Pix 515e -> dynamic 851w

Discussion in 'Cisco' started by dmgeller, Apr 4, 2007.

  1. dmgeller

    Greetings folks,

    I am running into a tough issue (at least for me) here, allow me to

    I currently have a WAN between a few PIX 515Es in data centers and a
    static 851W at a remote office. I am trying to hook up another 851W,
    running Version 12.4(4)T7, with a dynamic IP into this WAN. I have
    targeted one of the 515Es, running Version 7.0(1), as the first point
    of entry into the WAN. All the devices are in a mesh (connecting to
    all the other nodes).

    Anyways, I have read through and attempted to make the changes
    recommended by http://www.cisco.com/warp/public/471/pix_router_dyn.html
    which seemed perfect, alas I am still not seeing any results.
    Additionally, I have read through many newsgroup postings; however, none
    seem to be on topic or correct.

    So let me include some of my config based on the Cisco article and
    maybe a fresh set of eyes can figure out where I am going wrong.
    Understand that the PIX is working fine so there is no issue with
    internet connection, natting (though maybe on this connection)

    Thanks for your help!


    PIX 515E Version 7.0:

    access-list inside_outbound_nat0_acl extended permit ip

    access-list outside_cryptomap_100 extended permit ip
    access-list outside_cryptomap_100 extended permit ip

    crypto dynamic-map dynmap 10 set transform-set ESP-DES-MD5
    crypto map dyn-map 100 ipsec-isakmp dynamic dynmap
    crypto map dyn-map interface outside

    isakmp key ***** address netmask
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 1
    isakmp policy 20 lifetime 28800

    851W Version 12.4:

    crypto isakmp policy 1
    hash md5
    authentication pre-share
    lifetime 28800

    crypto isakmp key ***** address xxx.xxx.xxx.xxx

    crypto ipsec transform-set SF_Transform_Set esp-des esp-md5-hmac

    crypto map SF_iC 3 ipsec-isakmp
    description Tunnel LA
    set peer xxx.xxx.xxx.xxx
    set transform-set SF_Transform_Set
    match address 102

    interface FastEthernet4
    ip nat outside
    crypto map SF_iC

    interface Dialer1
    ip nat outside

    interface Vlan1
    no ip address
    ip nat inside

    interface BVI1
    ip address
    ip nat inside

    ip nat inside source route-map SF_RMAP interface Dialer1 overload

    access-list 102 remark ACL to LA
    access-list 102 permit ip
    access-list 102 permit ip

    access-list 105 deny ip
    access-list 105 permit ip any

    route-map SF_RMAP permit 1
    match ip address 105
    dmgeller, Apr 4, 2007
