VPN site to site problem

Leif,

Within the cryptomap outside_map you use a transform-set called Nordalen. However, there is no transform-set with this name. Also make sure yor peer uses the same credentials.

Good luck.

Patrick

In article , newbee wrote: :Hi, I have a problem to get VPN connection from a pix 501 to another :pix 501. I can't see the error in this config:

:access-list acl_out permit icmp any any :access-list inside_outbound_nat0_acl permit ip x.x.x.x 255.255.255.0 x.x.x.x

255.255.255.0 :access-list outside_cryptomap_20 permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0

:ip address outside x.x.x.x 255.255.255.0 :ip address inside x.x.x.x 255.255.255.0

You cannot use the same IP address range on both interfaces.

You probably didn't really use the same address in both places, but in obscuring the addresses you erase information we needed to evaluate whether the VPN would work. You have to leave in enough information for us to be able to tell whether the proper range of addresses has been used everywhere.

:isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode :isakmp peer ip x.x.x.x no-xauth no-config-mode

You cannot use "isakmp peer" with pre-shared keys.

Thanks for your reply!

Sorry for the incomplete config. Here is a modified config. Maybye this is a bit clearer :-)

interface ethernet0 100basetx interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password lhSmIyUoB09JU/08 encrypted passwd lhSmIyUoB09JU/08 encrypted hostname pix1 domain-name X.com clock timezone CEST 1 clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00 fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol pptp 1723 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names access-list acl_out permit icmp any any access-list 100 permit ip 10.0.0.0 255.255.255.0 10.0.8.0 255.255.255.0 pager lines 24 mtu outside 1500 mtu inside 1500 ip address outside x.x.244.26 255.255.255.0 ip address inside 10.0.0.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm pdm location 10.0.0.0 255.255.255.0 inside pdm location x.x.231.0 255.255.255.0 outside pdm location x.x.63.5 255.255.255.255 outside pdm location x.x.207.0 255.255.255.0 outside pdm logging informational 100 pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 1 0.0.0.0 0.0.0.0 0 0 route outside 0.0.0.0 0.0.0.0 x.x.244.1 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225

1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local http server enable http x.x.231.0 255.255.255.0 outside http x.x.63.5 255.255.255.255 outside http 10.0.0.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec crypto ipsec transform-set myset esp-des esp-md5-hmac crypto map mymap 10 ipsec-isakmp crypto map mymap 10 match address 100 crypto map mymap 10 set peer x.x.63.5 crypto map mymap 10 set transform-set myset crypto map mymap interface outside isakmp enable outside isakmp key ******** address x.x.63.5 netmask 255.255.255.255 no-xauth no-config-mode isakmp identity address isakmp policy 10 authentication pre-share isakmp policy 10 encryption des isakmp policy 10 hash md5 isakmp policy 10 group 2 isakmp policy 10 lifetime 86400 telnet x.x.231.16 255.255.255.255 outside telnet timeout 5 ssh x.x.231.0 255.255.255.0 outside ssh x.x.63.5 255.255.255.255 outside ssh x.x.207.0 255.255.255.0 outside ssh timeout 10 console timeout 0 dhcpd address 10.0.0.50-10.0.0.70 inside dhcpd dns 194.19.2.11 194.19.3.11 dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd auto_config outside dhcpd enable inside username admin password /Db0u0XWkbA299Du encrypted privilege 15 terminal width 80 Cryptochecksum:ae160fc446e3a1ee44fca0792e8bb23e

Another question (stupid...). Do Walter see my reply to Patrick or do I also have to reply to Walter also?

Your NAT'ing thru the tunnel. 99% of instances should not be NAT'ing in a tunnel.

For this end: access-list nonat permit ip 10.0.0.0 255.255.255.0 10.0.8.0 255.255.255.0 nat (inside) 0 access-list nonat

For the other end: access-list nonat permit ip 10.0.8.0 255.255.255.0 10.0.0.0 255.255.255.0 nat (inside) 0 access-list nonat

-Brian

Hi, I want to tell you that the last config finally worked. Thanks anyway:-) The last problem was that I was unable to ping from the CLI. I don't know what is causing that, but I can live with that.

Leif

newbee skrev:

I added the nonat rule....

Leif