Help With 1710 to Pix 501 VPN Tunnel

Discussion in 'Cisco' started by B. Gray, Jul 25, 2005.

    B. Gray Guest

    I am having trouble establishing a tunnel between two sites. I'm not sure
    what I'm missing here. The first part is my Pix config, the second part is
    what I'm putting into both sides for the tunnel.

    Here's My current config on the Pix:

    Building configuration...
    : Saved
    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password VdNQtSmyp5pSIPcY encrypted
    passwd VdNQtSmyp5pSIPcY encrypted
    hostname superwall
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    object-group service RemoteAssistance tcp
    description Remote Assistance Port
    port-object range 3389 3389
    object-group service UPnP tcp
    port-object range 5000 5000
    object-group network pos
    description POS Stations
    network-object host
    network-object host
    network-object host
    access-list inside_outbound_nat0_acl permit ip any
    access-list noweb deny tcp object-group pos any eq www
    access-list noweb permit ip any any
    pager lines 24
    logging on
    logging timestamp
    logging trap informational
    logging host inside
    interface ethernet0 10baset
    interface ethernet1 10full
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool VPNPool
    pdm location inside
    pdm logging warnings 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 dns 0 0
    access-group noweb in interface inside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
    0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    no sysopt route dnat
    telnet inside
    telnet timeout 5
    ssh timeout 5
    vpdn group PPTP-VPDN-GROUP accept dialin pptp
    vpdn group PPTP-VPDN-GROUP ppp authentication mschap
    vpdn group PPTP-VPDN-GROUP ppp encryption mppe 128
    vpdn group PPTP-VPDN-GROUP client configuration address local VPNPool
    vpdn group PPTP-VPDN-GROUP pptp echo 60
    vpdn group PPTP-VPDN-GROUP client authentication local
    vpdn username bsmith password *********
    vpdn username bsmitty password *********
    vpdn enable outside
    dhcpd address inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    : end

    Here's what I am attempting to use to create the tunnel; on both sides...

    Dallas Router

    ***Creating IKE Policy
    Crypto isakmp policy 100
    Authentication pre-share
    Encryption 3des
    Hash md5
    Group 2
    Lifetime 86400

    ***Defining the Pre-shared Key & Peer

    crypto isakmp key mrpix1 address

    ***Create the Transform-set

    Crypto ipsec transform-set 20 esp-3des esp-md5-hmac

    ***Configure IPSec SA Lifetimes

    Crypto ipsec security-association lifetime seconds 3600

    ***Create the Crypto ACL *Must match at both ends

    Access-list 105 permit ip

    ***Create the Crypto Map

    Crypto map Houston 120 ipsec-isakmp
    Match address 105
    Set peer
    Set pfs group2
    Set transform-set 20
    Set security-association lifetime seconds 3600

    ***Apply the Crypto Map to Interface
    Int e0
    Crypto map Houston
    Houston PIX

    ***Enable IKE

    Isakmp enable outside

    ***Create IKE Policy

    Isakmp policy 100 authentication pre-share
    Isakmp policy 100 encryption 3des
    Isakmp policy 100 group 2
    Isakmp policy 100 hash md5
    Isakmp policy 100 lifetime 3600
    Isakmp identity address
    Isakmp enable outside

    ***Configure Pre-Shared Key

    Isakmp key mrpix1 address netmask

    ***Do not nat traffic across tunnel
    nat (inside) 0 access-list 105

    ***Create A Crypto Access List

    Access-list 105 permit ip

    ***Configure a Transform-Set

    Crypto ipsec transform-set 20 esp-3des esp-md5-hmac

    ***Configure IPSec SA Lifetime

    Crypto ipesc security-association lifetime seconds 3600

    ***Create Crypto Map

    Crypto map Dallas 10 ipsec-isakmp
    Crypto map Dallas 10 match address 105
    Crypto map Dallas 10 set transform-set 20
    Crypto map Dallas 10 set peer
    Crypto map Dallas 10 interface outside

    ***Bypass traffic checking through tunnel

    Sysopt connection permit-ipsec

    Phew. I noted it all out before I began, but obviously I'm missing
    something. I never see the tunnel establish at all. Is it that I'm not
    defining traffic? Is it that I need to permit esp, ah and udp in access
    lists? Help, Help, Help!!!

    There are only so many times I can look at the same configs. I have checked
    out the Cisco site and reread my Cisco Press book, but their examples do not
    seem to work as easily as they are laid out... or I am doing it wrong. :)

    Thanks Everyone!

    *I currently have nothing configured other than basic access to the internet
    on the 1710 router, but the PIX is already going. In my next reply here I
    will post what I am putting in. Perhaps someone can see the err of my ways;
    personally I'm pulling my hair out...
    B. Gray, Jul 25, 2005
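An added illustration, not part of the post or of either device's real configuration: the two snippets above are written in different dialects (IOS sub-mode lines vs. the PIX's repeated command prefixes), which makes side-by-side comparison error-prone, so a small checker that parses both and diffs the peer-sensitive settings is useful. Run over the posted values it flags PFS, which the router's crypto map sets and the PIX map does not; both peers must agree on PFS for Phase 2 to complete. Addresses, ACLs and the key are left out because the post elides them.

```python
# Constructed from the post's two snippets (Phase 1 policy, transform set,
# crypto map); peer addresses and the crypto ACL are omitted as the post elides them.
ROUTER = """crypto isakmp policy 100
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto ipsec transform-set 20 esp-3des esp-md5-hmac
crypto map Houston 120 ipsec-isakmp
 set pfs group2
 set transform-set 20"""
PIX = """isakmp policy 100 authentication pre-share
isakmp policy 100 encryption 3des
isakmp policy 100 group 2
isakmp policy 100 hash md5
crypto ipsec transform-set 20 esp-3des esp-md5-hmac
crypto map Dallas 10 ipsec-isakmp
crypto map Dallas 10 set transform-set 20"""

# Phase 1 attributes that must agree. Lifetime is left out on purpose: IKE
# settles on the shorter of the two peers' values instead of failing.
P1_KEYS = ("authentication", "encryption", "hash", "group")

def parse(cfg):
    """Extract the peer-sensitive settings from either dialect. IOS indents
    sub-mode lines while PIX repeats the parent command, so scanning each
    line's tokens for the keyword handles both without a real grammar."""
    s = {"pfs": None, "transform": None}
    for line in cfg.splitlines():
        t = line.split()
        if t[:3] == ["crypto", "ipsec", "transform-set"]:
            s["transform"] = tuple(sorted(t[4:]))  # ESP proposals, order-insensitive
            continue
        for key in P1_KEYS + ("pfs",):
            if key in t:
                s[key] = t[t.index(key) + 1]
    return s

def compare(router, pix):
    """Return the settings that differ between the two ends; an empty list
    means everything checked here agrees (PFS on one side only is flagged)."""
    keys = P1_KEYS + ("pfs", "transform")
    return [f"{k}: router={router.get(k)} pix={pix.get(k)}"
            for k in keys if router.get(k) != pix.get(k)]

if __name__ == "__main__":
    for issue in compare(parse(ROUTER), parse(PIX)):
        print("MISMATCH", issue)
```

On the posted values the only difference reported is `pfs: router=group2 pix=None`; ISAKMP policy and transform set already match.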