second IPSec tunnel into the office passing through PIX

blin
Level 1

I am helping a company set up a DI-804HV router configured to support a second encrypted IPSec tunnel into the office, passing through the PIX firewall. The DI-804HV is using public IP 68.46.61.8. When we tested it using w2k, we got error 678. Do we need to open some ports for that, or is this a routing issue? If we need to open the ports, which ports, and what are the command lines?

Here is the configuration.

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname Firewall
domain-name methownet.com
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inside permit ip any any
access-list inside permit icmp any any
access-list inside permit icmp any any unreachable
access-list inside permit icmp any any time-exceeded
access-list outside permit ip any any
access-list outside permit icmp any any unreachable
access-list outside permit icmp any any time-exceeded
access-list outside permit icmp any any
access-list inside_outbound_nat0_acl permit ip any 10.10.98.0 255.255.255.0
pager lines 120
logging on
logging buffered critical
icmp permit any unreachable outside
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 69.19.7.4 255.255.255.252
ip address inside 10.10.22.2 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
ip local pool p3 192.168.7.1-192.168.7.10
pdm location 68.46.61.0 255.255.255.0 inside
pdm location 192.168.0.0 255.255.255.0 inside
pdm location 10.10.22.1 255.255.255.255 inside
pdm location 10.10.250.0 255.255.255.0 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 255.255.255.255 255.255.255.255 outside
pdm location 199.181.165.9 255.255.255.255 outside
pdm location 10.10.1.208 255.255.255.240 outside
pdm location 10.10.98.0 255.255.255.0 outside
pdm location 68.46.61.8 255.255.255.255 inside
pdm location 4.2.63.38 255.255.255.255 outside
pdm location 68.46.61.6 255.255.255.248 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 68.46.61.0 255.255.255.0 0 0
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (inside,outside) 68.46.61.0 68.46.61.0 netmask 255.255.255.0 0 0
access-group outside in interface outside
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 69.19.7.3 1
route inside 10.0.0.0 255.0.0.0 10.10.22.1 1
route inside 68.46.61.0 255.255.255.0 10.10.22.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 99.81.65.9 255.255.255.255 outside
http 4.2.63.38 255.255.255.255 outside
http 10.0.0.0 255.0.0.0 inside
http 68.46.61.6 255.255.255.248 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
isakmp keepalive 60 30
telnet 0.0.0.0 255.255.255.255 outside
telnet 255.255.255.255 255.255.255.255 outside
telnet 10.10.250.0 255.255.255.0 inside
telnet 10.10.22.0 255.255.255.252 inside
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 99.81.65.9 255.255.255.255 outside
ssh timeout 5
console timeout 0
vpdn group pigtest accept dialin pptp
vpdn group pigtest ppp authentication mschap
vpdn group pigtest ppp encryption mppe auto required
vpdn group pigtest client configuration address local p3
vpdn group pigtest client configuration dns 69.19.92.1 69.19.92.9
vpdn group pigtest pptp echo 60
vpdn group pigtest client authentication local
vpdn username EnoFang password *********
vpdn username test password *********
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
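A check a defender might run over the posted PIX configuration, as an added example that is not code from this thread or from Cisco (the config excerpts, the peer address 68.46.61.8 and the tightened ACL are constructed from values in the post). It parses the outside ACL, its inbound binding and the static translations, then reports whether the flows an IPSec peer behind the firewall needs (IKE on udp/500, ESP, and NAT-T on udp/4500) are permitted narrowly or only by a blanket `permit ip any any`.

```python
import ipaddress
# Constructed excerpt of the PIX 6.3 config posted above (example code, not the poster's or
# Cisco's): its outside ACL permits "ip any any", so IKE/ESP to 68.46.61.8 pass, as does all else.
POSTED_CONFIG = """
access-list outside permit ip any any
access-list outside permit icmp any any
access-group outside in interface outside
static (inside,outside) 68.46.61.0 68.46.61.0 netmask 255.255.255.0 0 0
"""
# Constructed least-privilege alternative: only IKE (udp/500) and ESP to that one peer.
TIGHT_CONFIG = """
access-list outside permit udp any host 68.46.61.8 eq 500
access-list outside permit esp any host 68.46.61.8
access-group outside in interface outside
static (inside,outside) 68.46.61.8 68.46.61.8 netmask 255.255.255.255 0 0
"""
# Inbound flows an IPSec peer behind the PIX needs: IKE, ESP and (behind NAT) NAT-T.
IPSEC_NEEDS = ("udp/500", "esp", "udp/4500")

def parse_pix(text):
    """Collect permit rules per ACL, inbound ACL bindings and static global/mask pairs."""
    acls, bindings, statics = {}, {}, []
    for p in (line.split() for line in text.splitlines()):
        if p[:1] == ["access-list"] and p[2] == "permit":
            acls.setdefault(p[1], []).append(p[3:])
        elif p[:1] == ["access-group"]:      # access-group NAME in interface IFACE
            bindings[p[4]] = p[1]
        elif p[:1] == ["static"]:            # static (in,out) GLOBAL LOCAL netmask MASK
            statics.append((p[2], p[5]))
    return acls, bindings, statics

def inbound_allowed(acls, bindings, iface, need):
    """'exact' if a rule permits just this proto/dest port, 'any-ip' if blanket 'permit ip' covers it, else None."""
    proto, _, port = need.partition("/")
    for rule in acls.get(bindings.get(iface, ""), []):
        if rule[0] == "ip":
            return "any-ip"
        if rule[0] == proto and (not port or rule[-2:] == ["eq", port]):
            return "exact"
    return None

def audit_ipsec_passthrough(text, peer):
    """Is the peer covered by a static, and how is each IPSec flow permitted inbound?"""
    acls, bindings, statics = parse_pix(text)
    host = ipaddress.ip_address(peer)
    report = {"static": any(host in ipaddress.ip_network(f"{g}/{m}", strict=False)
                            for g, m in statics)}
    report.update((n, inbound_allowed(acls, bindings, "outside", n)) for n in IPSEC_NEEDS)
    return report
```

Run against the posted excerpt every flow comes back "any-ip", which means the tunnel is not blocked by the ACL but the host is exposed to all inbound IP; the tightened excerpt returns "exact" for IKE and ESP and None for NAT-T, so udp/4500 would need its own rule if the peer sits behind a NAT device.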

16 Replies

What is this?

"We still got error 734"

Are you trying to use a Windows PPTP client to connect to an IPSEC Device?

Sorry, that doesn't count. I used Windows to test it and check how far I could go.