Issue with PIX to Route VPN


I am setting up a test VPN between a PIX 515 and 1841 Router running Firewall IOS. The Tunnel seems to come up fine and is encrypting traffic on the router side but there seems to be an issue on the PIX side as it does not seem to be encrypting/decrypting. I have checked the ACL used in the crypto map on the PIX and it seems to be fine. Can anyone help from the following configuration?

_____________________________________________________________ PIX

PIX# sh run : Saved : PIX Version 7.0(1) names ! interface Ethernet0 speed 100 duplex full nameif outside security-level 0 ip address ! interface Ethernet1 speed 100 duplex full nameif inside security-level 100 ip address ! interface Ethernet2 speed 100 duplex full nameif dmz security-level 50 ip address ! interface Ethernet3 shutdown no nameif no security-level no ip address ! interface Ethernet4 shutdown no nameif no security-level no ip address ! interface Ethernet5 shutdown no nameif no security-level no ip address ! enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted hostname PIX ftp mode passive access-list CRYPTO-ACL extended permit ip pager lines 24 mtu outside 1500 mtu inside 1500 mtu dmz 1500 ip audit name INFOPOLICY info action alarm reset ip audit interface inside INFOPOLICY ip audit signature 4052 disable no failover monitor-interface outside monitor-interface inside monitor-interface dmz no asdm history enable arp timeout 14400 route outside 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute no snmp-server location no snmp-server contact snmp-server enable traps snmp crypto ipsec transform-set TEST-TS esp-3des esp-sha-hmac crypto map RTR 10 match address CRYPTO-ACL crypto map RTR 10 set peer crypto map RTR 10 set transform-set TEST-TS crypto map RTR interface outside isakmp identity address isakmp enable outside isakmp policy 10 authentication pre-share isakmp policy 10 encryption 3des isakmp policy 10 hash sha isakmp policy 10 group 5 isakmp policy 10 lifetime 86400 isakmp policy 65535 authentication pre-share isakmp policy 65535 encryption 3des isakmp policy 65535 hash sha isakmp policy 65535 group 2 isakmp policy 65535 lifetime 86400 telnet timeout 5 ssh timeout 5 console timeout 0 tunnel-group type ipsec-l2l tunnel-group ipsec-attributes pre-shared-key * ! class-map inspection_default match default-inspection-traffic ! ! policy-map global_policy class inspection_default inspect dns maximum-length 512 inspect ftp inspect h323 h225 inspect h323 ras inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp ! service-policy global_policy global Cryptochecksum:d329d214da16974fe6a4972319bc7dc2 : end


1841 Router

TR# sh run Building configuration...

Current configuration : 1544 bytes ! version 12.4 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname RTR ! boot-start-marker boot-end-marker ! no aaa new-model ! resource policy ! mmi polling-interval 60 no mmi auto-configure no mmi pvc mmi snmp-timeout 180 ip subnet-zero ip cef ! no ip dhcp use vrf connected ! ip inspect name OUTBOUND icmp ip inspect name OUTBOUND http no ip ips deny-action ips-interface ! crypto isakmp policy 110 encr 3des authentication pre-share group 5 crypto isakmp key cisco address ! crypto ipsec transform-set MINE esp-3des esp-sha-hmac ! crypto map PIX-VPN 10 ipsec-isakmp set peer set transform-set MINE match address ENCR-ACL !! interface FastEthernet0/0 ip address duplex auto speed auto crypto map PIX-VPN ! interface FastEthernet0/1 ip address ip inspect OUTBOUND in duplex auto speed auto ! interface FastEthernet0/0/0 ! interface FastEthernet0/0/1 ! interface FastEthernet0/0/2 ! interface FastEthernet0/0/3 ! interface Vlan1 no ip address ! ip classless ip route ! ip http server no ip http secure-server ! ip access-list extended ACCESS-SRV permit icmp any host ip access-list extended ENCR-ACL permit ip ip access-list extended INBOUND-BLOCK deny ip any any ! control-plane ! line con 0 line aux 0 line vty 0 4 login ! end


Reply to
Loading thread data ...

Hmmm, lots and lots of bugs associated with that version.

Try knocking the transmitter down to group 2 -- 3DES group 5 is unusual enough that it might tickle one of the many bugs in 7.0(1).

Reply to
Walter Roberson

I will give that a shot Walter. Can you tell me though why you think the 3DES/DH-5 is an unusual combination?


Walter Robers> >

Reply to

Because the standard in our industry is group 1 or group 2, group 2 for almost 99% of what we do.

Reply to
Brian V Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.