Pix 515e -> dynamic 851w

Discussion in 'Cisco' started by theaberdog, Apr 4, 2007.

    Greetings folks,

    I am running into a tough issue (at least for me) here; allow me to
    describe:

    I currently have a WAN between a few PIX 515Es in data centers and a
    static 851W at a remote office. I am trying to hook up another 851W,
    running Version 12.4(4)T7, with a dynamic IP into this WAN. I have
    targeted one of the 515Es, running Version 7.0(1), as the first point
    of entry into the WAN. All the devices are in a mesh (connecting to
    all the other nodes).

    Anyways, I have read through and attempted to make the changes
    recommended by http://www.cisco.com/warp/public/471...outer_dyn.html,
    which seemed perfect; alas, I am still not seeing any results.
    Additionally, I have read through many newsgroup postings; however, none
    seem to be on topic or correct.

    So let me include some of my config based on the Cisco article and
    maybe a fresh set of eyes can figure out where I am going wrong.
    Understand that the PIX is working fine so there is no issue with
    internet connection, natting (though maybe on this connection).

    Thanks for your help!

    Dave


    PIX 515E Version 7.0:

    access-list inside_outbound_nat0_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.240

    access-list outside_cryptomap_100 extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.240
    access-list outside_cryptomap_100 extended permit ip 192.168.110.0 255.255.255.0 192.168.2.0 255.255.255.240

    crypto dynamic-map dynmap 10 set transform-set ESP-DES-MD5
    crypto map dyn-map 100 ipsec-isakmp dynamic dynmap
    crypto map dyn-map interface outside

    isakmp key ***** address 0.0.0.0 netmask 0.0.0.0
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 1
    isakmp policy 20 lifetime 28800


    851W Version 12.4:

    crypto isakmp policy 1
    hash md5
    authentication pre-share
    lifetime 28800

    crypto isakmp key ***** address xxx.xxx.xxx.xxx

    crypto ipsec transform-set SF_Transform_Set esp-des esp-md5-hmac

    crypto map SF_iC 3 ipsec-isakmp
    description Tunnel LA
    set peer xxx.xxx.xxx.xxx
    set transform-set SF_Transform_Set
    match address 102

    interface FastEthernet4
    ip nat outside
    crypto map SF_iC

    interface Dialer1
    ip nat outside

    interface Vlan1
    no ip address
    ip nat inside

    interface BVI1
    ip address 192.168.2.1 255.255.255.240
    ip nat inside

    ip nat inside source route-map SF_RMAP interface Dialer1 overload

    access-list 102 remark ACL to LA
    access-list 102 permit ip 192.168.2.0 0.0.0.15 192.168.10.0 0.0.0.255
    access-list 102 permit ip 192.168.2.0 0.0.0.15 192.168.110.0 0.0.0.255

    access-list 105 deny ip 192.168.2.0 0.0.0.15 192.168.10.0 0.0.0.255
    access-list 105 permit ip 192.168.2.0 0.0.0.15 any

    route-map SF_RMAP permit 1
    match ip address 105
     
    Last edited: Apr 5, 2007
    theaberdog, Apr 4, 2007
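
An added example, not part of the original post: a Python check that reads the 851W ACL lines as posted and lists flows permitted by the crypto ACL (102) whose first match in the NAT route-map ACL (105) is a permit, meaning IOS would translate them before the crypto map is evaluated. The function names are hypothetical, and the check assumes contiguous wildcard masks and whole-network matches.

```python
import ipaddress
import re

# The 851W ACL lines as posted above (ACL 102 = crypto, ACL 105 = NAT route-map).
IOS_ACLS = """\
access-list 102 remark ACL to LA
access-list 102 permit ip 192.168.2.0 0.0.0.15 192.168.10.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.15 192.168.110.0 0.0.0.255
access-list 105 deny ip 192.168.2.0 0.0.0.15 192.168.10.0 0.0.0.255
access-list 105 permit ip 192.168.2.0 0.0.0.15 any
"""

ACL_RE = re.compile(
    r"^access-list (\d+) (permit|deny) ip (\S+) (\S+) (any|\S+ \S+)$")
ANY = ipaddress.ip_network("0.0.0.0/0")

def net(addr, wildcard):
    """Convert an IOS address + wildcard mask (assumed contiguous) to a network."""
    host_bits = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}")

def parse(text):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # remarks and anything that is not a plain 'ip' entry
        num, action, src, swild, dst = m.groups()
        dst_net = ANY if dst == "any" else net(*dst.split())
        acls.setdefault(num, []).append((action, net(src, swild), dst_net))
    return acls

def natted_crypto_flows(acls, crypto_acl, nat_acl):
    """List crypto-ACL permits whose first match in the NAT ACL is a permit."""
    flagged = []
    for action, src, dst in acls[crypto_acl]:
        if action != "permit":
            continue
        for n_action, n_src, n_dst in acls[nat_acl]:  # first match wins
            if src.subnet_of(n_src) and dst.subnet_of(n_dst):
                if n_action == "permit":
                    flagged.append((str(src), str(dst)))
                break
    return flagged

if __name__ == "__main__":
    for src, dst in natted_crypto_flows(parse(IOS_ACLS), "102", "105"):
        print(f"{src} -> {dst} is in crypto ACL 102 but is translated by ACL 105")
```
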