Help creating a VPN Tunnel - Pix 501 1710 Router

Hi Everyone,

Can anyone help me out here with a config I'm pulling my hair out with?

I am trying to create the following tunnel:

*Note that the dynamic outside addresses never change (beauty of cable modems)

1710 Router (E0 DHCP)-------Internet------(Outside DHCP)Pix 501

I have used configurations from the Cisco Press textbooks and from the Cisco site with no luck.

I have verified crypto maps on both sides, transform sets and so on.

Are there any pointers anyone can give for this? All of my configs appear fine but the tunnel does not appear. As well, I can never seem to ping from an inside address to an inside address on the peer - do I need to add in other routes?

Thanks in advance!

B. Gray

How about posting the configs that you have so far and we'll help you debug them. Naturally you will need to strip out your IPs and passwords.

None

It's big but....

Here's My current config on the Pix:

Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password VdNQtSmyp5pSIPcY encrypted
passwd VdNQtSmyp5pSIPcY encrypted
hostname superwall
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
object-group service RemoteAssistance tcp
  description Remote Assistance Port
  port-object range 3389 3389
object-group service UPnP tcp
  port-object range 5000 5000
object-group network pos
  description POS Stations
  network-object host 10.0.0.11
  network-object host 10.0.0.14
  network-object host 10.0.0.16
access-list inside_outbound_nat0_acl permit ip any 10.0.0.32 255.255.255.224
access-list noweb deny tcp object-group pos any eq www
access-list noweb permit ip any any
pager lines 24
logging on
logging timestamp
logging trap informational
logging host inside 10.0.0.2
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.0.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 10.0.0.40-10.0.0.50
pdm location 10.0.0.2 255.255.255.255 inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 dns 0 0
access-group noweb in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 128
vpdn group PPTP-VPDN-GROUP client configuration address local VPNPool
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username bsmith password *********
vpdn username bsmitty password *********
vpdn enable outside
dhcpd address 10.0.0.10-10.0.0.41 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:8b874c8b88d7786009a1ccb287287f05
: end
[OK]

Here's what I am attempting to use to create the tunnel; on both sides...

Dallas Router

***Creating IKE Policy

crypto isakmp policy 100
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

***Defining the Pre-shared Key & Peer

crypto isakmp key mrpix1 address 219.221.75.150 255.255.255.255

***Create the Transform-set

crypto ipsec transform-set 20 esp-3des esp-md5-hmac

***Configure IPSec SA Lifetimes

crypto ipsec security-association lifetime seconds 3600

***Create the Crypto ACL *Must match at both ends

access-list 105 permit ip 20.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255

***Create the Crypto Map

crypto map Houston 120 ipsec-isakmp
 match address 105
 set peer 219.221.75.150
 set pfs group2
 set transform-set 20
 set security-association lifetime seconds 3600

***Apply the Crypto Map to Interface

interface Ethernet0
 crypto map Houston

Houston PIX

***Enable IKE

isakmp enable outside

***Create IKE Policy

isakmp policy 100 authentication pre-share
isakmp policy 100 encryption 3des
isakmp policy 100 group 2
isakmp policy 100 hash md5
isakmp policy 100 lifetime 3600
isakmp identity address
isakmp enable outside

***Configure Pre-Shared Key

isakmp key mrpix1 address 78.127.140.189 netmask 255.255.255.255

***Do not nat traffic across tunnel

nat (inside) 0 access-list 105

***Create A Crypto Access List

access-list 105 permit ip 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0

***Configure a Transform-Set

crypto ipsec transform-set 20 esp-3des esp-md5-hmac

***Configure IPSec SA Lifetime

crypto ipsec security-association lifetime seconds 3600

***Create Crypto Map

crypto map Dallas 10 ipsec-isakmp
crypto map Dallas 10 match address 105
crypto map Dallas 10 set transform-set 20
crypto map Dallas 10 set peer 78.127.140.189
crypto map Dallas interface outside

***Bypass traffic checking through tunnel

sysopt connection permit-ipsec

Phew. I noted it all out before I began, but obviously I'm missing something. I never see the tunnel establish at all. Is it that I'm not defining traffic? Is it that I need to permit esp, ah and udp in access lists? Help, Help, Help!!!

There are only so many times I can look at the same configs. I have checked out the Cisco site and reread my Cisco Press book, but their examples do not seem to work as easily as they are laid out...or I am doing it wrong. :)

Thanks Everyone!

*I currently have nothing configured other than basic access to the internet on the 1710 router, but the pix is already going. In my next reply here I will post what I am putting in. Perhaps someone can see the error of my ways; personally I'm pulling my hair out...

B. Gray

:PIX Version 6.2(2)

That version has known security problems. You should upgrade to 6.2(5) -- it's free even if you don't have a support contract.

:access-list inside_outbound_nat0_acl permit ip any 10.0.0.32 255.255.255.224

:ip address outside dhcp setroute
:ip address inside 10.0.0.1 255.255.255.0

:ip local pool VPNPool 10.0.0.40-10.0.0.50

:global (outside) 1 interface
:nat (inside) 0 access-list inside_outbound_nat0_acl
:nat (inside) 1 0.0.0.0 0.0.0.0 dns 0 0

:vpdn group PPTP-VPDN-GROUP accept dialin pptp

:vpdn group PPTP-VPDN-GROUP client configuration address local VPNPool

:dhcpd address 10.0.0.10-10.0.0.41 inside

Your dhcpd address range (to be assigned to inside IPs) overlaps with your VPNPool address range (to be assigned to outside PPTP dialins).

It is not common to use "dialin" to a dynamic IP address: you would normally want to "dialout" from a device with a dynamic IP.

:Here's what I am attempting to use to create the tunnel; on both sides...

:***Create the Crypto ACL *Must match at both ends

:Access-list 105 permit ip 20.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255

But it doesn't. You don't have a specific crypto ACL assigned on the PIX, so for each VPN group dialin, it is going to create a new temporary ACL with a host netmask, not a /24 netmask. That will mess up your tunnels.

:Crypto map Houston 120 ipsec-isakmp
:Match address 105
:Set peer 219.221.75.150
:Set pfs group2
:Set transform-set 20
:Set security-association lifetime seconds 3600

You've defined an IPSec tunnel out of the 1710, but on the PIX end, you've defined PPTP instead of IPSec.

If you thought you were using EzVPN between the devices, then you need to configure 'vpnclient' or 'vpngroup' on the 501 rather than 'vpdn'.

Walter Roberson
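A small added check (my own script, not code from anyone in the thread) that mechanically applies two of Walter's points to the lines quoted above: whether the router's wildcard-mask crypto ACL and the PIX's netmask crypto ACL are exact mirror images, and whether the PIX dhcpd inside range overlaps the VPNPool handed to PPTP dial-ins. The sample lines are copied from the posted configs; the parsers only understand the `permit ip` and `a.b.c.d-e.f.g.h` forms seen here.

```python
import ipaddress
import re

# Constructed sample lines, copied from the thread's posted configs: the
# router crypto ACL uses IOS wildcard masks, the PIX one uses netmasks.
ROUTER_ACL = "access-list 105 permit ip 20.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255"
PIX_ACL = "access-list 105 permit ip 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0"
PIX_DHCPD = "dhcpd address 10.0.0.10-10.0.0.41 inside"
PIX_POOL = "ip local pool VPNPool 10.0.0.40-10.0.0.50"

ACL_RE = re.compile(r"access-list\s+\S+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
RANGE_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)")


def _network(addr, mask, wildcard):
    """Build a network from an address plus an IOS wildcard or a PIX netmask."""
    if wildcard:  # invert the wildcard bits to get a conventional netmask
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acl(line, wildcard):
    """Return (source, destination) networks for one 'permit ip' ACL line."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable ACL line: {line!r}")
    return (_network(m.group(1), m.group(2), wildcard),
            _network(m.group(3), m.group(4), wildcard))


def acls_mirror(router_line, pix_line):
    """True only when the PIX crypto ACL is the exact mirror of the router's."""
    r_src, r_dst = parse_acl(router_line, wildcard=True)
    p_src, p_dst = parse_acl(pix_line, wildcard=False)
    return r_src == p_dst and r_dst == p_src


def parse_range(line):
    """Return (first, last) as integers for an 'a.b.c.d-e.f.g.h' address range."""
    lo, hi = RANGE_RE.search(line).groups()
    return int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))


def pools_overlap(dhcpd_line, pool_line):
    """True when the inside dhcpd range and the VPN address pool share any address."""
    a_lo, a_hi = parse_range(dhcpd_line)
    b_lo, b_hi = parse_range(pool_line)
    return a_lo <= b_hi and b_lo <= a_hi


if __name__ == "__main__":
    print("crypto ACLs are mirror images:", acls_mirror(ROUTER_ACL, PIX_ACL))
    print("dhcpd range overlaps VPNPool:", pools_overlap(PIX_DHCPD, PIX_POOL))
```

Run against the posted lines it reports the ACLs as proper mirrors and flags the 10.0.0.40-10.0.0.41 overlap between the dhcpd range and VPNPool.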
