VPN two PIX 501 -> Cisco 2600 - please help

PiotrIr Member Posts: 236
I got help from "wastedtime" when I set up a VPN between a PIX 501 and a Cisco 2600, so I finally configured a ptp connection between the devices.
I expected that once I had set up one VPN, the next would be quite easy, but I was wrong.....
As I'm not very good with the Cisco 2600 router, please help me find where I made a mistake.


version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname alpha
!
boot-start-marker
boot-end-marker
!
enable password password
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 10.10.11.1
!
ip dhcp pool pool1
 network 10.10.11.0 255.255.255.0
 dns-server 208.67.222.222
 default-router 10.10.11.1
!
! Phase 1 (ISAKMP) policies: 10 uses the default DES encryption, 20 uses 3DES
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
! one pre-shared key per remote PIX peer
crypto isakmp key KEY address xx.xx.xx.xx no-xauth
crypto isakmp key KEY address yy.yy.yy.yy no-xauth
crypto isakmp keepalive 12
!
! Phase 2 transform sets, referenced by the crypto map entries below
crypto ipsec transform-set DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
!
!
! one crypto map entry per peer; the match ACL defines that tunnel's traffic
crypto map VPNLINKS local-address FastEthernet0/0
crypto map VPNLINKS 10 ipsec-isakmp
 set peer xx.xx.xx.xx
 set transform-set DES-MD5
 match address 101
crypto map VPNLINKS 20 ipsec-isakmp
 set peer yy.yy.yy.yy
 set transform-set 3DES-MD5
 match address 102
!
!
interface FastEthernet0/0
 description WAN IP Address
 ip address dhcp
 ip nat outside
 speed auto
 half-duplex
 crypto map VPNLINKS
!
interface FastEthernet0/1
 description LAN GATEWAY
 ip address 10.10.11.1 255.255.255.0
 ip nat inside
 speed auto
 half-duplex
!
ip nat inside source route-map nonat interface FastEthernet0/0 overload
ip http server
no ip http secure-server
ip classless
!
!
! 101/102: tunnel traffic per peer; 150: NAT exemption, denies tunnel traffic so it is not translated before encryption
access-list 101 permit ip 10.10.11.0 0.0.0.255 192.168.231.0 0.0.0.255
access-list 102 permit ip 10.10.11.0 0.0.0.255 172.23.110.0 0.0.0.255
access-list 150 deny ip 10.10.11.0 0.0.0.255 192.168.231.0 0.0.0.255
access-list 150 deny ip 10.10.11.0 0.0.0.255 172.23.110.0 0.0.0.255
access-list 150 permit ip 10.10.11.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 150
!
line con 0
line aux 0
line vty 0 4
 password password
 login
!
end
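An added sanity check for a config like the one above (example code, not part of the original post or of any Cisco tool): it parses the crypto map entries, the ISAKMP keys and the NAT route-map from a constructed excerpt of the posted config, and reports any tunnel whose peer has no pre-shared key or whose traffic the nonat ACL fails to deny, since such traffic would be translated before it ever reaches the crypto map.

```python
import re
# Constructed excerpt of the posted Cisco 2600 config (only the lines the check reads).
CONFIG = """\
crypto isakmp key KEY address xx.xx.xx.xx no-xauth
crypto isakmp key KEY address yy.yy.yy.yy no-xauth
crypto map VPNLINKS 10 ipsec-isakmp
 set peer xx.xx.xx.xx
 set transform-set DES-MD5
 match address 101
crypto map VPNLINKS 20 ipsec-isakmp
 set peer yy.yy.yy.yy
 match address 102
ip nat inside source route-map nonat interface FastEthernet0/0 overload
access-list 101 permit ip 10.10.11.0 0.0.0.255 192.168.231.0 0.0.0.255
access-list 102 permit ip 10.10.11.0 0.0.0.255 172.23.110.0 0.0.0.255
access-list 150 deny ip 10.10.11.0 0.0.0.255 192.168.231.0 0.0.0.255
access-list 150 deny ip 10.10.11.0 0.0.0.255 172.23.110.0 0.0.0.255
access-list 150 permit ip 10.10.11.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 150
"""
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) ip (\S+ \S+) (\S+ \S+|any)$")

def parse_acls(cfg):
    """{acl number: [(action, 'src wildcard', 'dst wildcard'), ...]}"""
    acls = {}
    for m in filter(None, map(ACL_RE.match, cfg.splitlines())):
        acls.setdefault(m[1], []).append((m[2], m[3], m[4]))
    return acls

def parse_crypto_maps(cfg):
    """[(seq, peer, match acl), ...]; tolerates other 'set ...' lines between peer and match."""
    return re.findall(r"^crypto map \S+ (\d+) ipsec-isakmp\n\s+set peer (\S+)\n"
                      r"(?:\s+set .*\n)*\s+match address (\d+)", cfg, re.M)

def check_vpn_config(cfg):
    """Report crypto map entries whose peer has no ISAKMP key, and tunnel traffic that
    the NAT route-map's ACL does not deny (it would be translated before encryption)."""
    acls, problems = parse_acls(cfg), []
    keys = set(re.findall(r"^crypto isakmp key \S+ address (\S+)", cfg, re.M))
    rm = re.search(r"^ip nat inside source route-map (\S+)", cfg, re.M)
    ex = rm and re.search(r"^route-map %s permit \d+\n\s*match ip address (\d+)" % re.escape(rm[1]), cfg, re.M)
    denied = {(s, d) for a, s, d in acls.get(ex and ex[1], []) if a == "deny"}
    for seq, peer, acl in parse_crypto_maps(cfg):
        if peer not in keys:
            problems.append("map %s: no isakmp key for peer %s" % (seq, peer))
        for a, s, d in acls.get(acl, []):
            if a == "permit" and (s, d) not in denied:
                problems.append("map %s: %s -> %s not exempted from NAT" % (seq, s, d))
    return problems
```

For the posted config the check returns an empty list; deleting one of the `access-list 150 deny` lines or a `crypto isakmp key` line makes it name the affected crypto map entry.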

Comments

  • wastedtime Member Posts: 586
    I have been looking over this and don't see anything that would cause it not to work. I would look at your PIXs and show/debug commands to see what is going on.
  • PiotrIr Member Posts: 236
    Wastedtime (nice name), many thanks for your help again.

    At least I found that I have to restart my router after setting up the VPNs. Is that normal behaviour? After restarting the Cisco 2600, everything began to work without any problems. Is there any command that can bring up my VPNs without restarting the device after I make changes?

    Another problem is that I'm using PPTP connections to a couple of servers from the network where the router is. I can connect to some of them (using the Microsoft VPN client) but am not able to establish a connection to others. I'm sure the servers are working fine, as I'm able to connect from the Internet outside my Cisco. Is there any command that enables PPTP VPN pass-through on the Cisco 2600, like fixup on the PIX?

    Best Regards
  • wastedtime Member Posts: 586
    :) Back at this URL: Configuring IPSec Router-to-Router with NAT Overload and Cisco Secure VPN Client - Cisco Systems

    Take a look down at "clear crypto isakmp" and "clear crypto sa." That should take care of your problem.

    Not sure on the PPTP issue though.
  • PiotrIr Member Posts: 236
    OK, makes perfect sense, thanks :)

    And what about VPN pass-through? Any advice?
  • wastedtime Member Posts: 586
    I am not sure about the PPTP, but you may want to enable some tracing on the server or open up Wireshark and have a peek with that. From the config you posted I would assume that PPTP would pass through just fine, so it may be the other end. I want to say the PPP and RASAUTH log files will have what you are looking for. I used the "netsh ras diagnostics * enable" command for the tracing. The logs should be located at "%SystemRoot%\Tracing."
    Maybe one of these MCSEs could tell you about it better than me. :)
  • PiotrIr Member Posts: 236
    Thanks for reply.

    It started to work for me after rebooting the router again. It looks like if something is not working, reboot the device :)
  • wastedtime Member Posts: 586
    If you find out what is going on with it, let me know, as I am curious.