Hello. I need help. My network diagram looks like this one below.

                                  |
  10.0.1.2 FTP/WEB/DB Server -----|
                                  |
                         inside 10.0.1.1 /16
                                  |
                          --------------
                          |    PIX     | -- dmz 172.16.1.1 /16 ---- DNS Server 172.16.1.2
                          --------------
                                  |
                         outside 20.20.20.3 /28
                                  |
                         My perm. router 20.20.20.2

And pix config:

  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  nameif ethernet1 dmz security90
  access-list ipsec permit ip 10.0.0.0 255.255.0.0 10.2.2.0 255.255.255.0
  access-list nonat permit ip 10.0.0.0 255.255.0.0 10.2.2.0 255.255.255.0
  ip address outside 20.20.20.3 255.255.255.240
  ip address inside 10.0.1.1 255.255.0.0
  ip address dmz 172.16.1.1 255.255.0.0
  global (outside) 1 20.20.20.1
  nat (inside) 0 access-list nonat
  nat (inside) 1 10.0.1.0 255.255.0.0 0 0
  nat (dmz) 1 172.16.0.0 255.255.0.0 0 0
  static (inside,outside) 20.20.20.5 10.0.1.2 netmask 255.255.255.255 0 0
  static (dmz,outside) 20.20.20.6 172.16.1.2 netmask 255.255.255.255 0 0
  conduit permit ip 20.20.20.5 host any
  conduit permit ip 20.20.20.6 host any
  conduit permit icmp any any
  route outside 0.0.0.0 0.0.0.0 20.20.20.2 1
  sysopt connection permit-ipsec
  crypto ipsec transform-set lanche esp-des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 3600
  crypto map forg 21 ipsec-isakmp
  crypto map forg 21 match address ipsec
  crypto map forg 21 set peer 30.30.30.1
  crypto map forg 21 set transform-set lanche
  crypto map forg interface outside
  isakmp enable outside
  isakmp key fin2000 address 30.30.30.1 netmask 255.255.255.255
  isakmp identity address
  isakmp policy 21 authentication pre-share
  isakmp policy 21 encryption des
  isakmp policy 21 hash md5
  isakmp policy 21 group 1

So, I have two problems/questions.

First question: Is this configuration good? My branch router on the other side doesn't respond. How do I set up more than one VPN tunnel to another Cisco router?
Second, main question: I did static address translation, but with "ip address outside 20.20.20.3 255.255.255.240" hosts from the protected networks inside are invisible to each other. For example: I can't ping or telnet to 20.20.20.5 from 20.20.20.6 using IP addresses or hostnames. Where did I make a mistake? Please help. With "ip address outside 20.20.20.3 255.255.255.255" everything goes fine. But for me that is a bad netmask? I can't ping (no response) the outside interface from any host in inside and dmz. Is that correct? Please help.

Best regards
Mirek
Upsss. My fault. Diagram once again.

                     |
                  -- inside 10.0.1.1 /16 ---- WEB Server 10.0.1.2
                  |
           -------------
           |    PIX    | -- dmz 172.16.1.1 /16 ---- DNS Server 172.16.1.2
           -------------
                  |
          outside 20.20.20.3 /28
                  |
          My perm. router 20.20.20.2

Sorry for ...
Mirek
Still doesn't make much sense. Hint - keep line lengths to under 78 chars and use a mono-spaced font.
:I need help. My network diagram looks like this one below.
:And pix config:
: access-list ipsec permit ip 10.0.0.0 255.255.0.0 10.2.2.0 255.255.255.0
: access-list nonat permit ip 10.0.0.0 255.255.0.0 10.2.2.0 255.255.255.0
: conduit permit ip 20.20.20.5 host any
: conduit permit ip 20.20.20.6 host any
: conduit permit icmp any any
:So. I have two problems, questions.
:First question: Is this configuration good,

Do you have a Cisco support contract? If so, then go to the software download area for PIX and download one of the tools that convert 'conduit' into equivalent access-lists. Once you have completely eliminated conduits from your configuration, re-test, and if it still doesn't work, post the new, conduit-less configuration.

You cannot use conduits and access-lists together without encountering problems. Conduits haven't been necessary since PIX 5.0(1), and were declared deprecated in PIX 5.2, but you are trying to use them with a PIX 6.2 or later configuration (the access-list form of nat 0 wasn't supported in PIX 5.) Cisco outright says that using the two together gives broken results. And if you need more convincing: PIX 7.0 will not support conduits at all.

Personally, I refuse to even -try- to debug any configuration that has conduits in it. I don't see any point in spending a lot of time trying to track down something that might well be due to software that is known to be broken and will not be fixed. If you convert your configuration to eliminate the conduits, then I will at least read your question (no point even finding out what you want to know as long as the conduits are there.)
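The conduit-to-access-list conversion the reply asks for, as an added example in Python (not from this thread and not Cisco's conversion tool): a conduit names the protected (global) address first and the foreign address second, while an inbound access-list on the outside interface lists source (foreign) then destination (global), so the converter swaps them and emits the access-group binding. It assumes the standard conduit operand order `host <ip>`, and the ACL name `outside_access_in` and interface name `outside` are assumptions.

```python
# Constructed sample in the thread's style, using the standard conduit
# operand order (host <ip>); the tcp line is added to show port handling.
SAMPLE_CONDUITS = """\
conduit permit ip host 20.20.20.5 any
conduit permit tcp host 20.20.20.6 eq 53 any
conduit permit icmp any any
"""

def _addr(tokens):
    """Consume one address spec: 'any', 'host X', or 'X MASK'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]

def _port(tokens):
    """Consume an optional 'eq|lt|gt|neq PORT' or 'range A B' operator."""
    if tokens and tokens[0] in ("eq", "lt", "gt", "neq"):
        return f" {tokens[0]} {tokens[1]}", tokens[2:]
    if tokens and tokens[0] == "range":
        return f" range {tokens[1]} {tokens[2]}", tokens[3:]
    return "", tokens

def conduit_to_acl(line, acl_name="outside_access_in"):
    """Rewrite one conduit statement as an inbound outside-interface ACL entry.
    Conduit order is global (protected) then foreign; the inbound ACL
    reverses it: source = foreign, destination = global."""
    t = line.split()
    if len(t) < 3 or t[0] != "conduit" or t[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {line!r}")
    action, proto, rest = t[1], t[2], t[3:]
    global_addr, rest = _addr(rest)
    global_port, rest = _port(rest)
    foreign_addr, rest = _addr(rest)
    foreign_port, rest = _port(rest)
    return (f"access-list {acl_name} {action} {proto} "
            f"{foreign_addr}{foreign_port} {global_addr}{global_port}")

def convert_config(text, acl_name="outside_access_in", iface="outside"):
    """Return ACL lines for every conduit in text plus the access-group that
    binds them inbound on the named interface (assumed name 'outside')."""
    acls = [conduit_to_acl(l, acl_name)
            for l in text.splitlines() if l.startswith("conduit ")]
    return acls + [f"access-group {acl_name} in interface {iface}"]

if __name__ == "__main__":
    print("\n".join(convert_config(SAMPLE_CONDUITS)))
```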