Pix 501 - Site-to-Site VPN Tunnel

Hello NG

I have now tried multiple times to create a site-to-site VPN tunnel between 2 Cisco PIX 501 firewalls.

I have tried through the GUI and the CLI. I have even used Cisco's own configuration guide, but without any luck.

Anyone who has a solution, please reply.

~Peter

Reply to
Peter

Without the configs it is impossible to tell what you are doing wrong.

Is the tunnel being formed but no traffic passed?

Is the IKE negotiation successful?

Peter ?

Reply to
Peter Simons

: Saved
: Written by enable_15 at 07:11:41.030 UTC Tue Jan 31 2006
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password cxcxcxcxcx encrypted
passwd cxcxcxcxc encrypted
hostname RAFWAALHV-01
domain-name d.d.dk
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 90 permit ip 192.168.1.0 255.255.255.0 10.240.0.0 255.240.0.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 217.157.22.117 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 90
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map ToRALAal 20 ipsec-isakmp
crypto map ToRALAal 20 match address 90
crypto map ToRALAal 20 set peer 217.157.22.116
crypto map ToRALAal 20 set transform-set strong
crypto map ToRALAal interface outside
isakmp enable outside
isakmp key cxcxcxcxcx address 217.157.22.116 netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:5099c8704845c8b6156d2ed9b1fac2a2
: end

There is no tunnel formed.

~Peter

Reply to
Peter

Try this (change the fake IPs):

Location 1

IP outside 90.90.90.112
IP inside 10.0.0.254 (network 255.255.255.0)

VPN Tunnel Configuration

access-list 90 permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 90
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map toDataCenter 20 ipsec-isakmp
crypto map toDataCenter 20 match address 90
crypto map toDataCenter 20 set peer 85.85.85.112
crypto map toDataCenter 20 set transform-set strong
crypto map toDataCenter interface outside
isakmp enable outside
isakmp key ************ address 85.85.85.112 netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des

Location 2

IP outside 85.85.85.112
IP inside 192.168.1.254 (network 255.255.255.0)

VPN Tunnel Configuration

access-list 80 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list 80
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map toChepside 10 ipsec-isakmp
crypto map toChepside 10 match address 80
crypto map toChepside 10 set peer 90.90.90.112
crypto map toChepside 10 set transform-set strong
crypto map toChepside interface outside
isakmp enable outside
isakmp key ************ address 90.90.90.112 netmask 255.255.255.255
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des

To check:

1st command: sh isakmp sa
2nd command: sh ipsec sa
Reply to
Robert

Don't use the same ACL for two different purposes (e.g., nat 0 and crypto map). There are some situations where it is promised that it definitely will not work, and there are some situations where it simply doesn't work properly.

It isn't worth your time trying to track down the cases that work without bugs, seeing as that might change in the next subrelease.

Reply to
Walter Roberson
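The two configs Robert posted are meant to be mirror images of each other, and Walter's objection is that each of them also hands the crypto ACL to `nat 0`. The following Python lint is an added example, not code from the thread or from Cisco: it parses two PIX 6.x-style config snippets and reports exactly those things, a crypto ACL that is also the `nat 0` ACL, a `set peer` that does not point at the other site's outside address or has no matching `isakmp key`, crypto ACLs that are not mirror images, and transform sets that differ. The sample inputs are Robert's Location 1 and Location 2 snippets with his fake IPs (written with `nat (inside) 0` on both sides), plus a constructed variant of Location 2 with a wrong mask on the far side so the mirror check has something to find.

```python
"""Lint a pair of PIX 6.x site-to-site VPN configs for the mistakes raised in the
thread. Added example; the inputs below are Robert's fake-IP snippets plus one
constructed mismatched variant, not a real deployment."""
import re
from collections import defaultdict

# Location 1 as posted by Robert (fake IPs), trimmed to the VPN-relevant lines.
SITE_A = """\
ip address outside 90.90.90.112 255.255.255.0
access-list 90 permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 90
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map toDataCenter 20 ipsec-isakmp
crypto map toDataCenter 20 match address 90
crypto map toDataCenter 20 set peer 85.85.85.112
crypto map toDataCenter 20 set transform-set strong
crypto map toDataCenter interface outside
isakmp key ************ address 85.85.85.112 netmask 255.255.255.255
"""

# Location 2 as posted by Robert (fake IPs).
SITE_B = """\
ip address outside 85.85.85.112 255.255.255.0
access-list 80 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list 80
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map toChepside 10 ipsec-isakmp
crypto map toChepside 10 match address 80
crypto map toChepside 10 set peer 90.90.90.112
crypto map toChepside 10 set transform-set strong
crypto map toChepside interface outside
isakmp key ************ address 90.90.90.112 netmask 255.255.255.255
"""

# Constructed variant of Location 2: separate no-NAT ACL (Walter's advice),
# but the crypto ACL's far-side mask is /16 instead of /24, so it no longer
# mirrors Location 1's ACL 90.
SITE_B_MISMATCH = SITE_B.replace(
    "access-list 80 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0",
    "access-list 80 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.0.0\n"
    "access-list nonat permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0",
).replace("nat (inside) 0 access-list 80", "nat (inside) 0 access-list nonat")


def parse(config):
    """Pull the VPN-relevant statements out of a PIX config into plain dicts."""
    s = {"outside": None, "acl": defaultdict(list), "nat0": set(), "map_acl": {},
         "peer": {}, "map_ts": {}, "ts": {}, "key_addr": set()}
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"ip address outside (\S+) \S+", line):
            s["outside"] = m.group(1)
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            s["acl"][m.group(1)].append(m.groups()[1:])      # (src, smask, dst, dmask)
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            s["nat0"].add(m.group(1))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            s["ts"][m.group(1)] = tuple(m.group(2).split())
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)", line):
            s["map_acl"][(m.group(1), m.group(2))] = m.group(3)
        elif m := re.match(r"crypto map (\S+) (\d+) set peer (\S+)", line):
            s["peer"][(m.group(1), m.group(2))] = m.group(3)
        elif m := re.match(r"crypto map (\S+) (\d+) set transform-set (\S+)", line):
            s["map_ts"][(m.group(1), m.group(2))] = m.group(3)
        elif m := re.match(r"isakmp key \S+ address (\S+)", line):
            s["key_addr"].add(m.group(1))
    return s


def lint_site(site, name):
    """Per-box checks: shared nat 0 / crypto ACL, peer without a pre-shared key."""
    findings = []
    for acl in sorted(site["nat0"] & set(site["map_acl"].values())):
        findings.append(f"{name}: ACL {acl} is used by both 'nat 0' and a crypto map; "
                        "give the crypto map its own ACL")
    for (cmap, seq), peer in site["peer"].items():
        if peer not in site["key_addr"]:
            findings.append(f"{name}: crypto map {cmap} {seq} peers with {peer} "
                            f"but there is no 'isakmp key ... address {peer}'")
    return findings


def tunnel_view(site, far_outside):
    """Flows and transform sets of every crypto map entry that peers with far_outside."""
    flows, transforms = set(), set()
    for entry, peer in site["peer"].items():
        if peer != far_outside:
            continue
        flows.update(site["acl"].get(site["map_acl"].get(entry), []))
        ts_name = site["map_ts"].get(entry)
        if ts_name in site["ts"]:
            transforms.add(site["ts"][ts_name])
    return flows, transforms


def lint_pair(cfg_a, cfg_b, name_a="A", name_b="B"):
    """Cross-box checks: each side must peer with the other and mirror its ACL."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = lint_site(a, name_a) + lint_site(b, name_b)
    flows_a, ts_a = tunnel_view(a, b["outside"])
    flows_b, ts_b = tunnel_view(b, a["outside"])
    if not flows_a:
        findings.append(f"{name_a}: no crypto map entry peers with {name_b} ({b['outside']})")
    if not flows_b:
        findings.append(f"{name_b}: no crypto map entry peers with {name_a} ({a['outside']})")
    mirrored_b = {(d, dm, s, sm) for (s, sm, d, dm) in flows_b}   # B's ACL seen from A
    if flows_a and flows_b and flows_a != mirrored_b:
        findings.append(f"crypto ACLs are not mirror images: only on {name_a} "
                        f"{sorted(flows_a - mirrored_b)}, only on {name_b} "
                        f"{sorted(mirrored_b - flows_a)} (shown from {name_a}'s side)")
    if ts_a and ts_b and ts_a != ts_b:
        findings.append(f"transform sets differ: {name_a} {sorted(ts_a)} vs {name_b} {sorted(ts_b)}")
    return findings


if __name__ == "__main__":
    for label, far in (("as posted", SITE_B), ("mismatched mask", SITE_B_MISMATCH)):
        print(f"== Location 2 {label} ==")
        for f in lint_pair(SITE_A, far, "Location 1", "Location 2") or ["no findings"]:
            print(" ", f)
```

Run against Robert's snippets as posted, the only findings are the two shared-ACL warnings Walter describes; against the constructed variant, Location 2 is clean on that point but the mirror check reports the /16 against Location 1's /24. Both `sh isakmp sa` and `sh ipsec sa` will still be needed on the box itself, but a static check like this catches the copy-and-edit mistakes before the firewalls are touched.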

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.