11-17-2004 06:37 AM - edited 02-21-2020 01:27 PM
Dear all,
I don't suppose anyone has configured a VPN between a Symantec Firewall/VPN 200r and a PIX 501 firewall before?
If so, could anyone tell me how I would do it?
I have tried to set it up with the VPN Wizard and I got an error message saying that the PIX was on the wrong domain on the Symantec.
Thanks for the help
Cheers
James
11-17-2004 01:11 PM
No, I have never configured that, but your error message sounds like the Symantec uses names instead of an ADDRESS to identify its VPN peer. Check if you can change that. On the PIX this is called "isakmp identity address".
Things to verify on both sides:
a.) Isakmp lifetime 86400
b.) With some vendors DH group 2 does not work; try DH group 1.
c.) Enable debugging for isakmp and ipsec and post your messages.
Check also this document - IP Security Troubleshooting - Understanding and Using debug Commands:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml
d.) Verify that the VPN domain is the same; in my example it is the access-list called VPN.
Here is a VPN site-to-site example:
PIX(config)# access-list acs-outside permit udp host VPNPeer host MyPublicIP eq isakmp
PIX(config)# access-list acs-outside permit esp host VPNPeer host MyPublicIP
PIX(config)# access-list acs-outside permit ah host VPNPeer host MyPublicIP
PIX(config)# access-group acs-outside in interface outside
STEP 1 - Configure IKE
PIX(config)# isakmp enable outside
PIX(config)# isakmp policy 10 authentication pre-share
PIX(config)# isakmp policy 10 encryption 3des
PIX(config)# isakmp policy 10 hash md5
PIX(config)# isakmp policy 10 group 2
PIX(config)# isakmp policy 10 lifetime 86400
PIX(config)# isakmp identity address
PIX(config)# isakmp key your-vpn-password address PEER-IP netmask 255.255.255.255
STEP 2 - Configure IPSEC
PIX(config)# access-list NONAT permit ip Internalnet ISubnet Externalnet ESubnet
PIX(config)# nat (inside) 0 access-list NONAT
PIX(config)# access-list VPN permit ip Internalnet ISubnet Externalnet ESubnet
PIX(config)# crypto ipsec transform-set TRANS esp-des esp-md5-hmac
PIX(config)# crypto map REMOTE 10 ipsec-isakmp
PIX(config)# crypto map REMOTE 10 match address VPN
PIX(config)# crypto map REMOTE 10 set peer PEER-IP
PIX(config)# crypto map REMOTE 10 set transform-set TRANS
PIX(config)# crypto map REMOTE interface outside
Sincerely,
Patrick
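The checklist above (address-based ISAKMP identity, 86400 s lifetime, matching VPN domain on the nat 0 and crypto-map ACLs, and the outside ACL admitting ISAKMP/ESP/AH from the peer) can be verified mechanically before turning on debugs. The following Python script is an added example, not part of the thread or of any Cisco tool: it parses a PIX-style site-to-site configuration and reports which items fail. The embedded configuration is constructed to mirror Patrick's example, with the placeholders replaced by RFC 5737 documentation addresses; it is not a real device's config, and the script checks only the PIX side, not the Symantec.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of the site-to-site example from the post.
# 203.0.113.10 = remote peer, 198.51.100.1 = our public IP (documentation ranges).
SAMPLE_CONFIG = """
access-list acs-outside permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
access-list acs-outside permit esp host 203.0.113.10 host 198.51.100.1
access-list acs-outside permit ah host 203.0.113.10 host 198.51.100.1
access-group acs-outside in interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp identity address
isakmp key your-vpn-password address 203.0.113.10 netmask 255.255.255.255
access-list NONAT permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
access-list VPN permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
crypto ipsec transform-set TRANS esp-des esp-md5-hmac
crypto map REMOTE 10 ipsec-isakmp
crypto map REMOTE 10 match address VPN
crypto map REMOTE 10 set peer 203.0.113.10
crypto map REMOTE 10 set transform-set TRANS
crypto map REMOTE interface outside
"""


def parse_pix(config: str) -> dict:
    """Extract only the statements the checklist needs (keywords are case-insensitive
    on the PIX, so they are lowercased; ACL and map names keep their case)."""
    acls: Dict[str, List[str]] = {}
    policy: Dict[str, str] = {}
    facts: Dict[str, Optional[str]] = {"identity": None, "key_peer": None, "map_peer": None,
                                       "map_acl": None, "nat0_acl": None, "outside_acl": None}
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        kw = [p.lower() for p in parts[:2]]
        lower = raw.lower()
        if kw[0] == "access-list":
            acls.setdefault(parts[1], []).append(" ".join(parts[2:]))
        elif kw[0] == "access-group" and parts[-1].lower() == "outside":
            facts["outside_acl"] = parts[1]
        elif kw == ["isakmp", "policy"]:
            policy[parts[3].lower()] = " ".join(parts[4:])
        elif kw == ["isakmp", "identity"]:
            facts["identity"] = parts[2].lower()
        elif kw == ["isakmp", "key"]:            # isakmp key <psk> address <ip> netmask <mask>
            facts["key_peer"] = parts[4]
        elif kw == ["crypto", "map"] and "set peer" in lower:
            facts["map_peer"] = parts[-1]
        elif kw == ["crypto", "map"] and "match address" in lower:
            facts["map_acl"] = parts[-1]
        elif kw == ["nat", "(inside)"] and parts[2] == "0":
            facts["nat0_acl"] = parts[-1]
    return {"acls": acls, "policy": policy, **facts}


def check_site_to_site(config: str) -> List[str]:
    """Return a list of findings; an empty list means every checklist item passed."""
    c = parse_pix(config)
    findings: List[str] = []
    if c["identity"] != "address":
        findings.append("isakmp identity is not 'address'; peer will be identified by name")
    if c["policy"].get("lifetime") != "86400":
        findings.append(f"isakmp lifetime is {c['policy'].get('lifetime')}, expected 86400")
    if c["policy"].get("group") not in ("1", "2"):
        findings.append(f"unexpected DH group {c['policy'].get('group')}")
    if c["key_peer"] != c["map_peer"]:
        findings.append(f"pre-shared key peer {c['key_peer']} != crypto map peer {c['map_peer']}")
    # VPN domain: the crypto ACL and the nat 0 ACL must describe the same traffic.
    if set(c["acls"].get(c["map_acl"] or "", [])) != set(c["acls"].get(c["nat0_acl"] or "", [])):
        findings.append("crypto map ACL and nat 0 ACL do not cover the same networks")
    # Outside ACL must let the peer's ISAKMP (UDP/500), ESP and AH traffic in.
    outside = c["acls"].get(c["outside_acl"] or "", [])
    peer = c["map_peer"]
    for proto in ("udp", "esp", "ah"):
        hits = [e for e in outside if re.match(rf"permit {proto} host {re.escape(peer or '')}\b", e)]
        if proto == "udp":
            hits = [e for e in hits if e.endswith("eq isakmp") or e.endswith("eq 500")]
        if not hits:
            findings.append(f"outside ACL does not permit {proto} from peer {peer}")
    return findings


if __name__ == "__main__":
    for line in check_site_to_site(SAMPLE_CONFIG) or ["all checklist items pass"]:
        print(line)
```

Paste a `show running-config` excerpt in place of `SAMPLE_CONFIG` to run it against a real box; the findings are phrased so they map back to items a) through d) in the post, and a clean run is the point at which enabling `debug crypto isakmp` / `debug crypto ipsec` becomes worthwhile.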