PIX to PIX VPN?

Discussion in 'Cisco' started by jonsey1222@yahoo.com, Nov 18, 2007.

  1. Guest

    I am having an issue connecting a PIX to PIX VPN. The remote site
    config is listed below. I am new to this and have been reading for a
    few days to get a better understanding but I still cannot figure out
    what the problem is. At the remote office, I cannot get out to www
    using port 80 when the firewall is connected at the remote site. I
    know one issue is that there is not a radius server at 192.168.22.7,
    so I don;t know if the line "crypto map outside_map client
    authentication partnerauth" is part of the problem. Also, the MDZ is
    not in use. Any help is greatly appreciated. Thank you.

    PIX Version 6.3(1)
    interface ethernet0 10baset
    interface ethernet1 100full
    interface ethernet2 100full shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security50
    enable password p123p12OfusCacuK encrypted
    passwd 95vQbsXM9lH6Yu3w encrypted
    hostname Company-PIX
    domain-name comapny.local
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    access-list inside_outbound_nat0_acl permit ip 192.168.22.0
    255.255.255.0 192.16
    8.20.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 192.168.22.0 255.255.255.0
    192.168.20.
    0 255.255.255.0
    pager lines 24
    logging on
    logging buffered warnings
    icmp permit any unreachable outside
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    ip address outside 1.2.2.2 255.255.255.224
    ip address inside 192.168.22.1 255.255.255.0
    ip address DMZ 192.168.101.1 255.255.255.0
    ip verify reverse-path interface outside
    ip audit name info-alarm info action alarm
    ip audit name Attack-Alarm attack action alarm drop
    ip audit interface outside info-alarm
    ip audit interface outside Attack-Alarm
    ip audit interface inside info-alarm
    ip audit interface DMZ info-alarm
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging warnings 500
    pdm history enable
    arp timeout 14400
    global (outside) 10 1.2.2.3
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 10 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 1.2.2.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa-server partnerauth protocol radius
    aaa-server partnerauth (inside) host 192.168.22.7 companyvpn timeout
    10
    http server enable
    http 192.168.22.103 255.255.255.255 inside
    http 192.168.22.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer 64.179.19.234
    crypto map outside_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication partnerauth
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 1.1.1.1 netmask 255.255.255.255 no-xauth
    no-co
    nfig-mode
    isakmp identity address
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    , Nov 18, 2007
    #1
    1. Advertising

  2. Guest

    Here is the main office config...



    PIX Version 6.3(4)
    interface ethernet0 100full
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password KyBwpD2r5usBhnuK encrypted
    passwd T6rXlubxvTBs83122 encrypted
    hostname Company-Pix2
    domain-name company.local
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.20.10 companymain
    name 2.2.2.2 InetRtr
    name 192.168.20.5 Cisco3560G
    name 192.168.20.11 companyserver
    name 192.168.20.12 companysvr
    name 192.168.20.13 companyweb
    name 192.168.20.14 company-zone
    name 2.2.2.3 Mail
    access-list outside_access_in remark Inbound mail
    access-list outside_access_in permit tcp any host outsideMail eq smtp
    access-list outside_access_in remark Inbound Web
    access-list outside_access_in permit tcp any host outsideMail eq www
    access-list outside_access_in remark Allow SSL to OWA
    access-list outside_access_in permit tcp any host outsideMail eq
    https
    access-list outside_access_in remark Inside sharepoint
    access-list outside_access_in permit tcp any host 64.179.19.237 eq
    www
    access-list outside_access_in permit tcp any host 64.179.19.237 eq
    https
    access-list inside_outbound_nat0_acl permit ip 192.168.20.0
    255.255.255.0 192.168
    ..1.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 192.168.20.0
    255.255.255.0 192.168
    ..22.0 255.255.255.0
    access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.0
    255.255.255.0
    access-list outside_map_20 permit ip 192.168.20.0 255.255.255.0
    192.168.22.0 255.
    255.255.0
    pager lines 24
    logging on
    icmp permit any unreachable outside
    mtu outside 1500
    mtu inside 1500
    ip address outside 1.1.1.1 255.255.255.248
    ip address inside 192.168.20.1 255.255.255.0
    ip verify reverse-path interface outside
    ip audit name InfoPolicy info action alarm
    ip audit name AttackPolicy attack action alarm
    ip audit interface outside AttackPolicy
    ip audit interface inside InfoPolicy
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool VPNPool 192.168.1.1-192.168.1.254
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    pdm location companymain 255.255.255.255 inside
    pdm location InetRtr 255.255.255.255 outside
    pdm location Cisco3560G 255.255.255.255 inside
    pdm location 192.168.16.0 255.255.255.0 inside
    pdm location companyserver 255.255.255.255 inside
    pdm location companysvr 255.255.255.255 inside
    pdm location companyweb 255.255.255.255 inside
    pdm location company-zone 255.255.255.255 inside
    pdm location 192.168.1.0 255.255.255.248 outside
    pdm location Mail 255.255.255.255 outside
    pdm logging informational 500
    pdm history enable
    arp timeout 14400
    global (outside) 10 1.1.1.4
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 10 192.168.20.0 255.255.255.0 0 0
    static (inside,outside) 1.1.1.5 company-zone netmask 255.255.255.255 0
    0
    static (inside,outside) Mail companyserver netmask 255.255.255.255 0
    0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 InetRtr 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa-server partnerauth protocol radius
    aaa-server partnerauth max-failed-attempts 3
    aaa-server partnerauth deadtime 10
    aaa-server partnerauth (inside) host companysvr companyvpn timeout 10
    http server enable
    http 192.168.20.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address
    outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_map_20
    crypto map outside_map 20 set peer 12.50.51.194
    crypto map outside_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication partnerauth
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 1.1.1.1 netmask 255.255.255.255 no-xauth
    no-co
    nfig-mode
    isakmp identity address
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup company address-pool VPNPool
    vpngroup company dns-server companyserver companysvr
    vpngroup company wins-server companyserver companysvr
    vpngroup company default-domain company.local
    vpngroup company idle-time 1800
    vpngroup company password ********
    telnet 192.168.20.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    management-access inside
    console timeout 0
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    , Nov 18, 2007
    #2
    1. Advertising

  3. CeykoVer Guest

    I'll need to understand the topology a little more...your first post said
    something about another firewall? Can the two sites ping each other's
    internal IP addresses? Which site has the internet connection?
    <> wrote in message
    news:...
    >
    > Here is the main office config...
    >
    >
    >
    > PIX Version 6.3(4)
    > interface ethernet0 100full
    > interface ethernet1 100full
    > nameif ethernet0 outside security0
    > nameif ethernet1 inside security100
    > enable password KyBwpD2r5usBhnuK encrypted
    > passwd T6rXlubxvTBs83122 encrypted
    > hostname Company-Pix2
    > domain-name company.local
    > clock timezone EST -5
    > clock summer-time EDT recurring
    > fixup protocol dns maximum-length 512
    > fixup protocol ftp 21
    > fixup protocol h323 h225 1720
    > fixup protocol h323 ras 1718-1719
    > fixup protocol http 80
    > fixup protocol rsh 514
    > fixup protocol rtsp 554
    > fixup protocol sip 5060
    > fixup protocol sip udp 5060
    > fixup protocol skinny 2000
    > fixup protocol smtp 25
    > fixup protocol sqlnet 1521
    > fixup protocol tftp 69
    > names
    > name 192.168.20.10 companymain
    > name 2.2.2.2 InetRtr
    > name 192.168.20.5 Cisco3560G
    > name 192.168.20.11 companyserver
    > name 192.168.20.12 companysvr
    > name 192.168.20.13 companyweb
    > name 192.168.20.14 company-zone
    > name 2.2.2.3 Mail
    > access-list outside_access_in remark Inbound mail
    > access-list outside_access_in permit tcp any host outsideMail eq smtp
    > access-list outside_access_in remark Inbound Web
    > access-list outside_access_in permit tcp any host outsideMail eq www
    > access-list outside_access_in remark Allow SSL to OWA
    > access-list outside_access_in permit tcp any host outsideMail eq
    > https
    > access-list outside_access_in remark Inside sharepoint
    > access-list outside_access_in permit tcp any host 64.179.19.237 eq
    > www
    > access-list outside_access_in permit tcp any host 64.179.19.237 eq
    > https
    > access-list inside_outbound_nat0_acl permit ip 192.168.20.0
    > 255.255.255.0 192.168
    > .1.0 255.255.255.0
    > access-list inside_outbound_nat0_acl permit ip 192.168.20.0
    > 255.255.255.0 192.168
    > .22.0 255.255.255.0
    > access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.0
    > 255.255.255.0
    > access-list outside_map_20 permit ip 192.168.20.0 255.255.255.0
    > 192.168.22.0 255.
    > 255.255.0
    > pager lines 24
    > logging on
    > icmp permit any unreachable outside
    > mtu outside 1500
    > mtu inside 1500
    > ip address outside 1.1.1.1 255.255.255.248
    > ip address inside 192.168.20.1 255.255.255.0
    > ip verify reverse-path interface outside
    > ip audit name InfoPolicy info action alarm
    > ip audit name AttackPolicy attack action alarm
    > ip audit interface outside AttackPolicy
    > ip audit interface inside InfoPolicy
    > ip audit info action alarm
    > ip audit attack action alarm
    > ip local pool VPNPool 192.168.1.1-192.168.1.254
    > no failover
    > failover timeout 0:00:00
    > failover poll 15
    > no failover ip address outside
    > no failover ip address inside
    > pdm location companymain 255.255.255.255 inside
    > pdm location InetRtr 255.255.255.255 outside
    > pdm location Cisco3560G 255.255.255.255 inside
    > pdm location 192.168.16.0 255.255.255.0 inside
    > pdm location companyserver 255.255.255.255 inside
    > pdm location companysvr 255.255.255.255 inside
    > pdm location companyweb 255.255.255.255 inside
    > pdm location company-zone 255.255.255.255 inside
    > pdm location 192.168.1.0 255.255.255.248 outside
    > pdm location Mail 255.255.255.255 outside
    > pdm logging informational 500
    > pdm history enable
    > arp timeout 14400
    > global (outside) 10 1.1.1.4
    > nat (inside) 0 access-list inside_outbound_nat0_acl
    > nat (inside) 10 192.168.20.0 255.255.255.0 0 0
    > static (inside,outside) 1.1.1.5 company-zone netmask 255.255.255.255 0
    > 0
    > static (inside,outside) Mail companyserver netmask 255.255.255.255 0
    > 0
    > access-group outside_access_in in interface outside
    > route outside 0.0.0.0 0.0.0.0 InetRtr 1
    > timeout xlate 3:00:00
    > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    > 1:00:00
    > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    > timeout uauth 0:05:00 absolute
    > aaa-server TACACS+ protocol tacacs+
    > aaa-server TACACS+ max-failed-attempts 3
    > aaa-server TACACS+ deadtime 10
    > aaa-server RADIUS protocol radius
    > aaa-server RADIUS max-failed-attempts 3
    > aaa-server RADIUS deadtime 10
    > aaa-server LOCAL protocol local
    > aaa-server partnerauth protocol radius
    > aaa-server partnerauth max-failed-attempts 3
    > aaa-server partnerauth deadtime 10
    > aaa-server partnerauth (inside) host companysvr companyvpn timeout 10
    > http server enable
    > http 192.168.20.0 255.255.255.0 inside
    > no snmp-server location
    > no snmp-server contact
    > snmp-server community public
    > no snmp-server enable traps
    > floodguard enable
    > sysopt connection permit-ipsec
    > crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    > crypto dynamic-map outside_dyn_map 20 match address
    > outside_cryptomap_dyn_20
    > crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    > crypto map outside_map 20 ipsec-isakmp
    > crypto map outside_map 20 match address outside_map_20
    > crypto map outside_map 20 set peer 12.50.51.194
    > crypto map outside_map 20 set transform-set ESP-3DES-MD5
    > crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    > crypto map outside_map client authentication partnerauth
    > crypto map outside_map interface outside
    > isakmp enable outside
    > isakmp key ******** address 1.1.1.1 netmask 255.255.255.255 no-xauth
    > no-co
    > nfig-mode
    > isakmp identity address
    > isakmp policy 20 authentication pre-share
    > isakmp policy 20 encryption 3des
    > isakmp policy 20 hash md5
    > isakmp policy 20 group 2
    > isakmp policy 20 lifetime 86400
    > vpngroup company address-pool VPNPool
    > vpngroup company dns-server companyserver companysvr
    > vpngroup company wins-server companyserver companysvr
    > vpngroup company default-domain company.local
    > vpngroup company idle-time 1800
    > vpngroup company password ********
    > telnet 192.168.20.0 255.255.255.0 inside
    > telnet timeout 5
    > ssh timeout 5
    > management-access inside
    > console timeout 0
    > dhcpd lease 3600
    > dhcpd ping_timeout 750
    > dhcpd auto_config outside
    > terminal width 80
    CeykoVer, Nov 21, 2007
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. GVB
    Replies:
    1
    Views:
    2,804
    Martin Bilgrav
    Feb 6, 2004
  2. Elise
    Replies:
    6
    Views:
    814
    John Rennie
    May 22, 2004
  3. Tom
    Replies:
    4
    Views:
    669
  4. Marko Uusitalo
    Replies:
    1
    Views:
    1,502
    Frank Durham
    Apr 11, 2005
  5. Svenn
    Replies:
    3
    Views:
    725
    Svenn
    Mar 13, 2006
Loading...

Share This Page