Greetings folks,
I am running into a tough issue (at least for me) here; allow me to describe:
I currently have a WAN between a few PIX 515Es in data centers and a static 851W at a remote office. I am trying to hook up another 851W, running Version 12.4(4)T7, with a dynamic IP into this WAN. I have targeted one of the 515Es, running Version 7.0(1), as the first point of entry into the WAN. All the devices are in a mesh (connecting to all the other nodes).
Anyways, I have read through and attempted to make the changes recommended by
So let me include some of my config based on the Cisco article, and maybe a fresh set of eyes can figure out where I am going wrong. Understand that the PIX is working fine, so there is no issue with internet connection, natting (though maybe on this connection).
Thanks for your help!
Dave
PIX 515E Version 7.0:

access-list inside_outbound_nat0_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.240
access-list outside_cryptomap_100 extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.240
access-list outside_cryptomap_100 extended permit ip 192.168.110.0 255.255.255.0 192.168.2.0 255.255.255.240
crypto dynamic-map dynmap 10 set transform-set ESP-DES-MD5
crypto map dyn-map 100 ipsec-isakmp dynamic dynmap
crypto map dyn-map interface outside
isakmp key ***** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 28800

851W Version 12.4:

crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 28800
crypto isakmp key ***** address xxx.xxx.xxx.xxx
crypto ipsec transform-set SF_Transform_Set esp-des esp-md5-hmac
crypto map SF_iC 3 ipsec-isakmp
 description Tunnel LA
 set peer xxx.xxx.xxx.xxx
 set transform-set SF_Transform_Set
 match address 102
interface FastEthernet4
 ip nat outside
 crypto map SF_iC
interface Dialer1
 ip nat outside
interface Vlan1
 no ip address
 ip nat inside
interface BVI1
 ip address 192.168.2.1 255.255.255.240
 ip nat inside
ip nat inside source route-map SF_RMAP interface Dialer1 overload
access-list 102 remark ACL to LA
access-list 102 permit ip 192.168.2.0 0.0.0.15 192.168.10.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.15 192.168.110.0 0.0.0.255
access-list 105 deny ip 192.168.2.0 0.0.0.15 192.168.10.0 0.0.0.255
access-list 105 permit ip 192.168.2.0 0.0.0.15 any
route-map SF_RMAP permit 1
 match ip address 105
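
An added example, not part of the post above: a Python check over the ACL lines posted there (embedded as constructed sample input) that the 851W crypto ACL 102 mirrors the PIX's outside_cryptomap_100, and that every flow in ACL 102 is denied by the NAT route-map ACL 105 before its permit. The function names are hypothetical, and matching by subnet containment is a simplification of first-match ACL evaluation.

```python
import ipaddress

# Constructed sample input: the ACL lines as posted in the question above.
PIX_ACL = """\
access-list outside_cryptomap_100 extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.240
access-list outside_cryptomap_100 extended permit ip 192.168.110.0 255.255.255.0 192.168.2.0 255.255.255.240
"""
IOS_ACL = """\
access-list 102 permit ip 192.168.2.0 0.0.0.15 192.168.10.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.15 192.168.110.0 0.0.0.255
access-list 105 deny ip 192.168.2.0 0.0.0.15 192.168.10.0 0.0.0.255
access-list 105 permit ip 192.168.2.0 0.0.0.15 any
"""

def parse(text, name):
    """Return [(action, src_net, dst_net)] for one ACL; handles netmask and wildcard forms."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "access-list" or tok[1] != name or tok[2] == "remark":
            continue
        if tok[2] == "extended":          # PIX 7.x keyword, absent on IOS
            tok.pop(2)
        action, rest, nets = tok[2], tok[4:], []
        while rest:
            is_any = rest[0] == "any"
            nets.append(ipaddress.ip_network("0.0.0.0/0" if is_any else f"{rest[0]}/{rest[1]}"))
            rest = rest[1:] if is_any else rest[2:]
        rules.append((action, nets[0], nets[1]))
    return rules

def unmirrored(hub_rules, spoke_rules):
    """Hub crypto-ACL permits that have no reversed (dst, src) permit on the spoke."""
    spoke = {(s, d) for a, s, d in spoke_rules if a == "permit"}
    return [(s, d) for a, s, d in hub_rules if a == "permit" and (d, s) not in spoke]

def natted_tunnel_flows(crypto_rules, nat_rules):
    """Crypto-ACL flows whose first containing NAT-ACL rule is a permit (they get translated)."""
    hits = []
    for a, s, d in crypto_rules:
        if a != "permit":
            continue
        for na, ns, nd in nat_rules:
            if s.subnet_of(ns) and d.subnet_of(nd):
                if na == "permit":
                    hits.append((s, d))
                break
    return hits
```

On the posted lines the mirror check comes back empty, while the NAT check returns 192.168.2.0/28 to 192.168.110.0/24, the one tunnel flow that ACL 105 permits for translation.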