Pix 501 startup problem (newbie)

Discussion in 'Cisco' started by Steve, Nov 19, 2004.

  1. Steve

    Steve Guest

    I have just installed a PIX 501 at a client's site, and am trying to
    establish a VPN with a PIX 515 at another site. My problem is that
    the 501 does not appear to be even attempting to set up the VPN. I
    see absolutely NO traffic coming out of the OUTSIDE interface, and
    when I turn on the ipsec and isakmp debug - there is no output either.
    I know I am connected, because I can ping the remote pix from the 501
    console port. What simple thing have I missed? I have taken the
    config directly from Cisco's documentation.

    Thanks,
    Steve Cohn
     
    Steve, Nov 19, 2004
    #1

  2. In article <>,
    Steve <> wrote:
    :I have just installed a PIX 501 at a client's site, and am trying to
    :establish a VPN with a PIX 515 at another site. My problem is that
    :the 501 does not appear to be even attempting to set up the VPN. I
    :see absolutely NO traffic coming out of the OUTSIDE interface, and
    :when I turn on the ipsec and isakmp debug - there is no output either.
    : I know I am connected, because I can ping the remote pix from the 501
    :console port. What simple thing have I missed? I have taken the
    :config directly from Cisco's documentation.

    If you took the config *directly* from Cisco's documentation, then
    the first problem is that the IP addresses will not match the real world
    IP addresses.

    Cisco has a lot of different example configurations. It would help if you
    would post your configuration (making sure you don't leave any
    passwords in the posted version.)

    My preliminary conjecture is that you do not have the correct
    ACL for the 'match address' clause of the crypto map.
    --
    Would you buy a used bit from this man??
     
    Walter Roberson, Nov 19, 2004
    #2

  3. Steve

    Steve Guest

    -cnrc.gc.ca (Walter Roberson) wrote in message news:<cnln6h$nv1$>...
    > In article <>,
    > Steve <> wrote:
    > :I have just installed a PIX 501 at a client's site, and am trying to
    > :establish a VPN with a PIX 515 at another site. My problem is that
    > :the 501 does not appear to be even attempting to set up the VPN. I
    > :see absolutely NO traffic coming out of the OUTSIDE interface, and
    > :when I turn on the ipsec and isakmp debug - there is no output either.
    > : I know I am connected, because I can ping the remote pix from the 501
    > :console port. What simple thing have I missed? I have taken the
    > :config directly from Cisco's documentation.
    >
    > If you took the config *directly* from Cisco's documentation, then
    > the first problem is that the IP addresses will not match the real world
    > IP addresses.
    >
    > Cisco has a lot of different example configurations. It would help if you
    > would post your configuration (making sure you don't leave any
    > passwords in the posted version.)
    >
    > My preliminary conjecture is that you do not have the correct
    > ACL for the 'match address' clause of the crypto map.



    OK - here are the details:


    Warehouse - > T1 to Net to - > DSL - > Store

    First config below is warehouse, second is Store.

    The warehouse and its T1 connection have been around for years, no
    problem, can do a remote VPN in, no problem. We had a DSL line put in
    the store, and want to do a permanent VPN PIX to PIX, but I can't seem
    to get it to work.

    WAREHOUSE PIX :

    : Written by enable_15 at 09:16:47.467 CST Mon Nov 22 2004
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    hostname hmkr-pix515e
    domain-name jewishsource.com
    clock timezone CST -6
    clock summer-time CDT recurring
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    name 10.0.1.0 store-net
    name 10.0.0.1 h-01-in
    name 10.0.0.2 h-02-in
    name 10.0.0.6 h-03-in
    name 216.146.94.74 h-01-out
    name 216.146.94.76 h-02-out
    name 216.146.94.75 h-03-out
    name 10.0.0.10 h-test-in
    name 216.146.94.78 h-test-out
    access-list acl-inbound permit tcp any host h-03-out eq www
    access-list acl-inbound permit tcp any host h-03-out eq smtp
    access-list acl-inbound permit tcp any host h-03-out eq pop3
    access-list acl-inbound permit tcp any host h-03-out eq https
    access-list acl-inbound permit udp any host h-03-out eq domain
    access-list acl-inbound permit tcp any host h-03-out eq domain
    access-list acl-inbound permit tcp any host h-03-out eq ftp-data
    access-list acl-inbound permit tcp any host h-03-out eq ftp
    access-list acl-inbound permit tcp any host h-01-out eq https
    access-list acl-inbound permit tcp any host h-01-out eq ftp-data
    access-list acl-inbound permit tcp any host h-01-out eq ftp
    access-list acl-inbound permit udp any host h-01-out eq domain
    access-list acl-inbound permit tcp any host h-01-out eq domain
    access-list acl-inbound permit icmp any host h-03-out echo-reply
    access-list acl-inbound permit icmp any host h-03-out time-exceeded
    access-list acl-inbound permit icmp any host h-01-out echo-reply
    access-list acl-inbound permit icmp any host h-01-out time-exceeded
    access-list acl-inbound permit udp any host h-01-out eq 407
    access-list acl-inbound permit tcp any host h-01-out range 1417 1420
    access-list acl-inbound permit tcp any host h-01-out eq www
    access-list acl-inbound permit udp any host h-02-out eq 407
    access-list acl-inbound permit tcp any host h-02-out range 1417 1420
    access-list acl-inbound permit udp any host h-test-out eq 407
    access-list acl-inbound permit tcp any host h-test-out range 1417 1420
    access-list acl-inbound permit tcp any host h-test-out eq ftp
    access-list acl-inbound permit tcp any host h-test-out eq ftp-data
    access-list acl-inbound permit tcp any host h-test-out eq www
    access-list acl-outbound deny tcp host h-01-in any eq 69
    access-list acl-outbound deny udp host h-01-in any eq tftp
    access-list acl-outbound permit ip any any log
    access-list acl-outbound permit ip host 10.0.0.156 any
    access-list acl-outbound permit icmp any any
    access-list pptp-vpn permit ip 10.0.0.0 255.255.255.0 192.168.75.0 255.255.255.0
    access-list pptp-vpn permit ip 10.0.0.0 255.255.255.0 store-net 255.255.255.0
    access-list 90 permit ip 10.0.0.0 255.255.255.0 store-net 255.255.255.0
    pager lines 22
    logging on
    logging host inside h-03-in
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip address outside 216.146.94.77 255.255.255.248
    ip address inside 10.0.0.253 255.255.255.0
    ip address dmz 127.0.0.1 255.255.255.0
    ip verify reverse-path interface inside
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ptpvpnpool 192.168.75.1-192.168.75.100
    ip local pool storepool 10.0.0.75-10.0.0.90
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list pptp-vpn
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) h-02-out h-02-in netmask 255.255.255.255 1000 700
    static (inside,outside) h-03-out h-03-in netmask 255.255.255.255 3000 2100
    static (inside,outside) h-01-out h-01-in netmask 255.255.255.255 3000 2100
    static (inside,outside) h-test-out h-test-in netmask 255.255.255.255 1000 700
    access-group acl-inbound in interface outside
    access-group acl-outbound in interface inside
    route outside 0.0.0.0 0.0.0.0 216.146.94.73 1
    route inside store-net 255.255.255.0 10.0.0.254 2
    route inside 10.0.100.0 255.255.255.252 10.0.0.254 1
    route inside 192.168.75.0 255.255.255.0 10.0.0.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    aaa authorization command LOCAL
    ntp server 10.0.0.100 source inside
    http server enable
    http 10.0.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set strong esp-3des esp-sha-hmac
    crypto map toStore 20 ipsec-isakmp
    crypto map toStore 20 match address 90
    crypto map toStore 20 set peer 216.146.67.126
    crypto map toStore 20 set transform-set strong
    crypto map toStore interface outside
    isakmp enable outside
    isakmp key ******** address 216.146.67.126 netmask 255.255.255.255
    isakmp nat-traversal 20
    isakmp policy 9 authentication pre-share
    isakmp policy 9 encryption 3des
    isakmp policy 9 hash sha
    isakmp policy 9 group 1
    isakmp policy 9 lifetime 86400
    vpngroup STORE address-pool storepool
    vpngroup STORE idle-time 1800
    vpngroup STORE password ********
    telnet 192.168.75.0 255.255.255.0 outside
    telnet h-03-in 255.255.255.255 inside
    telnet 10.0.0.0 255.0.0.0 inside
    telnet 192.168.75.0 255.255.255.0 inside
    telnet h-03-in 255.255.255.255 dmz
    telnet timeout 10
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 10.0.0.0 255.255.255.0 inside
    ssh timeout 45
    management-access inside
    console timeout 0
    vpdn group clientpptp accept dialin pptp
    vpdn group clientpptp ppp authentication pap
    vpdn group clientpptp ppp authentication chap
    vpdn group clientpptp ppp authentication mschap
    vpdn group clientpptp ppp encryption mppe 128 required
    vpdn group clientpptp client configuration address local ptpvpnpool
    vpdn group clientpptp client configuration dns h-03-in
    vpdn group clientpptp pptp echo 60
    vpdn group clientpptp client authentication local
    vpdn group test accept dialin pptp
    vpdn group test ppp authentication pap
    vpdn group test ppp authentication chap
    vpdn group test ppp authentication mschap
    vpdn group test ppp encryption mppe 128 required
    vpdn group test client configuration address local storepool
    vpdn group test client configuration dns h-03-in
    vpdn group test client configuration wins h-03-in
    vpdn group test pptp echo 60
    vpdn group test client authentication local
    vpdn enable outside
    privilege show level 0 command version
    privilege show level 0 command curpriv
    privilege show level 3 command pdm
    privilege show level 3 command blocks
    privilege show level 3 command ssh
    privilege configure level 3 command who
    privilege show level 3 command isakmp
    privilege show level 3 command ipsec
    privilege show level 3 command vpdn
    privilege show level 3 command local-host
    privilege show level 3 command interface
    privilege show level 3 command ip
    privilege configure level 3 command ping
    privilege configure level 5 mode enable command configure
    privilege show level 5 command running-config
    privilege show level 5 command privilege
    privilege show level 5 command clock
    privilege show level 5 command ntp
    terminal width 60
    Cryptochecksum:ca3c3c87971665b6eaecfcfd5d1b0a2f

    hmkr-pix515e(config)# show ver

    Cisco PIX Firewall Version 6.3(1)
    Cisco PIX Device Manager Version 2.0(2)

    Compiled on Wed 19-Mar-03 11:49 by morlee

    hmkr-pix515e up 5 days 10 hours

    Hardware: PIX-515E, 32 MB RAM, CPU Pentium II 433 MHz
    Flash E28F128J3 @ 0x300, 16MB
    BIOS Flash AM29F400B @ 0xfffd8000, 32KB

    0: ethernet0: address is 0009.e89d.032e, irq 10
    1: ethernet1: address is 0009.e89d.032f, irq 11
    2: ethernet2: address is 0002.b336.3214, irq 5
    Licensed Features:
    Failover: Disabled
    VPN-DES: Enabled
    VPN-3DES-AES: Enabled
    Maximum Interfaces: 3
    Cut-through Proxy: Enabled
    Guards: Enabled
    URL-filtering: Enabled
    Inside Hosts: Unlimited
    Throughput: Unlimited
    IKE peers: Unlimited

    This PIX has a Restricted (R) license.

    Serial Number: 806233226 (0x300e248a)
    Running Activation Key: 0x78693c37 0x9d9480fd 0x8786de1b 0xd02dfe70
    Configuration last modified by enable_15 at 09:17:27.978 CST Mon Nov 22 2004

    hmkr-pix515e(config)#


    STORE PIX :

    pixfirewall(config)# show conf
    : Saved
    : Written by enable_15 at 11:01:16.877 UTC Mon Nov 22 2004
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname pixfirewall
    domain-name jewishsource.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 80 permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
    pager lines 22
    mtu outside 1500
    mtu inside 1500
    ip address outside 216.146.67.126 255.255.255.252
    ip address inside 10.0.1.253 255.0.0.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool remotevpn 10.0.1.50-10.0.1.75
    pdm location 10.0.0.0 255.0.0.0 outside
    pdm location 216.146.94.76 255.255.255.252 outside
    pdm location 10.0.1.0 255.255.255.128 outside
    pdm group warehouse-net outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 80
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 216.146.67.125 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 10.0.0.0 255.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set strong esp-3des esp-sha-hmac
    crypto map toWhouse 10 ipsec-isakmp
    crypto map toWhouse 10 match address 80
    crypto map toWhouse 10 set peer 216.146.94.77
    crypto map toWhouse 10 set transform-set strong
    crypto map toWhouse interface outside
    isakmp enable outside
    isakmp key ******** address 216.146.94.77 netmask 255.255.255.255
    isakmp policy 8 authentication pre-share
    isakmp policy 8 encryption 3des
    isakmp policy 8 hash sha
    isakmp policy 8 group 1
    isakmp policy 8 lifetime 86400
    telnet 10.0.0.0 255.0.0.0 outside
    telnet 216.146.94.76 255.255.255.252 outside
    telnet 10.0.1.0 255.255.255.0 outside
    telnet 10.0.0.0 255.0.0.0 inside
    telnet 10.0.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    management-access inside
    console timeout 0
    vpdn group remote accept dialin pptp
    vpdn group remote ppp authentication pap
    vpdn group remote ppp authentication chap
    vpdn group remote ppp authentication mschap
    vpdn group remote ppp encryption mppe 128 required
    vpdn group remote client configuration address local remotevpn
    vpdn group remote client configuration dns 10.0.0.6
    vpdn group remote pptp echo 60
    vpdn group remote client authentication local
    vpdn enable outside
    terminal width 80
    Cryptochecksum:24941c9dc4746595338453bfe3d9ffeb

    pixfirewall(config)# show ver

    Cisco PIX Firewall Version 6.3(3)
    Cisco PIX Device Manager Version 3.0(1)

    Compiled on Wed 13-Aug-03 13:55 by morlee

    pixfirewall up 2 days 19 hours

    Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
    Flash E28F640J3 @ 0x3000000, 8MB
    BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

    0: ethernet0: address is 0011.bb3d.bcea, irq 9
    1: ethernet1: address is 0011.bb3d.bceb, irq 10
    Licensed Features:
    Failover: Disabled
    VPN-DES: Enabled
    VPN-3DES-AES: Enabled
    Maximum Physical Interfaces: 2
    Maximum Interfaces: 2
    Cut-through Proxy: Enabled
    Guards: Enabled
    URL-filtering: Enabled
    Inside Hosts: 10
    Throughput: Unlimited
    IKE peers: 10

    This PIX has a Restricted (R) license.

    Serial Number: 808321753 (0x302e02d9)
    Running Activation Key: 0x209b6840 0x01b54239 0x2b3f9100 0xe6cc4495
    Configuration last modified by enable_15 at 11:03:21.261 UTC Mon Nov 22 2004

    pixfirewall(config)#
     
    Steve, Nov 22, 2004
    #3
  4. Steve

    PES Guest

    Steve wrote:
    > -cnrc.gc.ca (Walter Roberson) wrote in message news:<cnln6h$nv1$>...
    >
    >>In article <>,
    >>Steve <> wrote:
    >>:I have just installed a PIX 501 at a client's site, and am trying to
    >>:establish a VPN with a PIX 515 at another site. My problem is that
    >>:the 501 does not appear to be even attempting to set up the VPN. I
    >>:see absolutely NO traffic coming out of the OUTSIDE interface, and
    >>:when I turn on the ipsec and isakmp debug - there is no output either.
    >>: I know I am connected, because I can ping the remote pix from the 501
    >>:console port. What simple thing have I missed? I have taken the
    >>:config directly from Cisco's documentation.
    >>
    >>If you took the config *directly* from Cisco's documentation, then
    >>the first problem is that the IP addresses will not match the real world
    >>IP addresses.
    >>
    >>Cisco has a lot of different example configurations. It would help if you
    >>would post your configuration (making sure you don't leave any
    >>passwords in the posted version.)
    >>
    >>My preliminary conjecture is that you do not have the correct
    >>ACL for the 'match address' clause of the crypto map.

    >
    >
    >
    > OK - here are the details:
    >
    >
    > Warehouse - > T1 to Net to - > DSL - > Store
    >
    > First config below is warehouse, second is Store.
    >
    > The warehouse and its T1 connection have been around for years, no
    > problem, can do a remote VPN in, no problem. We had a DSL line put in
    > the store, and want to do a permanent VPN PIX to PIX, but I can't seem
    > to get it to work.
    >

    I think the line listed below is causing the packets to be dropped. The
    route is back into the interface you would have received the packets on.
    On a Pix this will always cause them to be dropped. If you don't have
    a 10.0.1.x behind the warehouse pix, you need to remove the following line.

    route inside store-net 255.255.255.0 10.0.0.254 2

    Now the packets should route properly. The crypto should then be
    applied and an association formed. This may not be everything, but we
    need to get the packets to the right interface so we can troubleshoot
    the vpn.

    > Cut-through Proxy: Enabled
    > Guards: Enabled
    > URL-filtering: Enabled
    > Inside Hosts: 10
    > Throughput: Unlimited
    > IKE peers: 10
    >
    > This PIX has a Restricted (R) license.
    >
    > Serial Number: 808321753 (0x302e02d9)
    > Running Activation Key: 0x209b6840 0x01b54239 0x2b3f9100 0xe6cc4495
    > Configuration last modified by enable_15 at 11:03:21.261 UTC Mon Nov
    > 22 2004
    >
    > pixfirewall(config)#



    --
    -------------------------
    Paul Stewart
    Lexnet Inc.
    Email address is in ROT13
     
    PES, Nov 22, 2004
    #4
  5. Steve

    Steve Guest

    -cnrc.gc.ca (Walter Roberson) wrote in message news:<cnln6h$nv1$>...
    > In article <>,
    > Steve <> wrote:
    > :I have just installed a PIX 501 at a client's site, and am trying to
    > :establish a VPN with a PIX 515 at another site. My problem is that
    > :the 501 does not appear to be even attempting to set up the VPN. I
    > :see absolutely NO traffic coming out of the OUTSIDE interface, and
    > :when I turn on the ipsec and isakmp debug - there is no output either.
    > : I know I am connected, because I can ping the remote pix from the 501
    > :console port. What simple thing have I missed. I have taken the
    > :confi directly from Cisco's documentation.
    >
    > If you took the config *directly* from Cisco's documentation, then
    > the first problem is that the IP addresses will not match the real world
    > IP addresses.
    >
    > Cisco has a lot of different example configurations. It would help if you
    > would post your configuration (making sure you don't leave any
    > passwords in the posted version.)
    >
    > My preliminary conjecture is that you do not have the correct
    > ACL for the 'match address' clause of the crypto map.


    OK - here are the details:


    Warehouse -> T1 to Net to -> DSL -> Store

    First config below is warehouse, second is Store.

    The warehouse and its T1 connection have been around for years, no
    problem, can do a remote VPN in, no problem. We had a DSL line put in
    the store, and want to do a permanent VPN PIX to PIX, but I can't seem
    to get it to work.

    WAREHOUSE PIX :

    : Written by enable_15 at 09:16:47.467 CST Mon Nov 22 2004
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    hostname hmkr-pix515e
    domain-name jewishsource.com
    clock timezone CST -6
    clock summer-time CDT recurring
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    name 10.0.1.0 store-net
    name 10.0.0.1 h-01-in
    name 10.0.0.2 h-02-in
    name 10.0.0.6 h-03-in
    name 216.146.94.74 h-01-out
    name 216.146.94.76 h-02-out
    name 216.146.94.75 h-03-out
    name 10.0.0.10 h-test-in
    name 216.146.94.78 h-test-out
    access-list acl-inbound permit tcp any host h-03-out eq www
    access-list acl-inbound permit tcp any host h-03-out eq smtp
    access-list acl-inbound permit tcp any host h-03-out eq pop3
    access-list acl-inbound permit tcp any host h-03-out eq https
    access-list acl-inbound permit udp any host h-03-out eq domain
    access-list acl-inbound permit tcp any host h-03-out eq domain
    access-list acl-inbound permit tcp any host h-03-out eq ftp-data
    access-list acl-inbound permit tcp any host h-03-out eq ftp
    access-list acl-inbound permit tcp any host h-01-out eq https
    access-list acl-inbound permit tcp any host h-01-out eq ftp-data
    access-list acl-inbound permit tcp any host h-01-out eq ftp
    access-list acl-inbound permit udp any host h-01-out eq domain
    access-list acl-inbound permit tcp any host h-01-out eq domain
    access-list acl-inbound permit icmp any host h-03-out echo-reply
    access-list acl-inbound permit icmp any host h-03-out time-exceeded
    access-list acl-inbound permit icmp any host h-01-out echo-reply
    access-list acl-inbound permit icmp any host h-01-out time-exceeded
    access-list acl-inbound permit udp any host h-01-out eq 407
    access-list acl-inbound permit tcp any host h-01-out range 1417 1420
    access-list acl-inbound permit tcp any host h-01-out eq www
    access-list acl-inbound permit udp any host h-02-out eq 407
    access-list acl-inbound permit tcp any host h-02-out range 1417 1420
    access-list acl-inbound permit udp any host h-test-out eq 407
    access-list acl-inbound permit tcp any host h-test-out range 1417 1420
    access-list acl-inbound permit tcp any host h-test-out eq ftp
    access-list acl-inbound permit tcp any host h-test-out eq ftp-data
    access-list acl-inbound permit tcp any host h-test-out eq www
    access-list acl-outbound deny tcp host h-01-in any eq 69
    access-list acl-outbound deny udp host h-01-in any eq tftp
    access-list acl-outbound permit ip any any log
    access-list acl-outbound permit ip host 10.0.0.156 any
    access-list acl-outbound permit icmp any any
    access-list pptp-vpn permit ip 10.0.0.0 255.255.255.0 192.168.75.0
    255.255.255.0
    access-list pptp-vpn permit ip 10.0.0.0 255.255.255.0 store-net
    255.255.255.0
    access-list 90 permit ip 10.0.0.0 255.255.255.0 store-net
    255.255.255.0
    pager lines 22
    logging on
    logging host inside h-03-in
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip address outside 216.146.94.77 255.255.255.248
    ip address inside 10.0.0.253 255.255.255.0
    ip address dmz 127.0.0.1 255.255.255.0
    ip verify reverse-path interface inside
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ptpvpnpool 192.168.75.1-192.168.75.100
    ip local pool storepool 10.0.0.75-10.0.0.90
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list pptp-vpn
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) h-02-out h-02-in netmask 255.255.255.255 1000
    700
    static (inside,outside) h-03-out h-03-in netmask 255.255.255.255 3000
    2100
    static (inside,outside) h-01-out h-01-in netmask 255.255.255.255 3000
    2100
    static (inside,outside) h-test-out h-test-in netmask 255.255.255.255
    1000 700
    access-group acl-inbound in interface outside
    access-group acl-outbound in interface inside
    route outside 0.0.0.0 0.0.0.0 216.146.94.73 1
    route inside store-net 255.255.255.0 10.0.0.254 2
    route inside 10.0.100.0 255.255.255.252 10.0.0.254 1
    route inside 192.168.75.0 255.255.255.0 10.0.0.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    aaa authorization command LOCAL
    ntp server 10.0.0.100 source inside
    http server enable
    http 10.0.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set strong esp-3des esp-sha-hmac
    crypto map toStore 20 ipsec-isakmp
    crypto map toStore 20 match address 90
    crypto map toStore 20 set peer 216.146.67.126
    crypto map toStore 20 set transform-set strong
    crypto map toStore interface outside
    isakmp enable outside
    isakmp key ******** address 216.146.67.126 netmask 255.255.255.255
    isakmp nat-traversal 20
    isakmp policy 9 authentication pre-share
    isakmp policy 9 encryption 3des
    isakmp policy 9 hash sha
    isakmp policy 9 group 1
    isakmp policy 9 lifetime 86400
    vpngroup STORE address-pool storepool
    vpngroup STORE idle-time 1800
    vpngroup STORE password ********
    telnet 192.168.75.0 255.255.255.0 outside
    telnet h-03-in 255.255.255.255 inside
    telnet 10.0.0.0 255.0.0.0 inside
    telnet 192.168.75.0 255.255.255.0 inside
    telnet h-03-in 255.255.255.255 dmz
    telnet timeout 10
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 10.0.0.0 255.255.255.0 inside
    ssh timeout 45
    management-access inside
    console timeout 0
    vpdn group clientpptp accept dialin pptp
    vpdn group clientpptp ppp authentication pap
    vpdn group clientpptp ppp authentication chap
    vpdn group clientpptp ppp authentication mschap
    vpdn group clientpptp ppp encryption mppe 128 required
    vpdn group clientpptp client configuration address local ptpvpnpool
    vpdn group clientpptp client configuration dns h-03-in
    vpdn group clientpptp pptp echo 60
    vpdn group clientpptp client authentication local
    vpdn group test accept dialin pptp
    vpdn group test ppp authentication pap
    vpdn group test ppp authentication chap
    vpdn group test ppp authentication mschap
    vpdn group test ppp encryption mppe 128 required
    vpdn group test client configuration address local storepool
    vpdn group test client configuration dns h-03-in
    vpdn group test client configuration wins h-03-in
    vpdn group test pptp echo 60
    vpdn group test client authentication local
    vpdn enable outside
    privilege show level 0 command version
    privilege show level 0 command curpriv
    privilege show level 3 command pdm
    privilege show level 3 command blocks
    privilege show level 3 command ssh
    privilege configure level 3 command who
    privilege show level 3 command isakmp
    privilege show level 3 command ipsec
    privilege show level 3 command vpdn
    privilege show level 3 command local-host
    privilege show level 3 command interface
    privilege show level 3 command ip
    privilege configure level 3 command ping
    privilege configure level 5 mode enable command configure
    privilege show level 5 command running-config
    privilege show level 5 command privilege
    privilege show level 5 command clock
    privilege show level 5 command ntp
    terminal width 60
    Cryptochecksum:ca3c3c87971665b6eaecfcfd5d1b0a2f

    hmkr-pix515e(config)# show ver

    Cisco PIX Firewall Version 6.3(1)
    Cisco PIX Device Manager Version 2.0(2)

    Compiled on Wed 19-Mar-03 11:49 by morlee

    hmkr-pix515e up 5 days 10 hours

    Hardware: PIX-515E, 32 MB RAM, CPU Pentium II 433 MHz
    Flash E28F128J3 @ 0x300, 16MB
    BIOS Flash AM29F400B @ 0xfffd8000, 32KB

    0: ethernet0: address is 0009.e89d.032e, irq 10
    1: ethernet1: address is 0009.e89d.032f, irq 11
    2: ethernet2: address is 0002.b336.3214, irq 5
    Licensed Features:
    Failover: Disabled
    VPN-DES: Enabled
    VPN-3DES-AES: Enabled
    Maximum Interfaces: 3
    Cut-through Proxy: Enabled
    Guards: Enabled
    URL-filtering: Enabled
    Inside Hosts: Unlimited
    Throughput: Unlimited
    IKE peers: Unlimited

    This PIX has a Restricted (R) license.

    Serial Number: 806233226 (0x300e248a)
    Running Activation Key: 0x78693c37 0x9d9480fd 0x8786de1b 0xd02dfe70
    Configuration last modified by enable_15 at 09:17:27.978 CST Mon Nov
    22 2004

    hmkr-pix515e(config)#


    STORE PIX :

    pixfirewall(config)# show conf
    : Saved
    : Written by enable_15 at 11:01:16.877 UTC Mon Nov 22 2004
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname pixfirewall
    domain-name jewishsource.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 80 permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
    pager lines 22
    mtu outside 1500
    mtu inside 1500
    ip address outside 216.146.67.126 255.255.255.252
    ip address inside 10.0.1.253 255.0.0.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool remotevpn 10.0.1.50-10.0.1.75
    pdm location 10.0.0.0 255.0.0.0 outside
    pdm location 216.146.94.76 255.255.255.252 outside
    pdm location 10.0.1.0 255.255.255.128 outside
    pdm group warehouse-net outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 80
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 216.146.67.125 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 10.0.0.0 255.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set strong esp-3des esp-sha-hmac
    crypto map toWhouse 10 ipsec-isakmp
    crypto map toWhouse 10 match address 80
    crypto map toWhouse 10 set peer 216.146.94.77
    crypto map toWhouse 10 set transform-set strong
    crypto map toWhouse interface outside
    isakmp enable outside
    isakmp key ******** address 216.146.94.77 netmask 255.255.255.255
    isakmp policy 8 authentication pre-share
    isakmp policy 8 encryption 3des
    isakmp policy 8 hash sha
    isakmp policy 8 group 1
    isakmp policy 8 lifetime 86400
    telnet 10.0.0.0 255.0.0.0 outside
    telnet 216.146.94.76 255.255.255.252 outside
    telnet 10.0.1.0 255.255.255.0 outside
    telnet 10.0.0.0 255.0.0.0 inside
    telnet 10.0.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    management-access inside
    console timeout 0
    vpdn group remote accept dialin pptp
    vpdn group remote ppp authentication pap
    vpdn group remote ppp authentication chap
    vpdn group remote ppp authentication mschap
    vpdn group remote ppp encryption mppe 128 required
    vpdn group remote client configuration address local remotevpn
    vpdn group remote client configuration dns 10.0.0.6
    vpdn group remote pptp echo 60
    vpdn group remote client authentication local
    vpdn enable outside
    terminal width 80
    Cryptochecksum:24941c9dc4746595338453bfe3d9ffeb

    pixfirewall(config)# show ver

    Cisco PIX Firewall Version 6.3(3)
    Cisco PIX Device Manager Version 3.0(1)

    Compiled on Wed 13-Aug-03 13:55 by morlee

    pixfirewall up 2 days 19 hours

    Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
    Flash E28F640J3 @ 0x3000000, 8MB
    BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

    0: ethernet0: address is 0011.bb3d.bcea, irq 9
    1: ethernet1: address is 0011.bb3d.bceb, irq 10
    Licensed Features:
    Failover: Disabled
    VPN-DES: Enabled
    VPN-3DES-AES: Enabled
    Maximum Physical Interfaces: 2
    Maximum Interfaces: 2
    Cut-through Proxy: Enabled
    Guards: Enabled
    URL-filtering: Enabled
    Inside Hosts: 10
    Throughput: Unlimited
    IKE peers: 10

    This PIX has a Restricted (R) license.

    Serial Number: 808321753 (0x302e02d9)
    Running Activation Key: 0x209b6840 0x01b54239 0x2b3f9100 0xe6cc4495
    Configuration last modified by enable_15 at 11:03:21.261 UTC Mon Nov
    22 2004

    pixfirewall(config)#
     
    Steve, Nov 23, 2004
    #5
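    As an added example (my own, not code from any poster in this thread and not Cisco's), here is a small Python model of the three rules this thread turns on: a PIX routes by longest-prefix match over its connected and static routes; a packet whose best route points back out the interface it arrived on is dropped, which is PES's point about the `route inside store-net` line; and ISAKMP/IPsec is only triggered by a packet that actually leaves the interface the crypto map is bound to and matches the map's `match address` ACL, which is Walter's point. The route tables and crypto ACLs are transcribed from the two configs posted above; the "fixed" warehouse table is what PES's suggestion yields. The host addresses and the 198.51.100.7 destination used in the demonstration are constructed, and the model is a simplification of the real PIX 6.x forwarding path (no NAT, no interface ACLs).

```python
"""Model of what a PIX 6.x does with a packet before any crypto map applies.

Added example for this thread, not code from any poster or from Cisco.
Rules encoded:
  1. routing is longest-prefix match over connected plus static routes;
  2. a packet routed back out the interface it arrived on is dropped;
  3. ISAKMP/IPsec is only triggered by traffic that leaves the interface
     the crypto map is bound to AND matches its 'match address' ACL.
Route tables and ACLs are transcribed from the two configs posted above.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    iface: str


def connected(ip_with_mask, iface):
    """Connected route implied by 'ip address <iface> <ip> <mask>'."""
    return Route(IPv4Network(ip_with_mask, strict=False), iface)


def static(prefix, iface):
    """Route implied by 'route <iface> <net> <mask> <gateway> <metric>'."""
    return Route(IPv4Network(prefix), iface)


# Warehouse PIX 515E: 'ip address' and 'route' lines from the posted config.
WAREHOUSE_ROUTES = [
    connected("216.146.94.77/255.255.255.248", "outside"),
    connected("10.0.0.253/255.255.255.0", "inside"),
    static("0.0.0.0/0", "outside"),
    static("10.0.1.0/24", "inside"),  # route inside store-net 255.255.255.0 10.0.0.254 2
    static("10.0.100.0/30", "inside"),
    static("192.168.75.0/24", "inside"),
]
# access-list 90 permit ip 10.0.0.0 255.255.255.0 store-net 255.255.255.0
WAREHOUSE_ACL90 = [(IPv4Network("10.0.0.0/24"), IPv4Network("10.0.1.0/24"))]

# Store PIX 501, from the posted config (the inside address carries a /8 mask).
STORE_ROUTES = [
    connected("216.146.67.126/255.255.255.252", "outside"),
    connected("10.0.1.253/255.0.0.0", "inside"),
    static("0.0.0.0/0", "outside"),
]
# access-list 80 permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
STORE_ACL80 = [(IPv4Network("10.0.1.0/24"), IPv4Network("10.0.0.0/24"))]


def lookup(table, dst):
    """Longest-prefix match; returns the egress interface name, or None."""
    dst = IPv4Address(dst)
    best = None
    for route in table:
        if dst in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best.iface if best else None


def acl_permits(acl, src, dst):
    """True if some (src_net, dst_net) permit entry covers the address pair."""
    s, d = IPv4Address(src), IPv4Address(dst)
    return any(s in sn and d in dn for sn, dn in acl)


def classify(table, crypto_iface, crypto_acl, in_iface, src, dst):
    """Fate of a packet that arrived on in_iface: (decision, egress).

    'drop'      no route, or routed back out the ingress interface;
    'ipsec'     leaves the crypto interface and matches the crypto ACL, so the
                PIX would initiate ISAKMP if no SA exists yet;
    'cleartext' leaves some interface without touching the crypto map.
    """
    egress = lookup(table, dst)
    if egress is None or egress == in_iface:
        return ("drop", egress)
    if egress == crypto_iface and acl_permits(crypto_acl, src, dst):
        return ("ipsec", egress)
    return ("cleartext", egress)


def without_route(table, prefix):
    """The table after 'no route ...' for the given prefix (PES's suggestion)."""
    net = IPv4Network(prefix)
    return [r for r in table if r.prefix != net]


def acls_mirror(local_acl, remote_acl):
    """True if the two crypto ACLs are exact mirror images, as both peers require."""
    return {(s, d) for s, d in local_acl} == {(d, s) for s, d in remote_acl}


if __name__ == "__main__":
    fixed = without_route(WAREHOUSE_ROUTES, "10.0.1.0/24")
    for label, table in (("as posted", WAREHOUSE_ROUTES), ("route removed", fixed)):
        print("warehouse", label, classify(table, "outside", WAREHOUSE_ACL90, "inside", "10.0.0.6", "10.0.1.10"))
    print("store as posted", classify(STORE_ROUTES, "outside", STORE_ACL80, "inside", "10.0.1.10", "10.0.0.6"))
    print("crypto ACLs mirror:", acls_mirror(WAREHOUSE_ACL90, STORE_ACL80))
```

    Running it answers the "what makes the PIX try" question in general terms: either peer initiates, namely whichever PIX first forwards a packet out its crypto-map interface that matches its own crypto ACL; the other side only needs a matching ISAKMP policy, the same transform set and a mirrored ACL to respond. If neither box ever gets such a packet to its outside interface, no ISAKMP packet is sent and the isakmp/ipsec debugs stay silent. For the warehouse the model drops store-bound traffic back out inside until the `route inside store-net` line is removed, as PES says. Applied to the store config as posted, the same rule sends 10.0.0.x traffic back out inside because of the 255.0.0.0 mask on `ip address inside`; that is only what the model yields from the posted lines, so check the real device's route table (`show route`) before changing anything.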
  6. Steve

    Steve Guest

    PES - This may be part of it (it is there currently because there is
    a leased line connection to the store currently that I am replacing),
    but how does this explain why the STORE PIX does not even SEND any
    packets out to try to establish the Crypto SA? I guess my basic
    question is - what is it that actually causes the PIX to try to
    establish the SAs? And which PIX will start it - or do they both try?

    Steve

    PES <> wrote in message news:<41a23ced$>...
    > Steve wrote:
    > > -cnrc.gc.ca (Walter Roberson) wrote in message news:<cnln6h$nv1$>...
    > >
    > >>In article <>,
    > >>Steve <> wrote:
    > >>:I have just installed a PIX 501 at a client's site, and am trying to
    > >>:establish a VPN with a PIX 515 at another site. My problem is that
    > >>:the 501 does not appear to be even attempting to set up the VPN. I
    > >>:see absolutely NO traffic coming out of the OUTSIDE interface, and
    > >>:when I turn on the ipsec and isakmp debug - there is no output either.
    > >>: I know I am connected, because I can ping the remote pix from the 501
    > >>:console port. What simple thing have I missed. I have taken the
    > >>:confi directly from Cisco's documentation.
    > >>
    > >>If you took the config *directly* from Cisco's documentation, then
    > >>the first problem is that the IP addresses will not match the real world
    > >>IP addresses.
    > >>
    > >>Cisco has a lot of different example configurations. It would help if you
    > >>would post your configuration (making sure you don't leave any
    > >>passwords in the posted version.)
    > >>
    > >>My preliminary conjecture is that you do not have the correct
    > >>ACL for the 'match address' clause of the crypto map.

    > >
    > >
    > >
    > > OK - here are the details:
    > >
    > >
    > > Warehouse -> T1 to Net to -> DSL -> Store
    > >
    > > First config below is warehouse, second is Store.
    > >
    > > The warehouse and its T1 connection have been around for years, no
    > > problem, can do a remote VPN in, no problem. We had a DSL line put in
    > > the store, and want to do a permanent VPN PIX to PIX, but I can't seem
    > > to get it to work.
    > >

    > I think the line listed below is causing the packets to be dropped. The
    > route is back into the interface you would have received the packets on.
    > On a Pix this will always cause them to be dropped. If you don't have
    > a 10.0.1.x behind the warehouse pix, you need to remove the following line.
    >
    > route inside store-net 255.255.255.0 10.0.0.254 2
    >
    > Now the packets should route properly. The crypto should then be
    > applied and an association formed. This may not be everything, but we
    > need to get the packets to the right interface so we can troubleshoot
    > the vpn.
    >
    > > WAREHOUSE PIX :
    > >
    > > : Written by enable_15 at 09:16:47.467 CST Mon Nov 22 2004
    > > PIX Version 6.3(1)
    > > interface ethernet0 auto
    > > interface ethernet1 auto
    > > interface ethernet2 auto
    > > nameif ethernet0 outside security0
    > > nameif ethernet1 inside security100
    > > nameif ethernet2 dmz security50
    > > hostname hmkr-pix515e
    > > domain-name jewishsource.com
    > > clock timezone CST -6
    > > clock summer-time CDT recurring
    > > fixup protocol ftp 21
    > > fixup protocol h323 h225 1720
    > > fixup protocol h323 ras 1718-1719
    > > fixup protocol http 80
    > > fixup protocol ils 389
    > > fixup protocol rsh 514
    > > fixup protocol rtsp 554
    > > fixup protocol sip 5060
    > > fixup protocol sip udp 5060
    > > fixup protocol skinny 2000
    > > fixup protocol smtp 25
    > > fixup protocol sqlnet 1521
    > > names
    > > name 10.0.1.0 store-net
    > > name 10.0.0.1 h-01-in
    > > name 10.0.0.2 h-02-in
    > > name 10.0.0.6 h-03-in
    > > name 216.146.94.74 h-01-out
    > > name 216.146.94.76 h-02-out
    > > name 216.146.94.75 h-03-out
    > > name 10.0.0.10 h-test-in
    > > name 216.146.94.78 h-test-out
    > > access-list acl-inbound permit tcp any host h-03-out eq www
    > > access-list acl-inbound permit tcp any host h-03-out eq smtp
    > > access-list acl-inbound permit tcp any host h-03-out eq pop3
    > > access-list acl-inbound permit tcp any host h-03-out eq https
    > > access-list acl-inbound permit udp any host h-03-out eq domain
    > > access-list acl-inbound permit tcp any host h-03-out eq domain
    > > access-list acl-inbound permit tcp any host h-03-out eq ftp-data
    > > access-list acl-inbound permit tcp any host h-03-out eq ftp
    > > access-list acl-inbound permit tcp any host h-01-out eq https
    > > access-list acl-inbound permit tcp any host h-01-out eq ftp-data
    > > access-list acl-inbound permit tcp any host h-01-out eq ftp
    > > access-list acl-inbound permit udp any host h-01-out eq domain
    > > access-list acl-inbound permit tcp any host h-01-out eq domain
    > > access-list acl-inbound permit icmp any host h-03-out echo-reply
    > > access-list acl-inbound permit icmp any host h-03-out time-exceeded
    > > access-list acl-inbound permit icmp any host h-01-out echo-reply
    > > access-list acl-inbound permit icmp any host h-01-out time-exceeded
    > > access-list acl-inbound permit udp any host h-01-out eq 407
    > > access-list acl-inbound permit tcp any host h-01-out range 1417 1420
    > > access-list acl-inbound permit tcp any host h-01-out eq www
    > > access-list acl-inbound permit udp any host h-02-out eq 407
    > > access-list acl-inbound permit tcp any host h-02-out range 1417 1420
    > > access-list acl-inbound permit udp any host h-test-out eq 407
    > > access-list acl-inbound permit tcp any host h-test-out range 1417 1420
    > > access-list acl-inbound permit tcp any host h-test-out eq ftp
    > > access-list acl-inbound permit tcp any host h-test-out eq ftp-data
    > > access-list acl-inbound permit tcp any host h-test-out eq www
    > > access-list acl-outbound deny tcp host h-01-in any eq 69
    > > access-list acl-outbound deny udp host h-01-in any eq tftp
    > > access-list acl-outbound permit ip any any log
    > > access-list acl-outbound permit ip host 10.0.0.156 any
    > > access-list acl-outbound permit icmp any any
    > > access-list pptp-vpn permit ip 10.0.0.0 255.255.255.0 192.168.75.0
    > > 255.255.255.0
    > > access-list pptp-vpn permit ip 10.0.0.0 255.255.255.0 store-net
    > > 255.255.255.0
    > > access-list 90 permit ip 10.0.0.0 255.255.255.0 store-net
    > > 255.255.255.0
    > > pager lines 22
    > > logging on
    > > logging host inside h-03-in
    > > mtu outside 1500
    > > mtu inside 1500
    > > mtu dmz 1500
    > > ip address outside 216.146.94.77 255.255.255.248
    > > ip address inside 10.0.0.253 255.255.255.0
    > > ip address dmz 127.0.0.1 255.255.255.0
    > > ip verify reverse-path interface inside
    > > ip audit info action alarm
    > > ip audit attack action alarm
    > > ip local pool ptpvpnpool 192.168.75.1-192.168.75.100
    > > ip local pool storepool 10.0.0.75-10.0.0.90
    > > pdm history enable
    > > arp timeout 14400
    > > global (outside) 1 interface
    > > nat (inside) 0 access-list pptp-vpn
    > > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > > static (inside,outside) h-02-out h-02-in netmask 255.255.255.255 1000
    > > 700
    > > static (inside,outside) h-03-out h-03-in netmask 255.255.255.255 3000
    > > 2100
    > > static (inside,outside) h-01-out h-01-in netmask 255.255.255.255 3000
    > > 2100
    > > static (inside,outside) h-test-out h-test-in netmask 255.255.255.255
    > > 1000 700
    > > access-group acl-inbound in interface outside
    > > access-group acl-outbound in interface inside
    > > route outside 0.0.0.0 0.0.0.0 216.146.94.73 1
    > > route inside store-net 255.255.255.0 10.0.0.254 2
    > > route inside 10.0.100.0 255.255.255.252 10.0.0.254 1
    > > route inside 192.168.75.0 255.255.255.0 10.0.0.254 1
    > > timeout xlate 3:00:00
    > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    > > 1:00:00
    > > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    > > timeout uauth 0:05:00 absolute
    > > aaa-server TACACS+ protocol tacacs+
    > > aaa-server RADIUS protocol radius
    > > aaa-server LOCAL protocol local
    > > aaa authentication ssh console LOCAL
    > > aaa authorization command LOCAL
    > > ntp server 10.0.0.100 source inside
    > > http server enable
    > > http 10.0.0.0 255.255.255.0 inside
    > > no snmp-server location
    > > no snmp-server contact
    > > snmp-server community public
    > > no snmp-server enable traps
    > > floodguard enable
    > > sysopt connection permit-ipsec
    > > sysopt connection permit-pptp
    > > crypto ipsec transform-set strong esp-3des esp-sha-hmac
    > > crypto map toStore 20 ipsec-isakmp
    > > crypto map toStore 20 match address 90
    > > crypto map toStore 20 set peer 216.146.67.126
    > > crypto map toStore 20 set transform-set strong
    > > crypto map toStore interface outside
    > > isakmp enable outside
    > > isakmp key ******** address 216.146.67.126 netmask 255.255.255.255
    > > isakmp nat-traversal 20
    > > isakmp policy 9 authentication pre-share
    > > isakmp policy 9 encryption 3des
    > > isakmp policy 9 hash sha
    > > isakmp policy 9 group 1
    > > isakmp policy 9 lifetime 86400
    > > vpngroup STORE address-pool storepool
    > > vpngroup STORE idle-time 1800
    > > vpngroup STORE password ********
    > > telnet 192.168.75.0 255.255.255.0 outside
    > > telnet h-03-in 255.255.255.255 inside
    > > telnet 10.0.0.0 255.0.0.0 inside
    > > telnet 192.168.75.0 255.255.255.0 inside
    > > telnet h-03-in 255.255.255.255 dmz
    > > telnet timeout 10
    > > ssh 0.0.0.0 0.0.0.0 outside
    > > ssh 10.0.0.0 255.255.255.0 inside
    > > ssh timeout 45
    > > management-access inside
    > > console timeout 0
    > > vpdn group clientpptp accept dialin pptp
    > > vpdn group clientpptp ppp authentication pap
    > > vpdn group clientpptp ppp authentication chap
    > > vpdn group clientpptp ppp authentication mschap
    > > vpdn group clientpptp ppp encryption mppe 128 required
    > > vpdn group clientpptp client configuration address local ptpvpnpool
    > > vpdn group clientpptp client configuration dns h-03-in
    > > vpdn group clientpptp pptp echo 60
    > > vpdn group clientpptp client authentication local
    > > vpdn group test accept dialin pptp
    > > vpdn group test ppp authentication pap
    > > vpdn group test ppp authentication chap
    > > vpdn group test ppp authentication mschap
    > > vpdn group test ppp encryption mppe 128 required
    > > vpdn group test client configuration address local storepool
    > > vpdn group test client configuration dns h-03-in
    > > vpdn group test client configuration wins h-03-in
    > > vpdn group test pptp echo 60
    > > vpdn group test client authentication local
    > > vpdn enable outside
    > > privilege show level 0 command version
    > > privilege show level 0 command curpriv
    > > privilege show level 3 command pdm
    > > privilege show level 3 command blocks
    > > privilege show level 3 command ssh
    > > privilege configure level 3 command who
    > > privilege show level 3 command isakmp
    > > privilege show level 3 command ipsec
    > > privilege show level 3 command vpdn
    > > privilege show level 3 command local-host
    > > privilege show level 3 command interface
    > > privilege show level 3 command ip
    > > privilege configure level 3 command ping
    > > privilege configure level 5 mode enable command configure
    > > privilege show level 5 command running-config
    > > privilege show level 5 command privilege
    > > privilege show level 5 command clock
    > > privilege show level 5 command ntp
    > > terminal width 60
    > > Cryptochecksum:ca3c3c87971665b6eaecfcfd5d1b0a2f
    > >
    > > hmkr-pix515e(config)# show ver
    > >
    > > Cisco PIX Firewall Version 6.3(1)
    > > Cisco PIX Device Manager Version 2.0(2)
    > >
    > > Compiled on Wed 19-Mar-03 11:49 by morlee
    > >
    > > hmkr-pix515e up 5 days 10 hours
    > >
    > > Hardware: PIX-515E, 32 MB RAM, CPU Pentium II 433 MHz
    > > Flash E28F128J3 @ 0x300, 16MB
    > > BIOS Flash AM29F400B @ 0xfffd8000, 32KB
    > >
    > > 0: ethernet0: address is 0009.e89d.032e, irq 10
    > > 1: ethernet1: address is 0009.e89d.032f, irq 11
    > > 2: ethernet2: address is 0002.b336.3214, irq 5
    > > Licensed Features:
    > > Failover: Disabled
    > > VPN-DES: Enabled
    > > VPN-3DES-AES: Enabled
    > > Maximum Interfaces: 3
    > > Cut-through Proxy: Enabled
    > > Guards: Enabled
    > > URL-filtering: Enabled
    > > Inside Hosts: Unlimited
    > > Throughput: Unlimited
    > > IKE peers: Unlimited
    > >
    > > This PIX has a Restricted (R) license.
    > >
    > > Serial Number: 806233226 (0x300e248a)
    > > Running Activation Key: 0x78693c37 0x9d9480fd 0x8786de1b 0xd02dfe70
    > > Configuration last modified by enable_15 at 09:17:27.978 CST Mon Nov
    > > 22 2004
    > >
    > > hmkr-pix515e(config)#
    > >
    > >
    > > STORE PIX :
    > >
    > > pixfirewall(config)# show conf
    > > : Saved
    > > : Written by enable_15 at 11:01:16.877 UTC Mon Nov 22 2004
    > > PIX Version 6.3(3)
    > > interface ethernet0 auto
    > > interface ethernet1 100full
    > > nameif ethernet0 outside security0
    > > nameif ethernet1 inside security100
    > > hostname pixfirewall
    > > domain-name jewishsource.com
    > > fixup protocol dns maximum-length 512
    > > fixup protocol ftp 21
    > > fixup protocol h323 h225 1720
    > > fixup protocol h323 ras 1718-1719
    > > fixup protocol http 80
    > > fixup protocol rsh 514
    > > fixup protocol rtsp 554
    > > fixup protocol sip 5060
    > > fixup protocol sip udp 5060
    > > fixup protocol skinny 2000
    > > fixup protocol smtp 25
    > > fixup protocol sqlnet 1521
    > > fixup protocol tftp 69
    > > names
    > > access-list 80 permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
    > > pager lines 22
    > > mtu outside 1500
    > > mtu inside 1500
    > > ip address outside 216.146.67.126 255.255.255.252
    > > ip address inside 10.0.1.253 255.0.0.0
    > > ip audit info action alarm
    > > ip audit attack action alarm
    > > ip local pool remotevpn 10.0.1.50-10.0.1.75
    > > pdm location 10.0.0.0 255.0.0.0 outside
    > > pdm location 216.146.94.76 255.255.255.252 outside
    > > pdm location 10.0.1.0 255.255.255.128 outside
    > > pdm group warehouse-net outside
    > > pdm logging informational 100
    > > pdm history enable
    > > arp timeout 14400
    > > global (outside) 1 interface
    > > nat (inside) 0 access-list 80
    > > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > > route outside 0.0.0.0 0.0.0.0 216.146.67.125 1
    > > timeout xlate 0:05:00
    > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    > > 1:00:00
    > > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    > > timeout uauth 0:05:00 absolute
    > > aaa-server TACACS+ protocol tacacs+
    > > aaa-server RADIUS protocol radius
    > > aaa-server LOCAL protocol local
    > > http server enable
    > > http 10.0.0.0 255.0.0.0 inside
    > > no snmp-server location
    > > no snmp-server contact
    > > snmp-server community public
    > > no snmp-server enable traps
    > > floodguard enable
    > > sysopt connection permit-ipsec
    > > sysopt connection permit-pptp
    > > crypto ipsec transform-set strong esp-3des esp-sha-hmac
    > > crypto map toWhouse 10 ipsec-isakmp
    > > crypto map toWhouse 10 match address 80
    > > crypto map toWhouse 10 set peer 216.146.94.77
    > > crypto map toWhouse 10 set transform-set strong
    > > crypto map toWhouse interface outside
    > > isakmp enable outside
    > > isakmp key ******** address 216.146.94.77 netmask 255.255.255.255
    > > isakmp policy 8 authentication pre-share
    > > isakmp policy 8 encryption 3des
    > > isakmp policy 8 hash sha
    > > isakmp policy 8 group 1
    > > isakmp policy 8 lifetime 86400
    > > telnet 10.0.0.0 255.0.0.0 outside
    > > telnet 216.146.94.76 255.255.255.252 outside
    > > telnet 10.0.1.0 255.255.255.0 outside
    > > telnet 10.0.0.0 255.0.0.0 inside
    > > telnet 10.0.1.0 255.255.255.0 inside
    > > telnet timeout 5
    > > ssh timeout 5
    > > management-access inside
    > > console timeout 0
    > > vpdn group remote accept dialin pptp
    > > vpdn group remote ppp authentication pap
    > > vpdn group remote ppp authentication chap
    > > vpdn group remote ppp authentication mschap
    > > vpdn group remote ppp encryption mppe 128 required
    > > vpdn group remote client configuration address local remotevpn
    > > vpdn group remote client configuration dns 10.0.0.6
    > > vpdn group remote pptp echo 60
    > > vpdn group remote client authentication local
    > > vpdn enable outside
    > > terminal width 80
    > > Cryptochecksum:24941c9dc4746595338453bfe3d9ffeb
    > >
    > > pixfirewall(config)# show ver
    > >
    > > Cisco PIX Firewall Version 6.3(3)
    > > Cisco PIX Device Manager Version 3.0(1)
    > >
    > > Compiled on Wed 13-Aug-03 13:55 by morlee
    > >
    > > pixfirewall up 2 days 19 hours
    > >
    > > Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
    > > Flash E28F640J3 @ 0x3000000, 8MB
    > > BIOS Flash E28F640J3 @ 0xfffd8000, 128KB
    > >
    > > 0: ethernet0: address is 0011.bb3d.bcea, irq 9
    > > 1: ethernet1: address is 0011.bb3d.bceb, irq 10
    > > Licensed Features:
    > > Failover: Disabled
    > > VPN-DES: Enabled
    > > VPN-3DES-AES: Enabled
    > > Maximum Physical Interfaces: 2
    > > Maximum Interfaces: 2
    > > Cut-through Proxy: Enabled
    > > Guards: Enabled
    > > URL-filtering: Enabled
    > > Inside Hosts: 10
    > > Throughput: Unlimited
    > > IKE peers: 10
    > >
    > > This PIX has a Restricted (R) license.
    > >
    > > Serial Number: 808321753 (0x302e02d9)
    > > Running Activation Key: 0x209b6840 0x01b54239 0x2b3f9100 0xe6cc4495
    > > Configuration last modified by enable_15 at 11:03:21.261 UTC Mon Nov
    > > 22 2004
    > >
    > > pixfirewall(config)#
     
    Steve, Nov 23, 2004
    #6
  7. Steve

    PES Guest

    Steve wrote:
    > PES - This may be part of it, (it is there currently because there is
    > a leased line connection to the store currently that I am replacing),
    > but how does this explain why the STORE Pix does not even SEND any
    > packets out to try to establish the Crypto SA?


    The pix must first have a route that matches the packet. In most cases
    it is the default gateway or 0 route. As a packet is handled by the
    interface (in most cases the outside), the parameters are applied based
    on the crypto map. At that point, an established tunnel will be used.
    If no tunnel is in place, but the packet matches a crypto policy, an
    attempt for establishment will be made. If one cannot be made the
    transmission will be lost and the next packet will restart the operation.

    > I guess my basic
    > question is - what is it that actually causes the PIX to try to
    > establish the SAs?


    A packet matching a crypto policy leaving an interface with that
    associated crypto policy.

    > And which PIX will start it - or do they both try?
    >


    The pix with the first packet going through it. Neither will try on
    their own. Either will try if they have a packet flowing through the
    correct interface that matches a crypto acl.

    <SNIP>




    --
    -------------------------
    Paul Stewart
    Lexnet Inc.
    Email address is in ROT13
     
    PES, Nov 23, 2004
    #7
  8. In article <41a3398f$>, PES <> wrote:
    :Steve wrote:
    :> And which PIX will start it - or do they both try?


    :The pix with the first packet going through it. Neither will try on
    :their own. Either will try if they have a packet flowing through the
    :correct interface that matches a crypto acl.

    Given the context, it might be worth mentioning crypto dynamic maps.

    A PIX which has been set up with a pure [and complete] crypto map
    entry will attempt to contact its peer when there is traffic matching
    the 'match address' acl (default if there is no "match address" is
    to try to send *all* traffic over the VPN.)

    A PIX can also be set up with a "dynamic" crypto map configuration,
    which consists of at least one 'crypto dynamic-map' entry that
    is imported into a normal 'crypto map'. When a dynamic map is
    configured, typically no 'set peer' clause would appear, and often
    no 'match address' clause appears either. Dynamic map entries never
    attempt to start a new connection when there is "interesting" traffic,
    but they will use an existing SA if it has already been built. The SA
    would be built by the other side contacting the device that has
    been configured for a dynamic map.

    For example, I want a site-to-site VPN between my house and my
    workplace. I cannot configure a 'set peer' on the PIX at my
    workplace because my IP at home changes at least once a week,
    at times that are basically unpredictable (the provider doesn't
    even seem to wait for a pppoe lease to expire.) I can, though,
    configure a 'set peer' on the PIX at home, because the IP address
    of my workplace is static. To handle this situation, I configure
    a regular "crypto map" setup at home, but at work I create a
    crypto dynamic-map, which sets out the transforms for the connection
    and leaves the endpoint address unspecified. Work cannot start a new
    connection to my home because it wouldn't know the current IP, but
    work will happily talk to the device at home for days once the device
    at my home has connected to work upon the device at home detecting
    that it had interesting traffic to send in.


    If you are in a situation where you don't know the IP address of
    the remote end ahead of time, and you must be able to initiate
    connections towards that remote device, then either "Don't DO that!" ;-)
    or else find some out-of-band method of signalling the remote end
    to start a connection back.

    [Back when I used dialup from home, I set the idle time fairly short,
    about 2 minutes, but I had a cron job that fired about every 1/2 hour
    that would trigger a dialup to work by requesting a ping with 10
    packets. If I was at work and I needed to fetch something from home,
    I would start a continuous ping at work targeting the host at
    home; when the regular crontab firing at home caused home to
    connect to work, the continuous ping going on from work would be
    enough traffic to keep the dialup connection going until I got around
    to doing whatever I needed to over the link and killing the ping.]
    --
    Come to think of it, there are already a million monkeys on a million
    typewriters, and Usenet is NOTHING like Shakespeare. -- Blair Houghton.
     
    Walter Roberson, Nov 23, 2004
    #8
  9. Steve

    Steve Guest

    Peter/Walter - everything that the 2 of you said makes perfect sense, but I
    am still stuck. Here is what I did. I changed the STORE pix to be on
    subnet 10.0.2.x (inside address 10.0.2.253), and hooked up a pc to it at
    10.0.2.10. I then changed the relevant access-list entries and still no go.
    I configured the PC to use 10.0.2.253 as its gateway. It has 10.0.0.6 as
    its DNS, so any net access should cause it to do a DNS lookup, which is on
    the warehouse side, so my assumption is that this should start up the
    tunnel - but it does not appear to do so. Also, I have tried to access the
    10.0.2.10 PC from the warehouse. Here are the relevant lines from the
    Warehouse PIX:
    <snip>
    name 10.0.2.0 store-net2
    <snip>
    access-list 90 permit ip 10.0.0.0 255.255.255.0 store-net2 255.255.255.0

    <snip>
    global (outside) 1 interface
    nat (inside) 0 access-list pptp-vpn
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) h-02-out h-02-in netmask 255.255.255.255 1000 700
    static (inside,outside) h-03-out h-03-in netmask 255.255.255.255 3000 2100
    static (inside,outside) h-01-out h-01-in netmask 255.255.255.255 3000 2100
    static (inside,outside) h-test-out h-test-in netmask 255.255.255.255 1000
    700
    access-group acl-inbound in interface outside
    access-group acl-outbound in interface inside
    route outside 0.0.0.0 0.0.0.0 216.146.94.73 1
    route inside store-net 255.255.255.0 10.0.0.254 2
    route inside 10.0.100.0 255.255.255.252 10.0.0.254 1
    route inside 192.168.75.0 255.255.255.0 10.0.0.254 1

    <snip>
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set strong esp-3des esp-sha-hmac
    crypto map toStore 20 ipsec-isakmp
    crypto map toStore 20 match address 90
    crypto map toStore 20 set peer 216.146.67.126
    crypto map toStore 20 set transform-set strong
    crypto map toStore interface outside
    isakmp enable outside
    isakmp key ******** address 216.146.67.126 netmask 255.255.255.255
    isakmp nat-traversal 20
    isakmp policy 9 authentication pre-share
    isakmp policy 9 encryption 3des
    isakmp policy 9 hash sha
    isakmp policy 9 group 1
    isakmp policy 9 lifetime 86400

    <snip>

    and here is the output from a show crypto ipsec sa:
    interface: outside
    Crypto map tag: toStore, local addr. 216.146.94.77

    local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (store-net2/255.255.255.0/0/0)
    current_peer: 216.146.67.126:0
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress
    failed: 0
    #send errors 0, #recv errors 0

    local crypto endpt.: 216.146.94.77, remote crypto endpt.:
    216.146.67.126
    path mtu 1500, ipsec overhead 0, media mtu 1500
    current outbound spi: 0

    inbound esp sas:


    inbound ah sas:


    inbound pcp sas:


    outbound esp sas:


    outbound ah sas:


    outbound pcp sas:


    What do I look for next???

    Thanks,
    Steve



    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:cnvfmi$iml$...
    > In article <41a3398f$>, PES <> wrote:
    > :Steve wrote:
    > :> And which PIX will start it - or do they both try?
    >
    >
    > :The pix with the first packet going through it. Neither will try on
    > :their own. Either will try if they have a packet flowing through the
    > :correct interface that matches a crypto acl.
    >
    > Given the context, it might be worth mentioning crypto dynamic maps.


    <snip>
    I know the IPs and they are fixed.
     
    Steve, Nov 23, 2004
    #9
  10. Steve

    PES Guest

    Steve wrote:
    > Peter/Walter - everything that the 2 of you said makes perfect sense, but I
    > am still stuck. Here is what I did. I changed the STORE pix to be on
    > subnet 10.0.2.x (inside address 10.0.2.253), and hooked up a pc to it at
    > 10.0.2.10. I then changed the relevant access-list entries and still no go.
    > I configured the PC to use 10.0.2.253 as its gateway. It has 10.0.0.6 as
    > its DNS, so any net access should cause it to do a DNS lookup, which is on
    > the warehouse side, so my assumption is that this should start up the
    > tunnel - but it does not appear to do so. Also, I have tried to access the
    > 10.0.2.10 PC from the warehouse. Here are the relevant lines from the
    > Warehouse PIX:
    > <snip>
    > name 10.0.2.0 store-net2
    > <snip>
    > access-list 90 permit ip 10.0.0.0 255.255.255.0 store-net2 255.255.255.0
    >
    > <snip>
    > global (outside) 1 interface
    > nat (inside) 0 access-list pptp-vpn
    > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > static (inside,outside) h-02-out h-02-in netmask 255.255.255.255 1000 700
    > static (inside,outside) h-03-out h-03-in netmask 255.255.255.255 3000 2100
    > static (inside,outside) h-01-out h-01-in netmask 255.255.255.255 3000 2100
    > static (inside,outside) h-test-out h-test-in netmask 255.255.255.255 1000
    > 700
    > access-group acl-inbound in interface outside
    > access-group acl-outbound in interface inside
    > route outside 0.0.0.0 0.0.0.0 216.146.94.73 1
    > route inside store-net 255.255.255.0 10.0.0.254 2
    > route inside 10.0.100.0 255.255.255.252 10.0.0.254 1
    > route inside 192.168.75.0 255.255.255.0 10.0.0.254 1
    >
    > <snip>
    > sysopt connection permit-ipsec
    > sysopt connection permit-pptp
    > crypto ipsec transform-set strong esp-3des esp-sha-hmac
    > crypto map toStore 20 ipsec-isakmp
    > crypto map toStore 20 match address 90
    > crypto map toStore 20 set peer 216.146.67.126
    > crypto map toStore 20 set transform-set strong
    > crypto map toStore interface outside
    > isakmp enable outside
    > isakmp key ******** address 216.146.67.126 netmask 255.255.255.255
    > isakmp nat-traversal 20
    > isakmp policy 9 authentication pre-share
    > isakmp policy 9 encryption 3des
    > isakmp policy 9 hash sha
    > isakmp policy 9 group 1
    > isakmp policy 9 lifetime 86400
    >
    > <snip>
    >
    > and here is the output from a show crypto ipsec sa:
    > interface: outside
    > Crypto map tag: toStore, local addr. 216.146.94.77
    >
    > local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
    > remote ident (addr/mask/prot/port): (store-net2/255.255.255.0/0/0)
    > current_peer: 216.146.67.126:0
    > PERMIT, flags={origin_is_acl,}
    > #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    > #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    > #pkts compressed: 0, #pkts decompressed: 0
    > #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress
    > failed: 0
    > #send errors 0, #recv errors 0
    >
    > local crypto endpt.: 216.146.94.77, remote crypto endpt.:
    > 216.146.67.126
    > path mtu 1500, ipsec overhead 0, media mtu 1500
    > current outbound spi: 0
    >
    > inbound esp sas:
    >
    >
    > inbound ah sas:
    >
    >
    > inbound pcp sas:
    >
    >
    > outbound esp sas:
    >
    >
    > outbound ah sas:
    >
    >
    > outbound pcp sas:
    >
    >
    > What do I look for next???
    >
    > Thanks,
    > Steve
    >
    >
    >
    > "Walter Roberson" <-cnrc.gc.ca> wrote in message
    > news:cnvfmi$iml$...
    >
    >>In article <41a3398f$>, PES <> wrote:
    >
    >>:Steve wrote:
    >>:> And which PIX will start it - or do they both try?
    >>
    >>
    >>:The pix with the first packet going through it. Neither will try on
    >>:their own. Either will try if they have a packet flowing through the
    >>:correct interface that matches a crypto acl.
    >>
    >>Given the context, it might be worth mentioning crypto dynamic maps.

    >
    >
    > <snip>
    > I know the IPs and they are fixed.


    At this point, the line "route inside store-net 255.255.255.0 10.0.0.254
    2" is preventing your packets to 10.0.2.x from getting to the crypto
    process running and bound on the outside. If you remove it and it uses
    the default gateway, we should get packets on the sa or at least errors.

    --
    -------------------------
    Paul Stewart
    Lexnet Inc.
    Email address is in ROT13
     
    PES, Nov 23, 2004
    #10
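The outbound decision Paul describes in #7 and #10 (route lookup first, then the crypto map on the egress interface, and an IKE attempt only for interesting traffic with no SA yet) and Walter's point in #8 that a dynamic crypto map entry never initiates, modelled as an added Python example. This is an illustration written for this page, not Cisco code; the addressing is taken from the thread (crypto ACL 10.0.0.0/24 to 10.0.1.0/24, peer 216.146.67.126, the `route inside store-net` line), while the dynamic-side addresses are constructed.

```python
"""Model of the outbound decision that makes a PIX start (or not start) an IPsec SA.
Added illustration of the behaviour described in this thread; not Cisco code."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass
class CryptoEntry:
    """One entry of a crypto map bound to the outside interface.
    match=None models an entry without 'match address' (all traffic is interesting);
    peer=None models a 'crypto dynamic-map' entry, which has no 'set peer'."""
    name: str
    match: Optional[list]          # list of (src IPv4Network, dst IPv4Network)
    peer: Optional[IPv4Address]


@dataclass
class Pix:
    routes: list                   # (IPv4Network, egress interface), longest prefix wins
    crypto_map: list               # CryptoEntry objects, evaluated in order
    crypto_interface: str = "outside"
    active_sas: set = field(default_factory=set)   # entry names that already have an SA

    def egress(self, dst: IPv4Address) -> Optional[str]:
        best = None
        for net, iface in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def crypto_match(self, src: IPv4Address, dst: IPv4Address) -> Optional[CryptoEntry]:
        for entry in self.crypto_map:
            if entry.match is None:
                return entry
            if any(src in s and dst in d for s, d in entry.match):
                return entry
        return None

    def send(self, src: IPv4Address, dst: IPv4Address) -> str:
        """Return what happens to one packet from src to dst."""
        iface = self.egress(dst)
        if iface is None:
            return "dropped: no route"
        if iface != self.crypto_interface:
            # #10: a more specific inside route means the packet never reaches
            # the interface the crypto map is bound to, so no IKE is attempted.
            return f"cleartext via {iface}: crypto map not consulted"
        entry = self.crypto_match(src, dst)
        if entry is None:
            return "cleartext via outside: no crypto ACL match"
        if entry.name in self.active_sas:
            return f"encrypted in existing SA {entry.name}"
        if entry.peer is None:
            # #8: a dynamic entry only uses an SA that the remote side built.
            return f"dropped: dynamic entry {entry.name} has no SA and cannot initiate"
        return f"initiating IKE to {entry.peer} for entry {entry.name}"

    def peer_built_sa(self, name: str) -> None:
        """The remote side has negotiated an SA with us for this entry."""
        self.active_sas.add(name)


def warehouse(with_inside_route: bool) -> Pix:
    """Warehouse PIX modelled on the thread, optionally with the
    'route inside store-net 255.255.255.0 10.0.0.254 2' line from #10."""
    routes = [(IPv4Network("0.0.0.0/0"), "outside")]
    if with_inside_route:
        routes.append((IPv4Network("10.0.1.0/24"), "inside"))
    entry = CryptoEntry("toStore",
                        [(IPv4Network("10.0.0.0/24"), IPv4Network("10.0.1.0/24"))],
                        IPv4Address("216.146.67.126"))
    return Pix(routes, [entry])


def dynamic_side() -> Pix:
    """Walter's workplace PIX from #8: one dynamic entry, no peer, no match address."""
    return Pix([(IPv4Network("0.0.0.0/0"), "outside")], [CryptoEntry("dyn", None, None)])


def demo() -> list:
    """Run the four cases discussed in the thread and return their outcomes."""
    src, dst = IPv4Address("10.0.0.6"), IPv4Address("10.0.1.10")
    results = [warehouse(True).send(src, dst),      # inside route steals the packet
               warehouse(False).send(src, dst)]     # default route: IKE is started
    work = dynamic_side()
    remote = IPv4Address("192.0.2.10")              # constructed address of the home side
    results.append(work.send(src, remote))          # dynamic entry: cannot initiate
    work.peer_built_sa("dyn")                       # home PIX connected to work
    results.append(work.send(src, remote))          # now the existing SA is used
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The model deliberately stops at the first route that is more specific than the default: that is the whole reason the warehouse never showed `#pkts encaps` counters moving while the inside route was present.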
  11. Steve

    Steve Guest

    Paul -
    I think you overlooked a change I made - I have 10.0.2.x tied to
    STORE-NET2 not STORE-NET, so it should go to the default route.

    Steve

     
    Steve, Nov 23, 2004
    #11
  12. Steve

    PES Guest

    Steve wrote:
    > Paul -
    > I think you overlooked a change I made - I have 10.0.2.x tied to
    > STORE-NET2 not STORE-NET, so it should go to the default route.


    So what is STORE-NET now? There is still a route statement for it.

    --
    -------------------------
    Paul Stewart
    Lexnet Inc.
    Email address is in ROT13
     
    PES, Nov 23, 2004
    #12
  13. Steve

    Steve Guest

    Paul -
    STORE-NET is still 10.0.1.0 - I need to leave this for the existing
    link, until I get the new one working. But now the VPN I am trying to
    work with is all from 10.0.0.0 <-> 10.0.2.0, so I don't think the old
    STORE-NET has any impact.
    Steve

    PES wrote:
    > Steve wrote:
    >
    >> Paul -
    >> I think you overlooked a change I made - I have 10.0.2.x tied to
    >> STORE-NET2 not STORE-NET, so it should go to the default route.

    >
    >
    > So what is STORE-NET now? There is still a route statement for it.
    >
    >>
     
    Steve, Nov 23, 2004
    #13
  14. Steve

    PES Guest

    Steve wrote:
    > Paul -
    > STORE-NET is still 10.0.1.0 - I need to leave this for the existing
    > link, until I get the new one working. But now the VPN I am trying to
    > work with is all from 10.0.0.0 <-> 10.0.2.0, so I don't think the old
    > STORE-NET has any impact.
    > Steve
    >
    > PES wrote:
    >
    >>Steve wrote:
    >>
    >>
    >>>Paul -
    >>>I think you overlooked a change I made - I have 10.0.2.x tied to
    >>>STORE-NET2 not STORE-NET, so it should go to the default route.

    >>
    >>
    >>So what is STORE-NET now? There is still a route statement for it.
    >>
    >>


    So now does your nat bypass acl reflect 10.0.0.0 <> 10.0.2.0? I think
    you called it pptp-vpn. If not, nat will happen, then the crypto acl
    won't match.

    --
    -------------------------
    Paul Stewart
    Lexnet Inc.
    Email address is in ROT13
     
    PES, Nov 24, 2004
    #14
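The check Paul describes in #14 (the `nat (inside) 0` exemption ACL has to cover the same source/destination pairs as the crypto ACL, otherwise the inside address is translated before the crypto map is consulted and the crypto ACL no longer matches), as an added Python example that is not part of this thread and not Cisco's software. It parses the handful of PIX 6.3 lines involved, resolves `name` entries, and reports crypto ACL entries that the NAT exemption ACL does not cover. The thread never shows the contents of the warehouse's pptp-vpn ACL, so the two warehouse snippets below are constructed: the "before" one exempts only the old store-net, the "after" one also exempts store-net2. The store snippet uses access-list 80 for both purposes, exactly as posted in #6.

```python
"""Lint a PIX 6.3 config for crypto ACL entries not exempted from NAT.
Added illustration for this thread; not Cisco code. Only 'permit ip <net> <mask>
<net> <mask>' ACL entries are understood, which is all a crypto ACL normally holds."""
import re
from ipaddress import IPv4Network


def _net(addr: str, mask: str, names: dict) -> IPv4Network:
    """Resolve a 'name' alias if present and build the network from a dotted mask."""
    return IPv4Network(f"{names.get(addr, addr)}/{mask}")


def parse_pix(config: str):
    """Return (acls, nat0_acl, crypto_match) from the lines that matter here."""
    names, acls, nat0, crypto = {}, {}, None, {}
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("name "):                       # name <ip> <alias>
            _, ip, alias = line.split()
            names[alias] = ip
        elif line.startswith("access-list "):
            p = line.split()                               # access-list <id> permit ip s sm d dm
            if len(p) == 8 and p[2] == "permit" and p[3] == "ip":
                acls.setdefault(p[1], []).append((_net(p[4], p[5], names),
                                                  _net(p[6], p[7], names)))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            nat0 = m.group(1)
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)$", line):
            crypto[(m.group(1), int(m.group(2)))] = m.group(3)
    return acls, nat0, crypto


def _covered(pair, exempt) -> bool:
    src, dst = pair
    return any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt)


def check(config: str) -> list:
    """List crypto ACL entries whose traffic would be NATed before encryption."""
    acls, nat0, crypto = parse_pix(config)
    exempt = acls.get(nat0, []) if nat0 else []
    problems = []
    for (tag, seq), acl in crypto.items():
        for pair in acls.get(acl, []):
            if not _covered(pair, exempt):
                problems.append(f"crypto map {tag} {seq}: {pair[0]} -> {pair[1]} is in "
                                f"access-list {acl} but not exempted by nat 0 ({nat0})")
    return problems


# Constructed: the warehouse PIX as it stood before #14 (pptp-vpn contents assumed).
WAREHOUSE_BEFORE = """
name 10.0.1.0 store-net
name 10.0.2.0 store-net2
access-list pptp-vpn permit ip 10.0.0.0 255.255.255.0 store-net 255.255.255.0
access-list 90 permit ip 10.0.0.0 255.255.255.0 store-net2 255.255.255.0
nat (inside) 0 access-list pptp-vpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map toStore 20 ipsec-isakmp
crypto map toStore 20 match address 90
crypto map toStore 20 set peer 216.146.67.126
"""

# Constructed: the same config with store-net2 added to the exemption ACL.
WAREHOUSE_AFTER = WAREHOUSE_BEFORE.replace(
    "nat (inside) 0 access-list pptp-vpn",
    "access-list pptp-vpn permit ip 10.0.0.0 255.255.255.0 store-net2 255.255.255.0\n"
    "nat (inside) 0 access-list pptp-vpn")

# The store PIX from #6 reuses one ACL for both nat 0 and the crypto map.
STORE_PIX = """
access-list 80 permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map toWhouse 10 ipsec-isakmp
crypto map toWhouse 10 match address 80
"""

if __name__ == "__main__":
    for label, cfg in (("before", WAREHOUSE_BEFORE), ("after", WAREHOUSE_AFTER),
                       ("store", STORE_PIX)):
        print(label, check(cfg) or "ok")
```

Reusing one ACL for both `nat (inside) 0` and `match address`, as the store PIX does, avoids the mismatch by construction; the linter is for the case where the two lists drift apart, which is exactly what happened on the warehouse side once a second store subnet was added.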
  15. Steve

    Steve Guest

    Paul-
    Bingo ! That was it - now everything works great. I want to publicly
    thank you and Walter for your unselfish assistance.

    Steve Cohn

    PES <> wrote in message news:<41a3dd59$>...
    > Steve wrote:
    > > Paul -
    > > STORE-NET is still 10.0.1.0 - I need to leave this for the existing
    > > link, until I get the new one working. But now the VPN I am trying to
    > > work with is all from 10.0.0.0 <-> 10.0.2.0, so I don't think the old
    > > STORE-NET has any impact.
    > > Steve
    > >
    > > PES wrote:
    > >
    > >>Steve wrote:
    > >>
    > >>
    > >>>Paul -
    > >>>I think you overlooked a change I made - I have 10.0.2.x tied to
    > >>>STORE-NET2 not STORE-NET, so it should go to the default route.
    > >>
    > >>
    > >>So what is STORE-NET now? There is still a route statement for it.
    > >>
    > >>

    >
    > So now does your nat bypass acl reflect 10.0.0.0 <> 10.0.2.0? I think
    > you called it pptp-vpn. If not, nat will happen, then the crypto acl
    > won't match.
     
    Steve, Nov 24, 2004
    #15
