Cisco PIX 501 Problem reaching internal networks

Discussion in 'Cisco' started by Andre, Feb 20, 2005.

  1. Andre

    Andre Guest

    Hi,

    First off i can tell you that i have no experience with setting up vpn
    connections. Now that i got that out... Im trying to configure 2 x
    Cisco PIX 501
    firewalls to create a vpn-tunnel from 2 seperate locations. So that i
    can access both internal networks from either location. So far i have
    managed to setup a tunnel wich kinda works. Both the IKE and IPSEC
    tunnels are up and working.. but i cannot reach the internal networks
    on the inside of either pix.

    This is getting very frustrating.. so if someone can lend me a hand i
    would jump for joy! :)

    Added a stripped dump of configuration on PIX number 2. Since both
    PIX's use the same config except changes in IP addresses i only
    included config for one of them.

    CISCO PIX 501 - %NAME USED BELOW% == PIX2
    ---------------------------------------------------------------
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol icmp error
    fixup protocol ils 389
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list inside_outbound_nat0_acl permit ip
    <PRIVATE-IP-ADDRESS-PIX2> 255.255.255.0 <PRIVATE-IP-ADDRESS-PIX1>
    255.255.255.0
    access-list outside_cryptomap_20 permit ip <PRIVATE-IP-ADDRESS-PIX2>
    255.255.255.0 <PRIVATE-IP-ADDRESS-PIX1> 255.255.255.0
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside <PRIVATE-IP-ADDRESS-PIX1> 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer <PUBLIC-IP-ADDRESS-PIX1>
    crypto map outside_map 20 set transform-set ESP-DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp enable inside
    isakmp key ******** address <PUBLIC-IP-ADDRESS-PIX1> netmask
    255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400


    Any help appreciated! :)
    Andre
     
    Andre, Feb 20, 2005
    #1
    1. Advertisements

  2. Andre

    Jack Taugher Guest

    remove the:

    isakmp enable inside

    You only enable it on the OUTSIDE interface.
     
    Jack Taugher, Feb 25, 2005
    #2
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.