topic Re: VPN Issue in Network Security

VPN Issue

neilwheatcroft — Fri, 21 Feb 2020 08:53:19 GMT

Hi,

I'm very new to cisco equipment and was hoping someone could help me with this issue I have. I am trying to set up a VPN from a cisco 837 router that I have to another company, which I think is using a PIX. After some tweaking I managed to set the same VPN up from another site we have, which uses a 3000 concentator. However after using cisco SDM and using as many commands as I know how I cannot get the VPN tunnel to come up. Essentailly I want <server1> and <server2> (as shown in the attached show run) to be able to access 192.168.0.100 that is off of my 837 router. Any help would be very gratefully received.

Re: VPN Issue

spremkumar — Wed, 10 May 2006 10:40:24 GMT

Can you revert whether you are seeing any error logs in your Cisco 837 router related to this VPN establishment ?

regds

Re: VPN Issue

neilwheatcroft — Wed, 10 May 2006 15:01:27 GMT

I'm not sure what logs I need to turn on - can you help me to turn the correct ones on please?

Thanks

Re: VPN Issue

spremkumar — Thu, 11 May 2006 06:23:31 GMT

do refer this link ...

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a008030c760.html#wp1001168

regds

Re: VPN Issue

m-haddad — Fri, 04 Aug 2006 22:08:17 GMT

I feel your problem is here

ip access-list extended Mick

permit ip host 192.168.0.100 host

Try to make sure your peer (The PIX) has the same IPSEC SAs.

Also, you can issue the command debug crypto isakmp and debug crypto ipsec

Try to send us the log or trace it to know where is the problem.

Re: VPN Issue

Richard Burts — Sun, 13 Aug 2006 23:50:39 GMT

Neil

I do not know if you have this sorted out yet or not. But assuming that it is not (since there is no update to the forum about it) I will make a guess at the problem and possible solutions.

I am guessing that the VPN that you set up from the other site had fixed IP addresses on both ends. In what you are trying to set up here the dialer interface has address negotiated. And since you do not specify the source address for IPSec it will default to using the address of the outbound interface which is dialer 0 which gets assigned dynamically. I am guessing that the PIX is not set up for a dynamic address on its peer.

One way to make this work would be to have the PIX configured with a dynamic crypto map which will allow the PIX to establish IPSec with devices whose addresses it does not know ahead of time. If the administrators of the PIX are willing to do this it could be a solution to your problem.

Another possible solution to the problem would be to specify the source address using an interface that the PIX can get to. Since the traffic should be reaching 192.168.0.100 can we assume that interface Ethernet 0 is reachable from the PIX? If so then try adding this to the config:

crypto map SDM_CMAP_1 local-address Ethernet0

This will get IPSec to use the Ethernet 0 as the source address and the PIX would have a fixed address to use as its peer address.

Do you know how they have configured the PIX for this IPSec connection? Knowing this might make it easier to pick the best solution.

HTH

Rick