From: john matijevic (john.matijevic@gmail.com)
Date: Thu Apr 14 2005 - 13:28:53 GMT-3
Hello Team,
I appreciate all of your help on this one. Here is an update on the
particular issue I am having: I can ping from external address to other
external address, however, I can't seem to get to phase 1 of IPSEC. I turn on
the debug for crypto and I see no output. I am attaching the configs here
for assistance. Also, on the client side there is a PIX with a DSL connection;
on the server side, there is a router on the outside with a T1 coming in and
then a PIX firewall. Please feel free to call me if you need any additional
information.
Sincerely,
John Matijevic, CCIE #13254
Senior Network Engineer
U.S. Installation Group
954-969-7160 extension 1147 office
305-321-6232 cell
Client config:
name 192.168.101.0 Server
access-list inside_outbound_nat0_acl permit ip 192.168.21.0 255.255.255.0 Server 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.21.0 255.255.255.0 Server 255.255.255.0
access-list inside_access_in remark VPN access to Server
access-list inside_access_in permit ip 192.168.21.0 255.255.255.0 Server 255.255.255.0
access-list inside_access_in remark Block all Access
access-list inside_access_in deny ip 192.168.21.0 255.255.255.0 any
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 68.213.219.250 1
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 65.240.142.186
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 65.240.142.186 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
Server Config:
name 192.168.26.0 Client
name 68.213.219.250 Client_Public
object-group network RemoteLocationsVPN
description These are the remote locations that VPN in to this network.
network-object Client 255.255.255.0
access-list 10 permit ip 192.168.101.0 255.255.255.0 Client 255.255.255.0
access-list 20 permit tcp host Client_Public host 65.240.142.187 eq www
access-list 106 permit ip 192.168.101.0 255.255.255.0 Client 255.255.255.0
ip address outside 65.240.142.186 255.255.255.248
ip address inside 192.168.101.1 255.255.255.0
global (outside) 1 interface
global (outside) 4 65.240.142.189
nat (inside) 0 access-list 10
nat (inside) 1 192.168.101.0 255.255.255.0 400 200
access-group 20 in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 65.240.142.185 1
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto map corpvpn 106 ipsec-isakmp
crypto map corpvpn 106 match address 106
crypto map corpvpn 106 set peer Client_Public
crypto map corpvpn 106 set transform-set usinstall
crypto map corpvpn interface outside
isakmp enable outside
isakmp key ******** address Client_Public netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
---------- Forwarded message ----------
From: john matijevic <john.matijevic@gmail.com>
Date: Apr 12, 2005 5:11 PM
Subject: dsl and pix
To: ccielab@groupstudy.com
Hello Team,
I was wondering if anyone has come across using DSL for internet in a
corporate environment and has used the PIX firewall for establishing a VPN
network over the DSL network. Please contact me offline to discuss.
Sincerely,
John Matijevic
305-321-6232
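
A consistency check for the two configs posted above, added here as an example and not part of the original message: it resolves the PIX name aliases, then compares each end's crypto ACL and peer against the other end. The function names are this example's own, and the config strings are excerpts of the posted lines with the link residue removed; each finding is an item to verify on the devices, not a confirmed root cause.

```python
import re

# Lines excerpted from the two configs in the post, link residue removed.
CLIENT = """\
name 192.168.101.0 Server
access-list outside_cryptomap_20 permit ip 192.168.21.0 255.255.255.0 Server 255.255.255.0
route outside 0.0.0.0 0.0.0.0 68.213.219.250 1
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 65.240.142.186
"""
SERVER = """\
name 192.168.26.0 Client
name 68.213.219.250 Client_Public
access-list 106 permit ip 192.168.101.0 255.255.255.0 Client 255.255.255.0
ip address outside 65.240.142.186 255.255.255.248
route outside 0.0.0.0 0.0.0.0 65.240.142.185 1
crypto map corpvpn 106 match address 106
crypto map corpvpn 106 set peer Client_Public
"""

def parse(cfg):
    """Extract crypto ACL entries, peer, outside address and default gateway."""
    names = {n: ip for ip, n in re.findall(r"^name (\S+) (\S+)$", cfg, re.M)}
    res = lambda t: names.get(t, t)  # resolve PIX 'name' aliases to addresses
    first = lambda pat: next(iter(re.findall(pat, cfg, re.M)), None)
    acl_id = re.escape(first(r"^crypto map \S+ \d+ match address (\S+)$"))
    rows = re.findall(rf"^access-list {acl_id} permit ip (\S+) (\S+) (\S+) (\S+)$", cfg, re.M)
    return {
        "acl": {(res(s), sm, res(d), dm) for s, sm, d, dm in rows},
        "peer": res(first(r"^crypto map \S+ \d+ set peer (\S+)$")),
        "outside": first(r"^ip address outside (\S+) "),  # None if not in excerpt
        "gw": first(r"^route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+)"),
    }

def check(cfg_a, cfg_b):
    """Return findings that would keep the two ends from agreeing on a tunnel."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    # Each end's crypto ACL must be the other's with source and destination swapped.
    if a["acl"] != {(d, dm, s, sm) for s, sm, d, dm in b["acl"]}:
        findings.append("crypto ACLs are not mirror images of each other")
    for me, other in ((a, b), (b, a)):
        if other["outside"] and me["peer"] != other["outside"]:
            findings.append(f"peer {me['peer']} is not the other end's outside address")
        elif me["peer"] == other["gw"]:
            findings.append(f"peer {me['peer']} is the other end's default gateway")
    return findings
```

Calling check(CLIENT, SERVER) returns the list of findings; the client's own outside address is not in the posted config, so the peer check on that side falls back to comparing against its default route.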
This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:54:57 GMT-3