12-26-2002 07:24 AM - edited 02-20-2020 10:27 PM
I tried to make a connection between a Cisco 827 router and a PIX 515, but it doesn't work.
Could someone help me? I have posted both configurations.
Thanks a lot
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10
enable password fho06o.qMxJMEpo6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixcoslada
domain-name local.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 90 permit ip 192.168.0.0 255.255.0.0 10.34.3.0 255.255.255.0
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 80.37.118.81 255.255.255.0
ip address inside 192.168.2.202 255.255.255.0
ip address DMZ 127.0.0.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface DMZ
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.2.0 255.255.255.0 inside
pdm logging errors 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 90
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 80.37.118.82 1
timeout xlate 3:00:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
end
CISCO827
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname RTADSL
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip domain-lookup
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key ****** address 80.37.118.81
!
!
crypto ipsec transform-set mytrans ah-sha-hmac esp-3des
!
crypto map mymap local-address ATM0
crypto map mymap 1 ipsec-isakmp
set peer 80.37.118.81
set transform-set mytrans
match address 103
!
!
!
!
interface Ethernet0
description connected to Eth - Rozas
ip address 10.34.3.201 255.255.255.0
ip nat inside
hold-queue 100 out
!
interface ATM0
ip address 213.98.12.213 255.255.255.0
ip nat outside
no atm ilmi-keepalive
pvc 8/32
protocol ip 213.98.12.212
encapsulation aal5snap
!
dsl operating-mode auto
crypto map mymap
!
ip nat pool test 213.98.12.213 213.98.12.213 netmask 255.255.255.0
ip nat inside source list 103 pool test overload
ip nat inside source static tcp 10.34.3.201 21 212.98.12.213 21 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 213.98.12.212
no ip http server
ip pim bidir-enable
!
!
access-list 103 deny ip 10.34.3.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 103 permit ip 10.34.3.0 0.0.0.255 any
!
!
line con 0
exec-timeout 0 0
password 7 06575D72021A5C4F
login
stopbits 1
line vty 0 4
password 7 06575D72021A5C4F
login
!
scheduler max-task-time 5000
end
12-26-2002 11:24 AM
Hi,
Take a look at the URL below. You need to configure ISAKMP and IPsec policies on the PIX, and these should match the policies configured on the router.
http://www.cisco.com/warp/public/110/39.html
Also, use a different access-list for the match address and carefully follow the NAT configurations.
You can make the changes and post the configs.
Regards,
Arul
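Added example, not part of the original posts or of Cisco's documentation: a small first-match evaluator for the router's access-list 103, showing why the reply asks for a separate access-list for `match address`. ACL 110 and the host addresses are assumptions made up for the illustration; ACL 103 is copied from the posted config.

```python
import ipaddress

# ACL 103 exactly as posted in the router config; it feeds both NAT and the crypto map.
ACL_103 = """\
access-list 103 deny ip 10.34.3.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 103 permit ip 10.34.3.0 0.0.0.255 any
"""
# Hypothetical dedicated crypto ACL (the number 110 is an assumption), mirroring PIX access-list 90.
ACL_110 = "access-list 110 permit ip 10.34.3.0 0.0.0.255 192.168.0.0 0.0.255.255\n"

def _take_net(tokens):
    """Consume 'any' or 'A WILDCARD'; return (address, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into ordered entries."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        rest = tokens[4:]
        entries.append((tokens[2], _take_net(rest), _take_net(rest)))
    return entries

def _hit(addr, net):
    base, wildcard = net
    care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def first_match(acl_text, src, dst):
    """IOS evaluation: the first matching entry wins; implicit deny at the end."""
    for action, s, d in parse_acl(acl_text):
        if _hit(src, s) and _hit(dst, d):
            return action
    return "deny"

def crypto_encrypts(acl_text, src, dst):
    return first_match(acl_text, src, dst) == "permit"  # crypto map: permit = protect

def nat_exempts(acl_text, src, dst):
    return first_match(acl_text, src, dst) == "deny"  # NAT list: deny = do not translate

if __name__ == "__main__":
    for name, acl in (("103", ACL_103), ("110", ACL_110)):  # constructed LAN-to-LAN hosts
        print(name, crypto_encrypts(acl, "10.34.3.10", "192.168.2.5"))
```

With ACL 103 as the crypto ACL, LAN-to-LAN traffic is never selected for the tunnel while Internet-bound traffic is; the same ACL is still correct as the NAT list, which is why the two roles need separate access-lists.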