Velocity Reviews - Computer Hardware Reviews

Pix-to-Pix and Client-to-Pix VPN

AlanP
04-06-2004
Have got two working configs for a Pix that allow either a Pix-to-Pix
VPN, or remote users connecting into a Pix using the Cisco client
(created these using two excellent documents on Cisco.com - #6211 and
#14091). Am trying to combine the two but am having a few problems.

Ideally, would like to find an equivalent document from Cisco but have had no
joy (is it just me or is the Cisco web-site diabolical for searching?).
Current non-working config is as follows:

:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password utXGGJbasURbvYXQ encrypted
passwd utXGGJbasURbvYXQ encrypted
hostname hosthost
domain-name host.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name x.x.x.x router
name y.y.y.y WAN
name 10.0.0.4 Boardroom
name 192.168.0.0 remoteoffice-nw
name z.z.z.z remoteoffice
access-list 102 permit tcp any host a.a.a.a eq smtp
access-list 102 permit tcp any host a.a.a.a eq www
access-list 102 permit tcp any host a.a.a.a eq 3389
access-list 102 permit tcp any host b.b.b.b eq pcanywhere-data
access-list 102 permit udp any host b.b.b.b eq pcanywhere-status
access-list 102 permit tcp any host c.c.c.c eq 3389
access-list 101 permit ip 10.0.0.0 255.255.255.0 remoteoffice-nw 255.255.255.0
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside WAN 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.0.1.1-10.0.1.254
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) a.a.a.a 10.0.0.3 netmask 255.255.255.255 0 0
static (inside,outside) b.b.b.b Boardroom netmask 255.255.255.255 0 0
static (inside,outside) c.c.c.c 10.0.0.2 netmask 255.255.255.255 0 0
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 router 1
route outside router 255.255.255.255 router 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn 30 match address 101
crypto dynamic-map outside_dyn 30 set transform-set myset
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address 101
crypto map outside_map 20 set peer remoteoffice
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address remoteoffice netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup dialin address-pool ippool
vpngroup dialin dns-server 10.0.0.3 195.10.102.11
vpngroup dialin idle-time 1800
vpngroup dialin password ********
telnet timeout 5
ssh timeout 5
terminal width 80
: end
#
Martin Bilgrav
04-06-2004
Upgrade to 6.3.3 and add the command isakmp nat-t.

This will do it for you.

Regards
Martin Bilgrav

"AlanP" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
Dominic
04-06-2004
(E-Mail Removed) (AlanP) wrote in message news:<(E-Mail Removed).com>...
Everything's looking fine... but, I guess that you should remove:

PIX(config)#no crypto dynamic-map outside_dyn 30 match address 101

Also, I'm NOT sure whether you can set up the seq num 65535 or not. Can
you try 30 instead?

Be aware that you will only have access to your 10.0.0.0/24 network
and NOT to 192.168.0.0/24 network.

Thanks!
________________________________________________
Dominic Longpre, CCNA & CSPFA (PIX Certified)
IT Specialist
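As an added example (not the poster's config, the replies' own words, or any Cisco tool), a small Python linter that applies Dominic's points to a PIX 6.x config: it flags a dynamic-map entry that reuses the static peer's crypto ACL, checks that the entry referencing the dynamic map carries the highest sequence number, and checks that the nat 0 ACL exempts the whole client pool from NAT. The sample lines are constructed from the thread; 192.168.0.0 and z.z.z.z stand in for the poster's names.

```python
import ipaddress
import re

# Constructed sample: the NAT/crypto lines of the poster's PIX 6.2 config,
# including the dynamic-map "match address" line Dominic says to remove.
SAMPLE = """\
access-list 101 permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
ip local pool ippool 10.0.1.1-10.0.1.254
nat (inside) 0 access-list 101
crypto dynamic-map outside_dyn 30 match address 101
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address 101
crypto map outside_map 20 set peer z.z.z.z
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn
"""

def grep(pat, config):
    """Yield the capture groups of every config line matching pat."""
    for line in config.splitlines():
        m = re.match(pat, line)
        if m:
            yield m.groups()

def lint_pix_vpn(config):
    """Return findings for a PIX config mixing a static peer and a dynamic map."""
    findings = []
    static = {int(s): acl for s, acl in grep(r"crypto map \S+ (\d+) match address (\S+)", config)}
    # 1. A dynamic-map entry that reuses the static peer's crypto ACL competes
    #    with that static entry for the same traffic; it should not match address.
    for dmap, seq, acl in grep(r"crypto dynamic-map (\S+) (\d+) match address (\S+)", config):
        if acl in static.values():
            findings.append(f"remove 'crypto dynamic-map {dmap} {seq} match address {acl}'")
    # 2. The entry referencing the dynamic map must have the highest sequence
    #    number so the known-peer static entries are evaluated first.
    for seq, dmap in grep(r"crypto map \S+ (\d+) ipsec-isakmp dynamic (\S+)", config):
        if any(s > int(seq) for s in static):
            findings.append(f"dynamic map {dmap} at seq {seq} is not the last crypto map entry")
    # 3. Client pool addresses must be exempt from NAT: the nat 0 ACL's
    #    destination networks have to cover the whole pool.
    acl_dst = {}
    for acl, net, mask in grep(r"access-list (\S+) permit ip \S+ \S+ (\S+) (\S+)", config):
        acl_dst.setdefault(acl, []).append(ipaddress.ip_network(f"{net}/{mask}"))
    for (nat0,) in grep(r"nat \(inside\) 0 access-list (\S+)", config):
        for lo, hi in grep(r"ip local pool \S+ (\S+)-(\S+)", config):
            lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
            if not any(lo in n and hi in n for n in acl_dst.get(nat0, [])):
                findings.append(f"nat 0 ACL {nat0} does not cover client pool {lo}-{hi}")
    return findings
```

Running it on the sample reports only the dynamic-map line; the same checks can be run against any PIX 6.x running-config text.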
Mirek
04-07-2004

User "Dominic" <(E-Mail Removed)> wrote
________________________________________________
> Dominic Longpre, CCNA & CSPFA (PIX Certified)
> IT Specialist


Hello

Could you help me? I see that you are a real professional.
My problem is:

PIX inside  10.0.1.1/16   -- WEB server 10.0.1.2
PIX dmz     172.16.1.1/16 -- DNS server 172.16.1.2
PIX outside 20.20.20.3/28 -- my perm. router 20.20.20.2

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet1 dmz security90
access-list ipsec permit ip 10.0.0.0 255.255.0.0 10.2.2.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.2.2.0 255.255.255.0
ip address outside 20.20.20.3 255.255.255.240
ip address inside 10.0.1.1 255.255.0.0
ip address dmz 172.16.1.1 255.255.0.0
global (outside) 1 20.20.20.1
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.1.0 255.255.0.0 0 0
nat (dmz) 1 172.16.0.0 255.255.0.0 0 0
static (inside,outside) 20.20.20.5 10.0.1.2 netmask 255.255.255.255 0 0
static (dmz, outside) 20.20.20.6 172.16.1.2 netmask 255.255.255.255 0 0
conduit permit ip 20.20.20.5 host any
conduit permit ip 20.20.20.6 host any
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 20.20.20.2 1
sysopt connection permit-ipsec
crypto ipsec transform-set lanche esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map forg 21 ipsec-isakmp
crypto map forg 21 match address ipsec
crypto map forg 21 set peer 30.30.30.1
crypto map forg 21 set transform-set lanche
crypto map forg interface outside
isakmp enable outside
isakmp key fin2000 address 30.30.30.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1

So, I have 3 problems/questions.
1st question: Is this configuration good? My branch router on the
other side doesn't respond. How do I set up more than one
VPN tunnel to another Cisco router?

2nd, main question: I did static address translation, but with ip
address outside 20.20.20.3 255.255.255.240
hosts from the protected networks inside are invisible to each other. For
example: I cannot ping or telnet to 20.20.20.5 from
20.20.20.6 using IP or hostnames. Where did I make a mistake? Please help. With
ip address outside 20.20.20.3 255.255.255.255 everything goes
fine. But is that a bad netmask for me? I can't ping (no response) the outside
interface from any host in inside and dmz. Is that correct?

3rd: Why doesn't my VPN work? What did I do wrong?

Best regards
Mirek