How can you config a Linksys RV082 infront of a PIX. We have two PIX's connected to different ISP's. Since the Linksys RV082 has DUAL Wans you can connect two ISP to it. Now I can pass traffic to my PIX's, but what about a Gateway to Gateway VPN. Basically a RV082 to another RV082 at another site. The easy part is creating a tunnel between the two Linksys routers, but how to I pass the tunnel traffic through my PIX?
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations MikeeOK on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Linksys RV082 in front of PIX 515 and pass VPN tunnel traffic to PIX 1
- Thread starter mdbuddy
- Start date
Why not just connect your RV082 to the PIX? Much easier...
Thanks,
Matt Wray
GFH
Thanks,
Matt Wray
GFH
-
1
- Thread starter
- #3
- Thread starter
- #4
I forgot the Linksys runs on a Class C 192.x.x.x, we run a class A subnet 10.1x.x.x. I would have to have something doing the routing. If the pix is behind the linksys it will do the routing.
I found this info
Linksys:
Cisco PIX:
The only consideration is to modify this line:
"isakmp key ********** address 172.22.112.12 netmask 255.255.255.255 no-xauth no-config-mode"
After configuring both devices, please turn on the following commands for troubleshooting: "debug crypto isa" and "debug crypto ipsec" and try to establish the tunnel.
I found this info
Linksys:
Cisco PIX:
The only consideration is to modify this line:
"isakmp key ********** address 172.22.112.12 netmask 255.255.255.255 no-xauth no-config-mode"
After configuring both devices, please turn on the following commands for troubleshooting: "debug crypto isa" and "debug crypto ipsec" and try to establish the tunnel.
You misunderstood. You can create a tunnel with the RV082 on one end and the PIX on the other. I have 4 RV082's at remote branches running IPSec tunnels to our PIX515 here at HQ currently as a failover fro our Frame. They're a littel buggy, need to be bounced periodically. But otherwise I'm happy, they do their job when they need to...
Also, the RV082 can be set up with any IP on the LAN side. A 10.10.10 or whatever will work fine.
Thanks,
Matt Wray
GFH
Also, the RV082 can be set up with any IP on the LAN side. A 10.10.10 or whatever will work fine.
Thanks,
Matt Wray
GFH
- Thread starter
- #6
mattwray would you send me or post your config on the PIX and for the rv082. I can't get my tunnel to connect. I planned on remote office to have a RV082 to a RV082 in front of our PIX's. This way our sales could vpn to the RV082 at HQ. I scratched that out. Now I'm just trying a PIX to remote RV082. I thought I got things config'd right. The rv082 isn't that hard, just mirror pix config to a point
This is my PIX, I'll have to edit uot some IP's and whatnot but hopefully it will help.
Password:
Type help or '?' for a list of available commands.
HouPix> en
Password: ***********
HouPix# sho run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ/Guest security4
enable password encrypted
passwd
encrypted
hostname HouPix
recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.10.x.x Site1
name 192.168.x.x Site2
name 192.168.x.x Site3
name 192.168.x.x Site4
name 192.168.x.x Site5
name 192.168.x.x Site6
access-list inside_outbound_nat0_acl permit ip 192.168.x.x 255.255.255.0 <sitename> 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.x.x 255.255.255.0 <sitename> 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.x.x 255.255.255.0 <sitename> 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.x.x 255.255.255.0 <sitename> 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.x.x 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.x.x 255.255.255.0 <sitename> 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.x.x 255.255.255.0 <sitename>
255.255.255.0
access-list outside_cryptomap_40 permit ip 192.168.x.x 255.255.255.0 <sitename> 255.255.255.0
access-list outside_cryptomap_60 permit ip 192.168.x.x 255.255.255.0 <sitename> 255.255.255.0
access-list outside_cryptomap_80 permit ip 192.168.x.x 255.255.255.0 <sitename> 255.255.255.0
access-list outside_cryptomap_30 permit ip 192.168.x.x 255.255.255.0 <sitename> 255.255.255.0
access-list outside_cryptomap_25 permit ip 192.168.x.x 255.255.255.0 <sitename> 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ/Guest 1500
ip address outside x.x.x.x <subnet_mask>
ip address inside 192.168.x.x 255.255.255.0
ip address DMZ/Guest 172.16.x.x 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.x.x 255.255.255.255 inside
pdm location <sitename> 255.255.255.0 outside
pdm location 192.168.x.x 255.255.255.255 inside
pdm location 192.168.x.x 255.255.255.255 inside
pdm location <sitename> 255.255.255.0 outside
pdm location <sitename> 255.255.255.0 outside
pdm location <sitename> 255.255.255.0 outside
pdm location <sitename> 255.255.255.0 outside
pdm location <sitename> 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0
nat (DMZ/Guest) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.x.x 255.255.255.255 inside
http 192.168.x.x 255.255.255.255 inside
http 192.168.x.x 255.255.255.255
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer x.x.x.x
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 25 ipsec-isakmp
crypto map outside_map 25 match address outside_cryptomap_25
crypto map outside_map 25 set peer x.x.x.x
crypto map outside_map 25 set transform-set ESP-DES-MD5
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer x.x.x.x
crypto map outside_map 30 set transform-set ESP-DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer x.x.x.x
crypto map outside_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer x.x.x.x
crypto map outside_map 60 set transform-set ESP-DES-MD5
crypto map outside_map 80 ipsec-isakmp
crypto map outside_map 80 match address outside_cryptomap_80
crypto map outside_map 80 set peer x.x.x.x
crypto map outside_map 80 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-co
nfig-mode
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-co
nfig-mode
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-co
nfig-mode
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-c
onfig-mode
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-
config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 28800
telnet 192.168.x.x 255.255.255.255 inside
telnet 192.168.x.x 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:
: end
HouPix#
Thanks,
Matt Wray
GFH
Password:
Type help or '?' for a list of available commands.
HouPix> en
Password: ***********
HouPix# sho run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ/Guest security4
enable password encrypted
passwd
encrypted
hostname HouPix
recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.10.x.x Site1
name 192.168.x.x Site2
name 192.168.x.x Site3
name 192.168.x.x Site4
name 192.168.x.x Site5
name 192.168.x.x Site6
access-list inside_outbound_nat0_acl permit ip 192.168.x.x 255.255.255.0 <sitename> 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.x.x 255.255.255.0 <sitename> 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.x.x 255.255.255.0 <sitename> 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.x.x 255.255.255.0 <sitename> 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.x.x 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.x.x 255.255.255.0 <sitename> 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.x.x 255.255.255.0 <sitename>
255.255.255.0
access-list outside_cryptomap_40 permit ip 192.168.x.x 255.255.255.0 <sitename> 255.255.255.0
access-list outside_cryptomap_60 permit ip 192.168.x.x 255.255.255.0 <sitename> 255.255.255.0
access-list outside_cryptomap_80 permit ip 192.168.x.x 255.255.255.0 <sitename> 255.255.255.0
access-list outside_cryptomap_30 permit ip 192.168.x.x 255.255.255.0 <sitename> 255.255.255.0
access-list outside_cryptomap_25 permit ip 192.168.x.x 255.255.255.0 <sitename> 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ/Guest 1500
ip address outside x.x.x.x <subnet_mask>
ip address inside 192.168.x.x 255.255.255.0
ip address DMZ/Guest 172.16.x.x 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.x.x 255.255.255.255 inside
pdm location <sitename> 255.255.255.0 outside
pdm location 192.168.x.x 255.255.255.255 inside
pdm location 192.168.x.x 255.255.255.255 inside
pdm location <sitename> 255.255.255.0 outside
pdm location <sitename> 255.255.255.0 outside
pdm location <sitename> 255.255.255.0 outside
pdm location <sitename> 255.255.255.0 outside
pdm location <sitename> 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0
nat (DMZ/Guest) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.x.x 255.255.255.255 inside
http 192.168.x.x 255.255.255.255 inside
http 192.168.x.x 255.255.255.255
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer x.x.x.x
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 25 ipsec-isakmp
crypto map outside_map 25 match address outside_cryptomap_25
crypto map outside_map 25 set peer x.x.x.x
crypto map outside_map 25 set transform-set ESP-DES-MD5
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer x.x.x.x
crypto map outside_map 30 set transform-set ESP-DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer x.x.x.x
crypto map outside_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer x.x.x.x
crypto map outside_map 60 set transform-set ESP-DES-MD5
crypto map outside_map 80 ipsec-isakmp
crypto map outside_map 80 match address outside_cryptomap_80
crypto map outside_map 80 set peer x.x.x.x
crypto map outside_map 80 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-co
nfig-mode
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-co
nfig-mode
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-co
nfig-mode
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-c
onfig-mode
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-
config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 28800
telnet 192.168.x.x 255.255.255.255 inside
telnet 192.168.x.x 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:
: end
HouPix#
Thanks,
Matt Wray
GFH
- Thread starter
- #8
Super thanks, I got them connected, but no pass through. I can't see otherside. I will try your pix config.
Oh I see you used group 1, I used group 2, but used group 1 and didn't get any further than I am now. I will work on it tonight and see.
Kudos!!!!
Oh I see you used group 1, I used group 2, but used group 1 and didn't get any further than I am now. I will work on it tonight and see.
Kudos!!!!
- Thread starter
- #10
Well I used your config, but could get tunnel to connect. Here is my config after editing and using yours.
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password FSDOl0hMplMtFXfw encrypted
passwd FSDOl0hMplMtFXfw encrypted
hostname husaPIX2
domain-name homanitusa.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 10.10.x.x Site1
name 192.168.x.x Site2
access-list inside_outbound_nat0_acl permit ip Site1 255.255.255.0 Site2 255.255.255.0
access-list inside_outbound_nat0_acl permit icmp any any
access-list outside_cryptomap_20 permit ip Site1 255.255.255.0 Site2 255.255.255.0
access-list outside_cryptomap_20 permit ip Site2 255.255.255.0 Site1 255.255.255.0
pager lines 24
logging timestamp
logging monitor critical
logging trap warnings
logging facility 23
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x subnet_mask
ip address inside 10.10.x.x 255.255.252.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.x.x 255.255.255.255 inside
pdm location Site1 255.255.255.255 inside
pdm location 10.10.x.x 255.255.255.255 inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.x.x 255.255.255.255 inside
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer x.x.x.x
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
telnet 10.10.x.x 255.255.252.0 inside
telnet timeout 15
ssh 10.10.x.x 255.255.255.255 inside
ssh timeout 15
console timeout 0
terminal width 80
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password FSDOl0hMplMtFXfw encrypted
passwd FSDOl0hMplMtFXfw encrypted
hostname husaPIX2
domain-name homanitusa.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 10.10.x.x Site1
name 192.168.x.x Site2
access-list inside_outbound_nat0_acl permit ip Site1 255.255.255.0 Site2 255.255.255.0
access-list inside_outbound_nat0_acl permit icmp any any
access-list outside_cryptomap_20 permit ip Site1 255.255.255.0 Site2 255.255.255.0
access-list outside_cryptomap_20 permit ip Site2 255.255.255.0 Site1 255.255.255.0
pager lines 24
logging timestamp
logging monitor critical
logging trap warnings
logging facility 23
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x subnet_mask
ip address inside 10.10.x.x 255.255.252.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.x.x 255.255.255.255 inside
pdm location Site1 255.255.255.255 inside
pdm location 10.10.x.x 255.255.255.255 inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.x.x 255.255.255.255 inside
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer x.x.x.x
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
telnet 10.10.x.x 255.255.252.0 inside
telnet timeout 15
ssh 10.10.x.x 255.255.255.255 inside
ssh timeout 15
console timeout 0
terminal width 80
Do you have the PDM installed? This is what I used to configure mine. It has some logs to check, and it's a little more user friendly in trying to figure out where the problem is...
Thanks,
Matt Wray
GFH
Thanks,
Matt Wray
GFH
- Thread starter
- #12
Yep I do have PDM. I'll try and use that.
Also Cisco is now giving out 3DES license's for FREE for PIX's.
You will have to log on with your CCO login. Just look for the link, it will take you to another page. Look under PIX Firewall and to the right. Fill out the form and enter your PIX s/n. You will have to do it for each PIX you have, if you want to enable 3DES. Finally FREE. It use to cost an extra $1000 give or take a few bucks.
Also Cisco is now giving out 3DES license's for FREE for PIX's.
You will have to log on with your CCO login. Just look for the link, it will take you to another page. Look under PIX Firewall and to the right. Fill out the form and enter your PIX s/n. You will have to do it for each PIX you have, if you want to enable 3DES. Finally FREE. It use to cost an extra $1000 give or take a few bucks.
Cool, I'm going to check that out now!
For your tunnels, in PDM, verify your settings on the VPN tab, under IPSec check IPSec rules and Tunnel policy. Under IKE, check the preshared keys and also verify you have the hosts/networks defined...
Thanks,
Matt Wray
GFH
For your tunnels, in PDM, verify your settings on the VPN tab, under IPSec check IPSec rules and Tunnel policy. Under IKE, check the preshared keys and also verify you have the hosts/networks defined...
Thanks,
Matt Wray
GFH
Thanks mdbuddy! I just upgraded my PIX and all my tunnels to use the 3DES, all is working well...
![[thumbsup2]](/data/assets/smilies/thumbsup2.gif "[thumbsup2] [thumbsup2]")
Thanks,
Matt Wray
GFH
Thanks,
Matt Wray
GFH
- Thread starter
- #15
Matt I couldn't get you config to work.
I used this cisco note
I think your config is similar to this cisco note.
This is my config, you may want to try it.
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname RR-PIX2
domain-name 123.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
access-list inside_outbound_nat0_acl permit ip 10.10.x.x 255.255.255.0 192.168.x.x 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.10.x.x 255.255.255.0 192.168.x.x 255.255.255.0
access-list split permit ip 10.10.x.0 255.255.255.0 192.168.x.0 255.255.255.0
pager lines 24
logging timestamp
logging monitor critical
logging trap warnings
logging facility 23
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x <subnet mask>
ip address inside 10.10.x.x <subnet mask>
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool clientpool 192.168.x.x-192.168.x.x
pdm location 10.10.x.x 255.255.255.255 inside
pdm location 10.10.x.x 255.255.255.255 inside
pdm location 192.168.x.x 255.255.255.0 outside
pdm location 10.10.x.x 255.255.255.0 inside
pdm location 192.168.x.x 255.255.255.0 outside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http x.x.x.x 255.255.255.255 inside
snmp-server location Unilin-ComputerRoom-PIXInside
snmp-server contact Matt Daughtry (910) 439-6959 x259
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-l2tp
crypto ipsec transform-set DR esp-3des esp-md5-hmac
crypto dynamic-map dynmap 100 set transform-set DR
crypto map outside_map 1 ipsec-isakmp
crypto map outside_map 1 match address inside_outbound_nat0_acl
crypto map outside_map 1 set peer 69.134.77.162
crypto map outside_map 1 set transform-set DR
crypto map outside_map 100 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 3600
vpngroup IT address-pool clientpool
vpngroup IT dns-server 10.10.1.3
vpngroup IT default-domain homanitusa.com
vpngroup IT split-tunnel split
vpngroup IT idle-time 43200
vpngroup IT password ********
telnet 10.10.x.x 255.255.252.0 inside
telnet timeout 15
ssh 10.10.x.x 255.255.255.255 inside
ssh timeout 30
console timeout 0
terminal width 80
banner exec Welcome to Cisco PIX !!
banner login Please Login for Configuration of PIX.
I used this cisco note
I think your config is similar to this cisco note.
This is my config, you may want to try it.
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname RR-PIX2
domain-name 123.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
access-list inside_outbound_nat0_acl permit ip 10.10.x.x 255.255.255.0 192.168.x.x 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.10.x.x 255.255.255.0 192.168.x.x 255.255.255.0
access-list split permit ip 10.10.x.0 255.255.255.0 192.168.x.0 255.255.255.0
pager lines 24
logging timestamp
logging monitor critical
logging trap warnings
logging facility 23
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x <subnet mask>
ip address inside 10.10.x.x <subnet mask>
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool clientpool 192.168.x.x-192.168.x.x
pdm location 10.10.x.x 255.255.255.255 inside
pdm location 10.10.x.x 255.255.255.255 inside
pdm location 192.168.x.x 255.255.255.0 outside
pdm location 10.10.x.x 255.255.255.0 inside
pdm location 192.168.x.x 255.255.255.0 outside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http x.x.x.x 255.255.255.255 inside
snmp-server location Unilin-ComputerRoom-PIXInside
snmp-server contact Matt Daughtry (910) 439-6959 x259
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-l2tp
crypto ipsec transform-set DR esp-3des esp-md5-hmac
crypto dynamic-map dynmap 100 set transform-set DR
crypto map outside_map 1 ipsec-isakmp
crypto map outside_map 1 match address inside_outbound_nat0_acl
crypto map outside_map 1 set peer 69.134.77.162
crypto map outside_map 1 set transform-set DR
crypto map outside_map 100 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 3600
vpngroup IT address-pool clientpool
vpngroup IT dns-server 10.10.1.3
vpngroup IT default-domain homanitusa.com
vpngroup IT split-tunnel split
vpngroup IT idle-time 43200
vpngroup IT password ********
telnet 10.10.x.x 255.255.252.0 inside
telnet timeout 15
ssh 10.10.x.x 255.255.255.255 inside
ssh timeout 30
console timeout 0
terminal width 80
banner exec Welcome to Cisco PIX !!
banner login Please Login for Configuration of PIX.
I really don't see that much difference other than the number of sites, you have DHCP on, and you have VPN groups defined.
Mine works, so I'm from the school of "If it ain't broke, dont fix it!"![[smile]](/data/assets/smilies/smile.gif "[smile] [smile]")
Glad you got yours up! And thanks again for the Cisco link...
Thanks,
Matt Wray
GFH
Mine works, so I'm from the school of "If it ain't broke, dont fix it!"
Glad you got yours up! And thanks again for the Cisco link...
Thanks,
Matt Wray
GFH
- Thread starter
- #17
- Thread starter
- #18
We have two centralized DNS servers here at HQ. All remote branches look to them for name resolution...
Thanks,
Matt Wray
GFH
Thanks,
Matt Wray
GFH
- Thread starter
- #20
- Status
Similar threads
- Locked
- Solved
- Locked
- Question