309 Views | 0 Helpful | 2 Replies

IPSEC VPN Between SOHO97 and PIX501

th3_p03t
Level 1

Hi all,

I want to set up a simple IPsec VPN between a Cisco SOHO97 router and a Cisco PIX501 firewall over the internet.

Router#sh conf
Using 1877 out of 131072 bytes
!
version 12.3
!
hostname Router
!
enable password xxx
!
ip subnet-zero
!
!
no aaa new-model
!
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
 lifetime 120
crypto isakmp key 0 vpn address IPPIX
!
!
crypto ipsec transform-set normal esp-des esp-md5-hmac
!
crypto map 3tech 10 ipsec-isakmp
 set peer IPPIX
 set security-association lifetime seconds 86400
 set transform-set normal
 match address 120
!
!
!
!
interface Ethernet0
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 ip nat outside
 no ip route-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 ip address IPSOHO 255.255.255.0
 ip nat outside
 no ip route-cache
 pvc 8/35
 !
 crypto map 3tech
!
ip nat inside source list 110 interface ATM0.1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip http server
ip http secure-server
!
access-list 110 remark traffic to NAT
access-list 110 deny ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
access-list 120 remark traffic to crypt
access-list 120 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
!
scheduler max-task-time 5000
!
end

pixfirewall(config)# sh conf
: Saved
: Written by enable_15 at 06:03:34.627 UTC Thu Mar 17 2005
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_access_in permit icmp any any echo-reply
access-list inside_access_in permit ip any any
access-list ipsec permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside IPPIX 255.255.255.248
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 85.37.91.25 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set avalanche esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto map MYMAP 21 ipsec-isakmp
crypto map MYMAP 21 match address ipsec
crypto map MYMAP 21 set peer IPSOHO
crypto map MYMAP 21 set transform-set avalanche
crypto map MYMAP interface outside
isakmp enable outside
isakmp key ******** address IPSOHO netmask 255.255.255.255
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 2
isakmp policy 21 lifetime 120
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 60
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
terminal width 80
pixfirewall(config)#

The VPN doesn't work!
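As an added example (my own code, not something from this thread or from Cisco), here is a Python script that transcribes the crypto-relevant lines of the two configurations above (the IPPIX / IPSOHO placeholders kept as posted) and checks the three things a pre-shared-key site-to-site tunnel between IOS and PIX has to agree on: the Phase 1 ISAKMP policy, the Phase 2 transform set, and crypto ACLs that are mirror images of each other. It also flags weak settings (DES, MD5, the 120-second Phase 1 lifetime). The factory defaults it fills in for attributes the policies leave unset are an assumption, stated in the code.

```python
# Added example (not from the thread or from Cisco): cross-check the IKE/IPsec settings of the
# IOS router and PIX 6.3 above, from constructed transcriptions of their crypto-relevant lines.
import re
from ipaddress import ip_network

# Assumption: factory defaults for any attribute an ISAKMP policy omits (shared by IOS 12.3
# and PIX 6.3, so the router policy, which never states "encryption", runs DES).
IKE_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"}

ROUTER_CFG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
 lifetime 120
crypto ipsec transform-set normal esp-des esp-md5-hmac
crypto map 3tech 10 ipsec-isakmp
 set transform-set normal
 match address 120
access-list 120 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
PIX_CFG = """\
access-list ipsec permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
crypto ipsec transform-set avalanche esp-des esp-md5-hmac
crypto map MYMAP 21 match address ipsec
crypto map MYMAP 21 set transform-set avalanche
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 2
isakmp policy 21 lifetime 120
"""

def parse_ios_isakmp(cfg):
    """IOS style: a 'crypto isakmp policy N' header, then indented attribute lines."""
    policies, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), dict(IKE_DEFAULTS))
        elif current is not None and line.startswith(" "):
            attr, _, value = line.strip().partition(" ")
            if attr in IKE_DEFAULTS:
                current[attr] = value
        else:
            current = None
    return policies

def parse_pix_isakmp(cfg):
    """PIX 6.x style: one flat 'isakmp policy N attr value' line per attribute."""
    policies = {}
    for m in re.finditer(r"^isakmp policy (\d+) (\S+) (\S+)", cfg, re.M):
        if m.group(2) in IKE_DEFAULTS:
            policies.setdefault(int(m.group(1)), dict(IKE_DEFAULTS))[m.group(2)] = m.group(3)
    return policies

def active_transform_set(cfg):
    """Transforms of the set the crypto map references (same syntax on both platforms)."""
    sets = {m.group(1): frozenset(m.group(2).split())
            for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M)}
    ref = re.search(r"set transform-set (\S+)", cfg)
    return sets.get(ref.group(1)) if ref else None

def crypto_acl(cfg, wildcard):
    """(src, dst) networks of the ACL the crypto map selects with 'match address'."""
    def net(addr, mask):
        if wildcard:  # IOS ACLs carry wildcard masks; invert them into netmasks
            mask = ".".join(str(255 - int(o)) for o in mask.split("."))
        return ip_network(f"{addr}/{mask}", strict=False)
    ref = re.search(r"match address (\S+)", cfg)
    if not ref:
        return []
    pat = rf"^access-list {re.escape(ref.group(1))} permit ip (\S+) (\S+) (\S+) (\S+)"
    return [(net(m.group(1), m.group(2)), net(m.group(3), m.group(4)))
            for m in re.finditer(pat, cfg, re.M)]

def compare_peers(router_cfg, pix_cfg):
    """Hard mismatches (the tunnel cannot come up) plus advisory notes on weak settings."""
    mismatches, notes = [], []
    r_pol, p_pol = parse_ios_isakmp(router_cfg), parse_pix_isakmp(pix_cfg)
    # IKEv1 accepts the first policy pair that agrees on everything except lifetime
    pair = next(((r, p) for r in r_pol.values() for p in p_pol.values()
                 if all(r[a] == p[a] for a in IKE_DEFAULTS if a != "lifetime")), None)
    if pair is None:
        mismatches.append(f"Phase 1: no ISAKMP policy pair agrees: router={r_pol} pix={p_pol}")
    else:
        if min(int(pair[0]["lifetime"]), int(pair[1]["lifetime"])) < 3600:
            notes.append("Phase 1 lifetime under an hour means constant renegotiation (default 86400)")
        if pair[0]["encryption"] == "des" or pair[0]["hash"] == "md5":
            notes.append("Phase 1 negotiates DES/MD5; prefer AES with SHA")
    r_ts, p_ts = active_transform_set(router_cfg), active_transform_set(pix_cfg)
    if r_ts != p_ts:
        mismatches.append(f"Phase 2: transform sets differ: router={set(r_ts or [])} pix={set(p_ts or [])}")
    elif r_ts and "esp-des" in r_ts:
        notes.append("Phase 2 uses esp-des; prefer esp-aes")
    r_acl, p_acl = crypto_acl(router_cfg, wildcard=True), crypto_acl(pix_cfg, wildcard=False)
    if set(r_acl) != {(dst, src) for src, dst in p_acl}:
        mismatches.append(f"crypto ACLs are not mirror images: router={r_acl} pix={p_acl}")
    return {"mismatches": mismatches, "notes": notes}

if __name__ == "__main__":
    print(compare_peers(ROUTER_CFG, PIX_CFG))
```

On the configs as posted the check reports no hard mismatch, only the advisory notes, which leaves the two things the dumps cannot show: whether the pre-shared key on the PIX (masked as ********) is the same as the router's, and whether IPPIX and IPSOHO can actually reach each other on UDP 500. Running debug crypto isakmp on the router while a ping from 10.0.0.0/24 to 192.168.1.0/24 triggers the tunnel shows which of those fails during the main-mode exchange.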

2 Replies

owillins
Level 6

The document Configuring IPSec - Router to PIX has more information on the configuration you are looking for.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml

The command:

route map

is not recognized on my SOHO 97; I don't know why. This is the result of the sh version command:

soho97#sh version
Cisco Internetwork Operating System Software
IOS (tm) SOHO97 Software (SOHO97-K9OY1-M), Version 12.3(2)XC, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.3(1.6)T
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Thu 25-Sep-03 11:28 by ealyon
Image text-base: 0x800131C0, data-base: 0x80965578

ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
ROM: SOHO97 Software (SOHO97-K9OY1-M), Version 12.3(2)XC, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

soho97 uptime is 6 days, 21 hours, 46 minutes
System returned to ROM by reload
System image file is "flash:soho97-k9oy1-mz.123-2.XC.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

CISCO SOHO97 (MPC857DSL) processor (revision 0x400) with 29492K/3276K bytes of memory.
Processor board ID AMB08030CRV (674812477), with hardware revision 0000
CPU rev number 7
Bridging software.
1 Ethernet/IEEE 802.3 interface(s)
1 ATM network interface(s)
128K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

Configuration register is 0x2102

soho97#

Is my IOS old?