pix to pix dhcp to static vpn

Discussion in 'Cisco' started by jspr, Jul 22, 2005.

  1. jspr

    jspr Guest

    I am trying to create a lan-to-lan ipsec-isakmp vpn tunnel pix to pix
    on end is dhcp. I can't seem to bring up the tunnel not sure what is
    wrong. PPPOE is working and I got internet on the one end any
    suggestions? two configs posted below

    dhcpd pix
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password rYa/GJxn8xRiuReW encrypted
    passwd rYa/GJxn8xRiuReW encrypted
    hostname pix
    domain-name cisco.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list ocmap permit ip 10.1.3.0 255.255.255.0 10.1.1.0
    255.255.255.0
    access-list nonat permit ip 10.1.3.0 255.255.255.0 10.1.1.0
    255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside pppoe setroute
    ip address inside 10.1.3.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address ocmap
    crypto map outside_map 20 set peer 28.4.8.1
    crypto map outside_map 20 set transform-set esp-aes-sha
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 28.4.8.1 netmask 255.255.255.255
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption aes
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 5
    management-access inside
    console timeout 0
    vpdn group pppoe-sbc request dialout pppoe
    vpdn group pppoe-sbc localname
    vpdn group pppoe-sbc ppp authentication pap
    vpdn username password *********
    dhcpd address 10.1.3.2-10.1.3.11 inside
    dhcpd lease 6999
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:c2eeab192092fda1820bcf75b439c557
    : end

    static pix
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 intf2 security4
    enable password rYa/GJxn8xRiuReW encrypted
    passwd rYa/GJxn8xRiuReW encrypted
    hostname dyn
    domain-name cisco.com
    fixup protocol dns maximum-length 512
    fixup protocol domain 53
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    no names
    access-list dynmap permit ip 10.1.1.0 255.255.255.0 10.1.3.0
    255.255.255.0
    pager lines 24
    logging on
    logging timestamp
    logging trap warnings
    logging host inside 192.168.203.50
    no logging message 106021
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    ip address outside 28.4.8.1 255.255.255.240
    ip address inside 10.1.1.5 255.255.255.0
    no ip address intf2
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ip audit info action alarm
    ip audit attack action alarm
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list dynmap
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 28.4.8.1 1
    route inside 192.1.2.0 255.255.255.0 10.1.1.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    snmp-server host inside 192.1.2.50
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
    crypto dynamic-map dynvpn 1 set transform-set esp-aes-sha
    crypto map dyn-map 20 ipsec-isakmp dynamic dynvpn
    crypto map dyn-map interface outside
    isakmp enable outside
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption aes
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 5
    management-access inside
    console timeout 0
    terminal width 80
    Cryptochecksum:102a6374cbae8a5d29c7a09e6598ad34
    : end
     
    jspr, Jul 22, 2005
    #1
    1. Advertising

  2. "jspr" <> wrote:

    > I am trying to create a lan-to-lan ipsec-isakmp vpn tunnel
    > pix to pix on end is dhcp. I can't seem to bring up the
    > tunnel not sure what is wrong. PPPOE is working and I got
    > internet on the one end any suggestions?


    I have a vague recollection that you can't do both PPPoE
    and IPSec VPN with the same interface. Do you have a
    working PPPoE-VPN site?
     
    Jyri Korhonen, Jul 22, 2005
    #2
    1. Advertising

  3. "Jyri Korhonen" <> wrote:

    > I have a vague recollection that you can't do both PPPoE
    > and IPSec VPN with the same interface.


    Bah, I was wrong. The issue was with PPPoE and PPTP-VPN.
     
    Jyri Korhonen, Jul 23, 2005
    #3
  4. In article <>,
    jspr <> wrote:
    :I am trying to create a lan-to-lan ipsec-isakmp vpn tunnel pix to pix
    :eek:n end is dhcp. I can't seem to bring up the tunnel not sure what is
    :wrong. PPPOE is working and I got internet on the one end any
    :suggestions? two configs posted below

    I don't see anything obviously wrong with your configurations.

    The only thing I do notice at the moment is that for AES, group 5
    is recommended instead of group 2.


    :isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

    You might want to specifically add no-xauth no-config-mode
    to your isakmp key lines.
    --
    "I want to make sure [a user] can't get through ... an online
    experience without hitting a Microsoft ad"
    -- Steve Ballmer [Microsoft Chief Executive]
     
    Walter Roberson, Jul 28, 2005
    #4
  5. jspr

    jspr Guest

    What does no xauth and no-config-mode do? Also is group 2 unsecure?
     
    jspr, Jul 29, 2005
    #5
  6. jspr

    jspr Guest

    What does no xauth and no-config-mode do? Also is group 2 unsecure?
     
    jspr, Jul 29, 2005
    #6
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. hk
    Replies:
    0
    Views:
    1,992
  2. Nieuws Xs4all
    Replies:
    0
    Views:
    655
    Nieuws Xs4all
    May 26, 2005
  3. Nieuws Xs4all
    Replies:
    2
    Views:
    1,660
    Jan-Willem
    May 26, 2005
  4. Replies:
    3
    Views:
    4,058
  5. Replies:
    1
    Views:
    366
    Tilman Schmidt
    Apr 8, 2008
Loading...

Share This Page