Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations John Tel on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

another newbie needs vpn setup help in PDM

Status
Not open for further replies.
kurtdb

kurtdb

Technical User
May 13, 2004
3
US
Hello, I've inherited a vpn 515e and a request to install a vpn to a remote site. The remote sight has handed me their lan ip-subnet but that's it. I'm doing this via the PDM. Is someone available to assist? This is live and I fear bringing something down. I've been reading my butt off, but still find it a lil difficult to bring together.
remote site 10.30.0.0/24


PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password NuLKvvWGg.x9HEKO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname EDGE1
domain-name CORP
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.224.0.50 Exchange
object-group service Group_1 tcp
description Inbound to Exchange Server
port-object eq www
port-object eq https
port-object eq smtp
access-list outside_access_in remark Inbound email and owa services
access-list outside_access_in permit tcp any host 209.195.3.199 object-group Group_1
access-list sambavpn permit ip 10.224.0.0 255.255.0.0 10.30.0.0 255.255.255.0
access-list sambavpn permit ip 10.30.0.0 255.255.255.0 10.224.0.0 255.255.0.0
pager lines 24
logging on
logging console errors
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 209.195.3.194 255.255.255.192
ip address inside 10.224.0.1 255.255.0.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm location 209.195.3.199 255.255.255.255 outside
pdm location Exchange 255.255.255.255 inside
pdm location 10.30.0.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 209.195.3.199 Exchange netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 209.195.3.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.224.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set sambavpnset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400 kilobytes 50000
crypto map sambavpnmap 10 ipsec-isakmp
crypto map sambavpnmap 10 match address sambavpn
crypto map sambavpnmap 10 set peer 209.195.0.20
crypto map sambavpnmap 10 set transform-set sambavpnset
isakmp enable outside
isakmp key ******** address 209.195.0.20 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh 10.224.0.1 255.255.255.255 inside
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:736fbda72b723a1a4da0e667e4fe7e54
: end
 
Sort by date Sort by votes
You will need more info to set that up.
Remote LAN network
Remote Public IP
Encryption Settings (3DES, AES, MD5, SHA)
Shared Password

Here is the Cisco guide using the PDM -


This is extra info for examples of ACLs and such. It uses the CLI and 7.x code but the ideas are similar and good for comparison -


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
Supergrrover, Thanks so much for the response, what I was given by the other side of my vpn is:

The network details for my side are as follows:


Tunnel WAN IP: 209.195.0.20 (which is my pool addy:)
LAN Subnet: 10.30.0.0/24
LAN IP of other side VPN concentrator (for ping testing): 10.30.0.2


The details of the tunnel are as follows:


Phase 1
Negotiation mode: Aggressive
Encryption algorithm: 3DES
Hash algorithm: MD5
DH key group: 2
Lifetime: 86400
Pre-shared key: passhrase


Phase 2
Protocol: ESP
Encryption algorithms: 3DES
Hash algorithms: MD5
PFS key group: 2
Lifetime: 86400

Even though this was supposedly installed we're getting nothing..they want to say it's due to our ACL..any thoughts guys????

 
Upvote 0 Downvote
sorry, I've been really busy. I will take a longer look at this tomorrow and get you going on the config.
I will agree that the console is better than the PDM, but it takes quite a lot more to understand what's going on. ;-)

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
OK, let's try this

access-list no-nat permit ip 10.30.0.0 255.255.255.0 10.224.0.0 255.255.0.0
access-list sambavpn permit ip 10.30.0.0 255.255.255.0 10.224.0.0 255.255.0.0 ***remove the other line
nat (inside) 0 access-list no-nat
crypto map sambavpnmap 10 set pfs group2

Give that a whirl.




Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
Supergrrover,
I'm sorry, remove which line to remove? Please find the new modifications from the other day, but with no success, can you tell me if your changes would still apply? If so, what needs to come out and what needs to be added? Thanks.


PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password NuLKvvWGg.x9HEKO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname EDGE1
domain-name CORP
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.224.0.50 Exchange
name 209.195.0.20 sambavpnnet
object-group service Group_1 tcp
description Inbound to Exchange Server
port-object eq www
port-object eq https
port-object eq smtp
access-list outside_access_in remark Inbound email and owa services
access-list outside_access_in permit tcp any host 209.195.3.199 object-group Group_1
access-list sambavpn permit ip 10.224.0.0 255.255.0.0 10.30.0.0 255.255.255.0
access-list sambavpn permit ip 10.30.0.0 255.255.255.0 10.224.0.0 255.255.0.0
access-list inside_nat0_outbound permit ip host Exchange 10.30.0.0 255.255.255.0
access-list outside_cryptomap_10 permit ip host Exchange 10.30.0.0 255.255.255.0
pager lines 24
logging on
logging console errors
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 209.195.3.194 255.255.255.192
ip address inside 10.224.0.1 255.255.0.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm location 209.195.3.199 255.255.255.255 outside
pdm location Exchange 255.255.255.255 inside
pdm location 10.30.0.0 255.255.255.0 outside
pdm location sambavpnnet 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 209.195.3.199 Exchange netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 209.195.3.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.224.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set sambavpnset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400 kilobytes 50000
crypto map sambavpnmap 10 ipsec-isakmp
crypto map sambavpnmap 10 match address sambavpn
crypto map sambavpnmap 10 set peer sambavpnnet
crypto map sambavpnmap 10 set transform-set sambavpnset
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set pfs group2
crypto map outside_map 10 set peer sambavpnnet
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address sambavpnnet netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh 10.224.0.1 255.255.255.255 inside
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:736fbda72b723a1a4da0e667e4fe7e54
 
Upvote 0 Downvote
go back to the old config and add the lines from my previous post and apply the sambavpnmap to the outside interface. To remove a line from an ACL just re-enter the line with "no" in front of it.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
965
Sameer258
Sameer258
intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
766
intel233
intel233
ISDPCMAN
  • Locked
  • Question
RDP fails over VPN
Replies
1
Views
303
gkittelson
gkittelson
Shmid
  • Locked
  • Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
910
Shmid
Shmid
WhosYourDiffie
  • Locked
  • Question
Cisco ASA 5506 VPN for Avaya Phones
Replies
0
Views
239
WhosYourDiffie
WhosYourDiffie

Part and Inventory Search

Sponsor

Back
Top