Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
581
Views
0
Helpful
3
Replies

PIX - PIX VPN problems

ndanyluk1
Level 1
Level 1

‎10-06-2005 10:55 AM - edited ‎02-21-2020 02:01 PM

Hi All,

I have 2 PIXen 6.3(4) and am trying to setup a VPN. I have used PDM to set it up.

One side 172.23.x.x, The other 192.168.1.x.

I’m not doing NAT Traversal.

route outside 0.0.0.0 0.0.0.0 10.10.10.1 1

access-list inside_outbound_nat0_acl permit ip 172.23.0.0 255.255.0.0 192.168.1.0 255.255.255.0

access-list outside_cryptomap_20 permit ip 172.23.0.0 255.255.0.0 192.168.1.0 255.255.255.0

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer 192.168.1.1

crypto map outside_map 20 set transform-set ESP-DES-MD5

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address 172.23.1.1 netmask 255.255.255.255 no-xauth no-config-mode

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

Access to the Internet is ok. When I try to ping across the VPN the log shows

No route to 192.168.1.2 from 172.23.1.1. – I’m pinging from the PIX to a box on the other side.

At times IKE and IPSec tunnels are started, but no data is being encrypted.

Right now I have an IKE tunnel and no IPSec tunnel.

All the doc’s I found don’t lead me to believe that I should put in a route. I don’t have RIP or any other routing protocol going.

I feel I’m way off base here. Can anybody give me a direction?

Thanks

Nick

Labels:
0 Helpful
3 Replies 3

revangelista
Level 1
Level 1

‎10-06-2005 12:56 PM

You most likely forgot to apply the 'nat 0' acl to the inside interface.

Try this, 'nat (inside) 0 access-list inside_outbound_nat0_acl'.

You really should paste the entire config of both firewalls. Your problem could also be on the other side.

0 Helpful

ndanyluk1
Level 1
Level 1
In response to revangelista

‎10-06-2005 01:59 PM

Hey,

I set these up with the PDM VPN wizard. I removed the Nat 0 thinking it was part of the NAT traversal. I added them back in.

I'm trying to attach the configs.

Thanks

Nick

Preview file
4 KB
0 Helpful

revangelista
Level 1
Level 1
In response to ndanyluk1

‎10-06-2005 02:51 PM

I hate the PDM. And quite frankly, I don't even know what it looks like. I can't blame you for using the PDM if you've never worked with a PIX in the past. However, there is probably a great likelihood that you have applied the wrong information via the wizard.

The most obvious mistake is your 'crpto ACL' information. You do not encrypt traffic between the 'outside' network and the remote network's 'outside' network. You're supposed to encrypt traffic between two 'inside' networks, or networks 'behind' the PIX firewall.

I do not believe that this is an issue with the 'Wizard'. I strongly feel that you were applying the wrong information.

Make sure you read the following link prior to proceeding:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

This will give you a better understanding of how you should be approaching this problem. A good understanding of ISAKMP, IPSEC and 'advanced' PIX commands should already be on your belt prior to attempting such a complex task.

Good luck.

0 Helpful
Customers Also Viewed These Support Documents