Pix 515e -> dynamic 851w

Greetings folks,

I am running into a tough issue (at least for me) here, allow me to describe:

I currently have a WAN between a few PIX 515Es in data centers and a static 851W at a remote office. I am trying to hook up another 851W, running Version 12.4(4)T7, with a dynamic IP into this WAN. I have targeted one of the 515Es, running Version 7.0(1), as the first point of entry into the WAN. All the devices are in a mesh (connecting to all the other nodes).

Anyways, I have read through and attempted to make the changes recommended by

formatting link
seemed perfect; alas, I am still not seeing any results. Additionally, I have read through many newsgroup postings; however, none seem to be on topic or correct.

So let me include some of my config based on the Cisco article and maybe a fresh set of eyes can figure out where I am going wrong. Understand that the PIX is working fine so there is no issue with internet connection, natting (though maybe on this connection).

Thanks for your help!

Dave

PIX 515E Version 7.0:

access-list inside_outbound_nat0_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.240

access-list outside_cryptomap_100 extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.240
access-list outside_cryptomap_100 extended permit ip 192.168.110.0 255.255.255.0 192.168.2.0 255.255.255.240

crypto dynamic-map dynmap 10 set transform-set ESP-DES-MD5
crypto map dyn-map 100 ipsec-isakmp dynamic dynmap
crypto map dyn-map interface outside

isakmp key ***** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 28800

851W Version 12.4:

crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 28800

crypto isakmp key ***** address xxx.xxx.xxx.xxx

crypto ipsec transform-set SF_Transform_Set esp-des esp-md5-hmac

crypto map SF_iC 3 ipsec-isakmp
 description Tunnel LA
 set peer xxx.xxx.xxx.xxx
 set transform-set SF_Transform_Set
 match address 102

interface FastEthernet4
 ip nat outside
 crypto map SF_iC

interface Dialer1
 ip nat outside

interface Vlan1
 no ip address
 ip nat inside

interface BVI1
 ip address 192.168.2.1 255.255.255.240
 ip nat inside

ip nat inside source route-map SF_RMAP interface Dialer1 overload

access-list 102 remark ACL to LA
access-list 102 permit ip 192.168.2.0 0.0.0.15 192.168.10.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.15 192.168.110.0 0.0.0.255

access-list 105 deny ip 192.168.2.0 0.0.0.15 192.168.10.0 0.0.0.255
access-list 105 permit ip 192.168.2.0 0.0.0.15 any

route-map SF_RMAP permit 1
 match ip address 105
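
A consistency check for the 851W ACLs posted above, added here as an example and not part of the original post: IOS applies inside-to-outside NAT before it evaluates the crypto map, so every flow in the crypto ACL (102) should hit a deny in the NAT route-map ACL (105). The function names are hypothetical, the input is a constructed copy of the posted ACL lines, and the check assumes contiguous wildcard masks and whole-entry coverage rather than partial overlaps.

```python
import ipaddress
import re

# Constructed input: the 851W permit/deny ACL entries from the post, one per line.
IOS_ACLS = """\
access-list 102 permit ip 192.168.2.0 0.0.0.15 192.168.10.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.15 192.168.110.0 0.0.0.255
access-list 105 deny ip 192.168.2.0 0.0.0.15 192.168.10.0 0.0.0.255
access-list 105 permit ip 192.168.2.0 0.0.0.15 any
"""

ACE = re.compile(r"access-list (\d+) (permit|deny) ip (\S+) (\S+) (any|\S+ \S+)")
ANY = ipaddress.ip_network("0.0.0.0/0")


def net(addr, wildcard):
    # ipaddress accepts a host mask (inverted netmask), which is the form
    # IOS wildcards take when they are contiguous.
    return ipaddress.ip_network(f"{addr}/{wildcard}")


def parse(text):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in config order."""
    acls = {}
    for num, action, src, swc, dst in ACE.findall(text):
        dnet = ANY if dst == "any" else net(*dst.split())
        acls.setdefault(num, []).append((action, net(src, swc), dnet))
    return acls


def nat_verdict(flow_src, flow_dst, nat_acl):
    # First matching entry wins; an ACL ends with an implicit deny.
    for action, s, d in nat_acl:
        if flow_src.subnet_of(s) and flow_dst.subnet_of(d):
            return action
    return "deny"


def translated_vpn_flows(acls, crypto="102", nat="105"):
    """Crypto-ACL flows that the NAT ACL permits, i.e. would be translated
    before the crypto map sees them and so would no longer match it."""
    return [(str(s), str(d)) for action, s, d in acls[crypto]
            if action == "permit" and nat_verdict(s, d, acls[nat]) == "permit"]


if __name__ == "__main__":
    for src, dst in translated_vpn_flows(parse(IOS_ACLS)):
        print(f"crypto flow {src} -> {dst} is not exempt from NAT")
```

The same comparison can be made on the PIX side between the crypto ACL and the NAT exemption ACL, after converting the PIX netmasks instead of wildcards.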
