Help With 1710 to Pix 501 VPN Tunnel

I am having trouble establishing a tunnel between two sites. I'm not sure what I'm missing here. The first part is my Pix config, the second part is what I'm putting into both sides for the tunnel.

Here's my current config on the Pix:

Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password VdNQtSmyp5pSIPcY encrypted
passwd VdNQtSmyp5pSIPcY encrypted
hostname superwall
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
object-group service RemoteAssistance tcp
  description Remote Assistance Port
  port-object range 3389 3389
object-group service UPnP tcp
  port-object range 5000 5000
object-group network pos
  description POS Stations
  network-object host 10.0.0.11
  network-object host 10.0.0.14
  network-object host 10.0.0.16
access-list inside_outbound_nat0_acl permit ip any 10.0.0.32 255.255.255.224
access-list noweb deny tcp object-group pos any eq www
access-list noweb permit ip any any
pager lines 24
logging on
logging timestamp
logging trap informational
logging host inside 10.0.0.2
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.0.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 10.0.0.40-10.0.0.50
pdm location 10.0.0.2 255.255.255.255 inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 dns 0 0
access-group noweb in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 128
vpdn group PPTP-VPDN-GROUP client configuration address local VPNPool
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username bsmith password *********
vpdn username bsmitty password *********
vpdn enable outside
dhcpd address 10.0.0.10-10.0.0.41 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:8b874c8b88d7786009a1ccb287287f05
: end
[OK]

Here's what I am attempting to use to create the tunnel; on both sides...

Dallas Router

***Creating IKE Policy

crypto isakmp policy 100
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

***Defining the Pre-shared Key & Peer

crypto isakmp key mrpix1 address 219.221.75.150 255.255.255.255

***Create the Transform-set

crypto ipsec transform-set 20 esp-3des esp-md5-hmac

***Configure IPSec SA Lifetimes

crypto ipsec security-association lifetime seconds 3600

***Create the Crypto ACL *Must match at both ends

access-list 105 permit ip 20.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255

***Create the Crypto Map

crypto map Houston 120 ipsec-isakmp
 match address 105
 ! 219.221.75.150 is the PIX outside address, which the PIX gets from DHCP
 ! (ip address outside dhcp); it has to stay fixed for this peer statement to work
 set peer 219.221.75.150
 ! PFS is required here; the PIX crypto map must match it (see the PIX side below)
 set pfs group2
 set transform-set 20
 set security-association lifetime seconds 3600

***Apply the Crypto Map to Interface

interface e0
 crypto map Houston
! If the 1710 also does NAT for internet access (ip nat inside source list ...),
! that NAT ACL must deny 20.0.0.0/24 -> 10.0.0.0/24; otherwise the traffic is
! translated before it is compared with crypto ACL 105 and never enters the tunnel.

Houston PIX

***Enable IKE

isakmp enable outside

***Create IKE Policy

isakmp policy 100 authentication pre-share
isakmp policy 100 encryption 3des
isakmp policy 100 group 2
isakmp policy 100 hash md5
isakmp policy 100 lifetime 3600
! the router policy uses lifetime 86400; IKE negotiates the lower value, so this
! difference alone will not stop the tunnel, but matching both sides keeps debugging simple
isakmp identity address

***Configure Pre-Shared Key

isakmp key mrpix1 address 78.127.140.189 netmask 255.255.255.255

***Do not nat traffic across tunnel

nat (inside) 0 access-list 105
! the PIX already has "nat (inside) 0 access-list inside_outbound_nat0_acl" for the
! PPTP pool; check with "show nat" that this line did not replace it, or add
! "permit ip 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0" to that ACL instead

***Create A Crypto Access List

access-list 105 permit ip 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0

***Configure a Transform-Set

crypto ipsec transform-set 20 esp-3des esp-md5-hmac

***Configure IPSec SA Lifetime

crypto ipsec security-association lifetime seconds 3600

***Create Crypto Map

crypto map Dallas 10 ipsec-isakmp
crypto map Dallas 10 match address 105
crypto map Dallas 10 set transform-set 20
crypto map Dallas 10 set peer 78.127.140.189
! the router map sets "pfs group2"; PFS has to match on both ends, so either add
! "crypto map Dallas 10 set pfs group2" here or drop "set pfs" on the router
crypto map Dallas interface outside
! binding the map to the interface takes the map name only, no sequence number

***Bypass traffic checking through tunnel

sysopt connection permit-ipsec

Phew. I noted it all out before I began, but obviously I'm missing something. I never see the tunnel establish at all. Is it that I'm not defining traffic? Is it that I need to permit esp, ah and udp in access lists? Help, Help, Help!!!

There are only so many times I can look at the same configs. I have checked out the Cisco site and reread my Cisco Press book, but their examples do not seem to work as easily as they are laid out...or I am doing it wrong. :)

Thanks Everyone!

*I currently have nothing configured other than basic access to the internet on the 1710 router, but the pix is already going. In my next reply here I will post what I am putting in. Perhaps someone can see the err of my ways; personally I'm pulling my hair out...
B. Gray
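As an added example (not part of B. Gray's post or of either device's config), a small Python check that turns the two crypto ACL lines from the post into networks and confirms they mirror each other, then lists which phase 1/phase 2 settings differ between the router and the PIX; the function and dict key names are this script's own.

```python
"""Mirror-check for the two sides of the site-to-site config quoted above (added example,
not from the post): parses one crypto ACL line per side (IOS wildcard masks vs PIX 6.x
subnet masks) and compares the settings each side proposes. Values are transcribed from the post."""
import ipaddress
import re

ACL_RE = re.compile(r"access-list\s+\S+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", re.I)
ALL_ONES = int(ipaddress.IPv4Address("255.255.255.255"))

def ios_net(addr, wildcard):
    """IOS ACLs use wildcard masks: 0.0.0.255 means /24."""
    mask = ipaddress.IPv4Address(ALL_ONES ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def pix_net(addr, netmask):
    """PIX 6.x ACLs use ordinary subnet masks: 255.255.255.0 means /24."""
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)

def parse_acl(line, style):
    """Return (source, destination) networks of a 'permit ip' ACL entry."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 'permit ip' entry: {line}")
    to_net = ios_net if style == "ios" else pix_net
    return to_net(m[1], m[2]), to_net(m[3], m[4])

def acls_mirror(ios_line, pix_line):
    """Crypto ACLs must be exact mirrors: one side's source is the other's destination."""
    ios_src, ios_dst = parse_acl(ios_line, "ios")
    pix_src, pix_dst = parse_acl(pix_line, "pix")
    return ios_src == pix_dst and ios_dst == pix_src

NEGOTIABLE = {"ike_lifetime"}  # IKE settles on the lower lifetime; everything else must match

def mismatches(a, b):
    """Return (fatal, negotiable) lists of setting names that differ between the peers."""
    diff = {k for k in a.keys() | b.keys() if a.get(k) != b.get(k)}
    return sorted(diff - NEGOTIABLE), sorted(diff & NEGOTIABLE)

ROUTER_ACL = "access-list 105 permit ip 20.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255"
PIX_ACL = "access-list 105 permit ip 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0"
ROUTER = {"ike_auth": "pre-share", "ike_enc": "3des", "ike_hash": "md5", "ike_group": 2,
          "ike_lifetime": 86400, "transform": "esp-3des esp-md5-hmac", "pfs": "group2"}
PIX = {"ike_auth": "pre-share", "ike_enc": "3des", "ike_hash": "md5", "ike_group": 2,
       "ike_lifetime": 3600, "transform": "esp-3des esp-md5-hmac", "pfs": None}

if __name__ == "__main__":
    print("crypto ACLs mirror each other:", acls_mirror(ROUTER_ACL, PIX_ACL))
    print("fatal / negotiable mismatches:", mismatches(ROUTER, PIX))
```

Run against the values in the post it reports the ACLs as mirrored and flags PFS as the one setting that must be reconciled before the lifetime difference is worth worrying about.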
