VPN with 2 pix501..... please help

itrukie (IS-IT--Management), US
Aug 21, 2002
Hi all, I am a rookie in this community. Recently I encountered some problems with the PIX 501; can someone please help me with the configuration lines provided below?
(We are trying to connect 2 offices together with 2 PIX 501s by using the VPN function provided on the PIX 501. I set up a lab connecting the 2 PIX 501s with a cross-over cable. I entered all the commands from the book, but the VPN Tunnel light is not blinking...
All the commands are exactly the same as in the book, EXCEPT I don't have 2 routers connected between them.)

Workstation---PIX1---(cross-over cable)---PIX2--Workstation

/Main office conf.:/
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 10baset
interface ethernet1 10full
hostname PIX1
domain-name abcd.com
names
pager lines 24
no logging on
mtu outside 1500
mtu inside 1500
ip address outside 209.165.201.8 255.255.255.224
ip address inside 192.168.12.1 255.255.255.0
arp timeout 14400
access-list 90 permit ip 192.168.12.0 255.255.255.0
nat 0 access-list 90
10.0.0.0 255.0.0.0
nat (inside) 1 0 0
global (outside) 1 209.165.202.129-209.165.202.159
global (outside) 1 209.165.202.160
no rip outside passive
no rip outside default
rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 209.165.201.8 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map toPIX2 20 ipsec-isakmp
crypto map toPIX2 20 match address 90
crypto map toPIX2 20 set peer 209.165.200.229
crypto map toPIX2 20 set transform-set strong
crypto map toPIX2 interface outside
isakmp enable outside
isakmp key **** address 209.165.200.229 netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
sysopt connection permit-ipsec
telnet timeout 5
terminal width 80

/Branch office conf.:/
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname PIX2
domain-name abcd.com
names
pager lines 24
no logging on
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 209.165.200.229 255.255.255.224
ip address inside 10.0.0.1 255.0.0.0
arp timeout 14400
access-list 80 permit ip 10.0.0.0 255.0.0.0 192.168.12.0 255.255.255.0
nat 0 access-list 80
nat (inside) 1 0 0
global (outside) 1 209.165.202.160-209.165.202.189
global (outside) 1 209.165.202.190
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 209.165.200.229 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map PIX1 10 ipsec-isakmp
crypto map PIX1 10 match address 80
crypto map PIX1 10 set peer 209.165.201.8
crypto map PIX1 10 set transform-set strong
crypto map PIX1 interface outside
isakmp enable outside
isakmp key **** address 209.165.201.8 netmask 255.255.255.255
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
sysopt connection permit-ipsec
telnet timeout 5
terminal width 80

I got this script from this link:

 
Nothing jumps out at me as being technically wrong with your configuration. You should turn on debugging and see what the logs say to you.

logging console debug
logging on

debug crypto isakmp
debug crypto ipsec
debug crypto ca

From PIX 1 try to ping the inside address of the other. You should see your access-list incrementing if the packets are matching.

IPSEC on the PIX can be flaky at times. When all else fails I reboot both ends and more often than not the tunnel will come up on the reboot.


Tom
 
I am having a similar problem... but a semi-fix. I am trying to VPN a PIX 515 to a 501... which we actually got working. However, with all settings correct on both ends we couldn't get a tunnel at first. What I have found is that if I pinged the other side the tunnel would connect. The problem I'm still having is that if I, or the other side, reset the PIX then the tunnel won't re-establish automatically. I have to ping the remote PIX to get the tunnel back. I'm researching this now, but I am considering writing an easy script just to ping the remote PIX about once an hour.
 
I have a general suggestion: just don't post the whole PIX config. Now everyone knows your network topology, IP addresses and ACLs.
This is very valuable information for a black hat...
 
Not sure if it's just a cut-and-paste error or what,
but your access-list and nat lines:

access-list 90 permit ip 192.168.12.0 255.255.255.0
nat 0 access-list 90
10.0.0.0 255.0.0.0

should be:
access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0
nat 0 access-list 90

Turning on the debug as mentioned above will give you tons of info as to where it's failing.

Cheers!
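As an added example that is not part of the thread, the following Python script applies the checks the replies above describe to the posted configs: it flags a crypto access-list whose destination was split onto the next line (the cut-and-paste problem in the first post), verifies that the two crypto ACLs are mirror images of each other, that each `set peer` and `isakmp key ... address` is the other box's outside address, and that the transform sets agree. The embedded configs are constructed, abridged copies of the two posted above with the pre-shared key redacted; the repaired main-office config is generated from the broken one so both can be audited side by side.

```python
"""Cross-check two PIX 6.x site-to-site configs for the mismatches that stop a
tunnel from negotiating. Added example; configs are constructed and abridged."""
import ipaddress
import re

ADDR = r"(\d+\.\d+\.\d+\.\d+)"

# Main office as posted: the crypto ACL's destination ended up on its own line.
PIX1_BROKEN = """\
ip address outside 209.165.201.8 255.255.255.224
access-list 90 permit ip 192.168.12.0 255.255.255.0
nat 0 access-list 90
10.0.0.0 255.0.0.0
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map toPIX2 20 ipsec-isakmp
crypto map toPIX2 20 match address 90
crypto map toPIX2 20 set peer 209.165.200.229
crypto map toPIX2 20 set transform-set strong
isakmp key **** address 209.165.200.229 netmask 255.255.255.255
"""
# The same config with the split access-list entry rejoined on one line.
PIX1_FIXED = PIX1_BROKEN.replace(
    "access-list 90 permit ip 192.168.12.0 255.255.255.0\nnat 0 access-list 90\n10.0.0.0 255.0.0.0",
    "access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0\nnat 0 access-list 90")
PIX2 = """\
ip address outside 209.165.200.229 255.255.255.224
access-list 80 permit ip 10.0.0.0 255.0.0.0 192.168.12.0 255.255.255.0
nat 0 access-list 80
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map PIX1 10 ipsec-isakmp
crypto map PIX1 10 match address 80
crypto map PIX1 10 set peer 209.165.201.8
crypto map PIX1 10 set transform-set strong
isakmp key **** address 209.165.201.8 netmask 255.255.255.255
"""


def parse_pix(cfg):
    """Extract the pieces of a PIX config that have to agree with the peer's."""
    p = {"outside": None, "acl": {}, "maps": {}, "tsets": {}, "keys": set(), "stray": []}
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.match(rf"ip address outside {ADDR} {ADDR}", line):
            p["outside"] = m.group(1)
        elif m := re.match(rf"access-list (\S+) permit ip {ADDR} {ADDR}(?: {ADDR} {ADDR})?$", line):
            name, s, sm, d, dm = m.groups()
            src = ipaddress.ip_network(f"{s}/{sm}", strict=False)
            dst = ipaddress.ip_network(f"{d}/{dm}", strict=False) if d else None  # None: no destination
            p["acl"].setdefault(name, []).append((src, dst))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            p["tsets"][m.group(1)] = tuple(sorted(m.group(2).split()))
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)", line):
            name, seq, what, val = m.groups()
            p["maps"].setdefault((name, seq), {})[what] = val
        elif m := re.match(rf"isakmp key \S+ address {ADDR}", line):
            p["keys"].add(m.group(1))
        elif re.match(rf"^{ADDR} {ADDR}$", line):
            p["stray"].append(line)  # a bare "network mask" line is an ACE that got split
    return p


def check_side(a, b):
    """Findings for a's crypto map entries judged against the peer config b."""
    out = [f"stray line '{s}': looks like a split access-list entry" for s in a["stray"]]
    # What the peer's crypto ACL(s) say, with source and destination swapped.
    remote_aces = {(d, s) for mm in b["maps"].values()
                   for s, d in b["acl"].get(mm.get("match address"), []) if d is not None}
    remote_tsets = {b["tsets"].get(mm.get("set transform-set")) for mm in b["maps"].values()}
    for (name, seq), m in a["maps"].items():
        tag = f"crypto map {name} {seq}"
        if not all(k in m for k in ("match address", "set peer", "set transform-set")):
            out.append(f"{tag}: needs match address, set peer and set transform-set")
            continue
        acl, peer, tset = m["match address"], m["set peer"], m["set transform-set"]
        aces = a["acl"].get(acl, [])
        if not aces:
            out.append(f"{tag}: access-list {acl} is not defined")
        if any(d is None for _, d in aces):
            out.append(f"{tag}: access-list {acl} has an entry with no destination")
        # The crypto ACL must be the exact mirror (src/dst swapped) of the peer's.
        if {(s, d) for s, d in aces if d is not None} != remote_aces:
            out.append(f"{tag}: access-list {acl} does not mirror the peer's crypto ACL")
        if peer != b["outside"]:
            out.append(f"{tag}: set peer {peer} is not the peer's outside address {b['outside']}")
        if peer not in a["keys"]:
            out.append(f"{tag}: no isakmp key configured for {peer}")
        if a["tsets"].get(tset) not in remote_tsets:
            out.append(f"{tag}: transform-set {tset} has no equal on the peer")
    return out


def audit(cfg_a, cfg_b):
    """Run the checks in both directions and return every finding."""
    a, b = parse_pix(cfg_a), parse_pix(cfg_b)
    return check_side(a, b) + check_side(b, a)


# Usage: audit(PIX1_BROKEN, PIX2) returns four findings; audit(PIX1_FIXED, PIX2) returns [].
```

Feed it the `write terminal` output of each box. The mirror check is the one that bites most often in practice: a crypto ACL that is only a superset or subset of the peer's still lets Phase 1 complete, and the failure only shows up when the Phase 2 proxy identities are rejected, which is exactly the point where the debug output suggested above becomes useful.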
 