Cisco 1700 series router VPN passthrough to PIX

I have a 1700 series router and for some reason cannot get IPSec VPN information to forward onto a PIX 501. I am not quite sure where the config is going wrong. The router has an ADSL connection and a single IP address. I have a 4-port switch installed in this router so that I can use VLANs. Everything works fine with the DSL (i.e. browsing websites, email, etc.). Does anyone know what might be the issue?

Router Config

! Last configuration change at 19:58:13 UTC Mon Aug 2 2010
! NVRAM config last updated at 19:47:45 UTC Mon Aug 2 2010
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no logging console
no logging monitor
enable secret 5 ****************************************
memory-size iomem 20
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip dhcp pool ddidsl
   lease 7
ip cef
no ip domain lookup
vpdn enable
vpdn-group 1
  protocol pppoe
interface ATM0/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
interface ATM0/0.1 point-to-point
pvc 0/35
  pppoe-client dial-pool-number 1
interface FastEthernet0/0
ip address
ip nat inside
ip virtual-reassembly
speed auto
no cdp enable
interface FastEthernet1/1
switchport access vlan 19
no cdp enable
spanning-tree portfast
interface FastEthernet1/2
switchport access vlan 19
no cdp enable
spanning-tree portfast
interface FastEthernet1/3
switchport access vlan 19
no cdp enable
spanning-tree portfast
interface FastEthernet1/4
switchport access vlan 19
no cdp enable
spanning-tree portfast
interface Vlan1
no ip address
interface Vlan19
ip address
ip nat inside
ip virtual-reassembly
interface Dialer1
ip address negotiated
ip access-group 101 in
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication pap callin
ppp pap sent-username *********** password 7 ******************
ip classless
ip route Dialer1
no ip http server
ip nat translation timeout 3600
ip nat inside source list NAT-INET interface Dialer1 overload
ip nat inside source static esp interface Dialer1
ip nat inside source static udp 500 interface Dialer1 500
ip access-list extended NAT-INET
permit ip any any
access-list 1 permit log
access-list 101 permit ip any any
snmp-server community ********* RO 1
no cdp run
line con 0
password 7 **********
line aux 0
password 7 **********
line vty 0 4
access-class 1 in
password 7 **********
sntp server

PIX Config

: Saved
: Written by enable_15 at 16:16:06.138 UTC Mon Aug 2 2010
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password *********************** encrypted
passwd ***********************  encrypted
hostname TESTPIX
domain-name test.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list pixTOsw permit ip
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list pixTOsw
nat (inside) 1 0 0
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside \pixbackup
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set colofw esp-aes-256 esp-sha-hmac
crypto map mapTOsw 67 ipsec-isakmp
crypto map mapTOsw 67 match address pixTOsw
crypto map mapTOsw 67 set peer
crypto map mapTOsw 67 set transform-set colofw
crypto map mapTOsw interface outside
crypto map maptosw 67 ipsec-isakmp
crypto map maptosw 67 match address pixTOsw
! Incomplete
isakmp enable outside
isakmp key ********************* address netmask
isakmp identity address
isakmp policy 13 authentication pre-share
isakmp policy 13 encryption aes-256
isakmp policy 13 hash sha
isakmp policy 13 group 2
isakmp policy 13 lifetime 28800
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end


Re: Cisco 1700 series router VPN passthrough to PIX

Looks like you need to enable NAT traversal on your PIX.

Just enter

isakmp nat-traversal 20

on your PIX.

Hopefully that should resolve your problem.

Please let me know if it does or doesn't.
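An added example, not part of either post: a small Python checker that scans constructed excerpts of the two configs above for the entries an IPsec tunnel needs to survive a PAT router (static ESP and UDP 500/4500 mappings on the IOS side, isakmp nat-traversal on the PIX side). The "X.X.X.X" addresses are placeholders for the values redacted in the question.

```python
import re

# Constructed excerpt of the router config from the question; the inside
# address was redacted in the post, so X.X.X.X stands in for it.
ROUTER_CFG = """\
ip nat inside source list NAT-INET interface Dialer1 overload
ip nat inside source static esp X.X.X.X interface Dialer1
ip nat inside source static udp X.X.X.X 500 interface Dialer1 500
"""

# Constructed excerpt of the PIX 6.3 config from the question: no
# 'isakmp nat-traversal' line is present.
PIX_CFG = """\
sysopt connection permit-ipsec
isakmp enable outside
isakmp identity address
"""

# Static NAT entries a PAT (overload) router needs for an IPsec peer behind it.
# ESP (IP protocol 50) carries no port numbers, so PAT cannot map it on its
# own; IKE uses UDP 500, and once NAT-T is negotiated the peers move to
# UDP 4500, which must be forwarded as well.
ROUTER_REQUIRED = {
    "esp": r"^ip nat inside source static esp \S+ interface \S+\s*$",
    "udp 500": r"^ip nat inside source static udp \S+ 500 interface \S+ 500\s*$",
    "udp 4500": r"^ip nat inside source static udp \S+ 4500 interface \S+ 4500\s*$",
}


def check_router_passthrough(cfg: str) -> list:
    """Return the names of the required IOS NAT entries missing from cfg."""
    return [name for name, pattern in ROUTER_REQUIRED.items()
            if not re.search(pattern, cfg, re.MULTILINE)]


def pix_has_nat_traversal(cfg: str) -> bool:
    """True if the PIX config enables NAT-T ('isakmp nat-traversal [keepalive]')."""
    return re.search(r"^isakmp nat-traversal(\s+\d+)?\s*$", cfg, re.MULTILINE) is not None


def diagnose(router_cfg: str, pix_cfg: str) -> list:
    """Combine both checks into a list of human-readable findings."""
    findings = [f"router: missing static NAT for {name}"
                for name in check_router_passthrough(router_cfg)]
    if not pix_has_nat_traversal(pix_cfg):
        findings.append("pix: 'isakmp nat-traversal' not enabled")
    return findings


if __name__ == "__main__":
    for line in diagnose(ROUTER_CFG, PIX_CFG):
        print(line)
```

Run against the excerpts it reports the missing UDP 4500 mapping and the absent nat-traversal line; re-run after adding the PIX command from the reply to confirm only the router finding remains.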
