Pix-to-Pix and Client-to-Pix VPN

Discussion in 'Cisco' started by AlanP, Apr 6, 2004.

  1. AlanP

    AlanP Guest

    Have got two working configs for a Pix that allow either a Pix-to-Pix
    VPN, or remote users to connecting into a Pix using the Cisco client
    (created these using two excellent documents on Cisco.com - #6211 and
    #14091). Am trying to combine the two but am having a few problems.

    Ideally, would like to find equiv document from Cisco but have had no
    joy (is it just me or is Cisco web-site diabolical for searching?).
    Current non-working config is as follows:

    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password utXGGJbasURbvYXQ encrypted
    passwd utXGGJbasURbvYXQ encrypted
    hostname hosthost
    domain-name host.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    name x.x.x.x router
    name y.y.y.y WAN
    name Boardroom
    name remoteoffice-nw
    name z.z.z.z remoteoffice
    access-list 102 permit tcp any host a.a.a.a eq smtp
    access-list 102 permit tcp any host a.a.a.a eq www
    access-list 102 permit tcp any host a.a.a.a eq 3389
    access-list 102 permit tcp any host b.b.b.b eq pcanywhere-data
    access-list 102 permit udp any host b.b.b.b eq pcanywhere-status
    access-list 102 permit tcp any host c.c.c.c eq 3389
    access-list 101 permit ip remoteoffice-nw
    access-list 101 permit ip
    pager lines 24
    interface ethernet0 10baset
    interface ethernet1 10full
    mtu outside 1500
    mtu inside 1500
    ip address outside WAN
    ip address inside
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ippool
    no pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 101
    nat (inside) 1 0 0
    static (inside,outside) a.a.a.a netmask 0 0
    static (inside,outside) b.b.b.b Boardroom netmask 0 0
    static (inside,outside) c.c.c.c netmask 0 0
    access-group 102 in interface outside
    route outside router 1
    route outside router router 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
    0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    no sysopt route dnat
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn 30 match address 101
    crypto dynamic-map outside_dyn 30 set transform-set myset
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address 101
    crypto map outside_map 20 set peer remoteoffice
    crypto map outside_map 20 set transform-set ESP-DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address remoteoffice netmask
    no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup dialin address-pool ippool
    vpngroup dialin dns-server
    vpngroup dialin idle-time 1800
    vpngroup dialin password ********
    telnet timeout 5
    ssh timeout 5
    terminal width 80
    : end
    AlanP, Apr 6, 2004
    1. Advertisements

  2. upgrade to 6.3.3
    and add command isakmp nat-t

    This will do it for you.

    Martin Bilgrav
    Martin Bilgrav, Apr 6, 2004
    1. Advertisements

  3. AlanP

    Dominic Guest

    Everything's looking fine... but, I guess that you should remove:

    PIX(config)#no crypto dynamic-map outside_dyn 30 match address 101

    Also, I'm NOT sure whether you can setup the seq num 65535 or not. Can
    you try 30 instead?

    Be aware that you will only have access to your network
    and NOT to network.

    Dominic Longpre, CCNA & CSPFA (PIX Certified)
    IT Specialist
    Dominic, Apr 6, 2004
  4. AlanP

    Mirek Guest


    Could uou help me. I see that you are real professional.
    My probem is:

    | -- inside /16 WEB Server
    | PIX | -- dmz /16 --DNS Server
    | outside /28
    My perm. router

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet1 dmz security90
    access-list ipsec permit ip
    access-list nonat permit ip
    ip address outside
    ip address inside
    ip address dmz
    global (outside) 1
    nat (inside) 0 access-list nonat
    nat (inside) 1 0 0
    nat (dmz) 1 0 0
    static (inside,outside) netmask 0 0
    static (dmz, outside) netmask 0 0
    conduit permit ip host any
    conduit permit ip host any
    conduit permit icmp any any
    route outside 1
    sysopt connection permit-ipsec
    crypto ipsec transform-set lanche esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto map forg 21 ipsec-isakmp
    crypto map forg 21 match address ipsec
    crypto map forg 21 set peer
    crypto map forg 21 set transform-set lanche
    crypto map forg interface outside
    isakmp enable outside
    isakmp key fin2000 address netmask
    isakmp identity address
    isakmp policy 21 authentication pre-share
    isakmp policy 21 encryption des
    isakmp policy 21 hash md5
    isakmp policy 21 group 1

    So. I have 3 problems, questions.
    1st question: Is this configuration good, because my banch router from the
    other side doesn't response. How to set up more the one
    VPN tunnel to another Cisco router?

    2nd, main question: I did static address translation, but with ip
    address outside
    hosts from protected networks inside are invisible for themselves. For
    example: I can't not ping, or telnet to from using IP or hostsnames. Where I did a mistakes? Please help. With
    ip address outside everything goes
    fine. But for me is a bad netmask? I can't ping (no response) to outside
    interface from any host in inside and dmz? Is it correct?

    3rd: Why my VPN doesn't work. What I did wrong?

    Best regards
    Mirek, Apr 7, 2004
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.