PIX501 to VPN3005 connection

ccoombs (Level 1)

Are there any good documents on the best way to set up a site-to-site VPN connection between a PIX501 and a VPN3005?

I have a small site where I will need to connect about 3 users to a PIX501 and create a VPN tunnel back to our HQ (VPN3005).

I see a few options for doing this but I am looking for the best scenario. I do want the PIX501 to initiate the tunnel.

Thanks!

3 Replies

kdurrett (Level 3)

Here's a link on how to set this up.

http://www.cisco.com/warp/public/471/ALTIGA_pix.html

Kurtis Durrett

sslokey (Level 1)

All the good documents on the VPN3000 are at

http://www.cisco.com/cgi-bin/Support/PSP/psp_view.pl?p=Hardware:Cisco_VPN_3000_Concentrator

One thing you will not find mentioned is how you will access the 501 from HQ. In a nutshell, you need to build a second tunnel to the outside interface of the 501. On the PIX, your ACL to define VPN traffic will have two lines: one for the HQ LAN to the remote site LAN, and one for the HQ LAN to the outside interface of the PIX. On the VPN3000 you make a network list that says the same thing. This will essentially build two tunnels between the devices. Oh, and don't forget to add the appropriate "telnet <> outside" command so the PIX will allow the connection on the outside interface.
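A worked PIX 6.2 configuration for the two-ACL-line LAN-to-LAN setup described in the reply above, added here as an example; it is not taken from the thread or from the Cisco documents linked. It assumes an HQ LAN of 10.1.0.0/16 behind the VPN 3005 at 207.252.113.7 (the concentrator address that appears in the PIX configuration later in the thread), a static PIX outside address of 207.252.113.60 (the peer address in the concentrator log later in the thread; the original box takes its outside address from DHCP, which a static LAN-to-LAN peer entry on the concentrator would not tolerate), and a placeholder pre-shared key. The ACL, transform-set and crypto-map names are arbitrary.

```cisco
! Added example, not the original poster's configuration.
! Assumed addressing: remote LAN 192.168.1.0/24 (from the posted config),
! HQ LAN 10.1.0.0/16, VPN 3005 at 207.252.113.7, PIX outside 207.252.113.60
! (assumed static). "s3cr3tKey" is a placeholder pre-shared key.

! Interesting traffic, two lines as described in the reply: the remote LAN to
! the HQ LAN, and the PIX's own outside address to the HQ LAN. The second line
! builds a second SA so HQ can reach the PIX itself through the tunnel.
access-list vpn permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list vpn permit ip host 207.252.113.60 10.1.0.0 255.255.0.0

! Exempt tunnel traffic from the PAT in "global (outside) 1 interface".
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list nonat

! Let decrypted IPsec traffic bypass the outside interface ACL.
sysopt connection permit-ipsec

! IKE phase 1: pre-shared key locked to the concentrator's address. 3DES/SHA
! needs the 3DES licence on the 501; a DES-only box must use "encryption des"
! and "esp-des" below (and accept the weaker cipher).
isakmp enable outside
isakmp identity address
isakmp key s3cr3tKey address 207.252.113.7 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! IKE phase 2: ESP 3DES/SHA, static crypto map bound to the outside interface.
crypto ipsec transform-set hqset esp-3des esp-sha-hmac
crypto map hqmap 10 ipsec-isakmp
crypto map hqmap 10 match address vpn
crypto map hqmap 10 set peer 207.252.113.7
crypto map hqmap 10 set transform-set hqset
crypto map hqmap interface outside

! The "telnet <> outside" command from the reply: only the HQ LAN, arriving
! through the tunnel, may open a management session on the outside interface.
telnet 10.1.0.0 255.255.0.0 outside
```

The concentrator side needs a LAN-to-LAN entry for peer 207.252.113.60 whose local and remote network lists mirror the two ACL lines (HQ LAN on the local side; 192.168.1.0/24 plus host 207.252.113.60 on the remote side), with the same pre-shared key and matching IKE and IPsec proposals. Because the crypto map is static and the ACL names inside-to-HQ traffic, the first packet from 192.168.1.0/24 toward 10.1.0.0/16 makes the PIX initiate IKE, which is what the original poster asked for; the second ACL line does the same for traffic sourced by the PIX itself.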

Thanks for the post back.

I am also experimenting with using the Easy VPN but can't seem to get it to work. On my concentrator I get a message saying

51087 11/25/2002 14:09:11.340 SEV=5 IKE/0 RPT=611 207.252.113.60

All IKE SA proposals found unacceptable!

51088 11/25/2002 14:09:11.340 SEV=4 IKEDBG/65 RPT=630 207.252.113.60

Group [kinder]

IKE AM Responder FSM error history (struct &0x1dc43a0)

, :

AM_DONE, EV_ERROR

AM_BLD_MSG2, EV_PROCESS_SA

AM_BLD_MSG2, EV_GET_PFS

AM_BLD_MSG2, EV_GROUP_OK

My PIX501 doesn't have 3des enabled and I don't plan on using it. Is there something I am missing here?

I have made sure that all my group and user info is correct.

Here is what I have on my PIX box:

PIX Version 6.2(1)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname pixfirewall

domain-name ciscopix.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

pager lines 24

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside dhcp setroute

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

vpnclient vpngroup kinder password ********

vpnclient username test password ********

vpnclient server 207.252.113.7

vpnclient mode client-mode

vpnclient enable

terminal width 80

Cryptochecksum:54589c10f447c9ec926729df49445c5e

: end

pixfirewall#

Thanks!