After upgrading PIX 506E don't resolve VPN connection

Discussion in 'Cisco' started by jaisol, May 12, 2005.

  1. jaisol

    jaisol Guest

    A few days ago I posted the same message incorrectly.
    Really I wanted to say "Once upgraded I can NOT connect with VPN." but I
    missed the NOT word.

    Before upgrading the firewall version and PDM I was using VPN perfectly.
    Once upgraded I can NOT connect with VPN.

    Show ver before upgrade:

    Cisco PIX Firewall Version 6.1(2)
    Cisco PIX Device Manager Version 1.1(2)
    Compiled on Fri 16-Nov-01 14:28 by morlee
    Hardware: PIX-506E, 32 MB RAM, CPU Pentium II 299 MHz
    Flash E28F640J3 @ 0x300, 8MB
    BIOS Flash AM29F400B @ 0xfffd8000, 32KB
    0: ethernet0: address is 0009.b718.b578, irq 10
    1: ethernet1: address is 0009.b718.b579, irq 11
    Licensed Features:
    Failover: Disabled
    VPN-DES: Enabled
    VPN-3DES: Disabled
    Maximum Interfaces: 2
    Cut-through Proxy: Enabled
    Guards: Enabled
    Websense: Enabled
    Inside Hosts: Unlimited
    Throughput: Unlimited
    ISAKMP peers: Unlimited

    Show ver after upgrade:

    Cisco PIX Firewall Version 6.3(4)
    Cisco PIX Device Manager Version 3.0(2)
    Compiled on Fri 02-Jul-04 00:07 by morlee
    pixfirewall up 1 day 23 hours
    Hardware: PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz
    Flash E28F640J3 @ 0x300, 8MB
    BIOS Flash AM29F400B @ 0xfffd8000, 32KB
    0: ethernet0: address is 0009.b718.b578, irq 10
    1: ethernet1: address is 0009.b718.b579, irq 11
    Licensed Features:
    Failover: Disabled
    VPN-DES: Enabled
    VPN-3DES-AES: Disabled
    Maximum Physical Interfaces: 2
    Maximum Interfaces: 2
    Cut-through Proxy: Enabled
    Guards: Enabled
    URL-filtering: Enabled
    Inside Hosts: Unlimited
    Throughput: Unlimited
    IKE peers: Unlimited

    After the upgrade I haven't changed the configuration.

    How can I resolve it?

    THANKS!
     
    jaisol, May 12, 2005
    #1

  2. In article <>,
    jaisol <> wrote:
    :Few days ago I posted same message incorrectly.
    :Really I want to say "Once upgraded I can NOT connect with VPN." but I
    :missed NOT word.

    You didn't respond to my DES + SHA shot in the dark?
    --
    I was very young in those days, but I was also rather dim.
    -- Christopher Priest
     
    Walter Roberson, May 12, 2005
    #2

  3. jaisol

    jaisol Guest

    Sorry, I forgot to answer.

    You are referring to:

    I'll take a shot in the dark:
    The OP does not have the 3DES license, so s/he must be using DES
    encryption for the VPN. Somewhere between 6.1 and 6.3, support
    was dropped for the combination of DES and SHA, so the OP may need
    to change transform sets to esp-des esp-md5-hmac

    I'm a newbie PIX user and I didn't understand what I have to do.

    I appreciate you can be more specific when you mention "so the OP may
    need to change transform sets to esp-des esp-md5-hmac"

    Thanks again.
     
    jaisol, May 12, 2005
    #3
  4. "jaisol" <> wrote:

    > I appreciate you can be more specific when you mention "so the OP
    > may need to change transform sets to esp-des esp-md5-hmac"


    Check your configuration. There are two places where you
    can define encrypting and hashing algorithms. The lines
    you are looking for probably look like these:

    1. Crypto map settings

    a) crypto ipsec transform-set [keyword] esp-des esp-sha-hmac
    b) crypto ipsec transform-set [keyword] esp-des esp-md5-hmac
    crypto map [name] [number] set transform-set [keyword]

    2. Isakmp settings

    isakmp policy [number] encryption des
    a) isakmp policy [number] hash sha
    b) isakmp policy [number] hash md5

    As you can see it is possible to use two different hashing
    algorithms: sha and md5. If your current combination is
    des and sha (a), then you might want to change to des/md5 (b).
    Note that the changes must be done at both ends.
     
    Jyri Korhonen, May 13, 2005
    #4
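
Added example, not part of any post in this thread: a short Python script that scans a saved PIX configuration for the two places named in post #4 (IPsec transform sets and ISAKMP policies) and reports where DES is paired with SHA, including which crypto map entries reference an affected transform set. The sample configuration and the names in it (`myset`, `otherset`, `mymap`, the policy numbers) are constructed, and the script assumes the encryption and hash lines appear explicitly in the saved configuration.

```python
# Constructed sample of a saved PIX configuration; all names and numbers are made up.
SAMPLE_CONFIG = """\
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto ipsec transform-set otherset esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 set transform-set myset
crypto map mymap 20 set transform-set otherset
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 20 encryption des
isakmp policy 20 hash md5
"""

def find_des_sha(config_text):
    """Return (kind, identifier, crypto-map users) for each DES + SHA pairing."""
    transform_sets = {}   # transform-set name -> list of transforms
    map_refs = []         # (crypto map name, sequence number, transform-set name)
    policies = {}         # isakmp policy number -> {"encryption": ..., "hash": ...}
    for line in config_text.splitlines():
        words = line.split()
        if words[:3] == ["crypto", "ipsec", "transform-set"] and len(words) > 4:
            transform_sets[words[3]] = words[4:]
        elif words[:2] == ["crypto", "map"] and words[4:6] == ["set", "transform-set"]:
            map_refs += [(words[2], words[3], name) for name in words[6:]]
        elif words[:2] == ["isakmp", "policy"] and len(words) == 5:
            # Assumption: encryption and hash are written out, not left implicit.
            if words[3] in ("encryption", "hash"):
                policies.setdefault(words[2], {})[words[3]] = words[4]
    findings = []
    for name, transforms in transform_sets.items():
        if "esp-des" in transforms and "esp-sha-hmac" in transforms:
            used_by = [f"{m} {seq}" for m, seq, ref in map_refs if ref == name]
            findings.append(("transform-set", name, used_by))
    for number, settings in policies.items():
        if settings.get("encryption") == "des" and settings.get("hash") == "sha":
            findings.append(("isakmp policy", number, []))
    return findings

if __name__ == "__main__":
    for kind, ident, used_by in find_des_sha(SAMPLE_CONFIG):
        note = f" (used by crypto map {', '.join(used_by)})" if used_by else ""
        print(f"{kind} {ident}: DES with SHA{note}")
```

Run it against the saved configuration from each end of the tunnel, since post #4 notes that both ends must be changed together.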
