Pix-to-Pix and Client-to-Pix VPN

Discussion in 'Cisco' started by AlanP, Apr 6, 2004.

  1. AlanP

    AlanP Guest

    Have got two working configs for a Pix that allow either a Pix-to-Pix
    VPN, or remote users connecting into a Pix using the Cisco client
    (created these using two excellent documents on Cisco.com - #6211 and
    #14091). Am trying to combine the two but am having a few problems.

    Ideally, would like to find an equivalent document from Cisco but have had no
    joy (is it just me or is the Cisco web-site diabolical for searching?).
    Current non-working config is as follows:

    :
    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password utXGGJbasURbvYXQ encrypted
    passwd utXGGJbasURbvYXQ encrypted
    hostname hosthost
    domain-name host.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    name x.x.x.x router
    name y.y.y.y WAN
    name 10.0.0.4 Boardroom
    name 192.168.0.0 remoteoffice-nw
    name z.z.z.z remoteoffice
    access-list 102 permit tcp any host a.a.a.a eq smtp
    access-list 102 permit tcp any host a.a.a.a eq www
    access-list 102 permit tcp any host a.a.a.a eq 3389
    access-list 102 permit tcp any host b.b.b.b eq pcanywhere-data
    access-list 102 permit udp any host b.b.b.b eq pcanywhere-status
    access-list 102 permit tcp any host c.c.c.c eq 3389
    access-list 101 permit ip 10.0.0.0 255.255.255.0 remoteoffice-nw 255.255.255.0
    access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
    pager lines 24
    interface ethernet0 10baset
    interface ethernet1 10full
    mtu outside 1500
    mtu inside 1500
    ip address outside WAN 255.255.255.248
    ip address inside 10.0.0.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ippool 10.0.1.1-10.0.1.254
    no pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 101
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) a.a.a.a 10.0.0.3 netmask 255.255.255.255 0 0
    static (inside,outside) b.b.b.b Boardroom netmask 255.255.255.255 0 0
    static (inside,outside) c.c.c.c 10.0.0.2 netmask 255.255.255.255 0 0
    access-group 102 in interface outside
    route outside 0.0.0.0 0.0.0.0 router 1
    route outside router 255.255.255.255 router 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 10.0.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    no sysopt route dnat
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn 30 match address 101
    crypto dynamic-map outside_dyn 30 set transform-set myset
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address 101
    crypto map outside_map 20 set peer remoteoffice
    crypto map outside_map 20 set transform-set ESP-DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address remoteoffice netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup dialin address-pool ippool
    vpngroup dialin dns-server 10.0.0.3 195.10.102.11
    vpngroup dialin idle-time 1800
    vpngroup dialin password ********
    telnet timeout 5
    ssh timeout 5
    terminal width 80
    : end
    #
    AlanP, Apr 6, 2004
    #1

  2. upgrade to 6.3.3
    and add command isakmp nat-t

    This will do it for you.

    Regards
    Martin Bilgrav

    "AlanP" <> wrote in message
    news:...
    > Have got two working configs for a Pix that allow either a Pix-to-Pix
    > VPN, or remote users to connecting into a Pix using the Cisco client
    > (created these using two excellent documents on Cisco.com - #6211 and
    > #14091). Am trying to combine the two but am having a few problems.
    >
    > Ideally, would like to find equiv document from Cisco but have had no
    > joy (is it just me or is Cisco web-site diabolical for searching?).
    > Current non-working config is as follows:
    >
    Martin Bilgrav, Apr 6, 2004
    #2

  3. Dominic

    Dominic Guest

    (AlanP) wrote in message news:<>...
    > Have got two working configs for a Pix that allow either a Pix-to-Pix
    > VPN, or remote users to connecting into a Pix using the Cisco client
    > (created these using two excellent documents on Cisco.com - #6211 and
    > #14091). Am trying to combine the two but am having a few problems.
    >
    > Ideally, would like to find equiv document from Cisco but have had no
    > joy (is it just me or is Cisco web-site diabolical for searching?).
    > Current non-working config is as follows:
    >

    Everything's looking fine... but, I guess that you should remove:

    PIX(config)#no crypto dynamic-map outside_dyn 30 match address 101

    Also, I'm NOT sure whether you can set up the seq num 65535 or not. Can
    you try 30 instead?

    Be aware that you will only have access to your 10.0.0.0/24 network
    and NOT to 192.168.0.0/24 network.

    Thanks!
    ________________________________________________
    Dominic Longpre, CCNA & CSPFA (PIX Certified)
    IT Specialist
    Dominic, Apr 6, 2004
    #3
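As an added illustration of the two replies above (Martin's "isakmp nat-t" on 6.3 and Dominic's removal of the dynamic-map "match address"), here is a small Python config linter that is not from the thread or from Cisco; it runs over a constructed copy of the relevant lines of the posted config, and the findings it reports are assumptions drawn from those replies, not vendor checks.

```python
import re

# Constructed sample: the crypto/NAT lines from the thread's PIX 6.2 config,
# with the post's placeholder names (remoteoffice, myset) kept as-is.
SAMPLE_CONFIG = """\
PIX Version 6.2(2)
access-list 101 permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
nat (inside) 0 access-list 101
crypto dynamic-map outside_dyn 30 match address 101
crypto dynamic-map outside_dyn 30 set transform-set myset
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address 101
crypto map outside_map 20 set peer remoteoffice
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn
crypto map outside_map interface outside
isakmp enable outside
"""

def lint_pix_vpn(config: str) -> list:
    """Review a PIX 6.x config that mixes a static LAN-to-LAN peer with a
    dynamic (remote-client) entry on one crypto map; return finding strings."""
    findings = []
    version = None          # (major, minor) from the "PIX Version" line
    dyn_match = {}          # dynamic-map name -> ACL it matches (should be none)
    static_match = {}       # (crypto map, seq) -> ACL of a static peer entry
    dyn_refs = {}           # (crypto map, seq) -> dynamic-map it references
    has_nat_t = False
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"PIX Version (\d+)\.(\d+)", line):
            version = (int(m[1]), int(m[2]))
        elif m := re.match(r"crypto dynamic-map (\S+) \d+ match address (\S+)", line):
            dyn_match[m[1]] = m[2]
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)", line):
            static_match[(m[1], int(m[2]))] = m[3]
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)", line):
            dyn_refs[(m[1], int(m[2]))] = m[3]
        elif re.match(r"isakmp nat-t(raversal)?\b", line):
            # assumption: the reply's "isakmp nat-t" is the 6.3 nat-traversal command
            has_nat_t = True
    for (cmap, seq), dyn in dyn_refs.items():
        acl = dyn_match.get(dyn)
        if acl is not None:
            findings.append(f"{cmap} {seq}: dynamic-map {dyn} has 'match address {acl}'; "
                            "remove it so the dynamic entry accepts any client peer")
            # the same ACL also tied to a static peer entry makes the overlap explicit
            for (smap, sseq), sacl in static_match.items():
                if smap == cmap and sacl == acl:
                    findings.append(f"{cmap}: static seq {sseq} and dynamic {dyn} "
                                    f"both match ACL {acl}")
    if not has_nat_t:
        old = version is not None and version < (6, 3)
        findings.append("isakmp nat-t missing" + (" (needs 6.3+)" if old else ""))
    return findings
```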
  4. Mirek

    Mirek Guest

    User "Dominic" <> wrote
    ________________________________________________
    > Dominic Longpre, CCNA & CSPFA (PIX Certified)
    > IT Specialist


    Hello

    Could you help me? I see that you are a real professional.
    My problem is:

                         |-- inside 10.0.1.1 /16 -- WEB Server 10.0.1.2
                         |
                   -------------
                   |    PIX    |-- dmz 172.16.1.1 /16 -- DNS Server 172.16.1.2
                   -------------
                         |
                         | outside 20.20.20.3 /28
                         |
                    My perm. router
                       20.20.20.2

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet1 dmz security90
    access-list ipsec permit ip 10.0.0.0 255.255.0.0 10.2.2.0 255.255.255.0
    access-list nonat permit ip 10.0.0.0 255.255.0.0 10.2.2.0 255.255.255.0
    ip address outside 20.20.20.3 255.255.255.240
    ip address inside 10.0.1.1 255.255.0.0
    ip address dmz 172.16.1.1 255.255.0.0
    global (outside) 1 20.20.20.1
    nat (inside) 0 access-list nonat
    nat (inside) 1 10.0.1.0 255.255.0.0 0 0
    nat (dmz) 1 172.16.0.0 255.255.0.0 0 0
    static (inside,outside) 20.20.20.5 10.0.1.2 netmask 255.255.255.255 0 0
    static (dmz, outside) 20.20.20.6 172.16.1.2 netmask 255.255.255.255 0 0
    conduit permit ip 20.20.20.5 host any
    conduit permit ip 20.20.20.6 host any
    conduit permit icmp any any
    route outside 0.0.0.0 0.0.0.0 20.20.20.2 1
    sysopt connection permit-ipsec
    crypto ipsec transform-set lanche esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto map forg 21 ipsec-isakmp
    crypto map forg 21 match address ipsec
    crypto map forg 21 set peer 30.30.30.1
    crypto map forg 21 set transform-set lanche
    crypto map forg interface outside
    isakmp enable outside
    isakmp key fin2000 address 30.30.30.1 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 21 authentication pre-share
    isakmp policy 21 encryption des
    isakmp policy 21 hash md5
    isakmp policy 21 group 1

    So, I have 3 problems/questions.
    1st question: Is this configuration good? My branch router on the
    other side doesn't respond. How do I set up more than one
    VPN tunnel to another Cisco router?

    2nd, main question: I did static address translation, but with
    ip address outside 20.20.20.3 255.255.255.240
    hosts from the protected networks inside are invisible to each other. For
    example: I can't ping or telnet to 20.20.20.5 from
    20.20.20.6 using IP or hostnames. Where did I make a mistake? Please help. With
    ip address outside 20.20.20.3 255.255.255.255
    everything goes fine. But is that a bad netmask for me? I can't ping (no response)
    the outside interface from any host on the inside and dmz. Is that correct?

    3rd: Why doesn't my VPN work? What did I do wrong?

    Best regards
    Mirek
    Mirek, Apr 7, 2004
    #4
