VPN Server and Site to site doesn't work

Discussion in 'Cisco' started by Robert, Dec 19, 2005.

  1. Robert

    Robert Guest

    Hello
    I have 2 PIX firewalls

    I have PIX 1 and PIX 2 - works as VPN server (I can connect via Cisco VPN
    client) - but I created VPN-SITE-TO-SITE and it doesn't work
    show crypto ipsec sa
    show crypto isakmp sa
    works on remote site, not in office - there is nothing
    I do not know where the error is

    Could you have a look and help me please

    Robert

    OFFICE - CONFIG
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    names
    object-group service tcp_19 tcp
    port-object eq www
    port-object eq https
    access-list outside_access_in permit icmp any any log
    access-list outside_access_in permit tcp any host 80.80.82.19 object-group tcp_19
    access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 101 permit ip 192.168.1.0 255.255.255.0 90.90.97.112 255.255.255.240
    access-list RemoteOfficeACL permit ip 192.168.1.0 255.255.255.0 90.90.97.112 255.255.255.240
    ip address outside 80.80.82.18 255.255.255.240
    ip address inside 192.168.1.1 255.255.255.0
    ip local pool ippool 192.168.2.14-192.168.2.20
    global (outside) 10 interface
    nat (inside) 0 access-list 101
    nat (inside) 10 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 80.80.82.19 192.168.1.28 netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 80.80.82.17 1
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map inside_map interface inside
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap interface outside
    crypto map mymap 5 ipsec-isakmp
    crypto map mymap 5 set transform-set myset
    crypto map mymap 5 match address RemoteOfficeACL
    crypto map mymap 5 set peer 90.90.96.239
    isakmp key ********** address 90.90.96.239 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp enable outside
    isakmp nat-traversal 10
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup VPMGRP address-pool ippool
    vpngroup VPMGRP dns-server 192.168.1.2
    vpngroup VPMGRP wins-server 192.168.1.2
    vpngroup VPMGRP default-domain thoughtwebfinancial.com
    vpngroup VPMGRP split-tunnel 101
    vpngroup VPMGRP idle-time 1800
    vpngroup VPMGRP password ********
    vpdn enable outside
    dhcpd address 192.168.1.30-192.168.1.120 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside

    REMOTE SITE CONFIG

    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    object-group service tcp_114 tcp
    port-object eq www
    port-object eq https
    object-group service tcp_117 tcp
    port-object eq www
    port-object eq 8080
    access-list outside_access_in permit icmp any any log
    access-list outside_access_in permit tcp any host 90.90.97.114 object-group tcp_114
    access-list outside_access_in permit tcp any host 90.90.97.117 object-group tcp_117
    access-list outside_access_in permit tcp any host 90.90.97.118 object-group tcp_118
    access-list 101 permit ip 90.90.97.112 255.255.255.248 192.168.2.0 255.255.255.0
    access-list 101 permit ip 90.90.97.112 255.255.255.240 192.168.1.0 255.255.255.0
    access-list RemoteOfficeACL permit ip 90.90.97.112 255.255.255.240 192.168.1.0 255.255.255.0
    ip address outside 90.90.96.239 255.255.254.0
    ip address inside 90.90.97.113 255.255.255.248
    global (outside) 100 interface
    nat (inside) 0 access-list 101
    nat (inside) 10 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 90.90.97.114 90.90.97.114 netmask 255.255.255.255 0 0
    static (inside,outside) 90.90.97.117 90.90.97.117 netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 90.90.96.1 1
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map inside_map interface inside
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap interface outside
    crypto map mymap 5 ipsec-isakmp
    crypto map mymap 5 set transform-set myset
    crypto map mymap 5 match address RemoteOfficeACL
    crypto map mymap 5 set peer 80.80.82.18
    isakmp enable outside
    isakmp nat-traversal 10
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    isakmp key ********** address 80.80.82.18 netmask 255.255.255.255 no-xauth no-config-mode
    vpngroup VPNGRP address-pool ippool
    vpngroup VPNGRP dns-server 90.90.97.115
    vpngroup VPNGRP wins-server 90.90.97.115
    vpngroup VPNGRP default-domain thoughtwebfinancial.com
    vpngroup VPNGRP split-tunnel 101
    vpngroup VPNGRP idle-time 1800
    vpngroup VPNGRP password ********
    vpdn enable outside
     
    Robert, Dec 19, 2005
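
An added example, not part of Robert's post: a small Python check of the three settings both ends of a PIX 6.3 site-to-site tunnel must agree on (peer address versus the other side's outside IP, mirror-image crypto ACLs, and matching ISAKMP policy and transform set). The function names `parse` and `compare` are hypothetical; the input is excerpted from the two configs above with wrapped lines rejoined.

```python
import ipaddress, re

# Lines excerpted from the two configs in the post above (wrapped lines rejoined).
OFFICE = """\
ip address outside 80.80.82.18 255.255.255.240
access-list RemoteOfficeACL permit ip 192.168.1.0 255.255.255.0 90.90.97.112 255.255.255.240
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 5 match address RemoteOfficeACL
crypto map mymap 5 set peer 90.90.96.239
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
"""
REMOTE = """\
ip address outside 90.90.96.239 255.255.254.0
access-list RemoteOfficeACL permit ip 90.90.97.112 255.255.255.240 192.168.1.0 255.255.255.0
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 5 match address RemoteOfficeACL
crypto map mymap 5 set peer 80.80.82.18
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
"""

def parse(cfg):
    """Pull the site-to-site facts out of a PIX 6.3 config excerpt (hypothetical helper)."""
    acl = re.search(r"crypto map \S+ \d+ match address (\S+)", cfg).group(1)
    net = lambda a, m: ipaddress.ip_network(f"{a}/{m}", strict=False)
    return {
        "outside": re.search(r"ip address outside (\S+)", cfg).group(1),
        "peer": re.search(r"crypto map \S+ \d+ set peer (\S+)", cfg).group(1),
        "flows": {(net(s, sm), net(d, dm)) for s, sm, d, dm in re.findall(
            rf"access-list {re.escape(acl)} permit ip (\S+) (\S+) (\S+) (\S+)", cfg)},
        "proposal": sorted(re.findall(r"isakmp policy \d+ (?:encryption|hash|group) \S+", cfg)
                           + re.findall(r"transform-set \S+ (esp-.+)", cfg)),
    }

def compare(a_cfg, b_cfg):
    """Return the mismatches between the two ends' site-to-site settings."""
    a, b = parse(a_cfg), parse(b_cfg)
    problems = []
    if a["peer"] != b["outside"] or b["peer"] != a["outside"]:
        problems.append("peer address does not match the other side's outside IP")
    if a["flows"] != {(d, s) for s, d in b["flows"]}:
        problems.append("crypto ACLs are not mirror images")
    if a["proposal"] != b["proposal"]:
        problems.append("ISAKMP policy or transform set differs")
    return problems
```

`compare(OFFICE, REMOTE)` returns an empty list for these excerpts, so the three settings it checks agree between the two units.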