Pix VPN, I need you to tell me it will be ok

Discussion in 'Cisco' started by Freddy, May 27, 2005.

  1. Freddy

    Freddy Guest

    Good day expert guys!

    I need you to confirm points in there. I have to setup a VPN from a PIX 506
    to a PIX 515.

    I need you to confirm it looks ok in order to achieve:

    1. access-list traffic-2-remote will "take over" the access-list
    internet-access
    2. internet-access ACL will be fine,
    3. my access-groups are ok.

    I am in trouble with the access-group since only one is in there. I believe I
    should have 2, no?

    Is there something missing from the show conf?

    Thank you very much

    The config in a text file can get downloaded at
    http://cjoint.com/?fBpkqdeWjf also

    : Saved
    : Written by enable_15 at 05:23:29.126 UTC Fri May 27 2005
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 external security0
    nameif ethernet1 inside security100
    enable password xxxxxxxxxxxxxxx encrypted
    passwd xxxxxxxxxxxxxxxxxx encrypted
    hostname pix1
    domain-name mycompany.net
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list traffic-2-remote permit ip 192.168.10.0 255.255.255.128 10.1.0.0 255.255.255.240
    access-list traffic-2-remote permit ip 192.168.10.0 255.255.255.128 10.1.48.0 255.255.255.240
    access-list traffic-2-remote permit ip 192.168.10.0 255.255.255.128 10.1.96.0 255.255.255.240
    access-list traffic-2-remote permit ip 192.168.10.0 255.255.255.128 10.6.0.0 255.255.255.240
    access-list traffic-2-remote permit ip 192.168.10.0 255.255.255.128 10.8.0.0 255.255.255.240
    access-list traffic-2-remote permit ip 192.168.10.0 255.255.255.128 10.100.96.0 255.255.255.240
    access-list traffic-2-remote permit ip 192.168.10.0 255.255.255.128 10.100.112.0 255.255.255.240
    access-list no-nat permit ip 192.168.10.0 255.255.255.128 10.1.0.0 255.255.255.240
    access-list no-nat permit ip 192.168.10.0 255.255.255.128 10.1.48.0 255.255.255.240
    access-list no-nat permit ip 192.168.10.0 255.255.255.128 10.1.96.0 255.255.255.240
    access-list no-nat permit ip 192.168.10.0 255.255.255.128 10.6.0.0 255.255.255.240
    access-list no-nat permit ip 192.168.10.0 255.255.255.128 10.8.0.0 255.255.255.240
    access-list no-nat permit ip 192.168.10.0 255.255.255.128 10.100.96.0 255.255.255.240
    access-list no-nat permit ip 192.168.10.0 255.255.255.128 10.100.112.0 255.255.255.240
    access-list internet-access permit tcp 192.168.10.0 255.255.255.128 any eq www
    access-list internet-access permit tcp 192.168.10.0 255.255.255.128 any eq https
    access-list internet-access permit tcp 192.168.10.0 255.255.255.128 any eq 5223
    access-list internet-access permit tcp 192.168.10.0 255.255.255.128 any eq ssh
    access-list internet-access permit tcp 192.168.10.0 255.255.255.128 any eq ftp
    access-list internet-access permit udp 192.168.10.0 255.255.255.128 any eq domain
    pager lines 24
    logging on
    logging timestamp
    logging buffered informational
    logging trap informational
    logging host external 195.238.14.56
    no logging message 302010
    mtu external 1500
    mtu inside 1500
    ip address external 195.238.98.34 255.255.255.252
    ip address inside 192.168.10.125 255.255.255.128
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (external) 1 interface
    nat (inside) 0 access-list no-nat
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group internet-access in interface inside
    route external 0.0.0.0 0.0.0.0 195.238.98.35 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    ntp server 195.238.14.56 source external
    snmp-server host external 195.238.14.56 poll
    no snmp-server location
    no snmp-server contact
    snmp-server community 373v4ih8
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set trans-aes-md5 esp-aes esp-md5-hmac
    crypto map cmap-vpn 10 ipsec-isakmp
    crypto map cmap-vpn 10 match address traffic-2-remote
    crypto map cmap-vpn 10 set peer 212.217.98.167
    crypto map cmap-vpn 10 set transform-set trans-aes-md5
    crypto map cmap-vpn interface external
    isakmp enable external
    isakmp key ******** address 212.217.98.167 netmask 255.255.255.255
    isakmp identity address
    isakmp keepalive 10
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption aes
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    telnet timeout 5
    ssh 195.238.98.0 255.255.255.0 external
    ssh timeout 60
    console timeout 0
    terminal width 80
    Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxx
    pix1(config)#
     
    Freddy, May 27, 2005
    #1
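Added worked example, not part of Freddy's post and not a Cisco tool: a small Python checker that parses a constructed excerpt of the configuration above (wrapped lines re-joined, three entries per ACL) and answers the three questions the post asks from the configuration itself. It reads the crypto map's `match address` ACL and the `nat (inside) 0 access-list` ACL and confirms they cover the same flows, finds which ACL is bound `in` on the inside interface, and then evaluates a few constructed probe flows (tcp/80, tcp/445, icmp from a made-up inside host to the first host of each remote subnet) against that interface ACL. The PIX 6.3 semantics assumed are that an ACL bound inbound on the inside interface is evaluated before the crypto map is consulted, with an implicit deny at the end, and that `sysopt connection permit-ipsec` only exempts decrypted traffic arriving on the outside interface, so outbound VPN traffic still has to be permitted by the inside ACL. Function names, the probe set and the host addresses are the example's own assumptions.

```python
"""Checker for the crypto ACL / nat 0 ACL / access-group relationship on a PIX 6.3.
Added example built around the configuration posted in the thread; not Cisco code."""
import ipaddress

# Constructed excerpt of the posted configuration (three entries per ACL, lines re-joined).
PIX_CONFIG = """
access-list traffic-2-remote permit ip 192.168.10.0 255.255.255.128 10.1.0.0 255.255.255.240
access-list traffic-2-remote permit ip 192.168.10.0 255.255.255.128 10.1.48.0 255.255.255.240
access-list traffic-2-remote permit ip 192.168.10.0 255.255.255.128 10.1.96.0 255.255.255.240
access-list no-nat permit ip 192.168.10.0 255.255.255.128 10.1.0.0 255.255.255.240
access-list no-nat permit ip 192.168.10.0 255.255.255.128 10.1.48.0 255.255.255.240
access-list no-nat permit ip 192.168.10.0 255.255.255.128 10.1.96.0 255.255.255.240
access-list internet-access permit tcp 192.168.10.0 255.255.255.128 any eq www
access-list internet-access permit tcp 192.168.10.0 255.255.255.128 any eq https
access-list internet-access permit udp 192.168.10.0 255.255.255.128 any eq domain
nat (inside) 0 access-list no-nat
access-group internet-access in interface inside
crypto map cmap-vpn 10 match address traffic-2-remote
"""

PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "ftp": 21, "domain": 53}


def _addr(tokens, i):
    """Consume one PIX address spec at tokens[i]; return (IPv4Network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse(config):
    """Return (acls, access_groups, nat0_acl_name, crypto_acl_name)."""
    acls, groups, nat0, crypto = {}, {}, None, None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            name, action, proto = t[1], t[2], t[3]
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            port = None
            if i < len(t) and t[i] == "eq":
                port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            acls.setdefault(name, []).append((action, proto, src, dst, port))
        elif t[0] == "access-group":          # access-group NAME in interface IFACE
            groups[t[1]] = (t[4], t[2])
        elif t[0] == "nat" and t[2] == "0" and "access-list" in t:
            nat0 = t[-1]
        elif t[0] == "crypto" and "match" in t:
            crypto = t[-1]
    return acls, groups, nat0, crypto


def acl_permits(entries, proto, src, dst, dport):
    """First-match evaluation; an ACL with no matching entry denies (PIX implicit deny)."""
    for action, eproto, esrc, edst, eport in entries:
        if eproto != "ip" and eproto != proto:
            continue
        if src not in esrc or dst not in edst:
            continue
        if eport is not None and eport != dport:
            continue
        return action == "permit"
    return False


def audit(config):
    acls, groups, nat0, crypto = parse(config)
    report = {
        "crypto_acl": crypto,
        "nat0_acl": nat0,
        # The nat 0 ACL should exempt exactly the flows the crypto ACL will encrypt.
        "nat0_matches_crypto": set(acls[nat0]) == set(acls[crypto]),
    }
    # Assumed PIX 6.3 behaviour: the ACL bound "in" on the inside interface is checked
    # before the crypto map, so a VPN flow that it does not permit is never encrypted.
    inside_acl = next((n for n, (iface, d) in groups.items()
                       if iface == "inside" and d == "in"), None)
    report["inside_acl"] = inside_acl
    probes = {"tcp/80": ("tcp", 80), "tcp/445": ("tcp", 445), "icmp": ("icmp", None)}
    blocked = {}
    for _, _, src, dst, _ in acls[crypto]:
        s, d = src.network_address + 10, dst.network_address + 1   # constructed hosts
        for label, (proto, port) in probes.items():
            if not acl_permits(acls[inside_acl], proto, s, d, port):
                blocked.setdefault(label, []).append(str(dst))
    report["vpn_flows_blocked_by_inside_acl"] = blocked
    return report


if __name__ == "__main__":
    for key, value in audit(PIX_CONFIG).items():
        print(f"{key}: {value}")
```

Run as-is, the report shows the crypto ACL and nat 0 ACL agreeing entry for entry, `internet-access` as the only ACL bound on the inside interface, and, for each remote /28, that the inside ACL permits the tcp/80 probe but not the tcp/445 or icmp probes. That is the concrete form of the "take over" question: the crypto map does not override the interface ACL, it only sees what the interface ACL has already let through, so any protocol that should cross the tunnel must appear in the inside ACL (or in a separate rule ahead of the internet entries).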