


PIX 515 vpn site-2-site -> Linux

Hi NG,

I need some help on a VPN site-2-site connection between my PIX and a Linux 
box. I'm pretty new to networking and Cisco PIX since I had to take over 
someone's job since yesterday!
I've been looking at the PIX manual; it tells me to insert the following with a 
pix-2-pix VPN tunnel:

crypto ipsec transform-set strong ESP-DES-MD5 esp-des esp-md5-hmac
access-list ACL_NAME permit ip IPADRESS 255.255.255.0 IPADRESS 255.255.255.0
nat 0 access-list ACL_NAME
nat (inside) 1 0 0
global (outside) 1 IP_Start-IP_END
global (outside) 1 PAT_IPs_Adr
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address 90
crypto map outside_map 40 set transform-set strong
crypto map outside_map 40 set peer IP_ADRESS
crypto map outside_map interface outside
sysopt connection permit-ipsec

Now what I got is the following information of my gateway:

IP address of gateway
IP address of what IPs will be on the other side
ike=3des-md5-mod1024
esp=3des-md5
keylife times

Is this to be configured like the pix-to-pix config? What if a sh ver of the PIX 
shows
VPN-3DES-AES:                Disabled
He wants to use 3DES and my PIX does not support 3DES, right? I'm just a bit 
lost, so any help is welcome.

thank ya
colin
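
An added example, not part of the original post: a small Python check that takes the peer's proposal strings and the license lines from `show version`, reports which PIX VPN license features the proposal needs but the box lacks, and lists the PIX 6.x `isakmp policy` and `transform-set` lines that would mirror the proposal. The policy number `10`, the transform-set name `to_linux`, the `VPN-DES` sample line and the function names are assumptions; the `mod1024` spelling from the post is accepted alongside `modp1024`.

```python
import re

# Proposal token -> PIX 6.x keyword (only the algorithm families discussed here).
CIPHERS = {"des": "des", "3des": "3des"}
HASHES = {"md5": ("md5", "esp-md5-hmac"), "sha1": ("sha", "esp-sha-hmac")}
DH_GROUPS = {"768": 1, "1024": 2, "1536": 5}      # MODP size in bits -> DH group
LICENSE_FOR = {"des": "VPN-DES", "3des": "VPN-3DES-AES"}

# The VPN-3DES-AES line is quoted from the post; the VPN-DES line is constructed.
SHOW_VERSION = """\
VPN-DES:                     Enabled
VPN-3DES-AES:                Disabled
"""


def parse_proposal(text):
    """Split 'cipher-hash[-modpNNNN]' into (cipher, hash, dh_group or None)."""
    m = re.fullmatch(r"([a-z0-9]+)-([a-z0-9]+)(?:-modp?(\d+))?",
                     text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised proposal: {text!r}")
    cipher, digest, bits = m.groups()
    if cipher not in CIPHERS or digest not in HASHES:
        raise ValueError(f"unsupported algorithm in {text!r}")
    if bits is not None and bits not in DH_GROUPS:
        raise ValueError(f"unsupported MODP size in {text!r}")
    return cipher, digest, (DH_GROUPS[bits] if bits else None)


def parse_licenses(show_version):
    """Return {feature: bool} from 'Feature:   Enabled|Disabled' lines."""
    features = {}
    for line in show_version.splitlines():
        m = re.match(r"\s*([\w-]+):\s+(Enabled|Disabled)\s*$", line)
        if m:
            features[m.group(1)] = (m.group(2) == "Enabled")
    return features


def plan(ike, esp, show_version, policy=10, tset="to_linux"):
    """Return (missing_license_features, config_lines) for the peer proposal."""
    licenses = parse_licenses(show_version)
    ike_cipher, ike_hash, group = parse_proposal(ike)
    esp_cipher, esp_hash, _ = parse_proposal(esp)

    # A feature counts as missing if it is disabled or not listed at all.
    needed = {LICENSE_FOR[c] for c in (ike_cipher, esp_cipher)}
    missing = sorted(f for f in needed if not licenses.get(f, False))

    config = [
        f"isakmp policy {policy} encryption {CIPHERS[ike_cipher]}",
        f"isakmp policy {policy} hash {HASHES[ike_hash][0]}",
    ]
    if group is not None:
        config.append(f"isakmp policy {policy} group {group}")
    config.append(
        f"crypto ipsec transform-set {tset} "
        f"esp-{CIPHERS[esp_cipher]} {HASHES[esp_hash][1]}"
    )
    return missing, config


if __name__ == "__main__":
    missing, config = plan("3des-md5-mod1024", "3des-md5", SHOW_VERSION)
    if missing:
        print("License features not enabled:", ", ".join(missing))
    print("Lines matching the peer proposal:")
    for line in config:
        print(" ", line)
```
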


 


7/9/2005 8:19:41 AM
comp.dcom.sys.cisco

Similar Articles:

PIX 515 nat 0 and vpn site-2-site
Hi NG, I got 2 sites which I would like to connect via VPN site-2-site. Now with one of the sites I got a nat 0 access-list statement. And for the second I'd like to nat 0 again. But since it overwrites that statement I can just set one single nat 0 statement ... I do not want to nat to these other sites! nat (inside) 0 access-list ACL_SITE_1 ((nat (inside) 0 access-list ACL_SITE_2)) access-list ACL_SITE_1 permit ip 176.x.x.0 255.255.0.0 host X.Y.Z.Z ((access-list ACL_SITE_2 permit ip 10.x.x.0 255.255.0.0 X.Y.Z.Z 0.0.255.255)) How should I solve this? thank ya Colin -- pix 515E: nat [(...

Cisco PIX 501-515 Site-to-Site VPN Issue
I'm deferring to the experts in this group to help me solve a nightmare of a PIX configuration issue. I have a PIX 501 located in Connecticut and a PIX 515 located in New York and am trying to put together a site-to-site VPN. The remote access on the 515 works like a charm, but I've been unable to make any headway with the site-to-site. The only way that I've been able to initiate the connection, in fact, is to launch the packet tracer on the 515 to 'send' a packet from an IP on the 515's network to an IP on the 501's. Everything comes back okay, but if I try to ping or connect to any machine on either of the networks from the other one, it doesn't go through, and no useful debugging information seems to be returned. If anyone has any insight into what might be going on, your advice would be tremendously appreciated. I've copied the configurations below and have removed only the clearly-irrelevant parts. PIX 501: Internal IP Range: 10.0.2.0/255.255.255.0 External IP: x.x.123.29 PIX 515: Internal IP Range: 10.0.0.0/255.255.255.0 Remote Access: 10.0.1.0/255.255.255.0 External IP: x.x.23.17 CISCO PIX 501 IN CONNECTICUT PIX Version 6.3(5) access-list outside_access_in permit icmp any any access-list outside_access_in permit tcp any any object-group TCP access-list inside_outbound_nat0_acl permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0 access-list outside_cryptomap_20 permit ip 10.0.2.0 255.255....

Site to Site VPN problems between PIX 501 and PIX 515
Recently at work I was handed an old Cisco PIX 501 and was told to get a VPN working with our PIX 515 for a remote office location. The 501 had been set up for a VPN 3 years ago with the 515 so I thought that this would be easy, as the config information on both ends has not changed. Obivously, I was mistaken and no matter what I try I cannot get the VPN tunnel to work. Any help would be greatly appreciated. I'm sorry if this is long winded but here are the configs for the 501 and 515: PIX 501 PIX Version 6.3(3) interface ethernet0 10baset interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password *** encrypted passwd *** encrypted hostname example501 domain-name example.net fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 access-list example permit ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0 access-list acl_out permit icmp any any pager lines 24 logging on logging timestamp logging buffered warnings mtu outside 1500 mtu inside 1500 ip address outside dhcp setroute ip address inside 10.10.20.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm pdm logging informational 100 pdm history enable ar...

515 Pix site-to-site VPN
I need to configure site to site VPN between two companies. They have their own networks. Every company has PIX515 configured to accept VPN clients. Is it possible to configure site-to-site vpn and keep both firewalls continue to accept remote vpn clients? If someone can post me example configurations I'll appreciate this! Thanks, In article <1167928541.825645.113090@i15g2000cwa.googlegroups.com>, Exclusive <kamen.rashev@gmail.com> wrote: >I need to configure site to site VPN between two companies. They have >their own networks. Every company has PIX515 configured to a...

2 simultaneous site to site VPN tunnels with 3 PIX
I have been having a tough time setting up 3 PIX devices so that all 3 have 2 tunnels to the other 2. I can only get one to keep both tunnels open, making a chain instead of a fully connected triangle. When I managed to bring up the 2nd tunnel on another, it broke the 1st tunnel, leaving me in the same situation. The config for all 3 is nearly identical, so variations in behavior are especially perplexing. 2 are using 6.3(5) and 1 on 6.3(3). Any suggestions would be appreciated. access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0 access-list 100 permit ip 192.16...

PIX VPN Problem (EZvpn and Site-2-Site in parallel)
Hello, I shall establish an EZvpn and a site-2-site VPN config on a single PIX. Sounds straightforward and not too difficult. Yes, but? Both parts on their own work just fine. When I run the EZvpn part and then add the site-2-site part I never get a proper ISAKMP relationship, as you can see from the two show outputs at the very end. Below you see the configuration I use. There must be something wrong with the order of operation for the authentication of the site-2-site connection. Any help is greatly appreciated. Roland Configuration extract: ---------------------- crypto ipsec transf...

setting up site-2-site with PIX 506e VPN Wizard
Hi All: looking for an introduction on setting up a site-to-site vpn between two PIX 506e using the wizard. Pix 1 has inside IF 192.168.0/24 Pix 2 has inside IF 192.168.1/24 I want to enable 192.168.0.10 to connect to 192.168.1.15 I tried to step through the wizard, but am stuck at what to configure for the remote IPSec Traffic Selector. If I select the inside IF of PIX 2 and enter 192.168.1.15 as the termination point, I'm prompted to provide a static route. Am I setting it up correctly up to that point? If so, what IP/IF would I want to specify for the route? TIA cisco wrote:...

site to site vpn using cisco pix 501's
I'm having the worst time trying to get a site to site VPN set up between two pix 501's any pointers would be super helpful here, I've tried so many things and this is my last resort. The tunnel comes up but I cannot access any devices on the remote lans. here is a config from one of the pix's, unsanitized for utmost clarity. PIX Version 6.3(3) interface ethernet0 auto interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted hostname breda domain-name westianet.com fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names name 192.168.1.0 remote_site_lan access-list inside_outbound_nat0_acl permit ip 10.246.246.0 255.255.255.0 remote_site_lan 255.255.255.0 access-list outside_cryptomap_20 permit ip 10.246.246.0 255.255.255.0 remote_site_lan 255.255.255.0 pager lines 24 mtu outside 1500 mtu inside 1500 ip address outside 65.174.244.23 255.255.255.0 ip address inside 10.246.246.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm pdm location remote_site_lan 255.255.255.0 outside pdm logging informational 100 pdm history enable arp tim...

site-to-site vpn #2
show a sample configuration, there are two routers with two ISPs they set up a choice of providers in the fall of another, you need to connect 2 routers tunnel, in what way will be a choice on what sort of tunnel back to work, please give an example of working configuration. R1------------- isp1--------------R2 -------------isp2 -------------- "Slava" <1vasya1@gmail.com> wrote in message news:96d9a0ec-12fe-4495-ae8f-3847ed01d3d4@n6g2000vbg.googlegroups.com... > > show a sample configuration, there are two routers with two ISPs > they set up a choice of providers in the fall of another, you need to > connect 2 routers tunnel, > in what way will be a choice on what sort of tunnel back to work, > please give an example of working configuration. > > R1------------- isp1--------------R2 > -------------isp2 -------------- do your own homework On 2011-12-20 03:29:43 -0700, Slava said: > show a sample configuration, there are two routers with two ISPs > they set up a choice of providers in the fall of another, you need to > connect 2 routers tunnel, > in what way will be a choice on what sort of tunnel back to work, > please give an example of working configuration. > > R1------------- isp1--------------R2 > -------------isp2 -------------- Most people here would be happy to help, if you show that you are willing to do your...

site-2-site VPN
Hi everybody, I was asking about the S2S VPN lately, but have a bit different question now. What are the industry standards / best practices to securely connect two company branches? I was thinking of a VPN connection, but it does not allow one to connect two identical subnets e.g. 10.11.12.0/24 with 10.11.12.0/24. Is there a way to connect two offices via VPN and reduce or eliminate the possibility of subnet overlap? Thanks, AL ALeu schrieb: > I was asking about the S2S VPN lately, but have a bit different question > now. What are the industry standards / best practices to sec...

PIX site-to-site VPN
Internet / \ 11.11.11.11 22.22.22.22 ADSL Router ADSL Router 10.0.11.254 10.0.0.22.254 | | 10.0.11.1 10.0.22.1 PIX 506E PIX 501 192.168.11.254 192.168.22.254 | | New York LAN San Jose LAN http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800eb72b.html I am trying to set up a hardware VPN based on the link above, but the multiple internet IP setup in the document has confused me. The following is what I intend to add to the ...

RE: Seeking Data Archiving (BACKUP) Suggestions (was: Re: VAX/VMS site) site)site) site) site)site)site) site)site) #2
-----Original Message----- From: Dave Froble [mailto:davef@tsoft-inc.com] Sent: Thursday, August 17, 2006 12:23 AM To: Info-VAX@Mvb.Saic.Com Subject: Re: Seeking Data Archiving (BACKUP) Suggestions (was: Re: VAX/VMS site) site)site) site) site)site)site) site)site) Stanley F. Quayle wrote: > On 16 Aug 2006 at 14:42, Barry.Treahy@EmersonNetworkPower.com wrote: >> You might find the costs to migrate everything from the 4000/100 models >> to replacement CHARON 4000/108 emulated systems cost effect > > Another CHARON-VAX possibility [Shameless Plug Alert (tm)] is to ...

PIX 501 VPN servers and VPN site to site
Hello I have 2 cisco PIX firewalls. Ihave VPN servers on both of PIX. How can i make VPN site to site this is mu config Office PIX Version 6.3(4) interface ethernet0 auto interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 hostname fwl1 names object-group service tcp_19 tcp description tcp ports for server on address 80.80.80.19 port-object eq www port-object eq https access-list outside_access_in permit icmp any any log access-list outside_access_in permit tcp any host 80.80.80.19 object-group tcp_19 access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 ip address outside 80.80.80.18 255.255.255.240 ip address inside 192.168.1.1 255.255.255.0 ip local pool ippool 192.168.2.14-192.168.2.20 global (outside) 10 interface nat (inside) 0 access-list 101 nat (inside) 10 0.0.0.0 0.0.0.0 0 0 static (inside,outside) 80.80.80.19 192.168.1.28 netmask 255.255.255.255 0 0 access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 80.80.80.17 1 http server enable http 192.168.1.0 255.255.255.0 inside sysopt connection permit-ipsec crypto ipsec transform-set myset esp-des esp-md5-hmac crypto dynamic-map dynmap 10 set transform-set myset crypto map inside_map interface inside crypto map mymap 10 ipsec-isakmp dynamic dynmap crypto map mymap interface outside isakmp enable outside isakmp nat-traversal 10 isakmp policy 10 authentication pre-share isakmp policy 10 encryption des isakmp policy 10 ha...

Vpn site to site + vpn cisco client access list problem.
Hi I have problem to get vpn site to site tunnel and the vpn client tunnel to work at the same time. How can I join access list 80 and 100 so i can add them to nat "(inside) 0 access-list 80" I got a pix 501 and 2620 and on the pix 501 It's accessible thugh Cisco VPN client. The config on the pix 501: : Written by admin at 15:32:22.817 CEDT Mon Aug 7 2006 PIX Version 6.3(5) interface ethernet0 100full interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password g4JAhKwvQDnczMDZ encrypted passwd g4JAhKwvQDnczMDZ encrypted hostname gotfw01 domain-name veprox.int clock timezone CEST 1 clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00 fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names name 192.168.99.0 VPN access-list 80 permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0 access-list 100 permit ip 172.16.100.0 255.255.255.0 VPN 255.255.255.0 pager lines 24 mtu outside 1420 mtu inside 1500 ip address outside 192.168.0.10 255.255.254.0 ip address inside 172.16.100.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm ip local pool vpn_client_pool 192.168.99.50-192.16...

Site to Site VPN
Hi, I've got a site to site VPN created with two Pix 506e firewalls. The remote site has 7 users over a 512k ADSL line. The VPN is used for MS Outlook, occasional file access and the use of a Terminal emulator connected to a UNIX box at the central site. Users in the remote site will lose connectivity to the unix box a few times during the day but the VPN appears to be still running as it doesn't kick all users off. I created the VPN by using PDM and have checked them on the Cisco website, below are the configs, the first one being the central site. I've also copied the entrie...

site 2 site vpn problems
Hello all, I'm having a problem with a site-to-site vpn tunnel between a cisco 871 and some d-link routers at branch locations. Once I installed the 871 I had the s2s tunnels up with what appeared to be no problem. On the 871 side I could connect to the remote branch equipment, however, from the remote branch side they could not connect back to the servers at corp, but they could ping anything. In my experience this is normally an MTU problem. Sadly when I went to configure the interface (FastEthernet4) with "ip mtu 1450", I got an error stating that the interface did not have a "user settable mtu"?? I then tried the "ip tcp adjust-mss" statement which appeared to have no effect and based on my reading that is for PPPoE connections anyway. Thus I decided to put their original router (DI-804HV) back in place and carry one of the cisco's to my office and work on the config there. I created a tunnel back to their dlink which would simulate the "Branch" problem and with the configuration below they can connect to all servers at my location EXCEPT one, which really has me confused, because I can put my 804HV back in place and then they can connect to that server. The big difference between the two locations is they are running a T1 with an adtran and I am running business aDSL. So my questions are; 1) How do you adjust the MTU's on the FastEthernet4 device? 2) Why would one particular server (redhat linux) be re...

site to site vpn #2 481678
Hello all, We are currently terminating vpn connections from client sites in our dmz area and then letting their traffic pass through our firewall. The circuits and routers that the vpns terminate on are owned by the clients and are located at our facility. We are currently using the 10.0.0.0 address space and so are some of our clients. I can forsee a time when we might have a problem with this if a client has a host at 10.0.0.1 and if we have a host at 10.0.0.1 and we try to connect to the client's host our router will think the host is on the local subnet and not route the packet to the...

Site to site VPN
I am trying to set up a site to site VPN from my PIX to a Checkpoint. I am getting the following errors - first error with ISAKMP NAT-T , send seccond one without NAT-T... pixfirewall(config)# ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3 ISAKMP (0): beginning Main Mode exchange crypto_isakmp_process_block:src:162.145.74.130, dest:95.103.225.196 spt:500 dpt: 500 ISAKMP: drop P2 msg on unauthenticated SA ISAKMP (0): retransmitting phase 1 (0)... ISAKMP (0): retransmitting phase 1 (4)...IPSEC(key_engine): request timer fired: count = 1, (identity) local= 95.103.225.196, remote= 162.145.74.130, local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4), remote_proxy= 118.1.118.0/255.255.255.0/0/0 (type=4) ISAKMP (0): deleting SA: src 95.103.225.196, dst 162.145.74.130 ISADB: reaper checking SA 0x3575e7c, conn_id = 0 DELETE IT! VPN Peer:ISAKMP: Peer Info for 162.145.74.130/500 not found - peers:0 ******************************************************************************** no ISAKMP NAT-T pixfirewall(config)# ISAKMP (0): beginning Main Mode exchange crypto_isakmp_process_block:src:162.145.74.130, dest:95.103.225.196 spt:500 dpt: 500 ISAKMP: drop P2 msg on unauthenticated SA ISAKMP (0): retransmitting phase 1 (0)... ISAKMP (0): retransmitting phase 1 (4)... ISAKMP (0): deleting SA: src 95.103.225.196, dst 162.145.74.130IPSEC(key_engine) : request timer fired: count = 1, (identity) local= 95.103.225.196, remote= 162.145.74.130, local_proxy= 192.168.1.0/2...

site to site vpn with pix 506
hi, at first my setup: we have a local net, a pix, a default router for internet (yyy.yyy.yyy.yyy) and a remote vpn gateway (zzz.zzz.zzz.zzz) from which we know that there are already about 5 pix sucessfully connecting to it, except for mine. local net (192.168.1.0/24) <-> pix (internal: 192.168.1.1, external xxx.xxx.xxx.xxx) <-> internet router (yyy.yyy.yyy.yyy) < -~ internet ~-> remote vpn gateway (zzz.zzz.zzz.zzz) <-> remote host (10.10.11.1) pix config: *snip* ----------------------------------------------------------------------------- Building configuration... : Saved : PIX Version 6.3(4) interface ethernet0 auto interface ethernet1 auto nameif ethernet0 outside security0 nameif ethernet1 inside security100 hostname pixfirewall domain-name xxxx.com fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names name 192.168.1.0 local_net name zzz.zzz.zzz.zzz remote_gateway name 10.10.11.1 remote_host access-list inside_outbound_nat0_acl permit ip local_net 255.255.255.0 host remote_host access-list inside_access_in permit tcp local_net 255.255.255.0 any access-list inside_access_in permit icmp any any access-list outside_cryptomap_60 permit ip local_net 25...

Site-to-Site VPN with PIX 506E
I'd appreciate advice from the group regarding setup of a site-to-site VPN using a Cisco Secure PIX 506E Firewall. I'm considering the purchase of two of these firewalls to help my small company set up a secure connection between two offices. I have a programming background, but this type of work is new to me. I would like to link two office locations together for the purpose of transferring some files back and forth between two Dell PowerVault NAS (one at each location). Each site has a fixed IP address. I read the documentation from Cisco's web site, and the configuration of...

Pix vpn Site to Site problem
hi, am trying to set up a pix 506 and 501 to make a site to site vpn, i am currently receiving this output on the syslog server: a.a.a.a -outside address of pix 506e b.b.b.b - outside address of pix 501 %PIX-7-702303: sa_request, (key eng. msg.) src= b.b.b.b, dest= a.a.a.a, src_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4), dest_proxy= crayford/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-3des esp-md5-hmac , lifedur= 28800s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004 %PIX-7-702208: ISAKMP Phase 1 exchange started (local b.b.b.b (initiator), remote a.a.a.a) -702204: ISAKMP Phase 1 retransmission (local b.b.b.b (initiator), remote a.a.a.a) %PIX-7-702204: ISAKMP Phase 1 retransmission (local b.b.b.b (initiator), remote a.a.a.a) %PIX-7-702204: ISAKMP Phase 1 retransmission (local b.b.b.b (initiator), remote a.a.a.a) %PIX-6-602203: ISAKMP session disconnected (local b.b.b.b (initiator), remote a.a.a.a) I think these debug messages point to a problem with the shared key but ive already checked this and ive also check the ip addresses are right. here are the sho runs on both pix's 506e PIX Version 6.3(5) interface ethernet0 auto interface ethernet1 auto nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password iXGnkrGXSVRGTY encrypted passwd 2KFQnbNIdI.2KYOU encrypted hostname pixfirewall domain-name ciscopix.com fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup pr...

routing through a Site to Site VPN on PIX
Hi, Two 501's are connected to eachother via a site-to-site VPN: Site 1 : Internal IP : 10.0.0.254/24 External IP : 1.2.3.4/24 Site 2 : Internal IP : 10.1.0.254/24 External IP : 5.6.7.8/24 Tunnelling works okay... On Site 1 i have a router connected to some network.. The Internal IP of the router is 10.0.0.1/24. On the other side of the router i have an IP network : 192.168.0.0/24 How can i make the 192.168.0.0/24 network accessible from Site 2 ? Thanks, R. Bressers On Thu, 2 Jun 2005, Remco Bressers wrote: > On Site 1 i have a router connected to some network.. > T...

pix 501
Hello, I have 2 PIX firewalls. I have VPN site to site. I tried so many times to do a VPN server and nothing works. This is my VPN config - what do I have to do to be able to connect to Office via Cisco VPN Client Office IP address Outside = 100.100.100.100 IP address inside = 192.168.1.254 access-list 90 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0 nat (inside) 0 access-list 90 sysopt connection permit-ipsec crypto ipsec transform-set strong esp-3des esp-sha-hmac crypto map toRemote 20 ipsec-isakmp crypto map toRemote 20 match address 90 crypto map toRemote 20 set peer 90.90.90.90 cryp...

Site to Site VPN Problem #2
X-No-Archive: yes Hi Have a site to site VP N problem The network servers are Microsoft windows server both 200 and 2003. AT one remote site using an ASA to ASA VPN clients could pick up email from an exchange server buy not send email. The site with the exchange server cold VNC to the machine that could not send email When one browsed the network one could see only local machines. The domain controller at the remote site had lots of id event 1311 in the directory log. Machines could not connect to an SQL server using active directory credentials but could get to a web site on the same machine. Change the remote site to A PIX 501 solved the problem Mugged config of remote site Thanks in advance for any help : Saved : ASA Version 7.2(2) ! hostname domain-name l enable password no names name 10.0.20.0 mainsite name 10.0.50.0 site a name 10.0.50.2 caffreys ! interface Vlan1 nameif inside security-level 100 ip address 10.0.50.1 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address aa.bb.nn.mm 255.255.255.248 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! passwd ftp mode passive dns server-group DefaultDNS domain-name object-group service std tcp port-object eq domain port-object eq ftp port-object eq ftp-data port-object eq www port-object eq http...

Pix site to site and client VPN
Hi All, I have a PIX 515 with version 6.3(3). I have a site to site VPN up and running fine. I am adding client VPN access to this now. All clients will use the Cisco VPN Client 4.6. I followed some instructions I found online and have made the connection to the PIX from a client. Relevant config: access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 192.23.52.240 255.255.255.252 access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 192.168.168.0 255.255.255.0 access-list split permit ip 192.168.0.0 255.255.255.0 192.168.168.0 255.255.255.0 nat (inside) 0 access-list outside_cryptomap_20 sysopt connection permit-ipsec crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto dynamic-map dynmap 10 set transform-set ESP-DES-MD5 crypto map outside_map 20 ipsec-isakmp crypto map outside_map 20 match address outside_cryptomap_20 crypto map outside_map 20 set peer 212.39.xxx.xxx crypto map outside_map 20 set transform-set ESP-DES-MD5 crypto map outside_map 30 ipsec-isakmp dynamic dynmap crypto map outside_map client configuration address initiate crypto map outside_map client configuration address respond crypto map outside_map interface outside isakmp enable outside isakmp key ******** address 212.39.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 isakmp identity address isakmp client configuration address-pool local vpnpool outside isakmp nat-traversal 20 isakmp policy 10 auth...
