
any cisco IOS with VPN/PIX experience about?

  • 28-04-2006 2:53pm
    #1
    Closed Accounts Posts: 627 ✭✭✭


    Hi, I'm trying to find a Cisco expert with the relevant experience in PIXs and VPNing to them. I have a router config I'd like to run by somebody. If anybody can help, please let me know!


Comments

  • Banned (with Prison Access) Posts: 25,234 ✭✭✭✭Sponge Bob


    Paste it in here with RADIUS keys / VPN keys REMOVED and IP addresses and blocks REMOVED.


  • Closed Accounts Posts: 627 ✭✭✭preilly79


    I've removed passwords and IP addresses for remote hosts. IP addresses of the internal network remain to aid you.

    Cheers

    Router config:

    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname router
    !
    enable password 7 **************
    !
    no aaa new-model
    ip subnet-zero
    !
    !
    ip audit notify log
    ip audit po max-events 100
    no ftp-server write-enable
    !
    !
    crypto isakmp policy 1
    hash md5
    authentication pre-share
    crypto isakmp key 0 ********** address remote.pix.ip
    !
    !
    crypto ipsec transform-set pix-set esp-des esp-md5-hmac
    !
    crypto map pix 10 ipsec-isakmp
    set peer remote.pix.ip
    set transform-set pix-set
    match address 101
    !
    !
    interface Ethernet0
    ip address 192.168.25.161 255.255.255.224
    ip nat inside
    !
    interface Ethernet1
    ip address 192.168.49.250 255.255.255.0
    ip nat outside
    duplex auto
    crypto map pix
    !
    interface FastEthernet1
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet2
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet3
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet4
    no ip address
    duplex auto
    speed auto
    !
    ip default-gateway 192.168.49.254
    ip nat inside source route-map nonat interface Ethernet1 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 192.168.49.254
    ip route remote.host.ip 255.255.255.255 remote.pix.ip
    ip route remote.pix.ip 255.255.255.255 192.168.49.254
    no ip http server
    no ip http secure-server
    !
    access-list 101 permit ip 192.168.25.160 0.0.0.31 remote.host.ip 0.0.0.127
    access-list 150 deny ip 192.168.25.160 0.0.0.31 remote.host.ip 0.0.0.127
    access-list 150 permit ip 192.168.25.160 0.0.0.31 any
    route-map nonat permit 10
    match ip address 150
    !
    !
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    login
    !
    scheduler max-task-time 5000
    !
    end

    And here's the PIX config:

    PIX Version 6.3(1)
    interface ethernet0 100full
    interface ethernet1 auto
    interface ethernet2 auto shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 intf2 security10
    enable password ************ encrypted
    passwd ************* encrypted
    hostname pix.domain.com
    domain-name domain.com
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    access-list nonat permit ip remote.host.ip 255.255.255.128 192.168.0.0 255.255.0.0
    pager lines 24
    logging on
    logging trap informational
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    ip address outside pix.outside.ip.address 255.255.255.248
    ip address inside pix.inside.ip.address 255.255.255.248
    no ip address intf2
    ip audit info action alarm
    ip audit attack action alarm
    pdm location x.x.x.x 255.255.255.255 inside
    pdm logging notifications 100
    pdm history enable
    arp timeout 14400
    nat (inside) 0 access-list nonat
    route outside 0.0.0.0 0.0.0.0 pix.outside.ip.address 1
    route inside remote.host.ip 255.255.255.192 pix.inside.ip.address 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set router-set esp-des esp-md5-hmac
    crypto dynamic-map cisco 1 set transform-set router-set
    crypto map dyn-map 10 ipsec-isakmp dynamic cisco
    crypto map dyn-map interface outside
    isakmp enable outside
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80


  • Closed Accounts Posts: 627 ✭✭✭preilly79


    OK, so the configs are above. What I want to do is route traffic destined for remote.host.ip over an IPsec tunnel which terminates at remote.pix.ip, and route everything else over the Ethernet interface. Problem is, the IPsec tunnel is not being initiated.
    Any ideas?
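A tunnel that never initiates is most often a phase 1 or phase 2 proposal mismatch between the two peers, so the first check is to line the two configs up side by side. The script below is an added example (not either poster's configuration): it pulls the ISAKMP policy and transform sets out of constructed excerpts of the router and PIX configs posted above, fills in the documented IOS 12.x / PIX 6.x defaults for omitted policy lines (an assumption stated in the code), and reports anything the peers disagree on, followed by algorithms that are weak by today's standards.

```python
import re
# Constructed excerpts of the router and PIX configs posted above (redactions kept).
ROUTER_CFG = """crypto isakmp policy 1
hash md5
authentication pre-share
crypto ipsec transform-set pix-set esp-des esp-md5-hmac
"""
PIX_CFG = """crypto ipsec transform-set router-set esp-des esp-md5-hmac
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
"""
# Assumed IOS 12.x / PIX 6.x defaults for omitted policy lines; lifetime may differ between peers.
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1", "lifetime": "86400"}
MUST_MATCH = ("encryption", "hash", "authentication", "group")
WEAK = {"des", "md5", "group 1", "esp-des", "esp-md5-hmac"}

def parse_ios_isakmp(cfg):
    """First 'crypto isakmp policy' block of an IOS config, defaults filled in."""
    policy, inside = dict(DEFAULTS), False
    for parts in (line.split() for line in cfg.splitlines()):
        if parts[:3] == ["crypto", "isakmp", "policy"]:
            inside = True
        elif inside and len(parts) == 2 and parts[0] in DEFAULTS:
            policy[parts[0]] = parts[1]
        elif parts:
            inside = False  # any other command ends the policy block
    return policy

def parse_pix_isakmp(cfg):
    """PIX 6.x 'isakmp policy N <key> <value>' lines, defaults filled in."""
    policy = dict(DEFAULTS)
    for m in re.finditer(r"^isakmp policy \d+ (\w+) (\S+)", cfg, re.M):
        policy[m.group(1)] = m.group(2)
    return policy

def parse_transform_sets(cfg):
    """ESP proposals offered by each 'crypto ipsec transform-set' line (both platforms)."""
    return {frozenset(m.group(1).split())
            for m in re.finditer(r"^crypto ipsec transform-set \S+ (.+)$", cfg, re.M)}

def compare(router_cfg, pix_cfg):
    """Phase 1/2 parameters the peers disagree on, then weak algorithms still in use."""
    r, p = parse_ios_isakmp(router_cfg), parse_pix_isakmp(pix_cfg)
    findings = [f"MISMATCH isakmp {k}: router={r[k]} pix={p[k]}" for k in MUST_MATCH if r[k] != p[k]]
    common = parse_transform_sets(router_cfg) & parse_transform_sets(pix_cfg)
    if not common:
        findings.append("MISMATCH transform-set: no common ESP proposal")
    used = {r["encryption"], r["hash"], "group " + r["group"]}.union(*common)
    return findings + sorted("WEAK " + alg for alg in used & WEAK)
```

On the two configs as posted the proposals agree, so the script reports only the weak DES/MD5/group 1 choices; a mismatch is reported when, for example, one side is changed to hash sha.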


  • Registered Users Posts: 16,288 ✭✭✭✭ntlbell


    What's on the remote side? A PIX or a router?


  • Closed Accounts Posts: 627 ✭✭✭preilly79


    It's a PIX. You can find the config above.


  • Registered Users Posts: 16,288 ✭✭✭✭ntlbell


    preilly79 wrote:
    It's a PIX. You can find the config above.

    Indeed, is there a PIX on the other side as well? Or just a router?


  • Banned (with Prison Access) Posts: 25,234 ✭✭✭✭Sponge Bob


    Create an object group for the external net:

    object-group network outside_ip
    network-object 192.168.25.161 255.255.255.224

    Tunnel from that to the remote PIX, say a remote PIX whose own outside object is 192.1.2.3:

    crypto ipsec transform-set myset esp-3des
    crypto ipsec transform-set clientset esp-3des
    crypto dynamic-map dynmap 10 set transform-set clientset
    crypto map mri1 10 ipsec-isakmp
    crypto map mri1 10 set peer 192.1.2.3
    crypto map mri1 20 ipsec-isakmp dynamic dynmap
    crypto map mri1 interface outside
    isakmp enable outside
    isakmp key ****** address 192.1.2.3 netmask 255.255.255.255
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des

