Solved

PIX 506E to Cisco 2801 VPN?

Posted on 2010-11-27
Last Modified: 2012-05-10
Hello Experts, I'm trying to connect a PIX at one of my branch offices to my corporate HQ 2800 router, and I can't seem to get the VPN to work. Can you please help? Configs are posted for both sides:

PIX CONFIG:


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password kzHqwKsNwOYvqxTT encrypted
passwd kzHqwKsNwOYvqxTT encrypted
hostname NCROUTER
domain-name <DOMAIN>
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names        
access-list 90 permit ip 192.168.5.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 90 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 90 permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 90 permit ip 192.168.5.0 255.255.255.0 192.168.15.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 90
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ind esp-3des esp-sha-hmac
crypto map toIndy 4 ipsec-isakmp
crypto map toIndy 4 match address 90
crypto map toIndy 4 set peer <HQIP>
crypto map toIndy 4 set transform-set ind
crypto map toIndy interface outside
isakmp enable outside
isakmp key ******** address <HQIP> netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname <PPPOE USERNAME>
vpdn group ISP ppp authentication pap
vpdn username <PPPOE USERNAME> password *********
dhcpd address 192.168.5.100-192.168.5.250 inside
dhcpd dns 192.168.4.5 192.168.15.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain <DOMAIN>
dhcpd enable inside
username admin password <PASSWORD> encrypted privilege 15
terminal width 80
Cryptochecksum:5e35b045bf11c7bb2642453bcf0f2992
: end

2800 Config:


Building configuration...

Current configuration : 6582 bytes
!
! Last configuration change at 14:27:35 eastern Sat Nov 27 2010 by
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname INDYROUTER01
!
boot-start-marker
boot-end-marker
!
enable secret 5 <PASSWORD>
!
no aaa new-model
clock timezone eastern -5
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool MOMLAPTOP
   host 192.168.99.20 255.255.255.0
   client-identifier 0100.1eec.1f74.d2
   default-router 192.168.99.1
   dns-server <dns> <dns>
!
!
ip domain name DOMAIN.NET
ip name-server <dns>
ip name-server <dns>
ip inspect udp idle-time 3600
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall icmp
ip inspect name firewall http
ip inspect name inbound smtp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
!
username admin privilege 15 secret 5 <PASSWORD>
!
!
!
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key <key> address <IP1>
crypto isakmp key <key> address <IP2>
crypto isakmp key <key> address <IP3>
crypto isakmp key <key> address <PIX IP>
!
!
crypto ipsec transform-set DENVER esp-3des esp-md5-hmac
crypto ipsec transform-set LAFAYETTE esp-3des esp-md5-hmac
crypto ipsec transform-set NC esp-3des esp-sha-hmac
crypto ipsec transform-set FISHERS esp-3des esp-sha-hmac
!
crypto map DOMAIN 1 ipsec-isakmp
 description Tunnel to Denver
 set peer <IP1>
 set transform-set DENVER
 match address 101
crypto map DOMAIN 2 ipsec-isakmp
 description Tunnel to Lafayette
 set peer <IP2>
 set transform-set LAFAYETTE
 match address 102
crypto map DOMAIN 3 ipsec-isakmp
 description Tunnel to NC
 set peer <PIX IP>
 set transform-set NC
 match address 103
crypto map DOMAIN 4 ipsec-isakmp
 description Tunnel to Fishers
 set peer <IP3>
 set transform-set FISHERS
 match address 104
!
!
!
!
interface FastEthernet0/0
 no ip address
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!        
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0.99
 encapsulation dot1Q 99
 ip address 192.168.99.1 255.255.255.0
 ip access-group 150 out
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/1
 ip address <PUBLIC IP> 255.255.255.248
 ip access-group 183 in
 ip nat outside
 ip inspect inbound in
 ip inspect firewall out
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
 crypto map DOMAIN
!        
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 <PUBLIC IP>198
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
ip route 192.168.2.0 255.255.255.0 FastEthernet0/1
ip route 192.168.5.0 255.255.255.0 FastEthernet0/1
ip route 192.168.9.0 255.255.255.0 FastEthernet0/1
ip route 192.168.15.0 255.255.255.0 FastEthernet0/1
!
!
ip http server
ip http authentication local
no ip http secure-server
ip http path flash:
ip nat inside source route-map nonat interface FastEthernet0/1 overload
ip nat inside source static 192.168.99.20 <PUBLIC IP>194 route-map MOM
ip nat inside source static tcp 192.168.4.5 443 <PUBLIC IP>195 443 route-map nonat extendable
ip nat inside source static 192.168.4.7 <PUBLIC IP>196 route-map SLING
ip nat inside source static tcp 192.168.99.50 25 <PUBLIC IP>197 25 extendable
ip nat inside source static tcp 192.168.99.50 80 <PUBLIC IP>197 80 extendable
ip nat inside source static tcp 192.168.99.50 443 <PUBLIC IP>197 443 extendable
!
access-list 100 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 100 deny   ip host 192.168.4.7 any
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 101 remark Tunnel to Denver
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.15.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 101 permit ip 192.168.15.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.255.255 192.168.15.0 0.0.0.255
access-list 102 remark Tunnel to Lafayette
access-list 103 remark Tunnel to NC
access-list 103 permit ip 192.168.0.0 0.0.255.255 192.168.5.0 0.0.0.255
access-list 104 remark Tunnel to Fishers
access-list 104 permit ip 192.168.0.0 0.0.255.255 192.168.2.0 0.0.0.255
access-list 110 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 110 permit ip host 192.168.4.7 any
access-list 115 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 115 permit ip host 192.168.99.20 any
access-list 115 remark MOM_NAT
access-list 120 permit ip 192.168.99.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 120 deny   ip any 192.168.0.0 0.0.255.255
access-list 120 permit ip any any
access-list 150 permit tcp host 192.168.4.5 host 192.168.99.50 eq smtp
access-list 150 deny   ip any 192.168.0.0 0.0.63.255
access-list 150 permit ip any any
access-list 183 remark Firewall
access-list 183 permit esp any host <PUBLIC IP>
access-list 183 permit ahp any host <PUBLIC IP>
access-list 183 permit udp any host <PUBLIC IP> eq isakmp
access-list 183 permit tcp any any eq 22
access-list 183 permit tcp any host <PUBLIC IP> eq www
access-list 183 permit udp any host <PUBLIC IP> eq 80
access-list 183 permit tcp any host <PUBLIC IP> eq 443
access-list 183 permit tcp any host <PUBLIC IP> eq smtp
access-list 183 permit ip any host <PUBLIC IP>
access-list 183 permit tcp any host <PUBLIC IP> eq www
access-list 183 permit ip 147.135.0.0 0.0.255.255 host <PUBLIC IP>
access-list 183 permit tcp any host <PUBLIC IP> eq 443
snmp-server community DOMAIN RO
!
route-map MOM permit 10
 match ip address 115
!
route-map SLING permit 10
 match ip address 110
!
route-map nonat permit 10
 match ip address 100
!
!
!
control-plane
!
!
!
!
!        
!
!
!
!
telephony-service
 max-ephones 10
 max-dn 10
 max-conferences 4 gain -6
!
!
line con 0
 login local
line aux 0
line vty 0 4
 login local
 transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17178110
ntp server 192.43.244.18
end
Question by:CNTUCKER

Accepted Solution

by: lrmoore (earned 500 total points)
>isakmp policy 9 group 1
Change this to group 2

On the router side, complete the policy to match:

crypto isakmp policy 1
 authentication pre-share
 encrypt 3des
 group 2
 
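As an added check that is not part of the thread, the following Python snippet parses the ISAKMP policy lines from a PIX 6.3 config and the crypto isakmp policy block from an IOS 12.4 config, fills in the platform defaults for any attribute left unspecified, and reports the Phase 1 attributes that disagree; the sample inputs are constructed from the two configs in the question and from lrmoore's fix. Lifetime is excluded from the comparison because IKEv1 negotiates the shorter value rather than requiring equality.

```python
import re
# Sample inputs constructed from the configs in the question and lrmoore's fix.
PIX_BEFORE = """isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
"""
PIX_AFTER = PIX_BEFORE.replace("group 1", "group 2")
IOS_BEFORE = """crypto isakmp policy 1
 authentication pre-share
crypto isakmp key <key> address <PIX IP>
"""
IOS_AFTER = """crypto isakmp policy 1
 authentication pre-share
 encrypt 3des
 group 2
"""
# Attributes left unspecified take these defaults on both PIX 6.3 and IOS 12.4.
DEFAULTS = {"authentication": "rsa-sig", "encryption": "des",
            "hash": "sha", "group": "1", "lifetime": "86400"}
ALIASES = {"encr": "encryption", "encrypt": "encryption", "auth": "authentication"}

def parse_pix_isakmp(config):
    """{priority: attributes} from flat 'isakmp policy N attr value' lines."""
    policies = {}
    for prio, attr, val in re.findall(r"^isakmp policy (\d+) (\S+) (\S+)", config, re.M):
        policies.setdefault(prio, dict(DEFAULTS))[ALIASES.get(attr, attr)] = val
    return policies

def parse_ios_isakmp(config):
    """{priority: attributes} from indented 'crypto isakmp policy N' blocks."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(m.group(1), dict(DEFAULTS))
        elif current is not None and line.startswith(" "):
            attr, _, val = line.strip().partition(" ")
            current[ALIASES.get(attr, attr)] = val
        else:
            current = None  # any unindented line ends the policy block
    return policies

def mismatches(pix_policy, ios_policy):  # lifetime is negotiated, so it is not compared
    return {k: (pix_policy[k], ios_policy[k]) for k in ("authentication", "encryption", "hash", "group")
            if pix_policy[k] != ios_policy[k]}

def any_match(pix_policies, ios_policies):
    """True when at least one PIX/IOS policy pair can agree on IKE phase 1."""
    return any(not mismatches(p, i) for p in pix_policies.values() for i in ios_policies.values())
```

Run against the original configs it reports the router's default DES against the PIX's 3DES; after applying the accepted answer on both sides the policies agree.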

Author Closing Comment

by: CNTUCKER
Thank you!
