PIX515E VPN between PIX <-> 2 fixed IP peers + 1 Dynamic IP

joaott1974
Level 1

Hi all,

First of all, sorry for my English, but I will try to explain my problem connecting a VPN with a dynamic IP address (it's a Draytek 2700).

We have a customer who has a PIX515E at the central site. Then there are 2 more sites where he installed 2 Draytek 2700s and contracted 2 fixed IP addresses for them. These are working fine and always did.


At another site they are doing building renovations, so they will not have ADSL for about 2 months, and they connected a 3G Internet access which is connected to a Draytek 2710. The Internet is working fine, but it doesn't have a fixed IP address.

I have searched a lot in the Cisco support pages, but I can't find this solution, because the examples are only for 1 dynamic peer, not mixed (multiple fixed IP addresses + 1 or more dynamic).

The PIX also needs to receive VPN connections from remote users who connect via the Cisco VPN client (this is working fine too).

So here is the configuration related to it:

Access lists for the remote LAN2LAN peers:

! Dynamic IP address - Site A
access-list Internet_40_cryptomap extended permit ip 192.168.0.0 255.255.0.0 172.21.2.0 255.255.255.0

! Fixed IP address - Site B
access-list Internet_60_cryptomap extended permit ip 192.168.0.0 255.255.0.0 172.21.1.0 255.255.255.0

! Site C
access-list VILA_ALISOL_CRYPTOMAP_ID80 remark ======VPN LAN2LAN P/VILA ALISOL(IP FIXO A.B.C.D)-PONTA DRAYTEK 2800=====
access-list VILA_ALISOL_CRYPTOMAP_ID80 extended permit ip 192.168.0.0 255.255.0.0 172.21.3.0 255.255.255.0


Crypto and dynamic maps:

! Dynamic map for the dynamic IP peer (this is the one which is not working)

crypto dynamic-map SSHARIA_IPDINAMICO 10 match address Internet_40_cryptomap
crypto dynamic-map SSHARIA_IPDINAMICO 10 set transform-set ESP-DES-MD5

! Dynamic map for VPN remote users (they use the Cisco client and it is working fine)

crypto dynamic-map Internet_dyn_map 40 set pfs
crypto dynamic-map Internet_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map Micros_dyn_map 20 set pfs
crypto dynamic-map Micros_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Micros_dyn_map 40 set pfs
crypto dynamic-map Micros_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map Micros_dyn_map 60 set pfs
crypto dynamic-map Micros_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map Micros_dyn_map 100 set pfs
crypto dynamic-map Micros_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA

! Crypto maps for the fixed IP LAN2LAN peers (working fine)
crypto map Internet_map 60 match address Internet_60_cryptomap
crypto map Internet_map 60 set peer A.B.C.D
crypto map Internet_map 60 set transform-set ESP-DES-MD5
crypto map Internet_map 80 match address VILA_ALISOL_CRYPTOMAP_ID80
crypto map Internet_map 80 set peer E.F.G.H
crypto map Internet_map 80 set transform-set ESP-DES-MD5

! Association of the crypto map "Internet_map" with the outside interface (Internet)


! LAN2LAN to the dynamic IP peer (not working)
crypto map Internet_map 65534 ipsec-isakmp dynamic SSHARIA_IPDINAMICO
! VPN remote users (working fine)
crypto map Internet_map 65535 ipsec-isakmp dynamic Internet_dyn_map
! Assign to interface Internet
crypto map Internet_map interface Internet
crypto map Micros_map 65535 ipsec-isakmp dynamic Micros_dyn_map
crypto map Micros_map interface Micros
crypto map inside_map interface inside

crypto isakmp enable Internet

crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

crypto isakmp nat-traversal 20
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *

! Tunnel groups for the remote peers (fixed IP addresses, Draytek 2700; working fine)

tunnel-group A.B.C.D type ipsec-l2l

tunnel-group A.B.C.D ipsec-attributes
pre-shared-key *

tunnel-group E.F.G.H type ipsec-l2l
tunnel-group E.F.G.H ipsec-attributes
pre-shared-key *

As you can see, when I try to create a tunnel group for my dynamic IP address, I realize that I need to type something like:

tunnel-group <Remote fixed IP address> type ipsec-l2l

tunnel-group <Remote fixed IP address> ipsec-attributes
  pre-shared-key *

.... but the IP is dynamic......

I know now that when a communication starts from that dynamic peer to the PIX, the PIX doesn't know to which group it should assign it. So the communication stops.

I tried to create a group-policy... but I don't know how to associate it with the tunnel group.

I also know that we can only associate 1 crypto map with each interface.

Do you have any idea about this???

Sorry for so much confusion, but the problem is complex.

Hope someone helps... thanks

Joao Tendeiro

2 Replies

andamani
Cisco Employee

Hi Joao,

The tunnel group configuration is a requirement. It is needed so that the dynamic PIX knows on what connection profile it has to talk.

The following link gives you configuration of your scenario.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

Hope this helps.

Regards,

Anisha

P.S.: Please mark this post as answered if you feel your query is resolved. Do rate helpful posts.

Hi Anisha,

I already have that document, and like I told you, the link you sent me is an example only for 1 site with a dynamic IP address.

My problem is the configuration to mix MULTIPLE LAN2LAN connections with dynamic and fixed IP addresses.... I don't understand if I need to associate the incoming connection with a default group, or if I need to create a group-policy. The examples Cisco has are only with 1 peer (dynamic or fixed).

In the console I got this:

%PIX-3-713902: Group = DefaultRAGroup, IP = X.250.51.4, Removing peer from peer table failed, no match!
%PIX-4-713903: Group = DefaultRAGroup, IP = X.250.51.4, Error: Unable to remove PeerTblEntry
%PIX-3-713902: Group = DefaultRAGroup, IP = X.250.51.4, Removing peer from peer table failed, no match!
%PIX-4-713903: Group = DefaultRAGroup, IP = X.250.51.4, Error: Unable to remove PeerTblEntry
%PIX-3-713902: Group = DefaultRAGroup, IP = X.250.51.4, Removing peer from peer table failed, no match!
%PIX-4-713903: Group = DefaultRAGroup, IP = X.250.51.4, Error: Unable to remove PeerTblEntry
%PIX-3-713902: Group = DefaultRAGroup, IP = X.250.51.4, Removing peer from peer table failed, no match!
%PIX-4-713903: Group = DefaultRAGroup, IP = X.250.51.4, Error: Unable to remove PeerTblEntry


My only config for the default group is this, and the password is correct.

tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
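Added example, not from this thread or from the Cisco document linked above: a PIX 7.x / ASA configuration skeleton for exactly this mix (two LAN2LAN peers with fixed addresses, one LAN2LAN peer whose address changes, plus Cisco VPN clients). The peer addresses A.B.C.D and E.F.G.H, the subnets and the transform-set names are the thread's; the ACL, map and tunnel-group names and the key strings are placeholders chosen here. It assumes the dynamic-address Draytek negotiates IKEv1 main mode with its IP address as identity, so the PIX finds no tunnel-group named for that address and falls back to the built-in DefaultL2LGroup; that group therefore carries the pre-shared key for the dynamic site, while DefaultRAGroup keeps serving the VPN clients.

```cisco
! Added example (not the thread's configuration). Placeholders:
! A.B.C.D / E.F.G.H = fixed-address peers, *-KEY-PLACEHOLDER = keys
! to be replaced; names such as OUTSIDE_MAP and L2L_DYN are chosen here.

! --- Interesting traffic, one ACL per site ---
access-list SITEB_CRYPTO extended permit ip 192.168.0.0 255.255.0.0 172.21.1.0 255.255.255.0
access-list SITEC_CRYPTO extended permit ip 192.168.0.0 255.255.0.0 172.21.3.0 255.255.255.0
access-list SITEA_DYN_CRYPTO extended permit ip 192.168.0.0 255.255.0.0 172.21.2.0 255.255.255.0

! --- Transform sets (names as used in the thread) ---
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! --- Dynamic map for the LAN2LAN peer whose address changes (Site A).
!     'match address' stops it from catching remote-access clients.
crypto dynamic-map L2L_DYN 10 match address SITEA_DYN_CRYPTO
crypto dynamic-map L2L_DYN 10 set transform-set ESP-DES-MD5

! --- Dynamic map for VPN clients: no match address, so it must be last.
crypto dynamic-map RA_DYN 10 set pfs
crypto dynamic-map RA_DYN 10 set transform-set ESP-3DES-SHA

! --- One crypto map on the outside interface. Fixed peers first (low
!     sequence numbers); the dynamic entries take the highest numbers,
!     because entries are evaluated in order and a dynamic entry matches
!     any peer. The L2L dynamic entry precedes the RA one.
crypto map OUTSIDE_MAP 60 match address SITEB_CRYPTO
crypto map OUTSIDE_MAP 60 set peer A.B.C.D
crypto map OUTSIDE_MAP 60 set transform-set ESP-DES-MD5
crypto map OUTSIDE_MAP 80 match address SITEC_CRYPTO
crypto map OUTSIDE_MAP 80 set peer E.F.G.H
crypto map OUTSIDE_MAP 80 set transform-set ESP-DES-MD5
crypto map OUTSIDE_MAP 65534 ipsec-isakmp dynamic L2L_DYN
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic RA_DYN
crypto map OUTSIDE_MAP interface Internet

! --- IKE phase 1 (policy values copied from the thread) ---
crypto isakmp enable Internet
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20

! --- Fixed-address peers: one tunnel-group named after each address.
tunnel-group A.B.C.D type ipsec-l2l
tunnel-group A.B.C.D ipsec-attributes
 pre-shared-key SITEB-KEY-PLACEHOLDER
tunnel-group E.F.G.H type ipsec-l2l
tunnel-group E.F.G.H ipsec-attributes
 pre-shared-key SITEC-KEY-PLACEHOLDER

! --- Dynamic-address peer: there is no address to name a group after,
!     so the built-in DefaultL2LGroup (where a main-mode LAN2LAN peer
!     lands when no named group matches) holds its key. No group-policy
!     is required; the LAN2LAN groups inherit the default one.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key SITEA-KEY-PLACEHOLDER

! --- Cisco VPN clients keep using the built-in remote-access group.
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key RA-KEY-PLACEHOLDER
```

Two things worth checking against this skeleton. First, the PIX picks the tunnel-group from the IKE identity the peer sends: a main-mode peer that matches no named group lands in DefaultL2LGroup, while an aggressive-mode peer that matches no named group lands in DefaultRAGroup. Log lines such as `Group = DefaultRAGroup, IP = X.250.51.4` in the reply above therefore point to the Draytek using aggressive mode (the usual choice for a dynamic-address peer); in that case the PIX needs a `tunnel-group <identity> type ipsec-l2l` named exactly after the hostname or key-id the Draytek sends as its local ID, with its own `pre-shared-key`, rather than a key on DefaultRAGroup, which is a remote-access profile. `debug crypto isakmp 127` on the PIX shows which mode the peer used and which group it was mapped to. Second, every dynamic peer that falls into a default group shares that group's single pre-shared key and can connect from any address, so a named group per peer identity is the safer design wherever the remote end can send a distinct identity; likewise the DES/MD5 transform set is kept only because the thread uses it, and ESP-3DES-SHA (already defined) or AES is the sensible choice where the Draytek supports it.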