03-18-2005 07:03 AM - edited 02-21-2020 01:40 PM
Hi all,
I want to make a simple VPN with the IPsec protocol between a Cisco SOHO97 router and a Cisco PIX501 firewall over the internet.
Router#sh conf
Using 1877 out of 131072 bytes
!
version 12.3
!
hostname Router
!
enable password xxx
!
ip subnet-zero
!
!
no aaa new-model
!
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
lifetime 120
crypto isakmp key 0 vpn address IPPIX
!
!
crypto ipsec transform-set normal esp-des esp-md5-hmac
!
crypto map 3tech 10 ipsec-isakmp
set peer IPPIX
set security-association lifetime seconds 86400
set transform-set normal
match address 120
!
!
!
!
interface Ethernet0
ip address 10.0.0.254 255.255.255.0
ip nat inside
hold-queue 100 out
!
interface ATM0
no ip address
ip nat outside
no ip route-cache
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip address IPSOHO 255.255.255.0
ip nat outside
no ip route-cache
pvc 8/35
!
crypto map 3tech
!
ip nat inside source list 110 interface ATM0.1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip http server
ip http secure-server
!
access-list 110 remark traffic to NAT
access-list 110 deny ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
access-list 120 remark traffic to crypt
access-list 120 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
!
scheduler max-task-time 5000
!
end
pixfirewall(config)# sh conf
: Saved
: Written by enable_15 at 06:03:34.627 UTC Thu Mar 17 2005
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_access_in permit icmp any any echo-reply
access-list inside_access_in permit ip any any
access-list ipsec permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside IPPIX 255.255.255.248
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 85.37.91.25 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set avalanche esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto map MYMAP 21 ipsec-isakmp
crypto map MYMAP 21 match address ipsec
crypto map MYMAP 21 set peer IPSOHO
crypto map MYMAP 21 set transform-set avalanche
crypto map MYMAP interface outside
isakmp enable outside
isakmp key ******** address IPSOHO netmask 255.255.255.255
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 2
isakmp policy 21 lifetime 120
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 60
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
terminal width 80
pixfirewall(config)#
The VPN doesn't work!
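The two configurations above, checked offline for the mismatches that most often keep a router-to-PIX tunnel from coming up. This is an added example, not code from the thread: it parses the crypto-relevant lines of both posted configs (trimmed copies are embedded as the sample input, keeping the thread's IPPIX/IPSOHO placeholders), then reports whether some ISAKMP policy pair agrees on encryption, hash, authentication and group, whether the crypto maps reference identical transform sets, and whether the crypto ACLs are exact mirror images; it also warns about DES, MD5, group 2 and the 120-second IKE lifetime. The function names and the ERROR/WARN levels are this example's own, not an IOS or PIX feature.

```python
"""Offline consistency check for an IOS-router-to-PIX IPsec pair (added example)."""
import ipaddress

# Sample input: trimmed from the two configs posted in the thread above.
IOS_CFG = """\
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
lifetime 120
crypto isakmp key 0 vpn address IPPIX
!
crypto ipsec transform-set normal esp-des esp-md5-hmac
!
crypto map 3tech 10 ipsec-isakmp
set peer IPPIX
set transform-set normal
match address 120
!
access-list 120 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

PIX_CFG = """\
access-list ipsec permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
crypto ipsec transform-set avalanche esp-des esp-md5-hmac
crypto map MYMAP 21 ipsec-isakmp
crypto map MYMAP 21 match address ipsec
crypto map MYMAP 21 set peer IPSOHO
crypto map MYMAP 21 set transform-set avalanche
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 2
isakmp policy 21 lifetime 120
"""

# Values an ISAKMP policy takes when the line is omitted (IOS 12.3 and PIX 6.3 agree).
P1_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
               "group": "1", "lifetime": "86400"}
P1_KEYS = ("encryption", "hash", "authentication", "group")
WEAK = {"des", "3des", "md5", "1", "2"}   # ciphers, hashes and DH groups to flag


def _acl_entry(w, acls):
    """'access-list NAME permit ip SRC MASK DST MASK' -> (src_net, dst_net).
    ipaddress accepts both the IOS wildcard and the PIX netmask after the slash."""
    if len(w) >= 8 and w[2] == "permit" and w[3] == "ip":
        acls.setdefault(w[1], []).append(
            (ipaddress.ip_network(f"{w[4]}/{w[5]}"), ipaddress.ip_network(f"{w[6]}/{w[7]}")))


def parse_ios(text):
    """Return (isakmp policies, transform sets, crypto-map entries, ACLs)."""
    policies, tsets, maps, acls, cur = {}, {}, [], {}, None
    for line in text.splitlines():
        w = line.split()
        if not w or w[0] in ("!", "crypto", "access-list"):
            cur = None                       # a top-level command ends the sub-mode
        if not w or w[0] == "!":
            continue
        if w[:3] == ["crypto", "isakmp", "policy"]:
            cur = policies.setdefault(w[3], dict(P1_DEFAULTS))
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[w[3]] = tuple(w[4:])
        elif w[:2] == ["crypto", "map"] and w[-1] == "ipsec-isakmp":
            cur = {}
            maps.append(cur)
        elif w[0] == "access-list":
            _acl_entry(w, acls)
        elif cur is not None:
            if w[0] == "set":                # set peer X / set transform-set Y
                cur[w[1]] = w[2]
            elif w[0] == "match":            # match address ACL
                cur["acl"] = w[2]
            else:                            # isakmp policy attribute, e.g. hash md5
                cur[w[0]] = w[1]
    return policies, tsets, maps, acls


def parse_pix(text):
    """Same structure as parse_ios; PIX repeats the map name/sequence on every line."""
    policies, tsets, maps, acls = {}, {}, {}, {}
    for line in text.splitlines():
        w = line.split()
        if w[:2] == ["isakmp", "policy"]:
            policies.setdefault(w[2], dict(P1_DEFAULTS))[w[3]] = w[4]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[w[3]] = tuple(w[4:])
        elif w[:2] == ["crypto", "map"] and w[3].isdigit():
            entry = maps.setdefault((w[2], w[3]), {})
            if w[4] == "set":
                entry[w[5]] = w[6]
            elif w[4] == "match":
                entry["acl"] = w[6]
        elif w[:1] == ["access-list"]:
            _acl_entry(w, acls)
    return policies, tsets, list(maps.values()), acls


def check(ios_text, pix_text):
    """Return (level, message) findings: ERROR breaks the tunnel, WARN is a hygiene issue."""
    ios_p1, ios_ts, ios_maps, ios_acls = parse_ios(ios_text)
    pix_p1, pix_ts, pix_maps, pix_acls = parse_pix(pix_text)
    out = []
    if not any(all(a[k] == b[k] for k in P1_KEYS)
               for a in ios_p1.values() for b in pix_p1.values()):
        out.append(("ERROR", "phase 1: no ISAKMP policy pair agrees on encryption/hash/auth/group"))
    for side, pols in (("router", ios_p1), ("pix", pix_p1)):
        for num, p in pols.items():
            weak = sorted(v for k, v in p.items() if k in P1_KEYS and v in WEAK)
            if weak:
                out.append(("WARN", f"{side} isakmp policy {num}: weak {', '.join(weak)}"))
            if int(p["lifetime"]) < 600:
                out.append(("WARN", f"{side} isakmp policy {num}: lifetime {p['lifetime']}s forces constant rekeying"))
    ios_sets = {ios_ts.get(m.get("transform-set")) for m in ios_maps}
    pix_sets = {pix_ts.get(m.get("transform-set")) for m in pix_maps}
    if not (ios_sets & pix_sets) - {None}:
        out.append(("ERROR", f"phase 2: no common transform set ({ios_sets} vs {pix_sets})"))
    for im in ios_maps:                      # crypto ACLs must be exact mirror images
        for pm in pix_maps:
            mirrored = {(d, s) for s, d in pix_acls.get(pm.get("acl"), [])}
            if set(ios_acls.get(im.get("acl"), [])) != mirrored:
                out.append(("ERROR", f"crypto ACL {im.get('acl')} is not the mirror of PIX ACL {pm.get('acl')}"))
    return out


if __name__ == "__main__":
    for level, msg in check(IOS_CFG, PIX_CFG):
        print(level, msg)
```

On the posted configs this reports no ERROR, only WARN lines for DES, MD5, group 2 and the 120-second lifetime, so the negotiated parameters themselves line up. The checker only sees what was posted: it does not compare the pre-shared keys (the PIX output masks its key as ********), and it does not examine the NAT exemption lists, so a clean result narrows the search rather than ending it.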
03-24-2005 08:12 AM
The document Configuring IPSec - Router to PIX has more information on the configuration you are looking for.
03-29-2005 03:48 AM
The command:
route map
is not recognized by my SOHO 97, I don't know why. This is the result of the sh version command:
soho97#sh version
Cisco Internetwork Operating System Software
IOS (tm) SOHO97 Software (SOHO97-K9OY1-M), Version 12.3(2)XC, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.3(1.6)T
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Thu 25-Sep-03 11:28 by ealyon
Image text-base: 0x800131C0, data-base: 0x80965578
ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
ROM: SOHO97 Software (SOHO97-K9OY1-M), Version 12.3(2)XC, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
soho97 uptime is 6 days, 21 hours, 46 minutes
System returned to ROM by reload
System image file is "flash:soho97-k9oy1-mz.123-2.XC.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
CISCO SOHO97 (MPC857DSL) processor (revision 0x400) with 29492K/3276K bytes of memory.
Processor board ID AMB08030CRV (674812477), with hardware revision 0000
CPU rev number 7
Bridging software.
1 Ethernet/IEEE 802.3 interface(s)
1 ATM network interface(s)
128K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)
Configuration register is 0x2102
soho97#
Is my IOS old?