Pix 501 to 506 VPN

I am creating a site-to-site VPN from a PIX 501 with an outside address
of 24.173.110.82 and an inside network of 192.168.1.0/24 to a PIX 506
with an outside address of 207.200.35.62 and an inside network of
10.0.0.0/24. I am not very familiar with PIX firewalls but have set up
a few PIX VPNs in the past. This time I just followed the step-by-step
instructions on the Cisco site, but I am not able to get any traffic
across the VPN. Thanks in advance.
PIX 506
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **********
passwd *********
hostname *******
domain-name *******
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.0.0 Level0
name 10.1.0.0 level1
name 10.2.0.0 level2
name 10.2.1.0 CityOf
access-list out_in permit icmp any any echo-reply
access-list out_in permit icmp any any time-exceeded
access-list out_in permit icmp any any unreachable
access-list in_out permit tcp Level0 255.255.255.0 any eq www
access-list in_out permit tcp Level0 255.255.255.0 any eq domain
access-list 80 permit ip Level0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 207.200.35.62 255.255.255.240
ip address inside 10.0.0.254 255.255.255.0
ip audit info action drop
ip audit attack action drop
pdm location 10.0.0.11 255.255.255.255 inside
pdm location 10.0.0.12 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 207.200.35.61 netmask 255.255.255.240
nat (inside) 0 access-list 80
nat (inside) 1 Level0 255.255.255.0 0 0
static (inside,outside) Level0 Level0 netmask 255.255.255.0 0 0
access-group out_in in interface outside
route outside 0.0.0.0 0.0.0.0 207.200.35.49 1
timeout xlate 5:00:00
timeout conn 2:30:00 half-closed 0:10:00 udp 2:30:00 rpc 2:30:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map City 10 ipsec-isakmp
crypto map City 10 match address 80
crypto map City 10 set peer 24.173.110.82
crypto map City 10 set transform-set strong
crypto map City interface outside
isakmp enable outside
isakmp key ******** address 24.173.110.82 netmask 255.255.255.255
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash sha
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400
ssh timeout 5
PIX 501
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **********
passwd **********
hostname hutfw
domain-name ********
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit icmp any any
access-list outside permit tcp any host 192.168.1.3 eq 3389
access-list outside permit tcp any host 24.173.110.82 eq 3389
access-list outside permit tcp any host 192.168.1.99 eq 3390
access-list outside permit tcp any host 24.173.110.82 eq 3390
access-list 90 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 24.173.110.82 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action drop
ip audit attack action drop
pdm location 192.168.1.3 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 90
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 24.173.110.81 1
timeout xlate 5:00:00
timeout conn 2:30:00 half-closed 0:10:00 udp 2:30:00 rpc 2:30:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:00:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map toMITIS 20 ipsec-isakmp
crypto map toMITIS 20 match address 90
crypto map toMITIS 20 set peer 207.200.35.62
crypto map toMITIS 20 set transform-set strong
crypto map toMITIS interface outside
isakmp enable outside
isakmp key ******** address 207.200.35.62 netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80
Timid K
Do not use the same ACL for two different purposes. In some cases it is certain to fail due to the PIX design, and in other cases there are PIX 6.x bugs that lead to failures. Safest just to never do it at all.
Walter Roberson
OK, I created a second access list on each firewall with the same info in it and used it for the crypto map address. I am still not able to get any traffic through. Any other ideas? Thanks.
Timid K
Your transform sets don't match between the two -- 3DES on one side, DES on the other.
Also, my memory is that SHA is not supported with single-DES in 6.3. I cannot find any documentation of that point at the moment.
Walter Roberson
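The two problems Walter raises above (one ACL doing double duty for nat 0 and the crypto map match address, and IPsec/ISAKMP parameters that disagree between the peers) are the kind of thing worth checking mechanically before bringing a tunnel up. The script below is an added example, not code from the thread or from Cisco. It parses only the handful of PIX 6.x commands it needs, the config excerpts inside it are constructed from the values posted above, and the "fixed" pair is a hypothetical correction (separate crypto ACLs, 3DES on both ends) used only to show the checker coming back clean.

```python
"""Cross-check two PIX 6.x site-to-site VPN configs for a shared nat-0 /
crypto-map ACL and for transform-set or ISAKMP policy mismatches between
the peers.  Added example; parses a small subset of PIX syntax only."""
import re
from collections import defaultdict

# Constructed excerpts of the two posted configs (VPN-relevant lines only).
PIX_506 = """
ip address outside 207.200.35.62 255.255.255.240
access-list 80 permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 80
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map City 10 ipsec-isakmp
crypto map City 10 match address 80
crypto map City 10 set peer 24.173.110.82
crypto map City 10 set transform-set strong
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash sha
isakmp policy 8 group 1
"""
PIX_501 = """
ip address outside 24.173.110.82 255.255.255.252
access-list 90 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list 90
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map toMITIS 20 ipsec-isakmp
crypto map toMITIS 20 match address 90
crypto map toMITIS 20 set peer 207.200.35.62
crypto map toMITIS 20 set transform-set strong
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash sha
isakmp policy 9 group 1
"""
# Hypothetical corrected pair: dedicated crypto ACLs (81/91), 3DES on both sides.
PIX_506_FIXED = (PIX_506.replace("match address 80", "match address 81")
                 + "access-list 81 permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0\n")
PIX_501_FIXED = (PIX_501.replace("match address 90", "match address 91")
                 .replace("esp-des", "esp-3des")
                 .replace("encryption des", "encryption 3des")
                 + "access-list 91 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0\n")


def parse_pix(text):
    """Pull the VPN-relevant lines out of a PIX 6.x running-config."""
    cfg = {"transform_sets": {}, "crypto_maps": defaultdict(dict),
           "isakmp_policies": defaultdict(dict), "nat0_acls": set(),
           "outside_ip": None}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["transform_sets"][m[1]] = frozenset(m[2].split())   # name -> algorithms
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)", line):
            cfg["crypto_maps"][(m[1], int(m[2]))][m[3]] = m[4]     # (map, seq) -> settings
        elif m := re.match(r"isakmp policy (\d+) (\S+) (\S+)", line):
            cfg["isakmp_policies"][int(m[1])][m[2]] = m[3]           # priority -> attributes
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            cfg["nat0_acls"].add(m[1])                               # ACLs exempted from NAT
        elif m := re.match(r"ip address outside (\S+)", line):
            cfg["outside_ip"] = m[1]
    return cfg


def _peer_transforms(cfg, peer_ip):
    """Algorithms of the transform-set the crypto map applies to peer_ip, or None."""
    for entry in cfg["crypto_maps"].values():
        if entry.get("set peer") == peer_ip:
            return cfg["transform_sets"].get(entry.get("set transform-set"), frozenset())
    return None


def check_vpn_pair(a, b):
    """Return a list of findings for the tunnel between configs a and b."""
    findings = []
    # 1. The crypto ACL must not also be the nat 0 ACL (Walter's first point).
    for label, cfg in (("A", a), ("B", b)):
        for (name, seq), entry in cfg["crypto_maps"].items():
            acl = entry.get("match address")
            if acl in cfg["nat0_acls"]:
                findings.append(f"{label}: ACL {acl} is used for both 'nat 0' and crypto map {name} {seq}")
    # 2. Phase 2: both sides must apply the same ESP algorithms to each other.
    ts_a, ts_b = _peer_transforms(a, b["outside_ip"]), _peer_transforms(b, a["outside_ip"])
    if not ts_a or not ts_b:
        findings.append("crypto maps do not point at each other, or name an undefined transform-set")
    elif ts_a != ts_b:
        findings.append(f"transform-set mismatch: A={sorted(ts_a)} B={sorted(ts_b)}")
    # 3. Phase 1: at least one ISAKMP policy must agree on auth/encryption/hash/group.
    keys = ("authentication", "encryption", "hash", "group")
    pa = {tuple(p.get(k) for k in keys) for p in a["isakmp_policies"].values()}
    pb = {tuple(p.get(k) for k in keys) for p in b["isakmp_policies"].values()}
    if not pa & pb:
        findings.append("no ISAKMP policy is common to both peers (auth/encryption/hash/group)")
    return findings


def audit(text_a, text_b):
    """Parse both configs and return the findings (an empty list means consistent)."""
    return check_vpn_pair(parse_pix(text_a), parse_pix(text_b))


if __name__ == "__main__":
    for name, pair in (("as posted", (PIX_506, PIX_501)),
                       ("corrected", (PIX_506_FIXED, PIX_501_FIXED))):
        print(f"{name}: {audit(*pair) or ['no findings']}")
```

Run against the posted pair it reports four findings: the shared ACL on each firewall, the 3DES-versus-DES transform-set mismatch, and the absence of any ISAKMP policy the two peers have in common (DES on one side, 3DES on the other). The hypothetical corrected pair produces no findings. The ISAKMP comparison ignores lifetime on purpose, since the initiator will accept a shorter lifetime from the responder; only the four negotiated attributes have to agree.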
Thank you very much for all your help. I switched it to MD5 and everything worked.
Timid K