 count = 1,
  (identity) local= 71.98.244.79, remote= 65.200.176.98,
    local_proxy= 192.168.5.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)

PlantCityPIX(config)#
ISAKMP (0): deleting SA: src 71.98.244.79, dst 65.200.176.98
ISADB: reaper checking SA 0xfad28c, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 65.200.176.98/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 71.98.244.79, remote= 65.200.176.98,
    local_proxy= 192.168.5.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)


Does this info help at all???
tamaneriAuthor Commented:
And this is basically all I'm getting from the NJ side:

ISAKMP (0): deleting SA: src 65.200.176.98, dst 172.22.
ISADB: reaper checking SA 0xf5deec, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 172.22.112.12/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 65.200.176.98, remote= 172.22.112.12,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.5.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...
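Added example (not part of the thread): a triage script for the two `debug crypto isakmp` / `debug crypto ipsec` captures above. What a practitioner wants from an IKEv1 debug is not the individual lines but the point at which main mode stalled, because that narrows the cause: no reply to the first message points at reachability, routing or `isakmp enable` on the far end; a stall right after the peer's SA proposal points at `isakmp policy`; a stall after this end sends its encrypted ID/hash message (MM5, logged as `ISAKMP (0): ID payload` followed by `retransmitting phase 1`) means the peer received everything but could not authenticate it, which is the classic symptom of pre-shared keys or `isakmp identity` settings that differ between the two ends. The milestone strings are taken from the posted output; the verdict text is general IKEv1 troubleshooting guidance written for this example, and the two debug strings are constructed, trimmed copies of the Florida and NJ captures above.

```python
# Added example: classify how far IKEv1 main mode got in PIX 6.3 isakmp/ipsec debug output.
import re

# Main-mode milestones as the initiating PIX logs them, in exchange order.
MILESTONES = [
    ("MM1 sent", "beginning Main Mode exchange"),
    ("MM2 received", "processing SA payload"),
    ("MM3 sent", "atts are acceptable"),
    ("MM4 received", "processing KE payload"),
    ("MM5 sent", "ISAKMP (0): ID payload"),
]
# What to check when the exchange stalls at a given milestone (general IKEv1 guidance).
VERDICTS = {
    "MM1 sent": "no answer to the first message: check the peer address, the default route, "
                "UDP/500 reachability and 'isakmp enable outside' on the far end",
    "MM2 received": "peer answered but no acceptable policy: compare 'isakmp policy' "
                    "encryption, hash, DH group and authentication on both ends",
    "MM3 sent": "policy accepted but the DH/nonce exchange stalled: the large MM3/MM4 "
                "packets may be fragmented or dropped in transit",
    "MM4 received": "key exchange received but this end never sent its ID: read the local debug",
    "MM5 sent": "peer went silent after the encrypted ID/hash message: the pre-shared keys or "
                "'isakmp identity' settings most likely differ between the two ends",
}


def triage(debug_text):
    """Summarise how far phase 1 got, what identities were used, and what to check next."""
    lines = debug_text.splitlines()
    info = {"reached": None, "retransmits": 0, "id_type": None, "proxies": [],
            "acl_deny": False, "peer_deleted": False, "verdict": None}
    stage = -1
    for i, line in enumerate(lines):
        for k, (_, marker) in enumerate(MILESTONES):
            if marker in line:
                stage = max(stage, k)
        info["retransmits"] += line.count("retransmitting phase 1")
        if "ACL = deny" in line:            # interesting traffic was denied by the crypto ACL check
            info["acl_deny"] = True
        if "Peer Info for" in line and "not found" in line:
            info["peer_deleted"] = True     # the ISAKMP SA was torn down, no peer remains
        m = re.search(r"using id type (\S+)", line)
        if m:
            info["id_type"] = m.group(1)    # compare with 'isakmp identity' on both ends
        m = re.search(r"local_proxy= (\S+?)/0/0", line)
        if m and i + 1 < len(lines):        # the phase 2 identities this end wants to negotiate
            r = re.search(r"remote_proxy= (\S+?)/0/0", lines[i + 1])
            if r:
                info["proxies"].append((m.group(1), r.group(1)))
    if stage >= 0:
        info["reached"] = MILESTONES[stage][0]
        if info["retransmits"] or info["peer_deleted"]:
            info["verdict"] = VERDICTS[info["reached"]]
    return info


# Constructed, trimmed copies of the two captures posted above.
FL_DEBUG = """\
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): ID payload
        next-payload : 8
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
ISAKMP (0): retransmitting phase 1 (3)...
ISAKMP (0): retransmitting phase 1 (4)...IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 71.98.244.79, remote= 65.200.176.98,
    local_proxy= 192.168.5.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): deleting SA: src 71.98.244.79, dst 65.200.176.98
VPN Peer:ISAKMP: Peer Info for 65.200.176.98/500 not found - peers:0
"""
NJ_DEBUG = """\
ToufayanPIX(config)# IPSEC(sa_initiate): ACL = deny; no sa created
VPN Peer:ISAKMP: Peer Info for 172.22.112.12/500 not found - peers:0
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...
"""
```

`triage(FL_DEBUG)` reports that Florida reached `MM5 sent`, retransmitted five times, identified itself as `ID_FQDN`, and wanted to protect 192.168.5.0/24 to 192.168.1.0/24; the verdict points at the pre-shared key and `isakmp identity`. `triage(NJ_DEBUG)` reports `MM1 sent` with no answer, plus the `ACL = deny` flag from the first line, so on that side the questions are whether the crypto ACL bound to the interface matches the traffic at all and whether the peer address it is trying to reach is the right one. Neither result is a fix by itself; each tells you which `show` and `debug` to read next and which config lines to compare between the two ends.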
tamaneriAuthor Commented:
Here are what my configs look like now... I am so lost:

PIX NJ:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ClhF.3KsltwRpB1h encrypted
passwd LFWRadSrQyLpLMsS encrypted
hostname ToufayanPIX
domain-name toufayan.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit udp any any eq 5060
access-list outside_access_in permit udp any any eq 3478
access-list outside_access_in permit udp any any eq 3479
access-list outside_access_in permit udp any any eq 5010
access-list outside_access_in permit udp any any eq 5011
access-list outside_access_in permit udp any any eq 5012
access-list outside_access_in permit udp any any eq 5013
access-list outside_access_in permit udp any any eq 5014
access-list outside_access_in permit udp any any eq 5015
access-list outside_access_in permit udp any any eq 5016
access-list outside_access_in permit udp any any eq 5017
access-list outside_access_in permit tcp any any eq 2222
access-list outside_access_in permit tcp any host 65.200.176.100 eq pop3
access-list outside_access_in permit tcp any host 65.200.176.100 eq www
access-list outside_access_in permit tcp any host 65.200.176.100 eq pcanywhere-data
access-list outside_access_in permit udp any host 65.200.176.100 eq pcanywhere-status
access-list outside_access_in permit tcp any host 65.200.176.102 eq 8234
access-list outside_access_in permit udp any host 65.200.176.102 eq 8234
access-list outside_access_in permit tcp any host 65.200.176.101 eq 9080
access-list outside_access_in permit tcp any host 65.200.176.103 eq 3389
access-list outside_access_in permit tcp any host 65.200.176.100 eq 3389
access-list outside_access_in permit tcp any host 65.200.176.104 eq 3389
access-list outside_access_in permit tcp any host 65.200.176.105 eq 8234
access-list outside_access_in permit udp any host 65.200.176.105 eq 8234
access-list outside_access_in permit tcp any host 65.200.176.106 eq 4001
access-list outside_access_in permit tcp any host 65.200.176.106 eq 4000
access-list outside_access_in permit tcp any host 65.200.176.106 eq 2002
access-list outside_access_in permit tcp any host 65.200.176.106 eq 2003
access-list outside_access_in permit tcp any host 65.200.176.106 eq 4004
access-list outside_access_in permit tcp any host 65.200.176.106 eq 2005
access-list outside_access_in permit tcp any host 65.200.176.106 eq 7200
access-list outside_access_in permit udp any host 65.200.176.106 eq 4001
access-list outside_access_in permit udp any host 65.200.176.106 eq 4000
access-list outside_access_in permit udp any host 65.200.176.106 eq 2002
access-list outside_access_in permit udp any host 65.200.176.106 eq 2003
access-list outside_access_in permit udp any host 65.200.176.106 eq 4004
access-list outside_access_in permit udp any host 65.200.176.106 eq 2005
access-list outside_access_in permit udp any host 65.200.176.106 eq 7200
access-list outside_access_in permit tcp any host 65.200.176.106 eq www
access-list outside_access_in permit tcp any host 65.200.176.100 eq imap4
access-list outside_access_in permit tcp 208.65.144.0 255.255.248.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.65.145.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.65.146.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.65.147.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.65.148.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.65.149.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.65.150.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.65.151.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.81.64.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.81.65.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.81.66.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.81.67.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 63.118.69.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host 65.200.176.107 eq 5222
access-list outside_access_in permit tcp any host 65.200.176.98 eq ssh
access-list outside_access_in permit tcp any host 65.200.176.100 eq smtp
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list nonat permit ip host 192.168.1.6 host 10.150.4.53
access-list nonat permit ip host 192.168.0.27 host 10.150.4.53
access-list nonat permit ip host 192.168.1.27 host 10.150.4.53
access-list nonat permit ip host 192.168.1.10 host 10.150.4.53
access-list nonat permit ip host 192.168.0.10 host 10.150.4.53
access-list nonat permit ip host 192.168.0.11 host 10.150.4.53
access-list nonat permit ip host 192.168.0.31 host 10.150.4.53
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat permit ip host 192.168.1.16 host 10.150.4.53
access-list gwb permit ip host 192.168.1.6 host 10.150.4.53
access-list gwb permit ip host 192.168.0.27 host 10.150.4.53
access-list gwb permit ip host 192.168.1.27 host 10.150.4.53
access-list gwb permit ip host 192.168.1.10 host 10.150.4.53
access-list gwb permit ip host 192.168.0.10 host 10.150.4.53
access-list gwb permit ip host 192.168.0.11 host 10.150.4.53
access-list gwb permit ip host 192.168.0.31 host 10.150.4.53
access-list gwb permit ip host 192.168.1.16 host 10.150.4.53
access-list splitvpn permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list CityPlantVpn permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list NoNAT permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging on
logging buffered notifications
mtu outside 1500
mtu inside 1500
ip address outside 65.200.176.98 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn 192.168.254.1-192.168.254.254
pdm history enable
arp timeout 14400
global (outside) 1 65.200.176.99
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 192.168.1.15 64.205.230.243 255.255.255.255
static (inside,outside) udp interface 5060 192.168.1.200 5060 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3478 192.168.1.200 3478 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3479 192.168.1.200 3479 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5010 192.168.1.200 5010 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5011 192.168.1.200 5011 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5012 192.168.1.200 5012 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5013 192.168.1.200 5013 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5014 192.168.1.200 5014 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5015 192.168.1.200 5015 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5016 192.168.1.200 5016 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5017 192.168.1.200 5017 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2222 192.168.1.200 2222 netmask 255.255.255.255 0 0
static (inside,outside) 65.200.176.102 192.168.1.8 netmask 255.255.255.255 0 0
static (inside,outside) 65.200.176.101 192.168.1.3 netmask 255.255.255.255 0 0
static (inside,outside) 65.200.176.103 192.168.1.4 netmask 255.255.255.255 0 0
static (inside,outside) 65.200.176.100 192.168.1.15 netmask 255.255.255.255 0 0
static (inside,outside) 65.200.176.104 192.168.1.16 netmask 255.255.255.255 0 0
static (inside,outside) 65.200.176.105 192.168.1.9 netmask 255.255.255.255 0 0
static (inside,outside) 65.200.176.106 192.168.0.41 netmask 255.255.255.255 0 0
static (inside,outside) 65.200.176.107 192.168.1.121 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 65.200.176.97 1
route inside 192.168.0.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
url-server (inside) vendor websense host 192.168.1.15 timeout 5 protocol TCP version 1
url-cache dst 64KB
aaa authentication ssh console LOCAL
filter url except 192.168.1.15 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.1.0 255.255.255.0 206.17.146.0 255.255.255.0
filter url except 192.168.0.0 255.255.255.0 206.17.146.0 255.255.255.0
filter url except 192.168.1.16 255.255.255.255 0.0.0.0 0.0.0.0
filter url http 192.168.1.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
http server enable
http 192.168.1.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set crawley esp-des esp-md5-hmac
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set crawley
crypto map caig 5 ipsec-isakmp
crypto map caig 5 match address gwb
crypto map caig 5 set peer 206.17.146.76
crypto map caig 5 set transform-set crawley
crypto map caig 8 ipsec-isakmp
crypto map caig 8 match address CityPlantVpn
crypto map caig 8 set peer 71.98.244.79
crypto map caig 8 set transform-set crawley
crypto map caig 10 ipsec-isakmp dynamic dynmap
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 71.98.244.79
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address 206.17.146.76 netmask 255.255.255.255
isakmp key ******** address 71.98.244.79 netmask 255.255.255.255
isakmp key ******** address 192.168.5.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 28800
vpngroup vpn3000 address-pool vpn
vpngroup vpn3000 dns-server 216.175.203.50 216.175.203.59
vpngroup vpn3000 wins-server 192.168.1.5
vpngroup vpn3000 default-domain toufayan.com
vpngroup vpn3000 split-tunnel splitvpn
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 192.168.254.0 255.255.255.0 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.5.1 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
username ghost password bog.QgPB8a0NJ/1q encrypted privilege 15
terminal width 80
Cryptochecksum:e6d6ecf3f4aee158e85bdc41a61857c8
: end
[OK]
ToufayanPIX(config)#


PIX FL:

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password UL9FxcyAAzZZtAjD encrypted
passwd LFWRadSrQyLpLMsS encrypted
hostname PlantCityPIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any any eq pcanywhere-data
access-list outside_access_in permit udp any any eq pcanywhere-status
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any any eq 5632
access-list nonat permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 71.98.244.79 255.255.255.0
ip address inside 192.168.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pcanywhere-data 192.168.5.12 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) udp interface pcanywhere-status 192.168.5.12 pcanywhere-status netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5632 192.168.5.5 5632 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 71.98.251.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set crawley esp-des esp-md5-hmac
crypto map caig 30 ipsec-isakmp
crypto map caig 30 match address nonat
crypto map caig 30 set peer 65.200.176.98
crypto map caig 30 set transform-set crawley
crypto map caig interface outside
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 172.22.112.12
crypto map transam 1 set peer 65.200.176.98
isakmp enable outside
isakmp key ******** address 65.200.176.98 netmask 255.255.255.255
isakmp key ******** address 192.168.1.1 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 28800
telnet 192.168.5.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname bizsgbb5
vpdn group pppoex ppp authentication pap
vpdn username bizsgbb5 password *********
dhcpd address 192.168.5.30-192.168.5.60 inside
dhcpd dns 151.198.0.39 151.198.0.38
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:dc209157de362ff2adace2c9d0fdc4c7
: end
[OK]
PlantCityPIX(config)#
0
 
periferralCommented:
On PIX2, I see this:
crypto map caig 30 ipsec-isakmp
crypto map caig 30 match address nonat
crypto map caig 30 set peer 65.200.176.98
crypto map caig 30 set transform-set crawley
crypto map caig interface outside

This seems to be configured correctly, where it says my remote peer IP is 65.200.176.98, which seems to be the IP of PIX 1.

However, looking at PIX 1, I see this:
crypto map caig 5 ipsec-isakmp
crypto map caig 5 match address gwb
crypto map caig 5 set peer 206.17.146.76
crypto map caig 5 set transform-set crawley
crypto map caig 10 ipsec-isakmp dynamic dynmap
crypto map caig interface outside

The peer is set to 206.17.146.76, which is not the IP of PIX 2. There might be another PIX that is set up for site-to-site, but there is no crypto map for PIX 2 at this point. You need something like this on PIX1:

crypto map caig 30 ipsec-isakmp
crypto map caig 30 match address nonat
crypto map caig 30 set peer 71.98.244.79
crypto map caig 30 set transform-set crawley

I think that might fix your problem.

Also from a security standpoint, remove this from your configuration
ssh 0.0.0.0 0.0.0.0 outside

This allows SSH access to your PIX from any IP address on the outside (I think it still needs a tunnel to the ASA to get access, but still not something that is recommended). If you want to give access to tunnel users, change it to the IP range of the VPN tunnel.

0
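A config cross-check for the kind of mismatch periferral describes, as an added example that is not part of the thread (Python, written for this page): it parses the crypto map, transform-set, isakmp key/enable/policy and ssh lines from both `show run` outputs and reports what blocks the tunnel between the two outside addresses. The embedded configs are constructed excerpts modelled on the NJ and FL crypto sections posted here; the `SECRET` key string and the FAIL/WARN labels are this example's own.

```python
"""Cross-check the site-to-site IPsec pieces of two PIX 6.x configs.

Added example, not from the thread: parse the crypto map / isakmp lines of both
`show run` outputs and list what stops the tunnel between the two outside
addresses (FAIL) or merely weakens or over-exposes it (WARN).
"""
import re
from collections import defaultdict

def parse_pix(text):
    """Pull the VPN-relevant lines out of a PIX 6.x running config."""
    cfg = {"outside_ip": None, "tsets": {}, "maps": defaultdict(dict), "bound": {},
           "keys": [], "isakmp_if": set(), "policies": defaultdict(dict), "ssh_any": False}
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"ip address outside (\S+)", line):
            cfg["outside_ip"] = m[1]
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["tsets"][m[1]] = m[2].split()
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)", line):
            cfg["maps"][(m[1], m[2])]["acl"] = m[3]
        elif m := re.match(r"crypto map (\S+) (\d+) set peer (\S+)", line):
            cfg["maps"][(m[1], m[2])].setdefault("peers", []).append(m[3])
        elif m := re.match(r"crypto map (\S+) (\d+) set transform-set (\S+)", line):
            cfg["maps"][(m[1], m[2])]["tset"] = m[3]
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            cfg["bound"][m[1]] = m[2]              # which map is applied to which interface
        elif m := re.match(r"isakmp key \S+ address (\S+) netmask (\S+)", line):
            cfg["keys"].append((m[1], m[2]))       # netmask 0.0.0.0 = wildcard key
        elif m := re.match(r"isakmp enable (\S+)", line):
            cfg["isakmp_if"].add(m[1])
        elif m := re.match(r"isakmp policy (\d+) (authentication|encryption|hash|group) (\S+)", line):
            cfg["policies"][m[1]][m[2]] = m[3]
        elif line == "ssh 0.0.0.0 0.0.0.0 outside":
            cfg["ssh_any"] = True
    return cfg

def check_side(local, remote, name):
    """Findings on `local` for the tunnel towards `remote`'s outside address."""
    peer, out = remote["outside_ip"], []
    if "outside" not in local["isakmp_if"]:
        out.append(f"FAIL {name}: 'isakmp enable outside' is missing")
    if not any(a == peer or mask == "0.0.0.0" for a, mask in local["keys"]):
        out.append(f"FAIL {name}: no 'isakmp key ... address {peer}' (phase 1 cannot authenticate)")
    entries = [(k, e) for k, e in local["maps"].items() if peer in e.get("peers", [])]
    if not entries:
        out.append(f"FAIL {name}: no crypto map entry has 'set peer {peer}'")
    for (mapname, seq), e in entries:
        where = f"{name}: crypto map {mapname} {seq}"
        if local["bound"].get(mapname) != "outside":
            out.append(f"FAIL {where} is not applied ('crypto map {mapname} interface outside')")
        if "acl" not in e:
            out.append(f"FAIL {where} has no 'match address' (incomplete entry)")
        if e.get("tset") not in local["tsets"]:
            out.append(f"FAIL {where} references no defined transform-set")
        elif "esp-des" in local["tsets"][e["tset"]]:
            out.append(f"WARN {where} uses transform-set {e['tset']} with single DES")
    if local["ssh_any"]:
        out.append(f"WARN {name}: 'ssh 0.0.0.0 0.0.0.0 outside' exposes SSH to every Internet host")
    return out

def check_pair(a, b, names=("PIX1", "PIX2")):
    """All findings for the tunnel between config a and config b."""
    findings = check_side(a, b, names[0]) + check_side(b, a, names[1])
    sig = lambda p: tuple(p.get(k) for k in ("authentication", "encryption", "hash", "group"))
    common = {sig(p) for p in a["policies"].values()} & {sig(p) for p in b["policies"].values()}
    if not common:
        findings.append("FAIL no ISAKMP policy agrees on auth/encryption/hash/group on both sides")
    for auth, enc, hsh, grp in common:
        if enc == "des" or hsh == "md5" or grp == "1":
            findings.append(f"WARN ISAKMP policy {auth}/{enc}/{hsh}/group {grp} is weak (DES, MD5, DH group 1)")
    return findings

def blocking(findings):
    return [f for f in findings if f.startswith("FAIL")]

# Constructed excerpt modelled on the NJ crypto section posted in the thread (key/enable missing).
NJ_BROKEN = """
ip address outside 65.200.176.98 255.255.255.240
crypto ipsec transform-set crawley esp-des esp-md5-hmac
crypto map caig 30 match address nonat
crypto map caig 30 set peer 71.98.244.79
crypto map caig 30 set transform-set crawley
crypto map caig interface outside
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 1
ssh 0.0.0.0 0.0.0.0 outside
"""
NJ_FIXED = NJ_BROKEN + "isakmp enable outside\nisakmp key SECRET address 71.98.244.79 netmask 255.255.255.255\n"
# FL is NJ mirrored: addresses swapped, ISAKMP enabled and keyed, no open SSH.
FL = (NJ_BROKEN.replace("65.200.176.98 255.255.255.240", "71.98.244.79 255.255.255.0")
      .replace("set peer 71.98.244.79", "set peer 65.200.176.98")
      .replace("ssh 0.0.0.0 0.0.0.0 outside",
               "isakmp enable outside\nisakmp key SECRET address 65.200.176.98 netmask 255.255.255.255"))

if __name__ == "__main__":
    for label, nj in (("before", NJ_BROKEN), ("after", NJ_FIXED)):
        print(f"== {label} ==", *check_pair(parse_pix(nj), parse_pix(FL), ("ToufayanPIX", "PlantCityPIX")), sep="\n  ")
```

Run it as a script for the before/after lists, or import it and call `check_pair()` on real `show run` text. Clearing the FAIL lines is what gets the tunnel up; the WARN lines are the next job. Single DES, MD5 and DH group 1 were already weak choices when PIX 6.3 shipped, and 3DES or AES with SHA-1 and group 2 are available on 6.3 (3DES/AES needs the matching activation key), while `ssh 0.0.0.0 0.0.0.0 outside` should be narrowed to the VPN pool or a management network, as periferral says.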
 
periferralCommented:
i just saw Voltz-dk comments and it looks very similar to mine. He created an additional access-list which is not needed since you have that IP range in access-list nonat as well. You can keep his configuration or remove it and replace with mine, either way it seems to be more or less the same thing.

Since you have updated your configuration, maybe you can take additional debugs on both end to see if we've made progress.
0
 
tamaneriAuthor Commented:
Periferral I really appreciate your help. Truly!

How does it look now?

ToufayanPIX(config)# wr t
Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ClhF.3KsltwRpB1h encrypted
passwd LFWRadSrQyLpLMsS encrypted
hostname ToufayanPIX
domain-name toufayan.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit udp any any eq 5060
access-list outside_access_in permit udp any any eq 3478
access-list outside_access_in permit udp any any eq 3479
access-list outside_access_in permit udp any any eq 5010
access-list outside_access_in permit udp any any eq 5011
access-list outside_access_in permit udp any any eq 5012
access-list outside_access_in permit udp any any eq 5013
access-list outside_access_in permit udp any any eq 5014
access-list outside_access_in permit udp any any eq 5015
access-list outside_access_in permit udp any any eq 5016
access-list outside_access_in permit udp any any eq 5017
access-list outside_access_in permit tcp any any eq 2222
access-list outside_access_in permit tcp any host 65.200.176.100 eq pop3
access-list outside_access_in permit tcp any host 65.200.176.100 eq www
access-list outside_access_in permit tcp any host 65.200.176.100 eq pcanywhere-data
access-list outside_access_in permit udp any host 65.200.176.100 eq pcanywhere-status
access-list outside_access_in permit tcp any host 65.200.176.102 eq 8234
access-list outside_access_in permit udp any host 65.200.176.102 eq 8234
access-list outside_access_in permit tcp any host 65.200.176.101 eq 9080
access-list outside_access_in permit tcp any host 65.200.176.103 eq 3389
access-list outside_access_in permit tcp any host 65.200.176.100 eq 3389
access-list outside_access_in permit tcp any host 65.200.176.104 eq 3389
access-list outside_access_in permit tcp any host 65.200.176.105 eq 8234
access-list outside_access_in permit udp any host 65.200.176.105 eq 8234
access-list outside_access_in permit tcp any host 65.200.176.106 eq 4001
access-list outside_access_in permit tcp any host 65.200.176.106 eq 4000
access-list outside_access_in permit tcp any host 65.200.176.106 eq 2002
access-list outside_access_in permit tcp any host 65.200.176.106 eq 2003
access-list outside_access_in permit tcp any host 65.200.176.106 eq 4004
access-list outside_access_in permit tcp any host 65.200.176.106 eq 2005
access-list outside_access_in permit tcp any host 65.200.176.106 eq 7200
access-list outside_access_in permit udp any host 65.200.176.106 eq 4001
access-list outside_access_in permit udp any host 65.200.176.106 eq 4000
access-list outside_access_in permit udp any host 65.200.176.106 eq 2002
access-list outside_access_in permit udp any host 65.200.176.106 eq 2003
access-list outside_access_in permit udp any host 65.200.176.106 eq 4004
access-list outside_access_in permit udp any host 65.200.176.106 eq 2005
access-list outside_access_in permit udp any host 65.200.176.106 eq 7200
access-list outside_access_in permit tcp any host 65.200.176.106 eq www
access-list outside_access_in permit tcp any host 65.200.176.100 eq imap4
access-list outside_access_in permit tcp 208.65.144.0 255.255.248.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.65.145.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.65.146.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.65.147.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.65.148.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.65.149.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.65.150.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.65.151.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.81.64.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.81.65.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.81.66.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 208.81.67.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit tcp 63.118.69.0 255.255.255.0 host 65.200.176.100 eq smtp
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host 65.200.176.107 eq 5222
access-list outside_access_in permit tcp any host 65.200.176.98 eq ssh
access-list outside_access_in permit tcp any host 65.200.176.100 eq smtp
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list nonat permit ip host 192.168.1.6 host 10.150.4.53
access-list nonat permit ip host 192.168.0.27 host 10.150.4.53
access-list nonat permit ip host 192.168.1.27 host 10.150.4.53
access-list nonat permit ip host 192.168.1.10 host 10.150.4.53
access-list nonat permit ip host 192.168.0.10 host 10.150.4.53
access-list nonat permit ip host 192.168.0.11 host 10.150.4.53
access-list nonat permit ip host 192.168.0.31 host 10.150.4.53
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat permit ip host 192.168.1.16 host 10.150.4.53
access-list gwb permit ip host 192.168.1.6 host 10.150.4.53
access-list gwb permit ip host 192.168.0.27 host 10.150.4.53
access-list gwb permit ip host 192.168.1.27 host 10.150.4.53
access-list gwb permit ip host 192.168.1.10 host 10.150.4.53
access-list gwb permit ip host 192.168.0.10 host 10.150.4.53
access-list gwb permit ip host 192.168.0.11 host 10.150.4.53
access-list gwb permit ip host 192.168.0.31 host 10.150.4.53
access-list gwb permit ip host 192.168.1.16 host 10.150.4.53
access-list splitvpn permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list CityPlantVpn permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list NoNAT permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging on
logging buffered notifications
mtu outside 1500
mtu inside 1500
ip address outside 65.200.176.98 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn 192.168.254.1-192.168.254.254
pdm history enable
arp timeout 14400
global (outside) 1 65.200.176.99
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 192.168.1.15 64.205.230.243 255.255.255.255
static (inside,outside) udp interface 5060 192.168.1.200 5060 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3478 192.168.1.200 3478 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3479 192.168.1.200 3479 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5010 192.168.1.200 5010 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5011 192.168.1.200 5011 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5012 192.168.1.200 5012 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5013 192.168.1.200 5013 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5014 192.168.1.200 5014 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5015 192.168.1.200 5015 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5016 192.168.1.200 5016 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5017 192.168.1.200 5017 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2222 192.168.1.200 2222 netmask 255.255.255.255 0 0
static (inside,outside) 65.200.176.102 192.168.1.8 netmask 255.255.255.255 0 0
static (inside,outside) 65.200.176.101 192.168.1.3 netmask 255.255.255.255 0 0
static (inside,outside) 65.200.176.103 192.168.1.4 netmask 255.255.255.255 0 0
static (inside,outside) 65.200.176.100 192.168.1.15 netmask 255.255.255.255 0 0
static (inside,outside) 65.200.176.104 192.168.1.16 netmask 255.255.255.255 0 0
static (inside,outside) 65.200.176.105 192.168.1.9 netmask 255.255.255.255 0 0
static (inside,outside) 65.200.176.106 192.168.0.41 netmask 255.255.255.255 0 0
static (inside,outside) 65.200.176.107 192.168.1.121 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 65.200.176.97 1
route inside 192.168.0.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
url-server (inside) vendor websense host 192.168.1.15 timeout 5 protocol TCP version 1
url-cache dst 64KB
aaa authentication ssh console LOCAL
filter url except 192.168.1.15 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.1.0 255.255.255.0 206.17.146.0 255.255.255.0
filter url except 192.168.0.0 255.255.255.0 206.17.146.0 255.255.255.0
filter url except 192.168.1.16 255.255.255.255 0.0.0.0 0.0.0.0
filter url http 192.168.1.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
http server enable
http 192.168.1.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set crawley esp-des esp-md5-hmac
crypto map caig 5 ipsec-isakmp
! Incomplete
crypto map caig 8 ipsec-isakmp
! Incomplete
crypto map caig 10 ipsec-isakmp dynamic dynmap
crypto map caig 30 ipsec-isakmp
crypto map caig 30 match address nonat
crypto map caig 30 set peer 71.98.244.79
crypto map caig 30 set transform-set crawley
crypto map transam 1 ipsec-isakmp
! Incomplete
isakmp policy 1 authentication rsa-sig
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
vpngroup vpn3000 address-pool vpn
vpngroup vpn3000 dns-server 216.175.203.50 216.175.203.59
vpngroup vpn3000 wins-server 192.168.1.5
vpngroup vpn3000 default-domain toufayan.com
vpngroup vpn3000 split-tunnel splitvpn
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 192.168.254.0 255.255.255.0 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.5.1 255.255.255.255 inside
telnet timeout 5
ssh timeout 60
console timeout 0
username ghost password bog.QgPB8a0NJ/1q encrypted privilege 15
terminal width 80
Cryptochecksum:e6d6ecf3f4aee158e85bdc41a61857c8
: end
[OK]
ToufayanPIX(config)#

PlantCityPIX(config)# wr t
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password UL9FxcyAAzZZtAjD encrypted
passwd LFWRadSrQyLpLMsS encrypted
hostname PlantCityPIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any any eq pcanywhere-data
access-list outside_access_in permit udp any any eq pcanywhere-status
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any any eq 5632
access-list nonat permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 71.98.244.79 255.255.255.0
ip address inside 192.168.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pcanywhere-data 192.168.5.12 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) udp interface pcanywhere-status 192.168.5.12 pcanywhere-status netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5632 192.168.5.5 5632 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 71.98.251.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set crawley esp-des esp-md5-hmac
crypto map caig 30 ipsec-isakmp
crypto map caig 30 match address nonat
crypto map caig 30 set peer 65.200.176.98
crypto map caig 30 set transform-set crawley
crypto map caig interface outside
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 172.22.112.12
crypto map transam 1 set peer 65.200.176.98
isakmp enable outside
isakmp key ******** address 65.200.176.98 netmask 255.255.255.255
isakmp key ******** address 192.168.1.1 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 28800
telnet 192.168.5.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname bizsgbb5
vpdn group pppoex ppp authentication pap
vpdn username bizsgbb5 password *********
dhcpd address 192.168.5.30-192.168.5.60 inside
dhcpd dns 151.198.0.39 151.198.0.38
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:dc209157de362ff2adace2c9d0fdc4c7
: end
[OK]
0
 
tamaneriAuthor Commented:
On PIX 1, I noticed this was missing, so I added it:

isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 28800
0
 
periferralCommented:
you need to add this command back on pix1
crypto map caig interface outside

wr mem, and try the tunnel again. I see you removed the other IP. Are you sure there are no other sites that are tunneling to PIX1?

also, if it is still not working, try doing the debugs again

0
 
tamaneriAuthor Commented:
Okay so I just tried to add:

ToufayanPIX(config)# crypto map caig interface outside
WARNING: This crypto map is incomplete.
        To remedy the situation add a peer and a valid access-list to this crypto map.
ToufayanPIX(config)#

Am I Missing an access-list line as well?

I finally feel like I'm getting somewhere!!!
0
 
periferralCommented:
do this
no crypto map caig 5 ipsec-isakmp
no crypto map caig 8 ipsec-isakmp
crypto map caig interface outside

and try again.

Also, once you have done this, paste me the part of the configuration of the crypto maps
0
 
tamaneriAuthor Commented:
Okay here is what I get when I do this:

ToufayanPIX(config)# no crypto map caig 5 ipsec-isakmp
ERROR: unknown subcommand <ipsec-isakmp>
usage no crypto map <map-tag> [ <seqno> [dynamic|match|set] ] ...
ToufayanPIX(config)# no crypto map caig 8 ipsec-isakmp
ERROR: unknown subcommand <ipsec-isakmp>
usage no crypto map <map-tag> [ <seqno> [dynamic|match|set] ] ...

Interesting isn't it?
0
 
periferralCommented:
Maybe I had the command wrong; I don't have access to a PIX myself.

try this
no crypto map caig 5
no crypto map caig 8
crypto map caig interface outside
0
 
tamaneriAuthor Commented:
Okay that worked wonderfully. All 3 commands went in properly.

Here is the crypto maps from

PIX 1:

crypto ipsec transform-set crawley esp-des esp-md5-hmac
crypto map caig 10 ipsec-isakmp dynamic dynmap
crypto map caig 30 ipsec-isakmp
crypto map caig 30 match address nonat
crypto map caig 30 set peer 71.98.244.79
crypto map caig 30 set transform-set crawley
crypto map caig interface outside
crypto map transam 1 ipsec-isakmp

PIX 2:

crypto ipsec transform-set crawley esp-des esp-md5-hmac
crypto map caig 30 ipsec-isakmp
crypto map caig 30 match address nonat
crypto map caig 30 set peer 65.200.176.98
crypto map caig 30 set transform-set crawley
crypto map caig interface outside
0
 
periferralCommented:
I guess that means it is still not working.
can you also do this
no crypto map transam 1
crypto map caig interface outside

and then try again

Also, post the configuration of only PIX1 from the sysopt commands to the end.

0
 
tamaneriAuthor Commented:
Here are the debugs from both sides:

PlantCityPIX#
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
ISAKMP (0): retransmitting phase 1 (3)...
ISAKMP (0): retransmitting phase 1 (4)...IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 71.98.244.79, remote= 65.200.176.98,
    local_proxy= 192.168.5.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): deleting SA: src 71.98.244.79, dst 65.200.176.98
ISADB: reaper checking SA 0xfad804, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 65.200.176.98/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 71.98.244.79, remote= 65.200.176.98,
    local_proxy= 192.168.5.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)

ToufayanPIX(config)# IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 65.200.176.98, remote= 71.98.244.79,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.5.0/255.255.255.0/0/0 (type=4)

ISAKMP: No cert, and no keys (public or pre-shared) with remote peer    71.98.244.79
VPN Peer:ISAKMP: Peer Info for 71.98.244.79/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 65.200.176.98, remote= 71.98.244.79,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.5.0/255.255.255.0/0/0 (type=4)

ISAKMP: No cert, and no keys (public or pre-shared) with remote peer    71.98.244.79
VPN Peer:ISAKMP: Peer Info for 71.98.244.79/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 65.200.176.98, remote= 71.98.244.79,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.5.0/255.255.255.0/0/0 (type=4)

ISAKMP: No cert, and no keys (public or pre-shared) with remote peer    71.98.244.79
VPN Peer:ISAKMP: Peer Info for 71.98.244.79/500 not found - peers:0


ToufayanPIX(config)# IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 65.200.176.98, remote= 71.98.244.79,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.5.0/255.255.255.0/0/0 (type=4)

ISAKMP: No cert, and no keys (public or pre-shared) with remote peer    71.98.244.79
VPN Peer:ISAKMP: Peer Info for 71.98.244.79/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 65.200.176.98, remote= 71.98.244.79,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.5.0/255.255.255.0/0/0 (type=4)

ISAKMP: No cert, and no keys (public or pre-shared) with remote peer    71.98.244.79
VPN Peer:ISAKMP: Peer Info for 71.98.244.79/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 65.200.176.98, remote= 71.98.244.79,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.5.0/255.255.255.0/0/0 (type=4)

ISAKMP: No cert, and no keys (public or pre-shared) with remote peer    71.98.244.79
VPN Peer:ISAKMP: Peer Info for 71.98.244.79/500 not found - peers:0

ToufayanPIX(config)# IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 65.200.176.98, remote= 71.98.244.79,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.5.0/255.255.255.0/0/0 (type=4)

ISAKMP: No cert, and no keys (public or pre-shared) with remote peer    71.98.244.79
VPN Peer:ISAKMP: Peer Info for 71.98.244.79/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 65.200.176.98, remote= 71.98.244.79,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.5.0/255.255.255.0/0/0 (type=4)

ISAKMP: No cert, and no keys (public or pre-shared) with remote peer    71.98.244.79
VPN Peer:ISAKMP: Peer Info for 71.98.244.79/500 not found - peers:0
0
 
tamaneriAuthor Commented:
Here is from PIX 1 sysopt down:

sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set crawley esp-des esp-md5-hmac
crypto map caig 10 ipsec-isakmp dynamic dynmap
crypto map caig 30 ipsec-isakmp
crypto map caig 30 match address nonat
crypto map caig 30 set peer 71.98.244.79
crypto map caig 30 set transform-set crawley
crypto map caig interface outside
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 28800
vpngroup vpn3000 address-pool vpn
vpngroup vpn3000 dns-server 216.175.203.50 216.175.203.59
vpngroup vpn3000 wins-server 192.168.1.5
vpngroup vpn3000 default-domain toufayan.com
vpngroup vpn3000 split-tunnel splitvpn
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 192.168.254.0 255.255.255.0 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.5.1 255.255.255.255 inside
telnet timeout 5
ssh timeout 60
console timeout 0
username ghost password bog.QgPB8a0NJ/1q encrypted privilege 15
terminal width 80
Cryptochecksum:7b71881d88988617dc150b9d9d89c1e3
: end
[OK]
ToufayanPIX(config)#
0
 
periferralCommented:
You seem to be making many changes... this seems to be causing some confusion.

If you look at your initial configuration paste.. you had some other configuration that you seem to have removed.

You need to add these back. Replace **** with the actual preshared key

isakmp key ******** address 71.98.244.79 netmask 255.255.255.255
isakmp enable outside

Add these back and see if you make progress.
0
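The two debug captures above show the failure from both ends: PlantCityPIX retransmits Main Mode five times and then deletes the SA, while ToufayanPIX reports no cert and no keys for 71.98.244.79, which is the missing `isakmp key` periferral points at. Added example (Python, not from the thread): a small parser that groups `debug crypto isakmp` / `debug crypto ipsec` lines by peer and maps the pattern to the item to check first. The embedded debug text is a constructed, trimmed copy of the posted output; the diagnosis strings are this example's own.

```python
"""Triage `debug crypto isakmp` / `debug crypto ipsec` output from a PIX 6.x.

Added example, not from the thread: group what each firewall printed by
peer address and turn the pattern into a one-line diagnosis per peer.
"""
import re
from collections import defaultdict

# Constructed excerpts modelled on the debug output posted above; the peer
# and proxy addresses are the thread's own, the repeated blocks are trimmed.
FL_DEBUG = """\
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
ISAKMP (0): retransmitting phase 1 (3)...
ISAKMP (0): retransmitting phase 1 (4)...IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 71.98.244.79, remote= 65.200.176.98,
    local_proxy= 192.168.5.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): deleting SA: src 71.98.244.79, dst 65.200.176.98
VPN Peer:ISAKMP: Peer Info for 65.200.176.98/500 not found - peers:0
"""
NJ_DEBUG = """\
IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 65.200.176.98, remote= 71.98.244.79,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.5.0/255.255.255.0/0/0 (type=4)
ISAKMP: No cert, and no keys (public or pre-shared) with remote peer    71.98.244.79
VPN Peer:ISAKMP: Peer Info for 71.98.244.79/500 not found - peers:0
"""

def triage(debug_text):
    """Return {peer_ip: counters} for the phase 1 / phase 2 events in one firewall's debug."""
    fresh = lambda: {"retransmits": 0, "timer_fired": 0, "sa_deleted": False,
                     "no_key": False, "local_proxy": None, "remote_proxy": None}
    peers, pending, cur = defaultdict(fresh), fresh(), None
    for line in debug_text.splitlines():
        # Retransmit and timer lines print before the peer is named, so hold them
        # until the next "(identity) ... remote=" line says which peer they belong to.
        if "retransmitting phase 1" in line:
            pending["retransmits"] += 1
        if "request timer fired" in line:
            pending["timer_fired"] += 1
        if m := re.search(r"\(identity\) local= \S+, remote= ([\d.]+)", line):
            cur = m[1]
            for k in ("retransmits", "timer_fired"):
                peers[cur][k] += pending[k]
            pending = fresh()
        elif m := re.search(r"(local|remote)_proxy= (\S+)", line):
            if cur:
                peers[cur][f"{m[1]}_proxy"] = m[2]
        elif m := re.search(r"deleting SA: src \S+, dst ([\d.]+)", line):
            cur = m[1]
            peers[cur]["sa_deleted"] = True
        elif m := re.search(r"no keys .* with remote peer\s+([\d.]+)", line):
            cur = m[1]
            peers[cur]["no_key"] = True
    return dict(peers)

def diagnose(peer, d):
    """Map the observed pattern to the configuration item to check first."""
    if d["no_key"]:
        return (f"{peer}: this box has no pre-shared key for the peer; add "
                f"'isakmp key <secret> address {peer} netmask 255.255.255.255'")
    if d["retransmits"] and d["sa_deleted"]:
        return (f"{peer}: Main Mode got no reply after {d['retransmits']} retransmits; check the "
                "peer answers on UDP/500, has 'isakmp enable outside' and holds a key for us")
    if d["timer_fired"]:
        return (f"{peer}: phase 2 requested for {d['local_proxy']} -> {d['remote_proxy']} "
                "with no usable phase 1 SA; check the crypto map peer and isakmp policy")
    return f"{peer}: no known failure pattern"

if __name__ == "__main__":
    for box, text in (("PlantCityPIX", FL_DEBUG), ("ToufayanPIX", NJ_DEBUG)):
        for peer, d in triage(text).items():
            print(box, "->", diagnose(peer, d))
```

Paste a real capture into `triage()`; it keeps counters per peer, so a firewall with several tunnels does not get them mixed up. The "no reply" case is deliberately a checklist rather than a single cause: an initiator that never hears back cannot tell a silent drop, something filtering UDP/500, and a responder with no key for it apart, which is why the responder's own debug (the "no keys" line here) is the one that names the fix.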
 
tamaneriAuthor Commented:
Periferral I do apologize, you are correct. I was getting angry and wanted to house clean and start fresh. Sorry if I keep screwing you up!

Here is how it's looking from both PIXs:

sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set crawley esp-des esp-md5-hmac
crypto map caig 10 ipsec-isakmp dynamic dynmap
crypto map caig 30 ipsec-isakmp
crypto map caig 30 match address nonat
crypto map caig 30 set peer 71.98.244.79
crypto map caig 30 set transform-set crawley
crypto map caig interface outside
isakmp enable outside
isakmp key ******** address 71.98.244.79 netmask 255.255.255.255
isakmp policy 1 authentication rsa-sig
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 28800
vpngroup vpn3000 address-pool vpn
vpngroup vpn3000 dns-server 216.175.203.50 216.175.203.59
vpngroup vpn3000 wins-server 192.168.1.5
vpngroup vpn3000 default-domain toufayan.com
vpngroup vpn3000 split-tunnel splitvpn
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 192.168.254.0 255.255.255.0 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.5.1 255.255.255.255 inside
telnet timeout 5
ssh timeout 60
console timeout 0
username ghost password bog.QgPB8a0NJ/1q encrypted privilege 15
terminal width 80
Cryptochecksum:ae34450f883ab401a823be13b6152f24
: end
[OK]
ToufayanPIX(config)#

sysopt connection permit-ipsec
crypto ipsec transform-set crawley esp-des esp-md5-hmac
crypto map caig 30 ipsec-isakmp
crypto map caig 30 match address nonat
crypto map caig 30 set peer 65.200.176.98
crypto map caig 30 set transform-set crawley
crypto map caig interface outside
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 172.22.112.12
crypto map transam 1 set peer 65.200.176.98
isakmp enable outside
isakmp key ******** address 192.168.1.1 netmask 255.255.255.255
isakmp key ******** address 65.200.176.98 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 28800
telnet 192.168.5.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname bizsgbb5
vpdn group pppoex ppp authentication pap
vpdn username bizsgbb5 password *********
dhcpd address 192.168.5.30-192.168.5.60 inside
dhcpd dns 151.198.0.39 151.198.0.38
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:dbbbdbc0a5749506838653b9398a7d42
: end
[OK]
PlantCityPIX(config)#
0
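A small checker for the two lines periferral had to put back, as an added example that is not part of this thread and not a Cisco tool. It reads the config lines that matter for a site-to-site tunnel and reports a crypto map peer with no matching isakmp key, a crypto map bound to an interface on which isakmp is not enabled, and keys defined without a pre-share policy; the sample config is constructed from the NJ lines above with those two lines removed.

```python
import re

# Constructed sample: the NJ-side lines from the thread, minus the
# "isakmp enable outside" and "isakmp key ... address 71.98.244.79" lines
# that were lost when the config was cleaned out.
SAMPLE_CONFIG = """\
crypto ipsec transform-set crawley esp-des esp-md5-hmac
crypto map caig 30 ipsec-isakmp
crypto map caig 30 match address nonat
crypto map caig 30 set peer 71.98.244.79
crypto map caig 30 set transform-set crawley
crypto map caig interface outside
isakmp policy 30 authentication pre-share
"""

# The two lines periferral asked to have added back.
RESTORED_LINES = (
    "isakmp enable outside\n"
    "isakmp key ******** address 71.98.244.79 netmask 255.255.255.255\n"
)


def check_site_to_site(config: str) -> list[str]:
    """Return findings for a PIX 6.x style config (empty list = basics present).

    1. every 'set peer' in a crypto map that is bound to an interface
       must have an 'isakmp key ... address <peer>' entry
    2. isakmp must be enabled on the interface the crypto map is bound to
    3. if pre-shared keys are defined, a pre-share ISAKMP policy must exist
    Crypto maps not bound to any interface are inert, so their peers are ignored.
    """
    bound = dict(re.findall(r"^crypto map (\S+) interface (\S+)", config, re.M))
    peers = {p for name, p in
             re.findall(r"^crypto map (\S+) \d+ set peer (\S+)", config, re.M)
             if name in bound}
    keyed = set(re.findall(r"^isakmp key \S+ address (\S+)", config, re.M))
    isakmp_ifaces = set(re.findall(r"^isakmp enable (\S+)", config, re.M))
    preshare = re.search(r"^isakmp policy \d+ authentication pre-share", config, re.M)

    findings = []
    for peer in sorted(peers - keyed):
        findings.append(f"no 'isakmp key' for peer {peer}")
    for iface in sorted(set(bound.values()) - isakmp_ifaces):
        findings.append(f"'isakmp enable {iface}' missing")
    if keyed and not preshare:
        findings.append("isakmp keys defined but no pre-share policy")
    return findings


if __name__ == "__main__":
    for line in check_site_to_site(SAMPLE_CONFIG):
        print("FINDING:", line)
```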
 
periferralCommented:
Okay, these look fine. Can you post the debugs? Maybe we've made progress.
0
 
tamaneriAuthor Commented:
Okay,

So I was just testing by pinging 192.168.5.1 (remote PIX) but was unable to ping it.

However, I AM able to ping other equipment to and from the remote site. They have a hand-punch utility, punch in and punch out every day; it sends that data over the VPN. I am now able to ping that equipment from NJ to FL. This is good news! They should be able to do payroll now!

Periferral, you saved my life. Probably about 100 employees were not going to get paid today if it were not for you!!!!! You are the man! Thank you soooooo much!
0
 
periferralCommented:
That's great. I don't think you can ping the remote PIX's inside interface anyway. I think this is by design. You can always only ping the interface closest to you. So from the remote side, the closest is the outside interface (however, in this case you will not be able to ping the outside interface either; you need to enable ICMP traffic to the interface, which is disabled by default).
 
But if the site to site stuff is working, you should be good to go.

0
 
periferralCommented:
You could try this command:
management-access inside

This might give you access to ping the inside interface of this PIX. You should issue this command on the PIX whose inside interface you want to ping.
0
 
tamaneriAuthor Commented:
Thank you Thank you Thank you!!!
0
