
VPN problem with 2 PIX 501, please help......


itrukie

IS-IT--Management
Aug 21, 2002
Hi all, I am a rookie in this community. Recently I encountered some problems with the PIX 501; can someone please help me with the configuration lines provided below?
(We are trying to connect 2 offices together with 2 PIX 501s by using the VPN function provided on the PIX 501. I set up a lab connecting the 2 PIX 501s with a cross-over cable. I entered all the commands from the book, but the VPN Tunnel light is just not blinking...
All the commands are exactly the same as in the book, EXCEPT I don't have 2 routers connected between them.)

Workstation---PIX1---(cross-over cable)---PIX2--Workstation

/Main office conf.:/
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 10baset
interface ethernet1 10full
hostname PIX1
domain-name abcd.com
names
pager lines 24
no logging on
mtu outside 1500
mtu inside 1500
ip address outside 209.165.201.8 255.255.255.224
ip address inside 192.168.12.1 255.255.255.0
arp timeout 14400
access-list 90 permit ip 192.168.12.0 255.255.255.0
nat 0 access-list 90
10.0.0.0 255.0.0.0
nat (inside) 1 0 0
global (outside) 1 209.165.202.129-209.165.202.159
global (outside) 1 209.165.202.160
no rip outside passive
no rip outside default
rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 209.165.201.8 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map toPIX2 20 ipsec-isakmp
crypto map toPIX2 20 match address 90
crypto map toPIX2 20 set peer 209.165.200.229
crypto map toPIX2 20 set transform-set strong
crypto map toPIX2 interface outside
isakmp enable outside
isakmp key **** address 209.165.200.229 netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
sysopt connection permit-ipsec
telnet timeout 5
terminal width 80

/Branch office conf.:/
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname PIX2
domain-name abcd.com
names
pager lines 24
no logging on
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 209.165.200.229 255.255.255.224
ip address inside 10.0.0.1 255.0.0.0
arp timeout 14400
access-list 80 permit ip 10.0.0.0 255.0.0.0 192.168.12.0 255.255.255.0
nat 0 access-list 80
nat (inside) 1 0 0
global (outside) 1 209.165.202.160-209.165.202.189
global (outside) 1 209.165.202.190
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 209.165.200.229 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map PIX1 10 ipsec-isakmp
crypto map PIX1 10 match address 80
crypto map PIX1 10 set peer 209.165.201.8
crypto map PIX1 10 set transform-set strong
crypto map PIX1 interface outside
isakmp enable outside
isakmp key **** address 209.165.201.8 netmask 255.255.255.255
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
sysopt connection permit-ipsec
telnet timeout 5
terminal width 80

I got this script from this link:

Check ACL 90; you should include the 10. range it's going to. Just at a quick glance I noticed it; the ISAKMP match may not work properly. I know you don't need a router between them, I've done it before with a cross-over cable.
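A consistency check for the two ends, as an added example that is not from this thread or from Cisco: it parses the crypto ACL, `match address`, `set peer` and outside-address lines of each config and reports when a crypto ACL entry names no destination network (the ACL 90 problem above), when the other end has no mirror-image entry, or when `set peer` is not the far side's outside address. The config excerpts are constructed from the two configs posted in the thread; the parser, its line patterns and the `check_tunnel` helper are assumptions and only cover the PIX 6.x `access-list ... permit ip` form used here.

```python
"""Cross-check the crypto ACLs and peers of two PIX site-to-site VPN configs."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Ace = Tuple[ipaddress.IPv4Network, Optional[ipaddress.IPv4Network]]

# Constructed excerpts of the two configs in the thread (only the lines this
# check needs). PIX1's ACL 90 is reproduced as posted: source network only.
PIX1_AS_POSTED = """\
ip address outside 209.165.201.8 255.255.255.224
access-list 90 permit ip 192.168.12.0 255.255.255.0
crypto map toPIX2 20 match address 90
crypto map toPIX2 20 set peer 209.165.200.229
"""
# The same excerpt with the remote 10.0.0.0/8 range added to ACL 90.
PIX1_FIXED = """\
ip address outside 209.165.201.8 255.255.255.224
access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0
crypto map toPIX2 20 match address 90
crypto map toPIX2 20 set peer 209.165.200.229
"""
PIX2 = """\
ip address outside 209.165.200.229 255.255.255.224
access-list 80 permit ip 10.0.0.0 255.0.0.0 192.168.12.0 255.255.255.0
crypto map PIX1 10 match address 80
crypto map PIX1 10 set peer 209.165.201.8
"""

# Assumed line patterns; destination network/mask are optional so an
# incomplete ACE (like ACL 90 as posted) still parses and gets flagged.
ACE_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+)(?: (\S+) (\S+))?$")
IP_RE = re.compile(r"^ip address outside (\S+) (\S+)$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
PEER_RE = re.compile(r"^crypto map \S+ \d+ set peer (\S+)$")


class Side:
    """The handful of settings that decide whether the tunnel can come up."""

    def __init__(self) -> None:
        self.outside_ip: Optional[str] = None
        self.acls: Dict[str, List[Ace]] = {}
        self.match_acl: Optional[str] = None
        self.peer: Optional[str] = None


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_side(text: str) -> Side:
    """Pull outside IP, ACLs, crypto-map ACL reference and peer out of one config."""
    side = Side()
    for raw in text.splitlines():
        line = raw.strip()
        if m := IP_RE.match(line):
            side.outside_ip = m.group(1)
        elif m := ACE_RE.match(line):
            acl_id, src, smask, dst, dmask = m.groups()
            dst_net = _net(dst, dmask) if dst else None  # None = incomplete ACE
            side.acls.setdefault(acl_id, []).append((_net(src, smask), dst_net))
        elif m := MATCH_RE.match(line):
            side.match_acl = m.group(1)
        elif m := PEER_RE.match(line):
            side.peer = m.group(1)
    return side


def check_tunnel(name_a: str, text_a: str, name_b: str, text_b: str) -> List[str]:
    """Return human-readable findings; an empty list means the two ends agree."""
    sides = {name_a: parse_side(text_a), name_b: parse_side(text_b)}
    findings: List[str] = []
    for me, other in ((name_a, name_b), (name_b, name_a)):
        mine, theirs = sides[me], sides[other]
        my_aces = mine.acls.get(mine.match_acl or "", [])
        their_aces = theirs.acls.get(theirs.match_acl or "", [])
        if not my_aces:
            findings.append(f"{me}: crypto map matches ACL {mine.match_acl}, which has no entries")
        for src, dst in my_aces:
            if dst is None:
                findings.append(f"{me}: ACL {mine.match_acl} entry for {src} names no destination; add the remote LAN")
            elif (dst, src) not in their_aces:  # the far end must list the same traffic, reversed
                findings.append(f"{other}: no mirror entry for {me} ACE {src} -> {dst}")
        if mine.peer != theirs.outside_ip:
            findings.append(f"{me}: set peer {mine.peer} is not {other}'s outside address {theirs.outside_ip}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", PIX1_AS_POSTED), ("with ACL 90 completed", PIX1_FIXED)):
        print(f"PIX1 {label}:")
        for finding in check_tunnel("PIX1", cfg, "PIX2", PIX2) or ["no findings"]:
            print("  " + finding)
```

Run as posted it reports two findings, both on PIX1 (the incomplete ACL 90 entry and, seen from PIX2's side, the missing mirror of `10.0.0.0/8 -> 192.168.12.0/24`); with the destination added it reports none, which is the state the reply above asks for.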
