Help creating a VPN Tunnel - Pix 501 1710 Router

Discussion in 'Cisco' started by B. Gray, Aug 10, 2005.

  1. B. Gray

    B. Gray Guest

    Hi Everyone,

    Can anyone help me out here with a config I'm pulling my hair out with?

    I am trying to create the following tunnel:
    *Note that the dynamic outside addresses never change (beauty of cable

    1710 Router (E0 DHCP)-------Internet------(Outside DHCP)Pix 501

    I have used configurations from the Cisco Press textbooks and from the Cisco
    site with no luck.

    I have verified crypto maps on both sides, transform sets and so on.

    Is there any pointers anyone can give for this? All of my configs appear
    fine but the tunnel does not appear. As well I can never seem to ping from
    inside address to inside addreess on the peer - do I need to add in other

    Thanks in advance!
    B. Gray, Aug 10, 2005
    1. Advertisements

  2. B. Gray

    None Guest

    How about posting the configs that you have so far and we'll help you debug
    them. Naturally you will need to strip out your IP's and passwords.
    None, Aug 10, 2005
    1. Advertisements

  3. B. Gray

    B. Gray Guest

    It's big but....

    Here's My current config on the Pix:

    Building configuration...
    : Saved
    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password VdNQtSmyp5pSIPcY encrypted
    passwd VdNQtSmyp5pSIPcY encrypted
    hostname superwall
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    object-group service RemoteAssistance tcp
    description Remote Assistance Port
    port-object range 3389 3389
    object-group service UPnP tcp
    port-object range 5000 5000
    object-group network pos
    description POS Stations
    network-object host
    network-object host
    network-object host
    access-list inside_outbound_nat0_acl permit ip any
    access-list noweb deny tcp object-group pos any eq www
    access-list noweb permit ip any any
    pager lines 24
    logging on
    logging timestamp
    logging trap informational
    logging host inside
    interface ethernet0 10baset
    interface ethernet1 10full
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool VPNPool
    pdm location inside
    pdm logging warnings 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 dns 0 0
    access-group noweb in interface inside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
    0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    no sysopt route dnat
    telnet inside
    telnet timeout 5
    ssh timeout 5
    vpdn group PPTP-VPDN-GROUP accept dialin pptp
    vpdn group PPTP-VPDN-GROUP ppp authentication mschap
    vpdn group PPTP-VPDN-GROUP ppp encryption mppe 128
    vpdn group PPTP-VPDN-GROUP client configuration address local VPNPool
    vpdn group PPTP-VPDN-GROUP pptp echo 60
    vpdn group PPTP-VPDN-GROUP client authentication local
    vpdn username bsmith password *********
    vpdn username bsmitty password *********
    vpdn enable outside
    dhcpd address inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    : end

    Here's what I am attempting to use to create the tunnel; on both sides...

    Dallas Router

    ***Creating IKE Policy
    Crypto isakmp policy 100
    Authentication pre-share
    Encryption 3des
    Hash md5
    Group 2
    Lifetime 86400

    ***Defining the Pre-shared Key & Peer

    crypto isakmp key mrpix1 address

    ***Create the Transform-set

    Crypto ipsec transform-set 20 esp-3des esp-md5-hmac

    ***Configure IPSec SA Lifetimes

    Crypto ipsec security-association lifetime seconds 3600

    ***Create the Crypto ACL *Must match at both ends

    Access-list 105 permit ip

    ***Create the Crypto Map

    Crypto map Houston 120 ipsec-isakmp
    Match address 105
    Set peer
    Set pfs group2
    Set transform-set 20
    Set security-association lifetime seconds 3600

    ***Apply the Crypto Map to Interface
    Int e0
    Crypto map Houston
    Houston PIX

    ***Enable IKE

    Isakmp enable outside

    ***Create IKE Policy

    Isakmp policy 100 authentication pre-share
    Isakmp policy 100 encryption 3des
    Isakmp policy 100 group 2
    Isakmp policy 100 hash md5
    Isakmp policy 100 lifetime 3600
    Isakmp identity address
    Isakmp enable outside

    ***Configure Pre-Shared Key

    Isakmp key mrpix1 address netmask

    ***Do not nat traffic across tunnel
    nat (inside) 0 access-list 105

    ***Create A Crypto Access List

    Access-list 105 permit ip

    ***Configure a Transform-Set

    Crypto ipsec transform-set 20 esp-3des esp-md5-hmac

    ***Configure IPSec SA Lifetime

    Crypto ipesc security-association lifetime seconds 3600

    ***Create Crypto Map

    Crypto map Dallas 10 ipsec-isakmp
    Crypto map Dallas 10 match address 105
    Crypto map Dallas 10 set transform-set 20
    Crypto map Dallas 10 set peer
    Crypto map Dallas 10 interface outside

    ***Bypass traffic checking through tunnel

    Sysopt connection permit-ipsec

    Phew. I noted it all out before I began, but obviously I'm missing
    something. I never see the tunnel establish at all. Is it that I'm not
    defining traffic? Is it that I need to permit esp, ah and udp in access
    lists? Help, Help, Help!!!

    There is only so many times I can look at the same configs. I have checked
    out the cisco site and reread my Cisco Press book, but their examples do not
    seem to work as easily as they are laid out...or I am doing it wrong. :)

    Thanks Everyone!

    *I currenlty have nothing configured other than basic access to the internet
    on the 1710 router, but the pix is already going. In my next reply here I
    will post what I am putting in. Perhaps someone can see the err of my ways;
    personally I'm pulling my hair out...
    B. Gray, Aug 10, 2005
  4. :pIX Version 6.2(2)

    That version has known security problems. You should upgrade
    to 6.2(5) -- it's free even if you don't have a support contract.

    :access-list inside_outbound_nat0_acl permit ip any

    :ip address outside dhcp setroute
    :ip address inside

    :ip local pool VPNPool

    :global (outside) 1 interface
    :nat (inside) 0 access-list inside_outbound_nat0_acl
    :nat (inside) 1 dns 0 0

    :vpdn group PPTP-VPDN-GROUP accept dialin pptp

    :vpdn group PPTP-VPDN-GROUP client configuration address local VPNPool

    :dhcpd address inside

    Your dhcpd address range (to be assigned to inside IPs)
    overlaps with your VPNPool address range (to be assigned to outside
    PPTP dialins).

    It is not common to use "dialin" to a dynamic IP address: you would
    normally want to "dialout" from a device with a dynamic IP.

    :Here's what I am attempting to use to create the tunnel; on both sides...

    :***Create the Crypto ACL *Must match at both ends

    :Access-list 105 permit ip

    But it doesn't. You don't have a specific crypto ACL assigned
    on the PIX, so for each VPN group dialin, it is going to create
    a new temporary ACL with a host netmask, not a /24 netmask. That
    will mess up your tunnels.

    :Crypto map Houston 120 ipsec-isakmp
    :Match address 105
    :Set peer
    :Set pfs group2
    :Set transform-set 20
    :Set security-association lifetime seconds 3600

    You've defined an IPSec tunnel out of the 1710, but on the PIX
    end, you've defined PPTP instead of IPSec.

    If you thought you were using EzVPN between the devices, then you
    need to configure 'vpnclient' or 'vpngroup' on the 501 rather than
    Walter Roberson, Aug 16, 2005
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.