1711 IPSec to PIX

drumrb0y
Level 1

I'm trying to duplicate the configuration of an existing 1710 that has an IPSec tunnel to a PIX 535, over to a 1711; the only difference between them is the addressing of the two routers and their internal subnetworks.

I've duplicated everything as closely as I could, yet I have no tunnel; I lack the PIX knowledge to properly verify if there is negotiation taking place, so I'm sort of working in the dark here.

I'm not using PPPoE or DHCP to the 1711 and I got as far as establishing Internet connectivity; it shouldn't be difficult (the 1711 and the PIX can ping each other...) - but I'm missing something!

I'd like to know if there are any differences between the 1710 and 1711 that might affect the IPSec configuration; any other assistance in setting up an IPSec tunnel from the 1711 to the PIX would be appreciated.

Marc

3 Replies

ehirsel
Level 6

Some handy commands that you should be able to run on the 1710 and 1711 are:

debug crypto isakmp and debug crypto ipsec

I would start with phase 1 (isakmp) first - as you cannot get phase 2 (ipsec) to work until phase 1 is done. Some questions: Are you using EZVPN? What is the version of code on the 1710 and 1711?

I would run the debug commands on both endpoints.

If phase 1 is okay, but phase 2 is the issue, just run the debug crypto ipsec command. Reexamine the ACLs that define interesting traffic and ensure that they are mirror images of each other - if one ACL uses ports and protocols, the other should as well.

Let me know what the result of the debug commands are.

Thanks for the commands;

The thing that's slowing down troubleshooting right now is that my aptitude with the PIX535 commands is minimal, and the PIX Command Reference is very lacking on "show" commands pertaining to ipsec and isakmp.

I know it can be done, because my former supervisor has done it, but I'd like to learn the commands used to show current active IPSec sessions and IKE proposals entering the box; that way I can debug from both the PIX535 and the 1711.

I don't have the version of the 1711 code on me, but the router is less than 3 months old, so the version should be at or near current; the PIX code version is 6.3(4).

I've expended a lot of time just figuring out the integrated 4-port switch in the 1711 and getting it onto the Internet, so I'm not left with a lot of research time to learn the IPSec configuration. This is the first 1711 I've stood up and connected to the PIX535 (until now I've only set up 1710's to a 3030 Concentrator) and all I have to work with are the archived configs of older 1710's to use as templates.

I wish the Cisco documentation was more summarized and concise...then again, I wish they had a universal IOS for all devices...

Marc

The image version on the 1711 is 12.3(7)XR;

I've resolved the connectivity issues and can ping and telnet to the 1711 from the outside - it can also ping the PIX and vice versa.

I have connectivity, but the debugs are pulling no log messages despite both being enabled.

I'm going to be researching the Cisco documentation all day, until I find the solution or someone posts a config example... here's what I have so far:

1711:

crypto isakmp policy 20
 hash md5
 authentication pre-share
 lifetime 36000
crypto isakmp key ##### address xxx.xxx.xxx.xxx
!
crypto map hostsitemap 20 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set security-association lifetime seconds 36000
 set pfs group2
 match address 100

PIX535:

access-list remote1711 permit ip 10.yy.yy.0 255.255.255.0 10.zz.zz.0 255.255.255.0
access-list remote1711 permit ip 10.xx.xx.0 255.255.255.0 10.zz.zz.0 255.255.255.0
access-list remote1711 permit ip 192.168.nn.0 255.255.255.0 10.zz.zz.0 255.255.255.0
!
crypto map remote1711 ipsec-isakmp
crypto map remote1711 match address remotemap4
crypto map remote1711 set pfs group2
crypto map remote1711 set peer xx.xx.xx.xx
crypto map remote1711 set transform-set #####
crypto map remote1711 set security-association lifetime seconds 36000 kilobytes 4608000
!
isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255
!
[All global isakmp config lines are OK - there are tunnels up and running with these settings; the 1711 needs to match...]

Marc
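Added example, not from any post in this thread: a Python script that checks the point ehirsel raises above, that the two crypto ACLs must be mirror images of each other, against a constructed copy of Marc's PIX access-list (masked octets replaced with made-up values) and a hypothetical 1711 access-list 100 that the post does not show. It also flags a crypto map that matches on an ACL name for which no entries exist, since the PIX snippet above matches address remotemap4 while the entries shown are named remote1711.

```python
import ipaddress
import re

# Constructed sample input modelled on the thread's PIX config; the masked
# octets (yy, xx, nn, zz) from the post are replaced with made-up values.
PIX_ACL = """
access-list remote1711 permit ip 10.20.20.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list remote1711 permit ip 10.21.21.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list remote1711 permit ip 192.168.5.0 255.255.255.0 10.30.30.0 255.255.255.0
"""
# Hypothetical contents of the 1711's 'access-list 100' (not shown in the post):
# deliberately missing the mirror of the 192.168.5.0/24 entry.
IOS_ACL = """
access-list 100 permit ip 10.30.30.0 0.0.0.255 10.20.20.0 0.0.0.255
access-list 100 permit ip 10.30.30.0 0.0.0.255 10.21.21.0 0.0.0.255
"""

LINE = re.compile(r"access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def _net(addr, mask, wildcard):
    """Build a network; IOS extended ACLs carry wildcard (inverse) masks,
    PIX 6.x ACLs carry ordinary subnet masks."""
    if wildcard:
        mask = ".".join(str(255 - int(o)) for o in mask.split("."))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_acl(text, wildcard):
    """Return {acl_name: {(src_net, dst_net), ...}} for 'permit ip' lines."""
    acls = {}
    for name, src, smask, dst, dmask in LINE.findall(text):
        pair = (_net(src, smask, wildcard), _net(dst, dmask, wildcard))
        acls.setdefault(name, set()).add(pair)
    return acls

def mirror_diff(side_a, side_b):
    """Entries of side_a whose mirror image (src/dst swapped) is absent on side_b."""
    mirrored_b = {(d, s) for s, d in side_b}
    return sorted(f"{s} -> {d}" for s, d in side_a - mirrored_b)

def check_crypto_acls(pix_text, pix_name, ios_text, ios_name):
    """Compare the two crypto ACLs; also catch a crypto map that matches on an
    ACL name for which no entries exist (an empty ACL selects no traffic)."""
    pix, ios = parse_acl(pix_text, False), parse_acl(ios_text, True)
    missing = [n for n, side in ((pix_name, pix), (ios_name, ios)) if n not in side]
    if missing:
        return {"undefined_acl": missing}
    return {"missing_on_ios": mirror_diff(pix[pix_name], ios[ios_name]),
            "missing_on_pix": mirror_diff(ios[ios_name], pix[pix_name])}
```

Calling check_crypto_acls(PIX_ACL, "remote1711", IOS_ACL, "100") on the sample reports the 192.168.5.0/24 entry as missing on the IOS side, while passing "remotemap4" as the PIX ACL name reports an undefined ACL.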