Question


    PIX VPN newbie

    by kswallow ·

    Hello. I’m having trouble setting up a site-to-site VPN connection using a PIX 506E and I wonder if anyone can point out if I’m missing something obvious.
    It appears that my PIX is not even attempting to put any traffic down my VPN tunnel, as I don’t see anything happening when using “debug crypto isakmp” (except for a repeat attempt by another site to connect inbound, which is not configured for yet – this wouldn’t block creating a new outbound connection to another site, would it?)

    Config is pasted below with the addresses modified and crap removed. It would be great if anyone could suggest reasons why it’s not trying to bring up the tunnel.
    I’m trying to get from 192.168.1.0 to 192.168.2.0, and have been trying pings from the PIX itself.
    The PIX is not in use for anything else yet.
    Thanks in advance for any suggestions!

    PIX Version 6.3(5)
    interface ethernet0 100full
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname MyPix
    name 192.168.2.0 OtherNet
    access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 OtherNet 255.255.255.0
    access-list outside_cryptomap_20 permit icmp 192.168.1.0 255.255.255.0 OtherNet 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 OtherNet 255.255.255.0
    ip address outside 10.10.10.10 255.255.255.224
    ip address inside 192.168.1.100 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    nat (inside) 0 access-list inside_outbound_nat0_acl
    route outside OtherNet 255.255.255.0 10.10.10.11 1
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer 20.20.20.20
    crypto map outside_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 20.20.20.20 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
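
Added example, not part of the original post: the crypto map's "match address" ACL selects which packets are handed to IPsec, so this Python code evaluates sample packets against the ACL lines copied from the config above. The host addresses 192.168.1.50 and 192.168.2.1 are constructed, and treating a ping issued on the PIX itself as sourced from the outside interface address (10.10.10.10) is an assumption.

```python
import ipaddress

# Lines copied from the configuration in the post above.
CONFIG = """\
name 192.168.2.0 OtherNet
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 OtherNet 255.255.255.0
access-list outside_cryptomap_20 permit icmp 192.168.1.0 255.255.255.0 OtherNet 255.255.255.0
ip address outside 10.10.10.10 255.255.255.224
crypto map outside_map 20 match address outside_cryptomap_20
"""

def parse(config):
    """Return (acls, crypto_acl) from PIX 6.x style config text."""
    names, acls, crypto_acl = {}, {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["name"] and len(tok) == 3:
            names[tok[2]] = tok[1]          # name <ip> <alias>
        elif tok[:1] == ["access-list"] and len(tok) == 8:
            # access-list <id> <action> <proto> <src> <mask> <dst> <mask>
            _, acl, action, proto, src, smask, dst, dmask = tok
            snet = ipaddress.ip_network(f"{names.get(src, src)}/{smask}")
            dnet = ipaddress.ip_network(f"{names.get(dst, dst)}/{dmask}")
            acls.setdefault(acl, []).append((action, proto, snet, dnet))
        elif tok[:2] == ["crypto", "map"] and tok[4:6] == ["match", "address"]:
            crypto_acl = tok[6]
    return acls, crypto_acl

def selected_for_tunnel(config, proto, src, dst):
    """True if the first matching crypto ACL entry permits the packet."""
    acls, crypto_acl = parse(config)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, acl_proto, snet, dnet in acls.get(crypto_acl, []):
        if acl_proto in ("ip", proto) and s in snet and d in dnet:
            return action == "permit"
    return False  # implicit deny: the packet is not handed to IPsec

if __name__ == "__main__":
    # Constructed test packets: (protocol, source, destination)
    for pkt in [("icmp", "192.168.1.50", "192.168.2.1"),   # inside host
                ("icmp", "10.10.10.10", "192.168.2.1"),    # outside interface (assumed ping source)
                ("icmp", "192.168.2.1", "192.168.1.50")]:  # reverse direction
        print(pkt, "->", "IPsec" if selected_for_tunnel(CONFIG, *pkt) else "not selected")
```

Only packets the ACL permits can trigger an IKE negotiation, so a packet reported as "not selected" would produce no "debug crypto isakmp" output.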
