Dave (Guest)
Posted: Tue Dec 06, 2005 5:08 am
Post subject: VPN - PIX to Cisco Router
Hi folks,
I'm having problems setting up a VPN connection between my PIX and a Cisco router which is managed in another location. I have no access to the router, but I have an engineer there who has sent me some of the config from it.
Any help will be greatly appreciated.
Dave
*** IP details ***
PIX Outside IP = 1.1.1.1
PIX Gateway is = 1.1.1.2
Managed Cisco Router's IP = 2.2.2.1
Managed Cisco Router's Gateway IP = 2.2.2.2
My inside network is 192.168.10.0 and 192.168.0.0
Devices on the other side of the VPN I need to connect to are 10.1.0.0/16 and 10.2.0.0/16
*** The following debug has been taken when the remote router tries to create the VPN ***
ISAKMP Phase 1 SA created (local 1.1.1.1/500 (responder), remote 2.2.2.1/500, authentication=pre-share, encryption=3DES-CBC, hash=MD5, group=1, lifetime=86400s)
<167>Dec 05 2005 17:53:49: %PIX-7-702205: ISAKMP Phase 2 retransmission (local 1.1.1.1 (responder), remote 2.2.2.1, message-ID 232779274)
<167>Dec 05 2005 17:53:58: %PIX-7-702207: ISAKMP duplicate packet detected (local 1.1.1.1 (responder), remote 2.2.2.1, message-ID 995176487)
*** The following debug has been taken when the PIX tries to create the VPN ***
ISAKMP Phase 1 retransmission (local 193.195.73.163 (initiator), remote 212.183.154.61)
*** PIX config ***
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXX
passwd XXXXX
hostname pix4
domain-name vianet.co.uk
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.1.0.0 GPRSNode1Network
name 10.2.0.0 GPRSNode2Network
access-list inside_outbound_nat0_acl permit ip any GPRSNode1Network 255.255.0.0
access-list inside_outbound_nat0_acl permit ip any GPRSNode2Network 255.255.0.0
access-list outside_cryptomap_20 permit ip any GPRSNode1Network 255.255.0.0
access-list outside_cryptomap_20 permit ip any GPRSNode2Network 255.255.0.0
access-list outside_access_in permit ip GPRSNode1Network 255.255.0.0 any log 7
access-list outside_access_in permit ip GPRSNode2Network 255.255.0.0 any log 7
access-list outside_access_in permit icmp any any log 7
access-list outside_access_in permit ip host 2.2.2.1 any log 7
pager lines 24
logging on
logging timestamp
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging
logging host inside 192.168.10.13
mtu outside 1500
mtu inside 1500
ip address outside 1.1.1.1 255.255.255.248
ip address inside 192.168.10.101 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.0 255.255.255.0 inside
pdm location GPRSNode1Network 255.255.0.0 outside
pdm location GPRSNode2Network 255.255.0.0 outside
pdm location 2.2.2.1 255.255.255.255 outside
pdm location 192.168.10.13 255.255.255.255 inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
route inside 192.168.0.0 255.255.255.0 192.168.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 2.2.2.1
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 2.2.2.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:be7dd4afa895ecc8fd697bf12656740e
: end
[OK]
*** The config from the router is ***
crypto isakmp key 12345 address 1.1.1.1
crypto ipsec transform-set vianet_set esp-3des esp-md5-hmac
crypto map vianet_map 1 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set vianet_set
 match address vianet_acl
interface FastEthernet0/0.4010
 description VPN Gi563 vianet.co.uk
 encapsulation dot1Q 4010
 ip address 192.168.200.17 255.255.255.252
 ip policy route-map f004010-f004011
 no cdp enable
!
interface FastEthernet0/0.4011
 description VPN Gi563 vianet.co.uk
 encapsulation dot1Q 4011
 ip address 2.2.2.1 255.255.255.252
 ip policy route-map f004011-f004010
 no cdp enable
 crypto map vianet_map
ip route 1.1.1.1 255.255.255.255 2.2.2.2 name vianet.co.uk
ip access-list extended vianet_acl
 permit ip 10.1.0.0 0.0.255.255 any
 permit ip 10.2.0.0 0.0.255.255 any

Oliver Rahn (Guest)
Posted: Tue Dec 06, 2005 5:20 pm
Post subject: Re: VPN - PIX to Cisco Router
On Tue, 5 Dec 2005, Dave wrote:
Hi,
> isakmp enable outside
> isakmp key ******** address 2.2.2.1 netmask 255.255.255.255 no-xauth no-config-mode
> isakmp policy 20 authentication pre-share
> isakmp policy 20 encryption 3des
> isakmp policy 20 hash md5
> isakmp policy 20 group 1
> isakmp policy 20 lifetime 86400
isakmp identity address
It can be that you have the problem that your PIX is sending the FQDN and the router expects the IP. You can send the IP instead of the FQDN with the above line.
oli

Dave (Guest)
Posted: Tue Dec 06, 2005 5:20 pm
Post subject: Re: VPN - PIX to Cisco Router
Tried that, didn't work, cheers anyway.

garrisb (Guest)
Posted: Fri Dec 09, 2005 9:21 am
Post subject: Re: VPN - PIX to Cisco Router
crypto isakmp policy <policy #>
 hash md5
 authentication pre-share
crypto isakmp key <key> address <address>
Is this section missing or was it cut off in your paste?
(It's been a while since I did it on a router.)
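As an added example (not code from the thread or from Cisco), here is a small Python checker that lines up the two excerpts Dave posted: it normalises the PIX netmask and IOS wildcard ACL forms to CIDR, verifies the crypto ACLs are mirror images, compares peers and transform sets, and flags that the router excerpt contains no crypto isakmp policy, which is what garrisb asks about. The embedded configs are trimmed copies of the post's excerpts with the PIX name aliases expanded, and the addresses are the placeholder ones from the post.

```python
import ipaddress
import re
# Constructed from the thread's two excerpts; PIX 'name' aliases expanded to addresses.
PIX_CFG = """\
access-list outside_cryptomap_20 permit ip any 10.1.0.0 255.255.0.0
access-list outside_cryptomap_20 permit ip any 10.2.0.0 255.255.0.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 set peer 2.2.2.1
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
"""
IOS_CFG = """\
crypto isakmp key 12345 address 1.1.1.1
crypto ipsec transform-set vianet_set esp-3des esp-md5-hmac
crypto map vianet_map 1 ipsec-isakmp
 set peer 1.1.1.1
ip access-list extended vianet_acl
 permit ip 10.1.0.0 0.0.255.255 any
 permit ip 10.2.0.0 0.0.255.255 any
"""
def net(spec):
    """'10.1.0.0 255.255.0.0' (PIX netmask) or '10.1.0.0 0.0.255.255' (IOS wildcard) -> CIDR."""
    if spec == "any":
        return "any"
    addr, mask = spec.split()
    return str(ipaddress.IPv4Network(f"{addr}/{mask}", strict=False))  # accepts either mask form

def crypto_acl(cfg):
    """(src, dst) pairs from the 'permit ip' lines, normalised so both dialects compare equal."""
    return {(net(s), net(d)) for s, d in re.findall(r"permit ip (any|\S+ \S+) (any|\S+ \S+)", cfg)}

def transforms(cfg):
    return {frozenset(t.split()) for t in re.findall(r"crypto ipsec transform-set \S+ (.+)", cfg)}

def check_pair(pix, ios, pix_ip, ios_ip):
    """Mismatches that would leave one side silently ignoring the other's proposals."""
    problems = []
    if f"set peer {ios_ip}" not in pix:
        problems.append(f"PIX does not peer with {ios_ip}")
    if f"set peer {pix_ip}" not in ios:
        problems.append(f"router does not peer with {pix_ip}")
    if transforms(pix) != transforms(ios):
        problems.append("IPsec transform sets differ")
    for src, dst in sorted(crypto_acl(pix)):  # crypto ACLs must be exact mirror images
        if (dst, src) not in crypto_acl(ios):
            problems.append(f"router crypto ACL does not mirror PIX entry {src} -> {dst}")
    if re.search(r"^isakmp policy", pix, re.M) and not re.search(r"^crypto isakmp policy", ios, re.M):
        problems.append("router excerpt shows no 'crypto isakmp policy'; Phase 1 parameters cannot be verified")
    return problems
```

Running `check_pair(PIX_CFG, IOS_CFG, "1.1.1.1", "2.2.2.1")` on the thread's excerpts reports only the missing router ISAKMP policy; swapping one transform or dropping one ACL line on either side makes the corresponding mismatch appear.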