
Site-Site VPN tunnel in Cisco Pix 515E Version 6.3(1)

Ramu Ch
Level 1

Hi Team,

How can we configure a Site-Site VPN tunnel on an older Cisco PIX 515E Version 6.3(1)? I have experience with the latest Cisco ASA firewalls, but it seems that crypto is not supported on the Cisco PIX 515E. See the following command output from when I tried to configure it on the PIX:

FIREWALL(config)# isakmp enable outside
ISAKMP cannot be enabled since fixup protocol esp-ike is enabled.  Please correct

What does the message "ISAKMP cannot be enabled since fixup protocol esp-ike is enabled.  Please correct" mean?

Please see the sh version output:

FIREWALL# sh ver

Cisco PIX Firewall Version 6.3(1)
Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 19-Mar-03 11:49 by morlee

STPI-FIREWALL up 115 days 22 hours

Hardware:   PIX-515E, 32 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 000d.2832.11cb, irq 10
1: ethernet1: address is 000d.2832.11cc, irq 11
2: ethernet2: address is 0002.b3b6.cff9, irq 5
Licensed Features:
Failover:           Disabled
VPN-DES:            Enabled
VPN-3DES-AES:       Disabled
Maximum Interfaces: 3
Cut-through Proxy:  Enabled
Guards:             Enabled
URL-filtering:      Enabled
Inside Hosts:       Unlimited
Throughput:         Unlimited
IKE peers:          Unlimited

This PIX has a Restricted (R) license.

Serial Number: 807211327 (0x301d113f)
Running Activation Key: 0x55320d37 0xdc70af37 0x9734ac1f 0xf28fcb14
Configuration last modified by enable_15 at 21:56:22.117 UTC Wed Nov 24 2010

Is it because the firewall has a Restricted (R) license? Please help me with this.

Regards

Ramu

9 Replies

Jennifer Halim
Cisco Employee

You can either terminate or pass through IPSec VPN on that version.

If you would like to terminate the IPSec VPN on that PIX, then you can disable the fixup if you are not passing through IPSec traffic on the PIX:

no fixup protocol esp-ike

From the show version output, it seems that you only have DES license. You can upgrade it to 3DES license for free if you are going to configure 3DES or AES encryption policy.

Hope that helps.

Hi,

Thanks for your quick reply.

I am configuring a Site-Site VPN tunnel on this PIX 515E. How can I upgrade the license for free?

My query is how I can determine for myself and decide whether the license upgrade is free or needs to be purchased, as you said.

The IPSec data traffic is in both directions, meaning we will send/receive data over the VPN. Please guide us now.

Regards

Ramu

Jennifer Halim
Cisco Employee

Here is the URL to obtain the 3DES license:

https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?DemoKeys=Y

and click on the "Cisco PIX Security Appliance 3DES/AES License" to obtain the 3DES license.

Hi,

Thanks again for the quick response.

But it is asking for a CCO username & password. What would the details be? Is the default cisco/cisco?

Regards

Ramu

You would need to have a valid CCO ID that links to the Smartnet contract for your PIX515E.

Thanks.

Until I set no fixup protocol esp-ike on the firewall, I can establish the IPSec VPN.

As this firewall is in production and is used for Internet access for users, will it affect the users' traffic if I configure no fixup protocol esp-ike on the firewall?

Please suggest.

Sorry for troubling you with all these queries, as I am running short of time and I am unable to find good documentation.

Regards

Ramu

Do you have any IPSec traffic passing through the PIX at the moment?

If you don't have any IPSec traffic passing through the PIX, then it is safe to disable that fixup.

Thanks, Jennifer.

Will do it.

Regards

Ramu

How does it go? Please kindly mark the post as answered if you have no further questions. Thanks.
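
The two blockers raised in this thread (the esp-ike fixup that stops isakmp enable, and the DES-only license) can be checked before a change window. The following is an added example, not part of the original thread and not Cisco tooling; the function names and sample inputs are constructed for illustration, and it assumes the running configuration and show version output have been saved as text.

```python
import re

# Constructed sample inputs, modelled on the output quoted in the thread.
SAMPLE_SHOW_VERSION = """\
Cisco PIX Firewall Version 6.3(1)
Licensed Features:
Failover:           Disabled
VPN-DES:            Enabled
VPN-3DES-AES:       Disabled
"""
SAMPLE_CONFIG = """\
fixup protocol esp-ike
isakmp policy 10 encryption 3des
crypto ipsec transform-set VPNSET esp-3des esp-sha-hmac
"""

def licensed_features(show_version):
    """Map each 'Name:  Enabled|Disabled' line of show version to a boolean."""
    feats = {}
    for line in show_version.splitlines():
        name, sep, value = line.partition(":")
        if sep and value.strip() in ("Enabled", "Disabled"):
            feats[name.strip()] = value.strip() == "Enabled"
    return feats

def preflight(show_version, config):
    """List findings that block terminating an IPsec tunnel on the PIX."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    # Blocker 1: with the esp-ike fixup on, 'isakmp enable' is refused.
    if "fixup protocol esp-ike" in lines:
        findings.append("esp-ike fixup enabled: 'isakmp enable' will be refused")
    # Blocker 2: 3DES/AES proposals need the VPN-3DES-AES license.
    feats = licensed_features(show_version)
    strong = re.compile(r"\b(?:esp-)?(?:3des|aes(?:-\d+)?)\b")
    if not feats.get("VPN-3DES-AES", False):
        for l in lines:
            if l.startswith(("isakmp policy", "crypto ipsec transform-set")) \
                    and strong.search(l):
                findings.append("needs VPN-3DES-AES license: " + l)
    if not (feats.get("VPN-DES") or feats.get("VPN-3DES-AES")):
        findings.append("no VPN encryption license enabled")
    return findings

if __name__ == "__main__":
    for finding in preflight(SAMPLE_SHOW_VERSION, SAMPLE_CONFIG):
        print(finding)
```

An empty list only means these two blockers are absent; whether disabling the fixup is safe still depends on whether IPSec traffic passes through the PIX, as asked above.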