Pix to Pix VPN Help

Discussion in 'Cisco' started by tdors, Jun 17, 2007.

  1. tdors

    tdors

    Joined:
    Jun 17, 2007
    Messages:
    3
    Hi,

    Any help is greatly appreciated. I'm setting up a pix to pix VPN. I've gone through some tutorials and studied up on the pix code and I can't seem to figure out what I'm missing. I think I should be able to do what I'm trying to, and I think my routes look fine, but here's how it's set up:

    172.18.2.0/24 (Location B) <-Pix 501 Remote-> Dynamic IP ---- Internet ---- Static IP <-Pix 501 'host'-> 172.18.1.0/24 (Location A)

    ====== Here's the code in Location A (Host/Server Side)
    Code:
    pixmen# show config
    : Saved
    : Written by enable_15 at 19:39:29.620 UTC Sat Jun 16 2007
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password ********
    passwd ********
    hostname pixmen
    domain-name mydomain.net
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 172.18.1.102 citron
    name 172.18.1.103 desaronno
    access-list 101 permit ip 172.18.1.0 255.255.255.0 any 
    access-list inbound permit icmp any any 
    access-list inbound permit tcp any host 63.168.11.30 eq www 
    access-list inbound permit tcp any host 63.168.11.30 eq domain 
    access-list inbound permit udp any host 63.168.11.30 eq domain 
    access-list inbound permit icmp any host 63.168.11.30 
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 63.168.11.26 255.255.255.0
    ip address inside 172.18.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ippool 172.18.2.1-172.18.2.254
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 101
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 63.168.11.30 citron netmask 255.255.255.255 0 0 
    access-group inbound in interface outside
    route outside 0.0.0.0 0.0.0.0 63.168.11.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+ 
    aaa-server RADIUS protocol radius 
    aaa-server LOCAL protocol local 
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-aes esp-md5-hmac 
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap interface outside
    isakmp enable outside
    isakmp identity address
    isakmp policy 1 authentication rsa-sig
    isakmp policy 1 encryption des
    isakmp policy 1 hash sha
    isakmp policy 1 group 1
    isakmp policy 1 lifetime 86400
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption aes
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup mygroup address-pool ippool
    vpngroup mygroup dns-server citron 4.2.2.1
    vpngroup mygroup wins-server citron
    vpngroup mygroup default-domain mydomain.net
    vpngroup mygroup split-tunnel 101
    vpngroup mygroup idle-time 1800
    vpngroup idle-time idle-time 1800
    vpngroup mybroup idle-time 1800
    vpngroup mybroup password ********
    telnet 172.18.1.0 255.255.255.0 inside
    telnet 172.18.2.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:13c4dd0007c811e4ebde7c25ead3767d
    ====== And here's the code for the Location B remote side pix:
    Code:
    : Saved
    : Written by enable_15 at 19:35:57.475 UTC Sat Jun 16 2007
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password ********
    passwd ********
    hostname pixman
    domain-name mydomain.net
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 172.18.2.5 DC01
    name 172.18.2.52 tadlaptop
    name 172.18.2.51 taddesktop
    access-list inbound permit icmp any any
    access-list inbound permit tcp any any eq www
    access-list inbound permit tcp any any eq 4662
    access-list inbound permit udp any any eq 4672
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 172.18.2.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface 4662 172.18.2.204 4662 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface www DC01 www netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 4672 172.18.2.204 4672 netmask 255.255.255.255 0 0
    access-group inbound in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 172.18.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet 172.18.2.0 255.255.255.0 inside
    telnet timeout 5
    ssh 172.18.2.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd address 172.18.2.101-172.18.2.132 inside
    dhcpd dns 4.2.2.1 4.2.2.2
    dhcpd lease 3600
    dhcpd ping_timeout 750
    vpnclient server 63.168.11.26
    vpnclient mode network-extension-mode
    vpnclient vpngroup mygroup password ********
    terminal width 80
    Cryptochecksum:8807289a34de29ef66daca496af81216
    ======

    If I've left anything out or you have further questions, please let me know. I've found a lot of great information on this forum, so I think someone should be able to help me. Thanks!!!!
     
    tdors, Jun 17, 2007
    #1

  2. tdors
    Oh, and here's the version information, I'm running the same on both:

    Code:
    Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
    Flash E28F640J3 @ 0x3000000, 8MB
    BIOS Flash E28F640J3 @ 0xfffd8000, 128KB
    
    0: ethernet0: address is 000d.bd72.2e22, irq 9
    1: ethernet1: address is 000d.bd72.2e23, irq 10
    Licensed Features:
    Failover:                    Disabled
    VPN-DES:                     Enabled
    VPN-3DES-AES:                Enabled
    Maximum Physical Interfaces: 2
    Maximum Interfaces:          2
    Cut-through Proxy:           Enabled
    Guards:                      Enabled
    URL-filtering:               Enabled
    Inside Hosts:                10
    Throughput:                  Unlimited
    IKE peers:                   10
    
    This PIX has a Restricted (R) license.
    
     
    tdors, Jun 17, 2007
    #2

  3. tdors
    Oh, I just remembered something I should add. When I'm at location B and I type "vpnclient enable", I lose the ability to do DNS resolutions anywhere on the network at location B. I can still connect to the internet and telnet/connect to anything via an IP address, but DNS quits working. Thanks!
     
    tdors, Jun 17, 2007
    #3
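Added example (editor's note, not part of tdors's posts): a small Python lint that cross-checks the Easy VPN hub and remote configs posted in the first message against each other, and lists the DNS servers the hub pushes to the group (relevant to the DNS symptom in the third message). The config strings below are excerpts of the lines actually posted (vpngroup, vpnclient, access-list, nat, name and inside-address lines); the function and finding names are the editor's own. It reports only what can be read from those lines: whether the group the remote names exists on the hub with a password, whether the split-tunnel ACL exists, which vpngroup names look like typos, and which pushed DNS servers sit behind the hub and are therefore only reachable while the tunnel is up.

```python
import ipaddress
import re

# Excerpts of the two PIX 6.3(3) configs posted in the thread.
# Hub = Location A "pixmen", remote = Location B "pixman". Other lines omitted.
HUB_CFG = """\
name 172.18.1.102 citron
access-list 101 permit ip 172.18.1.0 255.255.255.0 any
ip address inside 172.18.1.1 255.255.255.0
nat (inside) 0 access-list 101
vpngroup mygroup address-pool ippool
vpngroup mygroup dns-server citron 4.2.2.1
vpngroup mygroup wins-server citron
vpngroup mygroup default-domain mydomain.net
vpngroup mygroup split-tunnel 101
vpngroup mygroup idle-time 1800
vpngroup idle-time idle-time 1800
vpngroup mybroup idle-time 1800
vpngroup mybroup password ********
"""

SPOKE_CFG = """\
vpnclient server 63.168.11.26
vpnclient mode network-extension-mode
vpnclient vpngroup mygroup password ********
"""


def parse_vpngroups(cfg):
    """Return {group_name: {attribute: value}} from 'vpngroup <name> <attr> [value]' lines."""
    groups = {}
    for line in cfg.splitlines():
        m = re.match(r"\s*vpngroup\s+(\S+)\s+(\S+)(?:\s+(.*))?$", line)
        if m:
            name, attr, value = m.group(1), m.group(2), (m.group(3) or "").strip()
            groups.setdefault(name, {})[attr] = value
    return groups


def parse_vpnclient(cfg):
    """Return {'server': ..., 'mode': ..., 'vpngroup': ...} from the remote's vpnclient lines."""
    client = {}
    for line in cfg.splitlines():
        m = re.match(r"\s*vpnclient\s+(server|mode|vpngroup)\s+(\S+)", line)
        if m:
            client[m.group(1)] = m.group(2)
    return client


def acl_names(cfg):
    """Set of access-list names defined in the config."""
    return {m.group(1) for m in re.finditer(r"^\s*access-list\s+(\S+)\s", cfg, re.M)}


def check_pair(hub_cfg, spoke_cfg):
    """Cross-check the remote's vpnclient group against the hub's vpngroup definitions."""
    findings = []
    groups = parse_vpngroups(hub_cfg)
    want = parse_vpnclient(spoke_cfg).get("vpngroup")
    if want not in groups:
        findings.append(f"remote references vpngroup '{want}' which the hub does not define")
    else:
        attrs = groups[want]
        if "password" not in attrs:
            findings.append(f"hub vpngroup '{want}' has no password; remote authenticates with a group password")
        st = attrs.get("split-tunnel")
        if st and st not in acl_names(hub_cfg):
            findings.append(f"split-tunnel ACL '{st}' on vpngroup '{want}' does not exist")
    for name, attrs in groups.items():
        if name == want:
            continue
        if "password" in attrs:
            findings.append(f"hub vpngroup '{name}' carries a password but no remote references it (possible typo of '{want}')")
        elif set(attrs) <= {"idle-time"}:
            findings.append(f"hub vpngroup '{name}' has only idle-time set (likely a typo)")
    return findings


def pushed_dns_servers(hub_cfg, group):
    """List (ip, behind_hub) for each DNS server the hub pushes to `group`.

    Names from 'name <ip> <alias>' lines are resolved; behind_hub is True when the
    server lies on the hub's inside subnet, i.e. is reachable only through the tunnel.
    """
    by_name = {alias: ip for ip, alias in re.findall(r"^\s*name\s+(\S+)\s+(\S+)", hub_cfg, re.M)}
    m = re.search(r"^\s*ip address inside\s+(\S+)\s+(\S+)", hub_cfg, re.M)
    inside = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False) if m else None
    servers = parse_vpngroups(hub_cfg).get(group, {}).get("dns-server", "").split()
    return [(str(ipaddress.ip_address(by_name.get(s, s))),
             inside is not None and ipaddress.ip_address(by_name.get(s, s)) in inside)
            for s in servers]


if __name__ == "__main__":
    for f in check_pair(HUB_CFG, SPOKE_CFG):
        print("FINDING:", f)
    for ip, behind in pushed_dns_servers(HUB_CFG, "mygroup"):
        print("pushed DNS:", ip, "(behind hub)" if behind else "(public)")
```

Run as-is it reports the group-name and password inconsistencies visible in the posted hub config and shows that the first pushed DNS server is on the hub's inside network. Correcting the hub so that the referenced group carries the password and dropping the stray groups makes `check_pair` return an empty list, which is the state to verify with `show vpngroup` before re-running `vpnclient enable` on the remote.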