Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

pix 501 site-to-site vpn basic question

Status
Not open for further replies.
Apr 15, 2003
5
US
I am trying to set up a pix 501 at my house to connect to an existing Linksys befvp41 at my office through a cable connection. Up until now, I have used SSH Sentinel.
I have gone through the vpn wizard in PDM. Everything was fine until it asked a question I did not understand:
After Telling it the internal address of the remote network (10.1.1.0) it required me to set a static route to reach that network. How can I set a static route for a non-routable network? Do I set a static route to that networks gateway (the befvp41)? All of the configuration examples on Cisco's site appear to be configured for dedicated lines between sites.
I didn't expect to need directions for a vpn wizard. Can anyone point me in the right direction?
I can post the running config if you need.

 
HI.

> .... it required me to set a static route ....
Are you sure that it was required?
When adding a new external host/network object in PDM, you have an option to define static routes, but this is an option only and not required nor used in most cases.
So if you have the option not to define static routes, it should be fine.

Please try to describe the question again if I'm wrong.

Bye


Yizhar Hurwitz
 
OK, maybe "required" was the wrong term since I was able to cancel out of it. I guess I was surprised to have it ask me and wondered if I was doing something wrong by not setting one up.
In that case, the problem is that I have configured for a site-to-site vpn to the remote linksys and am getting no traffic.

zpix# sh crypto ipsec sa

interface: outside
Crypto map tag: outside_map, local addr. 24.25.129.99
local ident (addr/mask/prot/port): (172.20.220.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (ceg-vpn/255.255.255.0/0/0)
current_peer: 204.97.175.163
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 24.25.129.99, remote crypto endpt.: 204.97.175.163
path mtu 1500, ipsec overhead 0, media mtu 1500

current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:


Here is the config

Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password <************> encrypted
passwd <************> encrypted
hostname zpix
domain-name channel-z.local
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 10.1.1.0 ceg-vpn
access-list inside_outbound_nat0_acl permit ip 172.20.220.0 255.255.255.0 ceg-vpn 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.20.220.0 255.255.255.0 ceg-vpn 255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 172.20.220.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 172.20.220.0 255.255.255.0 inside
pdm location ceg-vpn 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 172.20.220.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 204.97.175.163
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 204.97.175.163 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
telnet timeout 5
ssh timeout 5
dhcpd address 172.20.220.25-172.20.220.50 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:<************>
: end
[OK]
 
yizar,

I am trying to run over a cable connection. I have to set my outside interface to dhcp to draw an ip from Time Warner RR. My cable connection is issuing me the address 24.25.129.99

In thinking about my problem a little more... The linksys box on the other end of my vpn tunnel requires a password to get into it before the tunnel can be negotiated. I had forgotten about this because SSH Sentinel has a spot in the client to pass a password to the linksys so the login happens automatically.
Does this seem logical? I would assume I would see no traffic in my sh crypto ipsec sa if the 501 can't even login to the linksys.
Is there any way to pass this type of login from the 501?
 
HI.

Myself I don't have any experience with Linksys to pix VPN, but you can search for more info in Linksys website/forums etc, as well as Cisco pix related.

Anyway - as an alternate solution (either temporary or permanent) if you don't manage to sort it out, maybe you'll find it more easy to setup using PCAW or RADMIN or similar tool from your home PC to a host at the office, without VPN.
Such a connection can be protected by access-list at the gateways, and with authentication and encryption at the applications, which can provide a solution with reasonable security, performance and simplicity.

Bye


Yizhar Hurwitz
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top