simple lab site to site vpn does not work - pix to pix

anand.narine1
Level 1

Hi all, I have a home lab and am trying to set up a site-to-site VPN between 2 Cisco PIX 501 devices, but it does not work. Can someone help? I have attached the following running configs. Thanks.

PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password NuLKvvWGg.x9HEKO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname CiscoPix2
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list ping_acl permit icmp any any
access-list 90 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.2 255.255.255.0
ip address inside 192.168.1.100 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 90
access-group ping_acl in interface outside
access-group ping_acl in interface inside
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map topix1 20 ipsec-isakmp
crypto map topix1 20 match address 100
crypto map topix1 20 set peer 10.0.0.1
crypto map topix1 20 set transform-set strong
crypto map topix1 interface outside
isakmp enable outside
isakmp key ******** address 10.0.0.1 netmask 255.255.255.255
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash sha
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:81f37c16401555abe7299b5a95e69d3d
: end

//////////////////////////////////////////////////////////////

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password NuLKvvWGg.x9HEKO encrypted
passwd NuLKvvWGg.x9HEKO encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ping_acl permit icmp any any
access-list 90 permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.1 255.255.255.0
ip address inside 192.168.0.100 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 90
access-group ping_acl in interface outside
access-group ping_acl in interface inside
route outside 0.0.0.0 0.0.0.0 10.0.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map topix2 20 ipsec-isakmp
crypto map topix2 20 match address 100
crypto map topix2 20 set peer 10.0.0.2
crypto map topix2 20 set transform-set strong
crypto map topix2 interface outside
isakmp enable outside
isakmp key ******** address 10.0.0.2 netmask 255.255.255.255
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash sha
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:4558d14bca52c36021eeab79729ee63b
: end

Accepted Solution

Richard Burts
Hall of Fame

The first problem that I see is that the access list used to identify the VPN traffic permits traffic from your inside subnet to the outside subnet of the peer but not to the inside subnet of the peer.

HTH

Rick

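To make Rick's point concrete, here is an added Python check (not code from the thread or from Cisco) that parses constructed excerpts of the two posted configs and reports the two things that keep this tunnel down: a crypto ACL whose destination is the peer's outside subnet, and proxy IDs that are not mirror images of each other. The excerpts keep only the lines the check needs; everything else is left out.

```python
import ipaddress
import re

# Constructed excerpts of the two PIX configs posted above (only the lines the
# check needs, not the full running configs).
PIX2_BROKEN = """\
access-list 100 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
ip address outside 10.0.0.2 255.255.255.0
crypto map topix1 20 match address 100
crypto map topix1 20 set peer 10.0.0.1
isakmp key ******** address 10.0.0.1 netmask 255.255.255.255
"""
PIX1_BROKEN = """\
access-list 100 permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
ip address outside 10.0.0.1 255.255.255.0
crypto map topix2 20 match address 100
crypto map topix2 20 set peer 10.0.0.2
isakmp key ******** address 10.0.0.2 netmask 255.255.255.255
"""
# The fix from the thread: the ACL destination becomes the peer's INSIDE subnet.
PIX2_FIXED = PIX2_BROKEN.replace("10.0.0.0 255.255.255.0", "192.168.0.0 255.255.255.0")
PIX1_FIXED = PIX1_BROKEN.replace("10.0.0.0 255.255.255.0", "192.168.1.0 255.255.255.0")

def parse(cfg):
    """Pull out the outside address, peer, ISAKMP key peer and crypto ACL entries."""
    acls = {}
    for m in re.finditer(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", cfg, re.M):
        acls.setdefault(m[1], []).append(((m[2], m[3]), (m[4], m[5])))
    grab = lambda pat: re.search(pat, cfg, re.M)[1]
    acl_id = grab(r"^crypto map \S+ \d+ match address (\S+)")
    return {"outside": grab(r"^ip address outside (\S+)"),
            "peer": grab(r"^crypto map \S+ \d+ set peer (\S+)"),
            "key_peer": grab(r"^isakmp key \S+ address (\S+)"),
            "acl": acls.get(acl_id, [])}

def check_pair(cfg_a, cfg_b):
    """Return findings for a PIX-to-PIX pair; an empty list means the ends agree."""
    ends = {"A": parse(cfg_a), "B": parse(cfg_b)}
    findings = []
    for name, other in (("A", "B"), ("B", "A")):
        me, you = ends[name], ends[other]
        if me["peer"] != you["outside"]:
            findings.append(f"{name}: set peer {me['peer']} is not {other}'s outside address")
        if me["key_peer"] != me["peer"]:
            findings.append(f"{name}: isakmp key address differs from set peer")
        mirror = {(dst, src) for src, dst in you["acl"]}  # other end's entries, reversed
        for src, dst in me["acl"]:
            net = ipaddress.ip_network(f"{dst[0]}/{dst[1]}")
            if ipaddress.ip_address(me["peer"]) in net:
                findings.append(f"{name}: crypto ACL destination {net} is the peer's OUTSIDE subnet")
            if (src, dst) not in mirror:
                findings.append(f"{name}: proxy ID {src[0]} -> {dst[0]} has no mirror entry on {other}")
    return findings
```

Run against the broken pair it reports four findings (two per end); against the corrected pair it reports none.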


Yes, I just noticed that. Changing that now. Will let you know in a second.

Changed the access lists to the following and it works fine now. Thanks.

PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password NuLKvvWGg.x9HEKO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname CiscoPix2
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list ping_acl permit icmp any any
access-list 90 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.2 255.255.255.0
ip address inside 192.168.1.100 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 90
access-group ping_acl in interface outside
access-group ping_acl in interface inside
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map topix1 20 ipsec-isakmp
crypto map topix1 20 match address 100
crypto map topix1 20 set peer 10.0.0.1
crypto map topix1 20 set transform-set strong
crypto map topix1 interface outside
isakmp enable outside
isakmp key ******** address 10.0.0.1 netmask 255.255.255.255
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash sha
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:2c2208bf5a797b9a2cadc82765993d2b
: end

////////////////////////////////////////////////////////////////////////////

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password NuLKvvWGg.x9HEKO encrypted
passwd NuLKvvWGg.x9HEKO encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ping_acl permit icmp any any
access-list 90 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.1 255.255.255.0
ip address inside 192.168.0.100 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 90
access-group ping_acl in interface outside
access-group ping_acl in interface inside
route outside 0.0.0.0 0.0.0.0 10.0.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map topix2 20 ipsec-isakmp
crypto map topix2 20 match address 100
crypto map topix2 20 set peer 10.0.0.2
crypto map topix2 20 set transform-set strong
crypto map topix2 interface outside
isakmp enable outside
isakmp key ******** address 10.0.0.2 netmask 255.255.255.255
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash sha
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:a6fc51fba2fb1f4c0d36ddc446413ea6
: end

//////////////////////////////////////////////////////////////

I am glad that my suggestion pointed you in the right direction. Thanks for posting back to the forum and confirming that fixing this did allow the VPN to work.

HTH

Rick
