VPN problem - "C1712 behind Linksys router" connecting to PIX515e

Matej G
Level 1

Hi all,

I have a question regarding VPN (lan-to-lan).

My setup is following:

10.1.20.x------[PIX515e_central site VPN concentrator]---------(( ISP ))---------[LINKSYS router BEFSX41]----------[Cisco1712_branch]-------192.168.14.x

I would like to create a VPN tunnel between the C1712 and the PIX515 (lan-to-lan), so the users from 192.168.14.x would be able to connect to servers located on the central site in the 10.1.20.x network.

NAT-T is manually enabled on the PIX and "IPsec passthrough" is enabled on the Linksys router. So what should I do now to create a VPN tunnel?

What would be the basic configuration on C1712 and PIX515e to make this work?

All other (8) branches work, but they are directly connected to the internet via a C1712, so without a Linksys router in front of it. So, the PIX is already properly configured for such a setup.

I assume the setup with Linksys router does not work because of PAT.

PIX Version 6.3(4)

C1712 Version 12.4

Please advise!

Thanks a lot in advance!


13 Replies

Jennifer Halim
Cisco Employee

Here is a sample configuration for LAN-to-LAN VPN tunnel between PIX and IOS router for your reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml

Hope that helps.

Thank you for reply.

I will look into that document.

But can Linksys router be a problem for my setup?

The problem is that I cannot connect to it, because it is administered by another company, so I cannot check debug info.

How can I check debugging on the C1712?

I tried debug crypto ipsec, debug crypto isakmp + term mon, but nothing comes up. I also tried on console cable.

If I check show crypto session it says DOWN.

Assuming that you have configured the VPN portion on both the C1712 and the PIX firewall, you would need to initiate the tunnel by sending interesting traffic between the configured subnets (your crypto ACL subnets), as the router will not bring the tunnel up on its own without any interesting traffic passing through it.

What does the output of the following show:

show cry isa sa

show cry ipsec sa

If both are blank, that means you haven't initiated/sent traffic between the 2 subnets yet.

They are both blank which is strange, because I tried to ping hosts on network 10.1.20.x

I have also tried to connect to 10.1.20.12:80

/edit Update

Can you share the configuration from both C1712 and PIX?

C1712 conf:

=================

Current configuration : 3176 bytes
!
! Last configuration change at 11:24:44 UTC Wed Oct 6 2010
! NVRAM config last updated at 11:34:10 UTC Wed Oct 6 2010
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xx
!
boot-start-marker
boot-end-marker
!
logging buffered 512000 informational
enable password 7 071B201F1B5F5D
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.14.1 192.168.14.220
!
ip dhcp pool ip_pool
   network 192.168.14.0 255.255.255.0
   domain-name xx
   dns-server 1xxxx
   default-router 192.168.91.3
!
!
!
!
!
!
username ta_2651xm_gkv password 7 111D185642444F
username ibm privilege 15 password 7 044F0E151B2D4D4C
!
!
ip ssh rsa keypair-name C1712
!
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key taljpdc14 address xxxxx
!
!
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto ipsec nat-transparency spi-matching
!
crypto map cmap_lj 1 ipsec-isakmp
 description tunnel to ljubljana
 set peer xxxxx
 set security-association lifetime seconds 28800
 set transform-set esp-3des-md5
 set pfs group2
 match address 100
!
!
!
interface Loopback0
 ip address 172.31.0.30 255.255.255.255
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet0
 description to ADSL modem
 ip address 192.168.91.3 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map cmap_lj
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface Vlan1
 ip address 192.168.14.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 no ip address
!
interface Dialer1
 no ip address
!
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.91.2
!
ip http server
no ip http secure-server
ip nat inside source list 6 interface FastEthernet0 overload
!
ip access-list extended adsl_in
 permit ip host xxxxxx any
 permit ip any any
!
access-list 1 remark ta_lj_pdc_lan
access-list 1 permit 192.168.14.0 0.0.0.255
access-list 6 permit 192.168.14.0 0.0.0.255
access-list 50 permit 10.1.20.0 0.0.0.255
access-list 50 permit 192.168.91.0 0.0.0.255
access-list 100 remark IPSec rule - crypto map
access-list 100 permit ip 192.168.14.0 0.0.0.255 10.1.20.0 0.0.0.255
access-list 100 permit ip 192.168.14.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 remark NAT rule - exempted
access-list 101 deny   ip 192.168.14.0 0.0.0.255 10.1.20.0 0.0.0.255
access-list 101 deny   ip 192.168.14.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny   ip 192.168.14.0 0.0.0.255 172.29.1.0 0.0.0.255
access-list 101 permit ip 192.168.14.0 0.0.0.255 any
route-map nat_rmap permit 1
 match ip address 101
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 access-class 50 in
 exec-timeout 60 0
 password 7 051F075C741A0A
 login
!
ntp clock-period 17180093
ntp server xxxxxx source FastEthernet0
end

=====================================================
PIX conf
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password FVjuxiYEziCwZIvh encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname ta-pix515e-ur-gkv
domain-name trxxxxxx
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.30.1.0 vpn_test_172_30_1_0
name 2xxxxx4 vpn_term_test_xxxxx34
name 86xxxxx vpn_term_ta_kp_pdc_8xxxx85
name 192.168.10.0 vpn_ta_kp_pdc_192_168_10_0
name 192.168.1.0 ta_lan_mp_192_168_1_0
name 10.1.20.0 ta_lan_vp_10_1_20_0
name 192.168.18.0 vpn_ta_nm_pdc_192_168_18_0
name 19xxxxxx.11 vpn_term_ta_nm_pdc_1xxxxx2_11
name 192.168.14.0 vpn_ta_lj_pdc_192_168_14_0
name 19xxxxx48 vpn_term_ta_lj_pdc_19xxxx_248
name 192.168.15.0 vpn_ta_iz_pdc_192_168_15_0
name 19xxxx7 vpn_term_ta_iz_pdc_19xxxxxx7
name 192.168.40.0 vpn_ta_mb_pdc_192_168_40_0
name 19xxxx09 vpn_term_ta_mb_pdc_1xxxx_111
name 192.168.20.0 vpn_ta_sb_pdc_192_168_20_0
name 192.168.30.0 vpn_ta_sl_pdc_192_168_30_0
name 19xxxx5 vpn_term_ta_sl_pdc_19xxxxx_145
name xxx rk8_1xxxx
name xxxx vpn_term_ta_kz_pdc_1xxxx60
name xxxxx ta_kz
object-group network rdc
  description rdc access allowed
  network-object rk8_1xxxx1x8_170 255.255.255.255
  network-object vpn_term_test_2xxxxx34 255.255.255.255
object-group service csg tcp-udp
  port-object range 5500 5500
  port-object range 443 443
  port-object range www www
  port-object range 1494 1494
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in remark citrix ica
access-list outside_access_in permit tcp any host xxxx eq citrix-ica log 5
access-list outside_access_in remark ms win rdp
access-list outside_access_in permit tcp object-group rdc host xxxxxx eq 3389 log 5
access-list outside_access_in remark citrix ica
access-list outside_access_in remark ms win rdp
access-list outside_access_in remark citrix ica
access-list outside_access_in remark ms win rdp
access-list outside_access_in permit tcp any host xxxxxxx object-group csg
access-list inside_outbound_nat0_acl permit ip ta_lan_vp_10_1_20_0 255.255.255.0 vpn_test_172_30_1_0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 10.1.21.16 255.255.255.240
access-list inside_outbound_nat0_acl permit ip ta_lan_vp_10_1_20_0 255.255.255.0 vpn_ta_lj_pdc_192_168_14_0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip ta_lan_vp_10_1_20_0 255.255.255.0 vpn_ta_kp_pdc_192_168_10_0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip ta_lan_mp_192_168_1_0 255.255.255.0 vpn_ta_kp_pdc_192_168_10_0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip ta_lan_mp_192_168_1_0 255.255.255.0 vpn_ta_nm_pdc_192_168_18_0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip ta_lan_vp_10_1_20_0 255.255.255.0 vpn_ta_nm_pdc_192_168_18_0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip ta_lan_mp_192_168_1_0 255.255.255.0 vpn_ta_lj_pdc_192_168_14_0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip ta_lan_vp_10_1_20_0 255.255.255.0 vpn_ta_iz_pdc_192_168_15_0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip ta_lan_mp_192_168_1_0 255.255.255.0 vpn_ta_iz_pdc_192_168_15_0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip ta_lan_vp_10_1_20_0 255.255.255.0 vpn_ta_mb_pdc_192_168_40_0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip ta_lan_mp_192_168_1_0 255.255.255.0 vpn_ta_mb_pdc_192_168_40_0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip ta_lan_vp_10_1_20_0 255.255.255.0 vpn_ta_sb_pdc_192_168_20_0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip ta_lan_mp_192_168_1_0 255.255.255.0 vpn_ta_sb_pdc_192_168_20_0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip ta_lan_vp_10_1_20_0 255.255.255.0 vpn_ta_sl_pdc_192_168_30_0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip ta_lan_mp_192_168_1_0 255.255.255.0 vpn_ta_sl_pdc_192_168_30_0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip ta_lan_mp_192_168_1_0 255.255.255.0 vpn_test_172_30_1_0 255.255.255.0
access-list outside_map_20 permit ip ta_lan_vp_10_1_20_0 255.255.255.0 vpn_test_172_30_1_0 255.255.255.0
access-list outside_cryptomap_20 permit ip ta_lan_mp_192_168_1_0 255.255.255.0 vpn_test_172_30_1_0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.1.21.16 255.255.255.240
access-list outside_cryptomap_40 permit ip ta_lan_vp_10_1_20_0 255.255.255.0 vpn_ta_lj_pdc_192_168_14_0 255.255.255.0
access-list outside_cryptomap_40 permit ip ta_lan_mp_192_168_1_0 255.255.255.0 vpn_ta_lj_pdc_192_168_14_0 255.255.255.0
access-list outside_cryptomap_60 permit ip ta_lan_vp_10_1_20_0 255.255.255.0 vpn_ta_kp_pdc_192_168_10_0 255.255.255.0
access-list outside_cryptomap_60 permit ip ta_lan_mp_192_168_1_0 255.255.255.0 vpn_ta_kp_pdc_192_168_10_0 255.255.255.0
access-list outside_cryptomap_80 permit ip ta_lan_vp_10_1_20_0 255.255.255.0 vpn_ta_nm_pdc_192_168_18_0 255.255.255.0
access-list outside_cryptomap_80 permit ip ta_lan_mp_192_168_1_0 255.255.255.0 vpn_ta_nm_pdc_192_168_18_0 255.255.255.0
access-list outside_cryptomap_100 permit ip ta_lan_vp_10_1_20_0 255.255.255.0 vpn_ta_iz_pdc_192_168_15_0 255.255.255.0
access-list outside_cryptomap_100 permit ip ta_lan_mp_192_168_1_0 255.255.255.0 vpn_ta_iz_pdc_192_168_15_0 255.255.255.0
access-list outside_cryptomap_120 permit ip ta_lan_vp_10_1_20_0 255.255.255.0 vpn_ta_mb_pdc_192_168_40_0 255.255.255.0
access-list outside_cryptomap_120 permit ip ta_lan_mp_192_168_1_0 255.255.255.0 vpn_ta_mb_pdc_192_168_40_0 255.255.255.0
access-list outside_cryptomap_140 permit ip ta_lan_vp_10_1_20_0 255.255.255.0 vpn_ta_sb_pdc_192_168_20_0 255.255.255.0
access-list outside_cryptomap_140 permit ip ta_lan_mp_192_168_1_0 255.255.255.0 vpn_ta_sb_pdc_192_168_20_0 255.255.255.0
access-list outside_cryptomap_160 permit ip ta_lan_vp_10_1_20_0 255.255.255.0 vpn_ta_sl_pdc_192_168_30_0 255.255.255.0
access-list outside_cryptomap_160 permit ip ta_lan_mp_192_168_1_0 255.255.255.0 vpn_ta_sl_pdc_192_168_30_0 255.255.255.0
access-list dmz_access_in permit ip any any
access-list splittunnel permit ip host 192.168.1.24 any
access-list splittunnel permit ip host 10.1.20.10 any
pager lines 24
logging on
logging timestamp
logging standby
logging monitor informational
logging buffered notifications
logging trap notifications
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside xxxxx 255.255.255.224
ip address inside 172.16.1.1 255.255.255.0
ip address dmz 172.16.10.1 255.255.255.0
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool ncsibm 10.1.21.16-10.1.21.31
failover
failover timeout 0:00:00
failover poll 15
failover replication http
failover ip address outside x
failover ip address dmz 172.16.10.2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
failover link inside
failover lan unit primary
pdm location ta_lan_vp_10_1_20_0 255.255.255.0 inside
pdm location 10.1.20.12 255.255.255.255 inside
pdm location 10.1.20.10 255.255.255.255 inside
pdm location vpn_test_172_30_1_0 255.255.255.0 outside
pdm location vpn_term_test_xxxxxx 255.255.255.255 outside
pdm location rk8_xxxxxx 255.255.255.255 outside
pdm location vpn_ta_lj_pdc_192_168_14_0 255.255.255.0 outside
pdm location ta_lan_mp_192_168_1_0 255.255.255.0 inside
pdm location vpn_ta_kp_pdc_192_168_10_0 255.255.255.0 inside
pdm location vpn_ta_kp_pdc_192_168_10_0 255.255.255.0 outside
pdm location vpn_ta_nm_pdc_192_168_18_0 255.255.255.0 outside
pdm location vpn_ta_iz_pdc_192_168_15_0 255.255.255.0 outside
pdm location vpn_ta_sb_pdc_192_168_20_0 255.255.255.0 outside
pdm location vpn_ta_sl_pdc_192_168_30_0 255.255.255.0 outside
pdm location vpn_ta_mb_pdc_192_168_40_0 255.255.255.0 outside
pdm group rdc outside
pdm logging notifications 512
pdm history enable
arp timeout 14400
global (outside) 10 xxxxx
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xxxxx citrix-ica 10.1.20.12 citrix-ica netmask 255.255.255.255 0 0
static (inside,outside) tcp xxxxx 3389 10.1.20.10 3389 netmask 255.255.255.255 0 0
static (dmz,outside) xxxxxx 172.16.10.50 netmask 255.255.255.255 0 0
static (inside,dmz) ta_lan_vp_10_1_20_0 ta_lan_vp_10_1_20_0 netmask 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 xxxxxx 1
route inside ta_lan_vp_10_1_20_0 255.255.255.0 172.16.1.3 1
route inside ta_lan_mp_192_168_1_0 255.255.255.0 172.16.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
ntp server xxxxx source outside prefer
http server enable
http vpn_term_test_xxxx 255.255.255.255 outside
http rk8_xxxxx_170 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
http ta_lan_vp_10_1_20_0 255.255.255.0 inside
snmp-server host inside 10.1.20.20 poll
no snmp-server location
no snmp-server contact
snmp-server community tasnmp
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer rk8_xxxxxx
crypto map outside_map 20 set peer vpn_term_test_xxxxx
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set pfs group2
crypto map outside_map 40 set peer vpn_term_ta_lj_pdc_xxxxx
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set pfs group2
crypto map outside_map 60 set peer vpn_term_ta_kp_pdc_xxxxx
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 80 ipsec-isakmp
crypto map outside_map 80 match address outside_cryptomap_80
crypto map outside_map 80 set pfs group2
crypto map outside_map 80 set peer ta_kz
crypto map outside_map 80 set transform-set ESP-3DES-MD5
crypto map outside_map 100 ipsec-isakmp
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set pfs group2
crypto map outside_map 100 set peer vpn_term_ta_iz_pdc_xxxxxxx
crypto map outside_map 100 set transform-set ESP-3DES-MD5
crypto map outside_map 120 ipsec-isakmp
crypto map outside_map 120 match address outside_cryptomap_120
crypto map outside_map 120 set pfs group2
crypto map outside_map 120 set peer vpn_term_ta_mb_pdc_xxxx
crypto map outside_map 120 set peer vpn_term_ta_kz_pdc_xxxx
crypto map outside_map 120 set transform-set ESP-3DES-MD5
crypto map outside_map 140 ipsec-isakmp
crypto map outside_map 140 match address outside_cryptomap_140
crypto map outside_map 140 set pfs group2
crypto map outside_map 140 set peer vpn_term_ta_sb_pdc_xxxxx
crypto map outside_map 140 set transform-set ESP-3DES-MD5
crypto map outside_map 160 ipsec-isakmp
crypto map outside_map 160 match address outside_cryptomap_160
crypto map outside_map 160 set pfs group2
crypto map outside_map 160 set peer vpn_term_ta_sl_pdc_xxxxxxxx
crypto map outside_map 160 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address vpn_term_test_xxxxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address vpn_term_ta_kp_pdc_xxxxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address vpn_term_ta_nm_pdc_xxxxxxxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address rk8_xxxxxxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address vpn_term_ta_lj_pdc_xxxxxxxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address vpn_term_ta_iz_pdc_xxxxxxxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address vpn_term_ta_mb_pdc_xxxxxxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address vpn_term_ta_sb_pdc_xxxxxxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address vpn_term_ta_sl_pdc_xxxxxxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address vpn_term_ta_kz_pdc_xxxxxxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address ta_kz netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup ncsibm address-pool ncsibm
vpngroup ncsibm dns-server 10.1.20.10
vpngroup ncsibm default-domain xxxx
vpngroup ncsibm idle-time 1800
vpngroup ncsibm password ********
vpngroup tamob address-pool ncsibm
vpngroup tamob dns-server 10.1.20.10
vpngroup tamob xxxxx
vpngroup tamob split-tunnel splittunnel
vpngroup tamob idle-time 1800
vpngroup tamob password ********
telnet ta_lan_vp_10_1_20_0 255.255.255.0 inside
telnet timeout 5
ssh vpn_term_test_21xxxx4 255.255.255.255 outside
ssh rk8_xx_170 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh ta_lan_vp_10_1_20_0 255.255.255.0 inside
ssh vpn_ta_kp_pdc_192_168_10_0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
username rbukovec password PMtnJ7HiX27yzGRe encrypted privilege 0
username sbrudar password yposvsZ5E5ch4YEG encrypted privilege 0
username fberce password ucu3P9sH2hk8v70R encrypted privilege 0
username mhlevnjak password iwzPIVkaemmuPXV9 encrypted privilege 0
username mkocevar password r0uRVyb/M4m8RZyg encrypted privilege 0
username zbaros password yS4bXgiKIEjYqyXI encrypted privilege 0
username zrejec password XLaFA7DNhuHbXZEY encrypted privilege 0
username rk8i password KDi/vCaD5LSvZPcv encrypted privilege 3
username sidzig password WTM.krJw6JDNWAfI encrypted privilege 3
username pkarlovic password KAKRJcHBfKKosqZ/ encrypted privilege 0
username root password KQrvxkCdXbuae4Fh encrypted privilege 15
username blepenik password fFS5lnn2IH3ogUf0 encrypted privilege 3
terminal width 80
banner login *
Cryptochecksum:61e7632e81244f4d635fac8cdce13ace
: end
I hope I covered all private info :-P

This line is incorrect on the router configuration:

ip nat inside source list 6 interface FastEthernet0 overload

Please remove it and change it to:

ip nat inside source list 101 interface FastEthernet0 overload

Hope that resolves the issue.

Hi,

I tried your solution, but did not work...

Any other suggestions?

Thank you!

How did you test it? Can you please try to ping the router's Vlan 1 IP address from a host behind the PIX? Please advise what IP addresses you are trying to ping to and from.

Also share the output of:

show cry isa sa

show cry ipsec sa

from the router.

I am trying to ping 10.1.20.12. This is the web server behind the PIX. I tried to connect to port 80 via browser.

I will share those files as soon as I get them.

/edit

Also, I cannot ping from the router behind the PIX, because I do not have access.

Hi,

here is the output:

ta_lj_pdc#show crypto ipsec sa

interface: FastEthernet0
    Crypto map tag: cmap_lj, local addr 192.168.91.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.14.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.20.0/255.255.255.0/0/0)
   current_peer 1xx.1xx.xxx.xx8 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.91.3, remote crypto endpt.: 1xx.189.xxx.x8
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.14.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 1xx.xxx.xxx.xx8 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.91.3, remote crypto endpt.: 19x.1xx.1xx.x8
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

=====================================

ta_lj_pdc#show crypto isakmp sa
dst             src             state          conn-id slot status

Nothing seems to be happening....

Got it working now!! :-)

I forgot to ping the remote server from the VLAN1 interface to initiate the tunnel.

The tunnel is now up and running.

Only one more question - why are there 2 identical tunnels?

ta_lj_pdc#show crypto isakmp sa
dst             src             state          conn-id slot status
193.xxx.xxx.xx8 192.168.91.3    QM_IDLE              5    0 ACTIVE
193.xxx.xxx.xx8 192.168.91.3    QM_IDLE              4    0 ACTIVE

Excellent news.

The 2 connections for ISAKMP might be there during rekey. I won't worry about that as it doesn't really matter.
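The accepted fix (replacing NAT list 6 with list 101) and the final "ping from the VLAN1 interface" step above come down to the same thing: on IOS, inside-to-outside NAT is applied before the crypto map on the outside interface is consulted, so the crypto ACL only ever sees the packet after the overload rule has rewritten its source, and the router's own pings are not translated at all, so their source is whatever interface they are sourced from. The Python below is an added example, not code from the thread or from Cisco; it models that order of operations with the ACLs and addresses posted for the C1712. 192.168.14.50 and 203.0.113.10 are constructed hosts, and the rule that `ip nat inside source` leaves router-originated packets untranslated is stated here as this model's assumption about IOS behaviour. The PIX side needed no change: its `nat (inside) 0 access-list inside_outbound_nat0_acl` already exempts traffic to 192.168.14.0/24, which is the mirror image of what list 101 does on the router.

```python
"""Added example (not from the thread): model the IOS inside-to-outside order of
operations behind the accepted fix.  NAT runs before the crypto map on the
outside interface is consulted, so a LAN packet that gets PATed to the
FastEthernet0 address no longer matches crypto ACL 100 and never brings the
tunnel up.  ACLs and addresses are the ones posted for the C1712; 192.168.14.50
and 203.0.113.10 are constructed hosts."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: str      # source network, CIDR
    dst: str      # destination network, CIDR; "0.0.0.0/0" models "any"


def acl_permits(acl, pkt):
    """First-match evaluation with the implicit deny IOS appends to every ACL."""
    for ace in acl:
        if (ip_address(pkt.src) in ip_network(ace.src)
                and ip_address(pkt.dst) in ip_network(ace.dst)):
            return ace.action == "permit"
    return False


FA0_ADDR = "192.168.91.3"   # outside address the overload rule translates to

# access-list 6: a standard ACL matches on source only, so destination is "any".
ACL_6 = [Ace("permit", "192.168.14.0/24", "0.0.0.0/0")]

# access-list 101: VPN destinations are denied (exempted from NAT), the rest is NATed.
ACL_101 = [
    Ace("deny", "192.168.14.0/24", "10.1.20.0/24"),
    Ace("deny", "192.168.14.0/24", "192.168.1.0/24"),
    Ace("deny", "192.168.14.0/24", "172.29.1.0/24"),
    Ace("permit", "192.168.14.0/24", "0.0.0.0/0"),
]

# access-list 100: the crypto ACL referenced by "match address 100".
ACL_100 = [
    Ace("permit", "192.168.14.0/24", "10.1.20.0/24"),
    Ace("permit", "192.168.14.0/24", "192.168.1.0/24"),
]


def transit(pkt, nat_acl, crypto_acl=ACL_100):
    """Packet from Vlan1 leaving FastEthernet0: NAT first, then crypto map.

    Returns (packet as it leaves the router, True if it goes through the tunnel).
    """
    if acl_permits(nat_acl, pkt):
        pkt = Packet(FA0_ADDR, pkt.dst)          # PAT overload rewrites the source
    return pkt, acl_permits(crypto_acl, pkt)     # crypto ACL sees the NATed header


def router_originated(src_if_addr, dst, crypto_acl=ACL_100):
    """A ping issued on the router itself.  Modelling assumption: "ip nat inside
    source" translates only transit traffic, so the crypto ACL alone decides
    whether the ping is interesting.  The source is the address of the interface
    the ping is sourced from (FastEthernet0 by default, Vlan1 with "source Vlan1")."""
    return acl_permits(crypto_acl, Packet(src_if_addr, dst))


def demo():
    lan_host, server, internet = "192.168.14.50", "10.1.20.12", "203.0.113.10"
    return {
        "acl6_to_server": transit(Packet(lan_host, server), ACL_6),
        "acl101_to_server": transit(Packet(lan_host, server), ACL_101),
        "acl101_to_internet": transit(Packet(lan_host, internet), ACL_101),
        "ping_from_fa0": router_originated(FA0_ADDR, server),
        "ping_from_vlan1": router_originated("192.168.14.1", server),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} {result}")
```

The two failing cases are the ones the thread hit: with list 6 the LAN host is PATed to 192.168.91.3 before the crypto map looks at it, and a ping sourced from FastEthernet0 (the default) never matches ACL 100 either. Because the router's own crypto endpoint 192.168.91.3 is itself behind the Linksys PAT, the PIX peer for this branch has to be the Linksys public address and NAT-T (the `isakmp nat-traversal` line in the PIX config) carries ESP inside UDP 4500; neither of those is modelled here.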
