07-19-2006 02:52 PM - edited 02-21-2020 01:03 AM
I'm having issues connecting my PIX 501 through another company's 3030 to reach their FTP server. The specifics are:
remote company outside (peer IP address) 192.x.3.10
local host : 164.72.181.24
IPsec settings:
3des
group 2
esp
sha1-hmac
IPSEC SA Forced key exp 28800 secs 28800 secs
IKE settings:
pre-shared secret
3des
sha1-hmac
group 2
Perfect Forward Secrecy
My config at this time:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxx
hostname testpix
domain-name mydomain.com
names
access-list inside_outbound_nat0_acl permit ip 172.29.30.0 255.255.255.0 host 164.72.181.24
access-list outside_cryptomap_20 permit ip 172.29.30.0 255.255.255.0 host 164.72.181.24
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 199.253.x.x.255.252.0
ip address inside 172.29.x.x.255.255.0
pdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 199.253.202.1 1
http server enable
http 172.29.30.251 255.255.255.255 inside
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer 192.254.3.10
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp enable inside
isakmp key ******** address 192.254.3.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
What am I doing wrong? All I want is my host 172.29.30.251 to ping their host 164.72.181.24
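As an added example (not part of the original post, and not a Cisco tool): a small Python script that runs the consistency checks an engineer would do by eye on a PIX 6.3 site-to-site config before looking at the peer. The sample config below is the VPN-relevant subset of the lines posted above, copied in so the script runs offline; the "remote" requirements are the ones the poster listed (3DES, SHA1-HMAC, group 2, pre-shared key, PFS, 28800-second IKE lifetime). The checks are: the crypto-map ACL and the nat 0 ACL must mirror each other, the crypto-map peer must have an isakmp key, the transform set, PFS and isakmp policy must match what the peer requires, isakmp must be enabled on the interface carrying the crypto map, and sysopt connection permit-ipsec must be present. Enabling isakmp on an interface with no crypto map (here, inside) is flagged as a warning, since it only adds an IKE listener that this tunnel never uses.

```python
import re

# Constructed sample: the VPN-relevant lines of the PIX 6.3 config posted
# above, copied here so the check runs offline.
SAMPLE_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip 172.29.30.0 255.255.255.0 host 164.72.181.24
access-list outside_cryptomap_20 permit ip 172.29.30.0 255.255.255.0 host 164.72.181.24
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer 192.254.3.10
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp enable inside
isakmp key ******** address 192.254.3.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
"""

# The peer's requirements as stated in the post.
REMOTE_IKE = {"authentication": "pre-share", "encryption": "3des",
              "hash": "sha", "group": "2", "lifetime": "28800"}
REMOTE_TRANSFORM = {"esp-3des", "esp-sha-hmac"}
REMOTE_PFS = "group2"


def parse_config(text):
    """Pull the VPN-relevant statements out of a PIX 6.x config into a dict."""
    cfg = {"acl": {}, "nat0_acl": None, "transform_sets": {}, "crypto_map": {},
           "map_interface": {}, "isakmp_keys": set(), "isakmp_enabled": set(),
           "isakmp_policy": {}, "sysopt_permit_ipsec": False}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"access-list (\S+) (.+)", line):
            cfg["acl"].setdefault(m.group(1), []).append(m.group(2))
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            cfg["nat0_acl"] = m.group(1)
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["transform_sets"][m.group(1)] = set(m.group(2).split())
        elif m := re.match(r"crypto map (\S+) (\d+) (?:set|match) (\S+) (\S+)", line):
            # keys end up as address / pfs / peer / transform-set
            cfg["crypto_map"].setdefault((m.group(1), m.group(2)), {})[m.group(3)] = m.group(4)
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            cfg["map_interface"][m.group(1)] = m.group(2)
        elif m := re.match(r"isakmp key \S+ address (\S+)", line):
            cfg["isakmp_keys"].add(m.group(1))
        elif m := re.match(r"isakmp enable (\S+)", line):
            cfg["isakmp_enabled"].add(m.group(1))
        elif m := re.match(r"isakmp policy (\d+) (\S+) (\S+)", line):
            cfg["isakmp_policy"].setdefault(m.group(1), {})[m.group(2)] = m.group(3)
        elif line == "sysopt connection permit-ipsec":
            cfg["sysopt_permit_ipsec"] = True
    return cfg


def lint(text):
    """Return a list of (severity, message) findings; an empty list means clean."""
    cfg = parse_config(text)
    findings = []
    for (name, seq), entry in cfg["crypto_map"].items():
        where = f"crypto map {name} {seq}"
        acl = entry.get("address")
        if acl not in cfg["acl"]:
            findings.append(("ERROR", f"{where}: match address {acl} refers to no access-list"))
        elif cfg["nat0_acl"] is None:
            findings.append(("ERROR", f"{where}: no 'nat (inside) 0 access-list' exempting the VPN traffic from NAT"))
        elif cfg["acl"].get(cfg["nat0_acl"]) != cfg["acl"][acl]:
            findings.append(("ERROR", f"{where}: nat 0 ACL {cfg['nat0_acl']} does not mirror crypto ACL {acl}"))
        peer = entry.get("peer")
        if peer not in cfg["isakmp_keys"]:
            findings.append(("ERROR", f"{where}: no isakmp key for peer {peer}"))
        ts = cfg["transform_sets"].get(entry.get("transform-set"))
        if ts != REMOTE_TRANSFORM:
            findings.append(("ERROR", f"{where}: transform-set {ts} != remote {REMOTE_TRANSFORM}"))
        if entry.get("pfs") != REMOTE_PFS:
            findings.append(("ERROR", f"{where}: pfs {entry.get('pfs')} != remote {REMOTE_PFS}"))
        iface = cfg["map_interface"].get(name)
        if iface not in cfg["isakmp_enabled"]:
            findings.append(("ERROR", f"{where}: isakmp not enabled on {iface}"))
    if not any(p == REMOTE_IKE for p in cfg["isakmp_policy"].values()):
        findings.append(("ERROR", f"no isakmp policy matches remote proposal {REMOTE_IKE}"))
    if not cfg["sysopt_permit_ipsec"]:
        findings.append(("ERROR", "sysopt connection permit-ipsec missing: decrypted traffic hits the outside ACL"))
    for iface in sorted(cfg["isakmp_enabled"] - set(cfg["map_interface"].values())):
        findings.append(("WARN", f"isakmp enable {iface}: IKE listening on an interface with no crypto map"))
    return findings


if __name__ == "__main__":
    for severity, msg in lint(SAMPLE_CONFIG):
        print(severity, msg)
```

On the posted config this reports no errors and one warning (the inside IKE listener), which is consistent with the reply below: the PIX side of the tunnel is not obviously misconfigured, so the next step is to look at whether the SAs come up and whether the remote end filters or routes the 172.29.30.0/24 return traffic.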
07-20-2006 04:52 AM
At a quick glance your config looks ok. Traffic from your site on 172.29.30.x is not NATed over the VPN, so the remote end must have filters (rules) to allow it, and must have routes to it via the 3030.
Does the VPN come up? ("show cry is sa", "show cry ips sa") Do you see packets encrypted but not decrypted?
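As an added example (not part of the reply above, and not Cisco code): a Python script that turns the two checks the reply suggests into an automated triage. It reads "show crypto isakmp sa" for the phase 1 state of the peer and "show crypto ipsec sa" for the encaps/decaps counters, then reports which of the three failure modes applies: no IKE SA at all, IKE SA up but no IPsec traffic, or packets encrypted but never decrypted (the one-way case the reply asks about). The sample output is constructed in the shape PIX 6.3 prints; the peer address is the one from the post, the local address 192.0.2.2 is a documentation-range placeholder, and the counter values are made up to show the one-way case.

```python
import re

# Constructed sample output in the shape PIX 6.3 prints for
# "show crypto isakmp sa" and "show crypto ipsec sa". The peer address is the
# one from the post; 192.0.2.2 is a documentation-range placeholder, not the
# poster's real outside address. Counter values are invented.
ISAKMP_SA_OUTPUT = """\
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
   192.254.3.10      192.0.2.2     QM_IDLE         0           1
"""

IPSEC_SA_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, local addr. 192.0.2.2

   local  ident (addr/mask/prot/port): (172.29.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (164.72.181.24/255.255.255.255/0/0)
   current_peer: 192.254.3.10:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 37, #pkts encrypt: 37, #pkts digest 37
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
"""


def isakmp_state(text, peer):
    """Return the IKE (phase 1) SA state for `peer`, or None if none is listed."""
    for line in text.splitlines():
        fields = line.split()
        # SA rows are: dst src state pending created
        if len(fields) >= 3 and peer in fields[:2]:
            return fields[2]
    return None


def ipsec_counters(text, peer):
    """Return the encaps/decaps/error counters of the IPsec SA whose
    current_peer is `peer`, or None if that SA is not present."""
    counters, in_peer = None, False
    for line in text.splitlines():
        if m := re.search(r"current_peer:\s*([\d.]+)", line):
            in_peer = m.group(1) == peer
            if in_peer:
                counters = {}
            continue
        if not in_peer:
            continue
        for key in ("encaps", "decaps"):
            if m := re.search(rf"#pkts {key}: (\d+)", line):
                counters[key] = int(m.group(1))
        if m := re.search(r"#send errors (\d+), #recv errors (\d+)", line):
            counters["send_errors"], counters["recv_errors"] = int(m.group(1)), int(m.group(2))
    return counters


def triage(isakmp_text, ipsec_text, peer):
    """Answer the reply's two questions: is the VPN up, and is traffic being
    encrypted but not decrypted?"""
    state = isakmp_state(isakmp_text, peer)
    if state is None:
        return "no IKE SA: phase 1 never started (check peer address, isakmp key, UDP 500 reachability)"
    if state != "QM_IDLE":
        return f"IKE SA stuck in {state}: phase 1 incomplete (pre-shared key or isakmp policy mismatch)"
    c = ipsec_counters(ipsec_text, peer)
    if not c or (c.get("encaps", 0) == 0 and c.get("decaps", 0) == 0):
        return "phase 1 up but no IPsec traffic: nothing has matched the crypto ACL yet"
    if c.get("decaps", 0) == 0:
        return "one-way: packets are encrypted but none come back decrypted; the remote side is filtering, dropping or mis-routing the return traffic"
    return "tunnel passing traffic in both directions"


if __name__ == "__main__":
    print(triage(ISAKMP_SA_OUTPUT, IPSEC_SA_OUTPUT, "192.254.3.10"))
```

With the sample counters (37 encaps, 0 decaps) the verdict is the one-way case, which on the poster's setup points at the 3030 side: no rule permitting 172.29.30.0/24, or no route for it back through the 3030, as the reply says.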