Persistent VPN between PIX 501 and ASA 5505

I am a networking newbie with 2 small retail stores. I would like to create a persistent VPN between the stores. I already have a PIX 501 firewall, and I am looking at getting an ASA 5505. Would I have any problems creating a persistent VPN between these two firewalls?

No problems whatsoever :-)
There are loads of examples for the config on the Cisco website, and basically these boxes can run exactly the same software, so the config on each is virtually the same. Main difference is the ASA defines the interfaces in a different way. Even if you have different versions of software, say 6.3 on the PIX and 7.2 on the ASA they will still work fine for the VPN, just the configs will be a lot more different. Hope this helps to remove any worries you had?

Similar Messages

  • VPN with Cisco 877 and ASA 5505

    Hi Experts
    this is my scenario :
    remote clients ----> Internet----> Cisco 877---> ASA5505---->LAN
    i would like to allow remote users to connect to my LAN to chek their mails and work as they are in the office. Actually i have configured Cisco877 as VPN Server this is working Fine. but now i'm trying to use ASA with the router because it permit 25 connections at the same time.
    i'm connected to internet using a public ISDN IP.i have heard that i need a second IP adresse for ASA ! and the ASA must act as VPN server and the router as Client, is that right ?
    if i need to configure the link between the router and ASA how can i do it ? i can't find any document or example in the net :/
    please i need your support to make this dream real lol.
    i will poste my configuration step by step following your help.
    many thanks.

    ASA need public ip address that is sure and also ASA acts as vpn. Client server will be remote not router. For that you can use any Ethernet. Trying to make a remote VPN connection via the cisco client, authenticate against an RSA Secure Token server and provide the client an IP address via DHCP.

  • Phase 2 tunnel is not going up between PIX 525 and Watchguard

    Hi Folks,
    Can you please help me in knowing where is the problem liying, currently I am trying to establish a VPN tunnel between PIX firewall and Watchguard , all the parameters of both devices are the same though Phase two tunnel is not coming up.
    here is the debug :
    crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing KE payload. message ID = 0
    ISAKMP (0): processing NONCE payload. message ID = 0
    ISAKMP (0:0): Detected NAT-D payload
    ISAKMP (0:0): NAT does not match MINE hash
    hash received: b3 8f bb 0 93 3b 65 e8 35 6f 54 6 c4 6f 59 cc
    my nat hash : dd 70 9 ac 35 58 40 da 3b 5b fc 1b 4c 87 d2 11
    ISAKMP (0:0): Detected NAT-D payload
    ISAKMP (0:0): NAT does not match HIS hash
    hash received: ba 72 c5 e 5b fb 88 f0 1e f7 8a ba c9 c6 c1 cc
    his nat hash : c 4c 89 a5 66 c1 dd 80 76 48 3f a5 b0 f0 56 ed
    ISAKMP (0:0): constructed HIS NAT-D
    ISAKMP (0:0): constructed MINE NAT-D
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
    OAK_MM exchange
    ISAKMP (0): processing ID payload. message ID = 0
    ISAKMP (0): processing HASH payload. message ID = 0
    ISAKMP (0): SA has been authenticated
    ISAKMP: Created a peer struct for 212.37.17.43, peer port 37905
    ISAKMP: Locking UDP_ENC struct 0x3cbb634 from crypto_ikmp_udp_enc_ike_init, count 1
    ISAKMP (0): ID payload
    next-payload : 8
    type : 2
    protocol : 17
    port : 0
    length : 23
    ISAKMP (0): Total payload length: 27
    return status is IKMP_NO_ERROR
    ISAKMP (0): sending INITIAL_CONTACT notify
    ISAKMP (0): sending NOTIFY message 24578 protocol 1
    VPN Peer: ISAKMP: Added new peer: ip:212.37.17.43/4500 Total VPN Peers:16
    VPN Peer: ISAKMP: Peer ip:212.37.17.43/4500 Ref cnt incremented to:1 Total VPN Peers:16
    crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
    ISAKMP (0): processing NOTIFY payload 24578 protocol 1
    spi 0, message ID = 3168983470
    ISAKMP (0): processing notify INITIAL_CONTACT
    return status is IKMP_NO_ERR_NO_TRANS
    crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
    OAK_QM exchange
    oakley_process_quick_mode:
    OAK_QM_IDLE
    ISAKMP (0): processing SA payload. message ID = 484086886
    ISAKMP : Checking IPSec proposal 1
    ISAKMP: transform 1, ESP_3DES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (basic) of 28800
    ISAKMP: SA life type in kilobytes
    ISAKMP: SA life duration (basic) of 32000
    ISAKMP: encaps is 61433
    ISAKMP: authenticator is HMAC-MD5
    ISAKMP (0): atts not acceptable. Next payload is 0
    ISAKMP (0): SA not acceptable!
    ISAKMP (0): sending NOTIFY message 14 protocol 0
    return status is IKMP_ERR_NO_RETRANS
    crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
    ISAKMP: phase 2 packet is a duplicate of a previous packet
    ISAKMP: resending last response
    ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
    crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
    ISAKMP: phase 2 packet is a duplicate of a previous packet
    ISAKMP: resending last response
    crypto_isakmp_process_block:src:213.210.211.82, dest:212.118.128.233 spt:500 dpt:500
    ISAKMP (0): processing NOTIFY payload 36136 protocol 1
    spi 0, message ID = 287560609
    ISAMKP (0): received DPD_R_U_THERE from peer 213.210.211.82
    ISAKMP (0): sending NOTIFY message 36137 protocol 1
    return status is IKMP_NO_ERR_NO_TRANSdebug
    ISAKMP (0): retransmitting phase 1 (0)...
    Thanks,
    Ismail

    Hi Kanishka,
    The Phase 2 Parameters are the same also PFS is disabled !
    There are some curious things in the debug msg, could you please throw some light on them
    ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
    ISAKMP: encryption 3DES-CBC
    ISAKMP: hash MD5
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
    ISAKMP: default group 1
    ISAKMP (0): atts are acceptable. Next payload is 0
    ISAKMP (0): processing vendor id payload
    ISAKMP (0:0): vendor ID is NAT-T
    ISAKMP (0): processing vendor id payload
    what does the vendor ID is NAT-T above mean ? Is it say that both sides are using Nat traversal.
    Also in ecryption its says encryption 3DES-CBC
    i am not sure if this CBC is the culprit. Because thats what watchgaurd uses only it does not have an option for only 3DES.
    strange enought that Phase 1 is getting up, I am also questioning myself about the following message appearing in Phase 1:
    ISAKMP (0:0): Detected NAT-D payload
    ISAKMP (0:0): NAT does not match MINE hash
    hash received: b3 8f bb 0 93 3b 65 e8 35 6f 54 6 c4 6f 59 cc
    my nat hash : dd 70 9 ac 35 58 40 da 3b 5b fc 1b 4c 87 d2 11
    ISAKMP (0:0): Detected NAT-D payload
    ISAKMP (0:0): NAT does not match HIS hash
    hash received: ba 72 c5 e 5b fb 88 f0 1e f7 8a ba c9 c6 c1 cc
    his nat hash : c 4c 89 a5 66 c1 dd 80 76 48 3f a5 b0 f0 56 ed
    ISAKMP (0:0): constructed HIS NAT-D
    ISAKMP (0:0): constructed MINE NAT-D
    return status is IKMP_NO_ERROR
    how come Phase 1 is coming up though the PIX is claiming that his HASH is not the same as HIS HASH :(
    the log messages on WATCH GUARD states that there is no proposal chosen!
    why both firewalls are not friends?
    I appreciate any input

  • VPN between cisco WRVS4400N and EdgeMarc

    Hi Experts
    Please help me.
    Is it possible to create VPN between cisco WRVS4400N and EdgeMarc appliance.
    Regards,
    Ejaz

    Hi Ejaz
    I don't expect any cisco folks that answer this community to be expert on EdgeMarc, but i may be wrong..
    We employ a open standard IPSec implementation.
    Here is the open source document that relates to the RV220W.
    http://www.cisco.com/en/US/docs/routers/csbr/rv220w/open_source/OSD_RV220W_78-19892-02.pdf
    The question  could have  been,  have you asked EsgeMarc if they wiork with open standard based IPSec implemations on our routers. 
    I would prefer you look at the RV220W if possible, which is a relatively young product.
    I am guessing since you can source a product from Disti, try one and see if it works.
    The beauty of buying from a Cisco Disti Partner, is they they have a  returns policy. Check out that policy, if you wish and  keep the packaging and try out your application.
    Answered a question with someone trying to form a IPSec link to a OEM firewall/ IPSec gateway ..it worked. so give your application a try
    regards Dave.

  • Site to Site VPN Problems With 2801 Router and ASA 5505

    Hello,
    I am having some issue setting up a site to site ipsec VPN between a Cisco 2801 router and a Cisco ASA 5505. I was told there was a vpn previously setup with an old hosting provider, but those connections have been servered. Right now I am trying to get the sites to talk to the 2801. Here ere are my current configs, please let me know if you need anything else. Im stumped on this one. Thanks.
    IP scheme at SIte A:
    IP    172.19.3.x
    sub 255.255.255.128
    GW 172.19.3.129
    Site A Ciscso 2801 Router
    Current configuration : 11858 bytes
    version 12.4
    service timestamps debug datetime localtime
    service timestamps log datetime localtime show-timezone
    service password-encryption
    hostname router-2801
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    logging buffered 4096
    aaa new-model
    aaa authentication login userauthen group radius local
    aaa authorization network groupauthor local
    aaa session-id common
    clock timezone est -5
    clock summer-time zone recurring last Sun Mar 2:00 1 Sun Nov 2:00
    dot11 syslog
    ip source-route
    ip dhcp excluded-address 172.19.3.129 172.19.3.149
    ip dhcp excluded-address 172.19.10.1 172.19.10.253
    ip dhcp excluded-address 172.19.3.140
    ip dhcp ping timeout 900
    ip dhcp pool DHCP
       network 172.19.3.128 255.255.255.128
       default-router 172.19.3.129
       domain-name domain.local
       netbios-name-server 172.19.3.7
       option 66 ascii 172.19.3.225
       dns-server 172.19.3.140 208.67.220.220 208.67.222.222
    ip dhcp pool VoiceDHCP
       network 172.19.10.0 255.255.255.0
       default-router 172.19.10.1
       dns-server 208.67.220.220 8.8.8.8
       option 66 ascii 172.19.10.2
       lease 2
    ip cef
    ip inspect name SDM_LOW cuseeme
    ip inspect name SDM_LOW dns
    ip inspect name SDM_LOW ftp
    ip inspect name SDM_LOW h323
    ip inspect name SDM_LOW https
    ip inspect name SDM_LOW icmp
    ip inspect name SDM_LOW imap
    ip inspect name SDM_LOW pop3
    ip inspect name SDM_LOW netshow
    ip inspect name SDM_LOW rcmd
    ip inspect name SDM_LOW realaudio
    ip inspect name SDM_LOW rtsp
    ip inspect name SDM_LOW esmtp
    ip inspect name SDM_LOW sqlnet
    ip inspect name SDM_LOW streamworks
    ip inspect name SDM_LOW tftp
    ip inspect name SDM_LOW tcp
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW vdolive
    no ip domain lookup
    ip domain name domain.local
    multilink bundle-name authenticated
    key chain key1
    key 1
       key-string 7 06040033484B1B484557
    crypto pki trustpoint TP-self-signed-3448656681
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3448bb6681
    revocation-check none
    rsakeypair TP-self-signed-344bbb56681
    crypto pki certificate chain TP-self-signed-3448656681
    certificate self-signed 01
      3082024F
                quit
    username admin privilege 15 password 7 F55
    archive
    log config
      hidekeys
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key XXXXX address 209.118.0.1
    crypto isakmp key xxxxx address SITE B Public IP
    crypto isakmp keepalive 40 5
    crypto isakmp nat keepalive 20
    crypto isakmp client configuration group IISVPN
    key 1nsur3m3
    dns 172.19.3.140
    wins 172.19.3.140
    domain domain.local
    pool VPN_Pool
    acl 198
    crypto isakmp profile IISVPNClient
       description VPN clients profile
       match identity group IISVPN
       client authentication list userauthen
       isakmp authorization list groupauthor
       client configuration address respond
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto dynamic-map Dynamic 5
    set transform-set myset
    set isakmp-profile IISVPNClient
    qos pre-classify
    crypto map VPN 10 ipsec-isakmp
    set peer 209.118.0.1
    set peer SITE B Public IP
    set transform-set myset
    match address 101
    qos pre-classify
    crypto map VPN 65535 ipsec-isakmp dynamic Dynamic
    track 123 ip sla 1 reachability
    delay down 15 up 10
    class-map match-any VoiceTraffic
    match protocol rtp audio
    match protocol h323
    match protocol rtcp
    match access-group name VOIP
    match protocol sip
    class-map match-any RDP
    match access-group 199
    policy-map QOS
    class VoiceTraffic
        bandwidth 512
    class RDP
        bandwidth 768
    policy-map MainQOS
    class class-default
        shape average 1500000
      service-policy QOS
    interface FastEthernet0/0
    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$
    ip address 172.19.3.129 255.255.255.128
    ip access-group 100 in
    ip inspect SDM_LOW in
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    interface FastEthernet0/0.10
    description $ETH-VoiceVLAN$$
    encapsulation dot1Q 10
    ip address 172.19.10.1 255.255.255.0
    ip inspect SDM_LOW in
    ip nat inside
    ip virtual-reassembly
    interface FastEthernet0/1
    description "Comcast"
    ip address PUB IP 255.255.255.248
    ip access-group 102 in
    ip inspect SDM_LOW out
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map VPN
    interface Serial0/1/0
    description "Verizon LEC Circuit ID: w0w13908 Site ID: U276420-1"
    bandwidth 1536
    no ip address
    encapsulation frame-relay IETF
    frame-relay lmi-type ansi
    interface Serial0/1/0.1 point-to-point
    bandwidth 1536
    ip address 152.000.000.18 255.255.255.252
    ip access-group 102 in
    ip verify unicast reverse-path
    ip inspect SDM_LOW out
    ip nat outside
    ip virtual-reassembly
    frame-relay interface-dlci 500 IETF 
    crypto map VPN
    service-policy output MainQOS
    interface Serial0/2/0
    description "PAETEC 46.HCGS.788446.CV (Verizon ID) / 46.HCGS.3 (PAETEC ID)"
    ip address 123.252.123.102 255.255.255.252
    ip access-group 102 in
    ip inspect SDM_LOW out
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    crypto map VPN
    service-policy output MainQOS
    ip local pool VPN_Pool 172.20.3.130 172.20.3.254
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 50.00.000.110 track 123
    ip route 0.0.0.0 0.0.0.0 111.252.237.000 254
    ip route 122.112.197.20 255.255.255.255 209.252.237.101
    ip route 208.67.220.220 255.255.255.255 50.78.233.110
    no ip http server
    no ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip flow-top-talkers
    top 20
    sort-by bytes
    ip nat inside source route-map COMCAST interface FastEthernet0/1 overload
    ip nat inside source route-map PAETEC interface Serial0/2/0 overload
    ip nat inside source route-map VERIZON interface Serial0/1/0.1 overload
    ip nat inside source static tcp 172.19.3.140 21 PUB IP 21 extendable
    ip access-list extended VOIP
    permit ip 172.20.3.0 0.0.0.127 host 172.19.3.190
    permit ip host 172.19.3.190 172.20.3.0 0.0.0.127
    ip radius source-interface FastEthernet0/0
    ip sla 1
    icmp-echo 000.67.220.220 source-interface FastEthernet0/1
    timeout 10000
    frequency 15
    ip sla schedule 1 life forever start-time now
    access-list 23 permit 172.19.3.0 0.0.0.127
    access-list 23 permit 172.19.3.128 0.0.0.127
    access-list 23 permit 173.189.251.192 0.0.0.63
    access-list 23 permit 107.0.197.0 0.0.0.63
    access-list 23 permit 173.163.157.32 0.0.0.15
    access-list 23 permit 72.55.33.0 0.0.0.255
    access-list 23 permit 172.19.5.0 0.0.0.63
    access-list 100 remark "Outgoing Traffic"
    access-list 100 deny   ip 67.128.87.156 0.0.0.3 any
    access-list 100 deny   ip host 255.255.255.255 any
    access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit tcp host 172.19.3.190 any eq smtp
    access-list 100 permit tcp host 172.19.3.137 any eq smtp
    access-list 100 permit tcp any host 66.251.35.131 eq smtp
    access-list 100 permit tcp any host 173.201.193.101 eq smtp
    access-list 100 permit ip any any
    access-list 100 permit tcp any any eq ftp
    access-list 101 remark "Interesting VPN Traffic"
    access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 101 permit ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.10
    access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.11
    access-list 101 permit tcp any any eq ftp
    access-list 101 permit tcp any any eq ftp-data
    access-list 102 remark "Inbound Access"
    access-list 102 permit udp any host 152.179.53.18 eq non500-isakmp
    access-list 102 permit udp any host 152.179.53.18 eq isakmp
    access-list 102 permit esp any host 152.179.53.18
    access-list 102 permit ahp any host 152.179.53.18
    access-list 102 permit udp any host 209.000.000.102 eq non500-isakmp
    access-list 102 permit udp any host 209.000.000.102 eq isakmp
    access-list 102 permit esp any host 209.000.000.102
    access-list 102 permit ahp any host 209.000.000.102
    access-list 102 permit udp any host PUB IP eq non500-isakmp
    access-list 102 permit udp any host PUB IP eq isakmp
    access-list 102 permit esp any host PUB IP
    access-list 102 permit ahp any host PUB IP
    access-list 102 permit ip 72.55.33.0 0.0.0.255 any
    access-list 102 permit ip 107.0.197.0 0.0.0.63 any
    access-list 102 deny   ip 172.19.3.128 0.0.0.127 any
    access-list 102 permit icmp any any echo-reply
    access-list 102 permit icmp any any time-exceeded
    access-list 102 permit icmp any any unreachable
    access-list 102 permit icmp any any
    access-list 102 deny   ip any any log
    access-list 102 permit tcp any host 172.19.3.140 eq ftp
    access-list 102 permit tcp any host 172.19.3.140 eq ftp-data established
    access-list 102 permit udp any host SITE B Public IP  eq non500-isakmp
    access-list 102 permit udp any host SITE B Public IP  eq isakmp
    access-list 102 permit esp any host SITE B Public IP
    access-list 102 permit ahp any host SITE B Public IP
    access-list 110 remark "Outbound NAT Rule"
    access-list 110 remark "Deny VPN Traffic NAT"
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
    access-list 110 deny   ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
    access-list 110 deny   ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.11
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.10
    access-list 110 permit ip 172.19.3.128 0.0.0.127 any
    access-list 110 permit ip 172.19.10.0 0.0.0.255 any
    access-list 198 remark "Networks for IISVPN Client"
    access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 199 permit tcp any any eq 3389
    route-map PAETEC permit 10
    match ip address 110
    match interface Serial0/2/0
    route-map COMCAST permit 10
    match ip address 110
    match interface FastEthernet0/1
    route-map VERIZON permit 10
    match ip address 110
    match interface Serial0/1/0.1
    snmp-server community 123 RO
    radius-server host 172.19.3.7 auth-port 1645 acct-port 1646 key 7 000000000000000
    control-plane
    line con 0
    line aux 0
    line vty 0 4
    access-class 23 in
    privilege level 15
    transport input telnet ssh
    line vty 5 15
    access-class 23 in
    privilege level 15
    transport input telnet ssh
    scheduler allocate 20000 1000
    ntp server 128.118.25.3
    ntp server 217.150.242.8
    end
    IP scheme at site B:
    ip     172.19.5.x
    sub  255.255.255.292
    gw   172.19.5.65
    Cisco ASA 5505 at Site B
    ASA Version 8.2(5)
    hostname ASA5505
    domain-name domain.com
    enable password b04DSH2HQqXwS8wi encrypted
    passwd b04DSH2HQqXwS8wi encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.19.5.65 255.255.255.192
    interface Vlan2
    nameif outside
    security-level 0
    ip address SITE B public IP 255.255.255.224
    boot system disk0:/asa825-k8.bin
    ftp mode passive
    clock timezone est -5
    clock summer-time zone recurring last Sun Mar 2:00 last Sun Oct 2:00
    dns server-group DefaultDNS
    domain-name iis-usa.com
    same-security-traffic permit intra-interface
    object-group network old hosting provider
    network-object 72.55.34.64 255.255.255.192
    network-object 72.55.33.0 255.255.255.0
    network-object 173.189.251.192 255.255.255.192
    network-object 173.163.157.32 255.255.255.240
    network-object 66.11.1.64 255.255.255.192
    network-object 107.0.197.0 255.255.255.192
    object-group network old hosting provider
    network-object host 172.19.250.10
    network-object host 172.19.250.11
    access-list 100 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
    access-list 100 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
    access-list 10 extended deny ip 0.0.0.0 255.0.0.0 any
    access-list 10 extended deny ip 127.0.0.0 255.0.0.0 any
    access-list 10 extended deny ip 169.254.0.0 255.255.0.0 any
    access-list 10 extended deny ip 172.16.0.0 255.255.0.0 any
    access-list 10 extended deny ip 224.0.0.0 224.0.0.0 any
    access-list 10 extended permit icmp any any echo-reply
    access-list 10 extended permit icmp any any time-exceeded
    access-list 10 extended permit icmp any any unreachable
    access-list 10 extended permit icmp any any traceroute
    access-list 10 extended permit icmp any any source-quench
    access-list 10 extended permit icmp any any
    access-list 10 extended permit tcp object-group old hosting provider any eq 3389
    access-list 10 extended permit tcp any any eq https
    access-list 10 extended permit tcp any any eq www
    access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.0 255.255.255.128
    access-list 110 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
    pager lines 24
    logging enable
    logging timestamp
    logging console emergencies
    logging monitor emergencies
    logging buffered warnings
    logging trap debugging
    logging history debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip verify reverse-path interface inside
    ip verify reverse-path interface outside
    ip audit name jab attack action alarm drop reset
    ip audit name probe info action alarm drop reset
    ip audit interface outside probe
    ip audit interface outside jab
    ip audit info action alarm drop reset
    ip audit attack action alarm drop reset
    ip audit signature 2000 disable
    ip audit signature 2001 disable
    ip audit signature 2004 disable
    ip audit signature 2005 disable
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit 75.150.169.48 255.255.255.240 outside
    icmp permit 72.44.134.16 255.255.255.240 outside
    icmp permit 72.55.33.0 255.255.255.0 outside
    icmp permit any outside
    icmp permit 173.163.157.32 255.255.255.240 outside
    icmp permit 107.0.197.0 255.255.255.192 outside
    icmp permit 66.11.1.64 255.255.255.192 outside
    icmp deny any outside
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 100
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group 10 in interface outside
    route outside 0.0.0.0 0.0.0.0 174.78.151.225 1
    timeout xlate 3:00:00
    timeout conn 24:00:00 half-closed 0:10:00 udp 0:10:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 24:00:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http 107.0.197.0 255.255.255.192 outside
    http 66.11.1.64 255.255.255.192 outside
    snmp-server host outside 107.0.197.29 community *****
    snmp-server host outside 107.0.197.30 community *****
    snmp-server host inside 172.19.250.10 community *****
    snmp-server host outside 172.19.250.10 community *****
    snmp-server host inside 172.19.250.11 community *****
    snmp-server host outside 172.19.250.11 community *****
    snmp-server host outside 68.82.122.239 community *****
    snmp-server host outside 72.55.33.37 community *****
    snmp-server host outside 72.55.33.38 community *****
    snmp-server host outside 75.150.169.50 community *****
    snmp-server host outside 75.150.169.51 community *****
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map VPNMAP 10 match address 110
    crypto map VPNMAP 10 set peer 72.00.00.7 old vpn public ip Site B Public IP
    crypto map VPNMAP 10 set transform-set ESP-3DES-MD5
    crypto map VPNMAP 10 set security-association lifetime seconds 86400
    crypto map VPNMAP 10 set security-association lifetime kilobytes 4608000
    crypto map VPNMAP interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 20
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet 172.19.5.64 255.255.255.192 inside
    telnet 172.19.3.0 255.255.255.128 outside
    telnet timeout 60
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 60
    console timeout 0
    management-access inside
    dhcpd dns 172.19.3.140
    dhcpd wins 172.19.3.140
    dhcpd ping_timeout 750
    dhcpd domain iis-usa.com
    dhcpd address 172.19.5.80-172.19.5.111 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection scanning-threat shun except object-group old hosting provider
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 128.118.25.3 source outside
    ntp server 217.150.242.8 source outside
    tunnel-group 72.00.00.7 type ipsec-l2l
    tunnel-group 72.00.00.7 ipsec-attributes
    pre-shared-key *****
    tunnel-group old vpn public ip type ipsec-l2l
    tunnel-group old vpn public ip ipsec-attributes
    pre-shared-key *****
    tunnel-group SITE A Public IP  type ipsec-l2l
    tunnel-group SITE A Public IP  ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect netbios
      inspect tftp
      inspect pptp
      inspect sip 
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:
    : end

    I have removed the old "set peer" and have added:
    IOS router:
    access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.65
    ASA fw:
    access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
    on the router I have also added;
    access-list 110 deny  ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
    Here is my acl :
    access-list 110 remark "Outbound NAT Rule"
    access-list 110 remark "Deny VPN Traffic NAT"
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
    access-list 110 deny   ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
    access-list 110 deny   ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.11
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.10
    access-list 110 permit ip 172.19.3.128 0.0.0.127 any
    access-list 110 permit ip 172.19.10.0 0.0.0.255 any
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
    access-list 198 remark "Networks for IISVPN Client"
    access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
    Still no ping tothe other site.

  • PIX 501 and Linksys VPN Router (WRV200)

    I have inherited a job where we have a Cisco PIX 501 firewall at one site, and Linksys WRV200 VPN Router on two other
    sites. I have been asked to connect these Linksys routers to the PIX firewall via VPN.
    I believe the Linksys vpn routers can only connect via IPSec VPN, so i am looking for help on configuring the PIX 501 to allow the linksys to connect with the following parameters, if possible.
    Key Exchange Method: Auto (IKE)
    Encryption: Auto, 3DES, AES128, AES192, AES256
    Authentication: MD5
    Pre-Shared Key: xxx
    PFS: Enabled/Disabled
    ISAKMP Key Lifetime: 28800
    IPSec Key Lifetime: 3600
    On the PIX i have the PDM installed and i have tried using the VPN Wizard to no avail.
    I chose the following settings when doing the VPN Wizard:
    Type of VPN: Remote Access VPN
    Interface: Outside
    Type of VPN Client Device used: Cisco VPN Client
    (can choose Cisco VPN 3000 Client, MS Windows Client using PPTP, MS Windows client using L2TP)
    VPN Client Group
    Group Name: RabyEstates
    Pre Shared Key: rabytest
    Extended Client Authentication: Disabled
    Address Pool
    Pool Name: VPN-LAN
    Range Start: 192.168.2.200
    Range End: 192.168.2.250
    DNS/WINS/Default Domain: None
    IKE Policy
    Encryption: 3DES
    Authentication: MD5
    DH Group: Group 2 (1024-bit)
    Transform Set
    Encryption: 3DES
    Authentication: MD5
    I have attached the VPN log from the Linksys VPN Router.
    This is the first time i've ever worked with PIX so i'm still trying to figure the thing out, but i'm confident with CCNA level networking.
    Thanks for your help!

    Hi again,
    I believe the pix has a 3des license because of the following parts of the "show version"
    Licensed Features:
    Failover: Disabled
    VPN-DES: Enabled
    VPN-3DES-AES: Enabled
    This PIX has a Restricted (R) license.
    I've tried reconnecting the VPN tunnel with debugging on the PIX and get the output as shown in the attached file "vpndebug.txt"
    As for the other show commands they give:
    pixfirewall# show crypto isakmp sa
    Total : 0
    Embryonic : 0
    dst src state pending created
    pixfirewall# show crypto ipsec sa
    interface: outside
    Crypto map tag: transam, local addr. 10.0.0.1
    local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
    current_peer: 10.0.0.2:0
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
    local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
    path mtu 1500, ipsec overhead 0, media mtu 1500
    current outbound spi: 0
    inbound esp sas:
    inbound ah sas:
    inbound pcp sas:
    outbound esp sas:
    outbound ah sas:
    outbound pcp sas:
    pixfirewall#
    Thanks again Daniel, i really appreciate your help on this matter.

  • VPN between PIX 515 Version 6.3(3) and CheckPoint NGX R70.10

    I'm trying to setup a simple VPN between a PIX 515 running version 6.3(3) and a Checkpoint running NGX R70.10 and I'm unable to get the tunnel created fully.
    What makes it puzzling is that the ACL defining the interesting traffic on the PIX side (which is always the inbound side of the traffic) is registering hits on it's rule. "access-list 130 line 1 permit ip host B.B.B.B D.D.D.0 255.255.255.0 (hitcnt=54)" but the D.D.D.0 address isn't showing up in the debug output below.
    Turning the PIX VPN debugging on "debug crypto ipsec" and "debug crypto isakmp" I'm receiving the following output which results in an error and which appears to also have an unexpected ip network (10.27.0.0) being displayed.  As displayed below nowhere is the "D.D.D.0" address showing up.
    I know this may be confusing to read, but I tried to hide the ip addresses by replacing them with letters.  Whatever assistance is appreciated.
    crypto_isakmp_process_block:src:A.A.A.A, dest:B.B.B.A spt:500 dpt:500
    OAK_QM exchange
    oakley_process_quick_mode:
    OAK_QM_IDLE
    ISAKMP (0): processing SA payload. message ID = 649100472
    ISAKMP : Checking IPSec proposal 1
    ISAKMP: transform 1, ESP_AES
    ISAKMP:   attributes in transform:
    ISAKMP:     SA life type in seconds
    ISAKMP:     SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP:     authenticator is HMAC-SHA
    ISAKMP:     encaps is 1
    ISAKMP:     key length is 256
    ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
    (key eng. msg.) dest= B.B.B.A, src= A.A.A.A,
       dest_proxy= B.B.B.B/255.255.255.255/0/0 (type=1),
       src_proxy= C.C.0.0/255.255.0.0/0/0 (type=4),
       protocol= ESP, transform= esp-aes-256 esp-sha-hmac ,
       lifedur= 0s and 0kb,
       spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x4
    IPSEC(validate_transform_proposal): proxy identities not supported
    IPSEC(validate_proposal_request): proposal part #1,
    (key eng. msg.) dest= B.B.B.A, src= A.A.A.A,
       dest_proxy= C.C.0.0/255.255.0.0/0/0 (type=4),
       src_proxy= B.B.B.B/255.255.255.255/0/0 (type=1),
       protocol= ESP, transform= esp-aes-256 esp-sha-hmac ,
       lifedur= 0s and 0kb,
       spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x4
    IPSEC(validate_transform_proposal): proxy identities not supported
    ISAKMP : Checking IPSec proposal 1
    ISAKMP: transform 1, ESP_AES
    ISAKMP:   attributes in transform:
    ISAKMP:     SA life type in seconds
    ISAKMP:     SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP:     authenticator is HMAC-SHA
    ISAKMP:     encaps is 1
    ISAKMP:     key length is 256
    ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
    (key eng. msg.) dest= B.B.B.A, src= A.A.A.A,
       dest_proxy= B.B.B.B/255.255.255.255/0/0 (type=1),
       src_proxy= C.C.0.0/255.255.0.0/0/0 (type=4),
       protocol= ESP, transform= esp-aes-256 esp-sha-hmac ,
       lifedur= 0s and 0kb,
       spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x4
    IPSEC(validate_transform_proposal): proxy identities not supported
    IPSEC(validate_proposal_request): proposal part #1,
    (key eng. msg.) dest= B.B.B.A, src= A.A.A.A,
       dest_proxy= C.C.0.0/255.255.0.0/0/0 (type=4),
       src_proxy= B.B.B.B/255.255.255.255/0/0 (type=1),
       protocol= ESP, transform= esp-aes-256 esp-sha-hmac ,
       lifedur= 0s and 0kb,
       spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x4

    I just found out that in version 6.x, traffic cannot pass through when the security level are the same.
    For VPN Client, user traffic came from outside interface.
    If split-tunneling is disabled and user want to access Internet, it has to go out from outside interface as well.
    As "same-security-traffic permit inter-interface" is not available in 6.x, it become impossilbe for VPN client to access Internet, when split-tunneling is disabled.
    Am I correct?

  • Can't get traffic flowing between VLANs on an ASA 5505

    I've got an ASA 5505 with the Security Plus license that I'm trying to configure.
    So far I have setup NATing on two VLANs, one called 16jda (VLAN 16 - 10.16.2.0/24) and one called 16jdc (VLAN 11 - 10.105.11.0/24).
    From each subnet I am able to connect to the internet, but I need these subnets to also be able to talk to each other.
    I have each VLAN interface at security level 100 and enabled "same-security-traffic permit inter-interface", and I have setup static NAT mappings between the two subnets, but they still can't communicate.
    When I try to ping there is no reply and the only log message is:
    6     Aug 21 2012     09:00:54     302020     10.16.2.10     23336     10.105.11.6     0     Built inbound ICMP connection for faddr 10.16.2.10/23336 gaddr 10.105.11.6/0 laddr 10.105.11.6/0
    I have attached a copy of the router config.

    Hi Bro
    I know your problem and I know exactly how to solve it too. You could refer to https://supportforums.cisco.com/message/3714412#3714412 for further details.
    Moving forward, this is what you’re gonna paste in your FW. This should work like a charm.
    access-list from-inside permit ip 10.105.1.0 255.255.255.0 10.105.11.0 255.255.255.0
    access-list from-inside permit ip 10.105.1.0 255.255.255.0 10.16.2.0 255.255.255.0
    access-list from-16jda permit ip 10.16.2.0 255.255.255.0 10.105.1.0 255.255.255.0
    access-list from-16jda permit ip 10.16.2.0 255.255.255.0 10.105.11.0 255.255.255.0
    access-list from-16jdc permit ip 10.105.11.0 255.255.255.0 10.105.1.0 255.255.255.0
    access-list from-16jdc permit ip 10.105.11.0 255.255.255.0 10.16.2.0 255.255.255.0
    nat (inside) 0 access-list from-inside
    nat (16jdc) 0 access-list from-16jdc
    nat (16jda) 0 access-list from-16jda
    clear xlate
    nat (inside) 1 10.105.1.0 255.255.255.0 <-- You forgot this!!
    Basically, when inside wants to communicate with the other interfaces bearing security-level 100 e.g. 16jda or 16jdc or vice-versa, you’ll need to enable “NAT Exemption” i.e. nat (nameif) 0 . I know you have already enabled the same-security permit inter-interface command, but this command becomes useless once you’ve enable dynamic nat on one of those interfaces. It’s as if the same-security traffic command wasn't even entered in the first place. Hence, the Cisco ASA is behaving as expected as per Cisco's documentation. For further details on this, you could refer to the URLs below;
    https://supportforums.cisco.com/thread/223898
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1042530
         

  • PIX 501 and UPnP

    Does the PIX 501 support UPnP? According to an older post, "PIX is currently not UPnP aware." The eight-year old answer lead to a "Request for UPnP support in PIX": https://tools.cisco.com/bugsearch/bug/CSCdy26037. If it has been made "aware" where would I find a resource on enabling it? Thanks.

    Agree with Steven, most if not all of our recommendations to clients is to use the newer asa firewall products in a migration path, beside, not will the asa5505 provide you with up to 20 virtual interfaces with Sec plus license, but other numerous features pix code 6.3(5) does not come close to providing.
    Ultimatelly the pix 506 cannot go beyond code 6.3(5) and probably give you up to 2 vlans maximun, and from clients experience out there they end up in a dead lock when needing new features, you want to have a product in your network whether is small that would be able to move forward with 7.x/8.x codes.
    If the above is not of a concern at all, then what Andrew sugested would work.
    Rgds
    -Jorge

  • VPN Site to Site Cisco ASA-5505-BUN-50 to RV-042

                       Hello guys , anyone has an example for connect by VPN Site to Site a Cisco ASA-5505 with RV-042 , i need establish a link for connect my UC560 with CUE on Cisco Router 2800 for VoIP Site to Site calls.
    Thanks

    On ASA running 8.4.3. B side. I believe object "email" is defined incorrectly.
    Existing configuration
    object network email
    host 172.16.0.0
    description 255.255.0.0
    Correct configuration
    object network email
    subnet 172.16.0.0 255.255.0.0

  • Pix 501 and H323

    Thank you in advanced.
    Is video teleconference supported on the PIX 501?
    I am trying to configure a static router from the inside to the outside using static routers and I can not do it.
    Please can some one send me config examples if Pix 501 supports VIdeo COnferencing using H323.
    Cristian

    Have a look here:
    http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278b.html#wp1079378
    If connectivity still fails, a look at the pix log might help ('sh log').

  • PIX 501 and Java

    Hello,
    Trying to move some servers today and lo and behold this.... not good news...
    Does anyone have an easy workaround for the Java issue for a Cisco Pix 501? Is there an easy way to revert to older versions of Java without affecting everything else? Does QuickTime use Java? This is very frustrating.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/productsfieldnotice09186a008046c805.shtml
    "Customers running these versions of PDM or IDM should either uninstall the newer Java Plug-Ins and re-install previous versions of the Java Plug-In, or upgrade their PDM and IDM images to the versions indicated in the following table."
    Thanks,
    Rich

    Rich,
    Welcome to the forums.
    This notice doesn't apply to using Java programs or applets.
    It specifically applies to computers that will need to access the PDM or IDM to make changes.
    "Impacted PDM and IDM versions will not load when launched from a browser"
    As long as you don't need to access the PDM or IDM from the browser, you don't need to worry about this advisory.
    If you do, my advice would be to upgrade the PIX, as that seems the most logical thing to do (especially as it's a fix that Cisco has already released).

  • Pix 501 and Client VPN's

    Hi, I've had this 501 for several months now and really stuggled to get the client VPN side working.
    I can get site to site working with no problems using the wizard but the Client VPN never works.
    Latest i've set it up for pptp which I can get the client to connect with no problems but fails to get any traffic from the pix - I can however ping the remote PC from a PC behind the PIX.
    I'm setting these up by the PDM buy i've attached a copy of the config anyway.
    Best,
    Chris

    Hi Kamal.
    It didnt like the command
    nat (inside) 0 access0list nonat
    I can attach via Cisco VPN Client but the same occurs - I can ping the remote from the network - but not the other way round.
    Config attached. - Best, Chris
    : Written by enable_15 at 02:14:05.990 UTC Mon Feb 12 2007
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxx
    passwd xxx
    hostname pixfirewall
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list outside_cryptomap_dyn_20 permit ip any 10.10.10.0 255.255.255.240
    access-list split permit ip 192.168.1.0 255.255.255.0 any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 213.x.146.72 255.255.x.0
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnpool 10.10.10.1-10.10.10.10
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.x.249.x.65 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto dynamic-map cisco 1 set transform-set myset
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication LOCAL
    crypto map dyn-map 20 ipsec-isakmp dynamic cisco
    crypto map dyn-map interface outside
    isakmp enable outside
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup vpn address-pool vpnpool
    vpngroup vpn dns-server 192.168.1.1
    vpngroup vpn idle-time 1800
    vpngroup vpn password 634083
    vpngroup VPNclient split-tunnel split
    vpngroup VPNclient idle-time 1800
    vpngroup VPNclient password ******
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd dns 89.238.129.211
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    username chris password 9DgK/T8KJkq.BhX6 encrypted privilege 15
    terminal width 80
    Cryptochecksum:xxx
    : end

  • Trying to create VPN between a Fortigate and Pix

    Here is the Pix config:
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set fortinet esp-3des esp-sha-hmac
    crypto map outside_map 10 ipsec-isakmp
    crypto map outside_map 10 match address 85
    crypto map outside_map 10 set peer 10.48.4.6
    crypto map outside_map 10 set transform-set fortinet
    crypto map outside_map 10 set security-association lifetime seconds 86400 kilobytes 4608000
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address 90
    crypto map outside_map 20 set peer 10.x.x.x
    crypto map outside_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map interface EPORT
    isakmp enable EPORT
    isakmp key ******** address 10.48.4.6 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address 10.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 28800
    Here is the output of debug crypto on the Pix:
    ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) dest= 10.48.5.94, src= 10.48.4.6,
        dest_proxy= 10.74.33.0/255.255.255.0/0/0 (type=4),
        src_proxy= 199.38.8.0/255.255.248.0/0/0 (type=4),
        protocol= ESP, transform= esp-3des esp-sha-hmac ,
        lifedur= 0s and 0kb,
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
    IPSEC(validate_transform_proposal): peer address 10.48.4.6 not found
    IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) dest= 10.48.5.94, src= 10.48.4.6,
        dest_proxy= 199.38.8.0/255.255.248.0/0/0 (type=4),
        src_proxy= 10.74.33.0/255.255.255.0/0/0 (type=4),
        protocol= ESP, transform= esp-3des esp-sha-hmac ,
        lifedur= 0s and 0kb,
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
    IPSEC(validate_transform_proposal): peer address 10.48.5.94 not found
    ISAKMP: IPSec policy invalidated proposal
    ISAKMP (0): SA not acceptable!
    I'm having trouble understanding the debug message and what might be wrong in the settings.

    Jon,
    Can you verify the cryto accees list on fortinet? I can see that you have configured crypto acees list as subnet. Fortinet should also be subnet and not range type
        dest_proxy= 10.74.33.0/255.255.255.0/0/0 (type=4),
        src_proxy= 199.38.8.0/255.255.248.0/0/0 (type=4)
    type 4 is type subnet
    let me know

  • VPN between Juniper ScreenOS and Cisco issue

    We are facing the issue between cisco and juniper after implementing GRE over IPSec with OSPF. According to Juniper the packets sending from one Branch to another are not encapsulated by Cisco. Below attached are the logs of cisco. As i am reading the forums over internet, most of them recommended to create Static VTI between cisco and juniper.
    Is Static VTI are recommaded or not ?
    We have 400 Branch offices, each Branches has point to point GRE Tunnel, can we use single VTI Profile and apply on all 400 Tunnel interfaces or its has some limitation?
    Can we enable netflow on Static VTI
    Can we pass Voice Traffic over it.
    Qos also implemented over it.
    Can we apply rate limit over it.
    All Traffic will be encrypted. ACL limitation ( permit ip any any)

    From the output of show cry ipsec sa, the encrypts are a lot more than decrypts, which means traffic is actually getting encrypted and getting sent through the VPN tunnel, and reply is probably not getting back towards the 2801 router.
    Can you check the output on the Linksys as well. And also make sure that the Linksys end knows how to route back towards the 2800 router.

Maybe you are looking for

  • ERS PO

    Hello, If I am checking a PO as ERS , the terms of payment along with tax code is mandatory ? regards NBanu

  • HT4101 Using a new lightning to SD card reader - nothing happens

    Just get nothing when I connect the SD card reader. Seems to be a common problem? No error message, no photos automatically come up. Latest iPad and reader purchased from an Apple store 2 weeks ago. Tried 2 different SD cards on 2 different iPads. No

  • Why is CS6 Zoom change window size is different then previous versions?

    Why in CS6 when zoom changes window size and a folating window fits in Photoshop window or on other display screen do I get scroll bars where a select all selection marching ants are not visible on all four sides till I drag out the window to get rid

  • Can I change two DC fans in PXI-1042 chasis?

    Can I change two DC fans ( Mechatronics E9225X)in PXI-1042 chasis? It is too noisy in a quiet environment. Could you reveal what kind of DC fans were adopted in the PXI-1042Q chasis?

  • DVD SP Surprises

    Hi All, Final Cut Studio 2, great programs, final cut pro is fantastic, I had a quick look at soundtrack pro, that looks really good also, but DVD SP is what I've thrown myself into. I have a couple of questions that I really hope someone can answer,