Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

VPN between PIX 501 & 1841

Status
Not open for further replies.
honest1

honest1

Technical User
Jan 31, 2005
21
0
0
US
I'm moving a site to site VPN between 2 1841s, to between an 1841 and a PIX501. If there are any commands that need to be on the PIX so that it will bring up the tunnel, I would appreciate the help. Thannks.
 
Sort by date Sort by votes
What type of tunnel are you bringing up between the two? Is it pre-share keys or rsa certificates?

If its pre share key here are some examples...

(Change these access-lists to fit your networks)
access-list nonat permit ip 172.17.6.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 100 permit ip 172.17.6.0 255.255.255.0 192.168.10.0 255.255.255.0

nat (vpn) 0 access-list nonat (Tells the PIX not to perform NAT on this access-list)

crypto ipsec transform-set vpn0 esp-aes-256 esp-md5-hmac

crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address 100
crypto map vpn 10 set peer xxx.xxx.xxx.xxx
crypto map vpn 10 set transform-set vpn0

isakmp enable internet
isakmp key xxxxxxx address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

That should give you an idea.. Let me know if you need any additional help.

Frank


 
Upvote 0 Downvote
Excellent reply. Thanks much. The VPN is pre-shared key. We got the VPN up, but now the remote site (pix) users can't get their e-mail from the exchange server at the main site (1841). The users at the remote site can get to other server resources at the main site. The MIS guy turned off telnet & HTTP in the main site router this morning, so now I can't pull the config to show you what is on the router or the PIX. Thanks again.
 
Upvote 0 Downvote
Glad the VPN works. Now lets troubleshoot why you can't get to your email server when you can get to other resources. What type of clients are you using to access email? Is it OWA, Outlook or Outlook Express? Then take a look at the the access-lists on both the pix and the router. Last check the exchange server. You are now coming from another network address, does you email server know about the other network?

Frank
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
145
intel233
intel233
ISDPCMAN
  • Locked
  • Question
RDP fails over VPN
Replies
1
Views
67
gkittelson
gkittelson
Shmid
  • Locked
  • Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
167
Shmid
Shmid
WhosYourDiffie
  • Locked
  • Question
Cisco ASA 5506 VPN for Avaya Phones
Replies
0
Views
51
WhosYourDiffie
WhosYourDiffie
xwray
  • Locked
  • Question
PIX 501 DHCP Server function
Replies
0
Views
35
xwray
xwray

Part and Inventory Search

Sponsor

Back
Top