Hi There,
I am using the config examples to do an IPSEC Router to PIX from ...
But I seem to be getting nowhere as I've got incompletes in one of my configs and I have got no communication between.
I used a similar IPSEC to do a PIX 2 PIX with success, just wondering if anyone could point me in the right direction on this one.
Any help greatly appreciated.
Here are my configs.
Thanks
AJ
====
===
Cisco PIX
===
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password CHaYWDNMTsCsdyhU encrypted
passwd uanr0EdOwqOUPrY4 encrypted
hostname mdc-pix
domain-name mdctest.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name...
name...
name...
object group network...
object group network...
object group network...
object group service...
object group service...
object group service...
inbound and outbound ACL
permit all out
deny all in
access-list ipsec permit ip MDC000NET 255.255.255.0 10.0.0.0 255.255.255.0
access-list ipsec permit ip MDC220TECHIES 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat permit ip MDC000NET 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat permit ip MDC220TECHIES 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging trap debugging
logging host inside SRVTECHGENSERV1
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.240
ip address inside 192.168.0.254 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm locations...
pdm locations...
pdm locations...
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 RTR2600MAIN 255.255.255.255 0 0
access-group COMMINGIN in interface outside
access-group GOINGOUT in interface inside
rip inside passive version 2
rip inside default version 2
route outside 0.0.0.0 0.0.0.0 RTRMDC837 1
timeout xlate 0:10:00
timeout conn 0:10:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp authenticate
ntp server RTR2600MAIN source inside prefer
http server enable
http MDC220TECHIES 255.255.255.0 inside
http MDC010SERVERSRM 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set avalanche esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map outside_map 20 ipsec-isakmp
! Incomplete
crypto map bmw 1 ipsec-isakmp
crypto map bmw 1 set security-association lifetime seconds 28800 kilobytes 4608000
! Incomplete
crypto map transam 1 ipsec-isakmp
! Incomplete
crypto map forsberg 21 ipsec-isakmp
crypto map forsberg 21 match address ipsec
crypto map forsberg 21 set peer xxx.xxx.xxx.xxx
crypto map forsberg 21 set transform-set avalanche
crypto map forsberg interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 86400
telnet MDC010SERVERSRM 255.255.255.0 inside
telnet MDC220TECHIES 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 5
terminal width 80
===
Cisco 2600
===
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname router
!
logging buffered 4096 debugging
no logging console
!
memory-size iomem 15
clock timezone CET 1
clock summer-time CET recurring
ip subnet-zero
no ip source-route
ip cef
!
!
no ip bootp server
ip inspect name ethernetin cuseeme timeout 3600
ip inspect name ethernetin ftp timeout 3600
ip inspect name ethernetin h323 timeout 3600
ip inspect name ethernetin http timeout 3600
ip inspect name ethernetin rcmd timeout 3600
ip inspect name ethernetin realaudio timeout 3600
ip inspect name ethernetin smtp timeout 3600
ip inspect name ethernetin sqlnet timeout 3600
ip inspect name ethernetin streamworks timeout 3600
ip inspect name ethernetin tcp timeout 3600
ip inspect name ethernetin tftp timeout 30
ip inspect name ethernetin udp timeout 15
ip inspect name ethernetin vdolive timeout 3600
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 11
hash md5
authentication pre-share
crypto isakmp key ******* address xxx.xxx.xxx.xxx
!
!
crypto ipsec transform-set sharks esp-des esp-md5-hmac
!
crypto map nolan 11 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
set transform-set sharks
match address 120
!
!
!
!
!
!
!
!
!
!
!
!
mta receive maximum-recipients 0
!
!
!
!
interface ATM0/0
no ip address
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0/0
ip address 10.0.0.250 255.255.255.0
ip access-group insiders in
no ip proxy-arp
ip nat inside
ip inspect ethernetin in
speed auto
half-duplex
!
interface ATM0/1
no ip address
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Dialer0
ip address negotiated
ip access-group outsiders in
ip accounting output-packets
ip nat outside
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ADSL Dial Info Here....
ppp multilink
crypto map nolan
!
ip nat pool branch xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.248
ip nat inside source list 51 interface Dialer0 overload
ip nat inside source route-map nonat pool branch overload
ip nat inside source static 10.0.0.3 xxx.xxx.xxx.xxx
ip nat inside source static 10.0.0.2 xxx.xxx.xxx.xxx
ip nat inside source static 10.0.0.6 xxx.xxx.xxx.xxx
ip nat inside source static 10.0.0.5 xxx.xxx.xxx.xxx
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
!
ip access-list standard telnet
!
ip access-list extended goingout
ip access-list extended insiders
permit tcp 10.0.0.0 0.0.0.255 any
permit udp 10.0.0.0 0.0.0.255 any
permit icmp 10.0.0.0 0.0.0.255 any
deny tcp any host 207.46.104.20
deny icmp any any redirect
deny ip any any log
ip access-list extended ipsec
permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
ip access-list extended nonat
permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
ip access-list extended outsiders
permit udp host 10.255.255.255 eq netbios-dgm host xxx.xxx.xxx.xxx eq 39
permit tcp any host xxx.xxx.xxx.xxx eq 3389
permit tcp any host xxx.xxx.xxx.xxx 3389
permit tcp any host xxx.xxx.xxx.xxx ftp-data
permit tcp any host xxx.xxx.xxx.xxx ftp
permit tcp any host xxx.xxx.xxx.xxx 443
permit tcp any host xxx.xxx.xxx.xxx www
permit tcp any host xxx.xxx.xxx.xxx www
permit tcp any host xxx.xxx.xxx.xxx pop3
permit tcp any host xxx.xxx.xxx.xxx smtp
permit tcp any host xxx.xxx.xxx.xxx eq telnet
deny icmp any any redirect
permit tcp any host xxx.xxx.xxx.xxx eq ftp
permit tcp any host xxx.xxx.xxx.xxx eq ftp-data
permit tcp any host xxx.xxx.xxx.xxx eq 3389
deny ip any any log
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 51 permit 10.0.0.0 0.0.0.255
access-list 120 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 130 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 130 permit ip 10.0.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
match ip address 130
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
exec-timeout 5 0
login
line aux 0
exec-timeout 1 0
line vty 0 4
access-class telnet in
exec-timeout 5 0
login
!
!
end
===
Fatman Superstar (Andrew James)
CCNA, CCAI
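As an added example (my own script, not the poster's or Cisco's), here is a Python check of the two things that most often keep a PIX-to-IOS tunnel from coming up: the crypto ACLs on the two peers must be exact mirrors of each other, and the ISAKMP policies must agree once the IOS defaults are filled in for the attributes policy 11 leaves unset. The PIX name statements are elided in the post, so the addresses bound to MDC000NET and MDC220TECHIES below are assumptions.

```python
import ipaddress

# Constructed sample lines modelled on the post; the PIX name statements are
# elided there, so these two name-to-address bindings are assumptions.
PIX_NAMES = {"MDC000NET": "192.168.0.0", "MDC220TECHIES": "192.168.220.0"}
PIX_CRYPTO_ACL = [
    "access-list ipsec permit ip MDC000NET 255.255.255.0 10.0.0.0 255.255.255.0",
    "access-list ipsec permit ip MDC220TECHIES 255.255.255.0 10.0.0.0 255.255.255.0",
]
IOS_CRYPTO_ACL = ["access-list 120 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255"]
PIX_ISAKMP = ["isakmp policy 21 authentication pre-share", "isakmp policy 21 encryption des",
              "isakmp policy 21 hash md5", "isakmp policy 21 group 1",
              "isakmp policy 21 lifetime 86400"]
IOS_ISAKMP = ["hash md5", "authentication pre-share"]  # body of 'crypto isakmp policy 11'
# IOS fills in anything a policy does not state with these defaults.
IOS_ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                       "group": "1", "lifetime": "86400"}

def _net(addr, mask, wildcard):
    """Build a network; IOS numbered ACLs use inverse (wildcard) masks."""
    if wildcard:
        mask = ".".join(str(255 - int(o)) for o in mask.split("."))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_pix(line, names=PIX_NAMES):
    src, smask, dst, dmask = line.split()[4:8]  # access-list NAME permit ip S M D M
    return _net(names.get(src, src), smask, False), _net(names.get(dst, dst), dmask, False)

def parse_ios(line):
    src, swc, dst, dwc = line.split()[4:8]  # access-list NUM permit ip S WC D WC
    return _net(src, swc, True), _net(dst, dwc, True)

def mirror_report(pix_lines, ios_lines):
    """Return (PIX entries the router lacks, router entries the PIX lacks).
    Each peer's (src, dst) must appear on the other side as (dst, src)."""
    pix = {parse_pix(l) for l in pix_lines}
    ios = {parse_ios(l) for l in ios_lines}
    return ({(s, d) for s, d in pix if (d, s) not in ios},
            {(s, d) for s, d in ios if (d, s) not in pix})

def ios_policy(lines):
    """Effective IOS policy: stated attributes on top of the defaults."""
    pol = dict(IOS_ISAKMP_DEFAULTS)
    pol.update(dict(l.split(None, 1) for l in lines))
    return pol

def pix_policy(lines):
    return dict(l.split()[3:5] for l in lines)  # isakmp policy N KEY VALUE
```

With the sample above, the second PIX entry (MDC220TECHIES to 10.0.0.0/24) has no mirror in access-list 120, while the phase 1 policies already agree.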