[pix] desperately need help with PIX-to-PIX config

Discussion in 'Cisco' started by Remco Bressers, Nov 21, 2003.

  1. Hi,

    I have a network setup :

    192.168.9.0/24---PIX1(217.21.243.91)---internet---(217.21.241.89)PIX2---192.168.10.0/24


    I configured the two pix's as Cisco says.
    This is the configuration (only the interesting part):

    for PIX 1 (Version 6.3(1))
    ----------------------------------------------------------------
    access-list 90 permit ip 192.168.9.0 255.255.255.0 192.168.10.0 255.255.255.0
    ip address outside 217.21.243.91 255.255.255.0
    ip address inside 192.168.9.254 255.255.255.0
    global (outside) 1 interface
    nat (inside) 0 access-list 90
    nat (inside) 1 192.168.9.0 255.255.255.0 0 0
    route outside 0.0.0.0 0.0.0.0 217.21.243.254 1
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set strong esp-3des esp-sha-hmac
    crypto map towijnen 10 ipsec-isakmp
    crypto map towijnen 10 match address 90
    crypto map towijnen 10 set peer 217.21.241.89
    crypto map towijnen 10 set transform-set strong
    crypto map towijnen interface outside
    isakmp enable outside
    isakmp key ******** address 217.21.241.89 netmask 255.255.255.255
    isakmp policy 9 authentication pre-share
    isakmp policy 9 encryption 3des
    isakmp policy 9 hash sha
    isakmp policy 9 group 1
    isakmp policy 9 lifetime 86400



    for PIX 2 (Version 6.3(1))
    ----------------------------------------------------------------
    access-list 90 permit ip 192.168.10.0 255.255.255.0 192.168.9.0 255.255.255.0
    ip address outside 217.21.241.89 255.255.255.0
    ip address inside 192.168.10.254 255.255.255.0
    global (outside) 1 interface
    nat (inside) 0 access-list 90
    nat (inside) 1 192.168.10.0 255.255.255.0 0 0
    route outside 0.0.0.0 0.0.0.0 217.21.241.254 1
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set strong esp-3des esp-sha-hmac
    crypto map toclabbers 20 ipsec-isakmp
    crypto map toclabbers 20 match address 90
    crypto map toclabbers 20 set peer 217.21.243.91
    crypto map toclabbers 20 set transform-set strong
    crypto map toclabbers interface outside
    isakmp enable outside
    isakmp key ******** address 217.21.243.91 netmask 255.255.255.255
    isakmp policy 9 authentication pre-share
    isakmp policy 9 encryption 3des
    isakmp policy 9 hash md5
    isakmp policy 9 group 2
    isakmp policy 9 lifetime 86400


    The problem is that there's really NOTHING happening. I have a network
    connection between the two PIXes (ping) and everything works as it
    should, but ISAKMP and IPsec aren't working.
    I try 'debug crypto ipsec': nothing happens.
    I try 'debug crypto isakmp': nothing happens.

    on PIX1 :

    clabbers# show crypt ips sa
    interface: outside
    Crypto map tag: towijnen, local addr. 217.21.243.91
    local ident (addr/mask/prot/port): (192.168.9.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
    current_peer: 217.21.241.89:0
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
    local crypto endpt.: 217.21.243.91, remote crypto endpt.: 217.21.241.89
    path mtu 1500, ipsec overhead 0, media mtu 1500
    current outbound spi: 0

    Am I missing any commands over here?
    Can someone please help me with this, because I don't understand this ;(


    Thanks.
    Remco Bressers, Nov 21, 2003
    #1

  2. "Remco Bressers" wrote:

    > for PIX 1 (Version 6.3(1))
    >
    > isakmp policy 9 hash sha
    > isakmp policy 9 group 1
    >
    > for PIX 2 (Version 6.3(1))
    >
    > isakmp policy 9 hash md5
    > isakmp policy 9 group 2


    Uh, I'm sure that you understand that these should
    be identical. However, in your posting they are not.
    Jyri Korhonen, Nov 21, 2003
    #2
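As an added example that is not part of the thread: a small Python checker that parses the tunnel-relevant lines of two PIX 6.x configs and reports anything that is not a mirror image on the other peer. It covers the Phase 1 ISAKMP policy attributes the reply points at (authentication, encryption, hash, DH group), and goes a little further than the thread by also checking the Phase 2 transform sets, that the crypto ACLs mirror each other entry for entry, and that each side's `set peer` and `isakmp key` address is the other side's outside interface. The two sample configs are constructed from the ones posted above, trimmed to those lines; the ISAKMP lifetime is deliberately not compared, since it need not be identical on both peers.

```python
# Added example: consistency checker for a pair of PIX 6.x site-to-site IPsec
# configs. Not code from the thread. Samples are trimmed copies of the posted configs.
import itertools

PIX1 = """
access-list 90 permit ip 192.168.9.0 255.255.255.0 192.168.10.0 255.255.255.0
ip address outside 217.21.243.91 255.255.255.0
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map towijnen 10 match address 90
crypto map towijnen 10 set peer 217.21.241.89
crypto map towijnen 10 set transform-set strong
isakmp key ******** address 217.21.241.89 netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
"""
PIX2 = """
access-list 90 permit ip 192.168.10.0 255.255.255.0 192.168.9.0 255.255.255.0
ip address outside 217.21.241.89 255.255.255.0
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map toclabbers 20 match address 90
crypto map toclabbers 20 set peer 217.21.243.91
crypto map toclabbers 20 set transform-set strong
isakmp key ******** address 217.21.243.91 netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash md5
isakmp policy 9 group 2
"""
# The reply's fix applied to PIX2: hash and DH group brought in line with PIX1.
PIX2_FIXED = PIX2.replace("hash md5", "hash sha").replace("group 2", "group 1")

# Phase 1 attributes that must agree; lifetime is negotiated and is not compared.
IKE_ATTRS = ("authentication", "encryption", "hash", "group")


def parse_pix(cfg):
    """Pull out the fields that must line up between the two IPsec peers."""
    d = {"policies": {}, "acls": {}, "tsets": {}, "peers": set(), "key_addrs": set(),
         "map_acls": set(), "map_tsets": set(), "outside": None}
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["isakmp", "policy"]:          # isakmp policy <n> <attr> <value>
            d["policies"].setdefault(t[2], {})[t[3]] = " ".join(t[4:])
        elif t[:2] == ["isakmp", "key"]:           # isakmp key <k> address <peer> ...
            d["key_addrs"].add(t[4])
        elif t[0] == "access-list" and t[2] == "permit":  # permit <proto> src smask dst dmask
            d["acls"].setdefault(t[1], set()).add(tuple(t[3:8]))
        elif t[:3] == ["ip", "address", "outside"]:
            d["outside"] = t[3]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            d["tsets"][t[3]] = frozenset(t[4:])
        elif t[:2] == ["crypto", "map"] and len(t) >= 7:  # crypto map <name> <seq> <verb> <obj> <arg>
            verb = tuple(t[4:6])
            if verb == ("match", "address"):
                d["map_acls"].add(t[6])
            elif verb == ("set", "peer"):
                d["peers"].add(t[6])
            elif verb == ("set", "transform-set"):
                d["map_tsets"].update(t[6:])
    return d


def mirror(entry):
    """Swap source and destination of a crypto ACL entry (proto, src, smask, dst, dmask)."""
    proto, src, smask, dst, dmask = entry
    return (proto, dst, dmask, src, smask)


def check_pair(a_cfg, b_cfg, a_name="PIX1", b_name="PIX2"):
    """Return a list of findings; an empty list means the two sides mirror each other."""
    a, b = parse_pix(a_cfg), parse_pix(b_cfg)
    findings = []
    # Phase 1: some policy on each side must agree on every attribute in IKE_ATTRS.
    diffs = {(pa, pb): [k for k in IKE_ATTRS if pola.get(k) != polb.get(k)]
             for (pa, pola), (pb, polb) in itertools.product(a["policies"].items(), b["policies"].items())}
    if not diffs:
        findings.append("one side has no isakmp policy at all")
    elif not any(len(v) == 0 for v in diffs.values()):
        (pa, pb), bad = min(diffs.items(), key=lambda kv: len(kv[1]))  # report the closest pair
        detail = ", ".join(f"{k} ({a['policies'][pa].get(k)} vs {b['policies'][pb].get(k)})" for k in bad)
        findings.append(f"no matching ISAKMP policy: {a_name} policy {pa} vs {b_name} policy {pb} differ in {detail}")
    # Phase 2: the transform sets bound to the crypto maps must share at least one proposal.
    a_ts = {a["tsets"][n] for n in a["map_tsets"] if n in a["tsets"]}
    b_ts = {b["tsets"][n] for n in b["map_tsets"] if n in b["map_tsets"] and n in b["tsets"]}
    if a_ts.isdisjoint(b_ts):
        findings.append(f"no common transform set: {[sorted(s) for s in a_ts]} vs {[sorted(s) for s in b_ts]}")
    # Crypto ACLs must be mirror images, entry for entry.
    a_ent = set().union(*(a["acls"].get(n, set()) for n in a["map_acls"]))
    b_ent = set().union(*(b["acls"].get(n, set()) for n in b["map_acls"]))
    for name, mine, theirs in ((a_name, a_ent, b_ent), (b_name, b_ent, a_ent)):
        for e in mine:
            if mirror(e) not in theirs:
                findings.append(f"{name} crypto ACL entry '{' '.join(e)}' has no mirror on the other side")
    # Peer and pre-shared-key addresses must be the other side's outside interface.
    for name, side, other in ((a_name, a, b), (b_name, b, a)):
        if other["outside"] not in side["peers"]:
            findings.append(f"{name} set peer {sorted(side['peers'])} is not {other['outside']}")
        if other["outside"] not in side["key_addrs"]:
            findings.append(f"{name} has no isakmp key for {other['outside']}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", PIX2), ("after the fix", PIX2_FIXED)):
        print(f"{label}: {check_pair(PIX1, cfg) or 'consistent'}")
```

Run as posted it reports the single Phase 1 mismatch (hash sha vs md5, group 1 vs 2), which is exactly what makes the `debug crypto isakmp` output stay silent from the responder's point of view: without an acceptable policy there is no Phase 1 SA, so Phase 2 never starts and the `show crypto ipsec sa` counters stay at zero. With the two attributes aligned the checker reports nothing. The parser is deliberately narrow; it is a sanity check for a mirrored two-site setup, not a general PIX config parser.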
