From: Guilherme Correia (razzolini80@hotmail.com)
Date: Thu Apr 14 2005 - 14:09:57 GMT-3
Hi John,
Additionally, add "no-xauth" and "no config-mode" on the "isakmp key" on the server side.
Check with "clear isakmp sa" and "debug crypto isakmp".
HTH
#13754
=================
Hello Guilherme and Team,
The command is on the server:
crypto ipsec transform-set usinstall esp-3des esp-md5-hmac
Just didn't include it in the output, but it's there on the server.
Thanks again Team.
Sincerely,
John Matijevic, CCIE #13254
  On 4/14/05, Guilherme Correia <razzolini80@hotmail.com> wrote:
 >
 > Hi John
 >
 > I don't see:
 >
 > crypto ipsec transform-set
 >
 > on your server side; make sure that it is the same as the client side.
 >
 > ================================
 >
 > Hello Team,
 > I appreciate all of your help on this one. Here is an update on the
 > particular issue I am having: I can ping from external address to other
 > external address; however, I can't seem to get to phase 1 of IPSEC. I turn
 > on the debug for crypto and I see no output. I am attaching the configs
 > here for assistance. Also, on the client side there is a PIX with DSL
 > connection; on the server side, there is a router on the outside with a T1
 > coming in and then a PIX firewall. Please feel free to call me if you need
 > any additional information.
 > Sincerely,
 > John Matijevic, CCIE #13254
 > Senior Network Engineer
 > U.S. Installation Group
 > 954-969-7160 extension 1147 office
 > 305-321-6232 cell
 > Client config:
 >
 > name 192.168.101.0 Server
 > access-list inside_outbound_nat0_acl permit ip 192.168.21.0 255.255.255.0 Server 255.255.255.0
 >
 > access-list outside_cryptomap_20 permit ip 192.168.21.0 255.255.255.0 Server 255.255.255.0
 >
 > access-list inside_access_in remark VPN access to Server
 > access-list inside_access_in permit ip 192.168.21.0 255.255.255.0 Server 255.255.255.0
 > access-list inside_access_in remark Block all Access
 > access-list inside_access_in deny ip 192.168.21.0 255.255.255.0 any
 >
 > global (outside) 1 interface
 > nat (inside) 0 access-list inside_outbound_nat0_acl
 > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
 > access-group inside_access_in in interface inside
 > route outside 0.0.0.0 0.0.0.0 68.213.219.250 1
 >
 > sysopt connection permit-ipsec
 > sysopt connection permit-pptp
 >
 > crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
 >
 > crypto map outside_map 20 ipsec-isakmp
 > crypto map outside_map 20 match address outside_cryptomap_20
 > crypto map outside_map 20 set peer 65.240.142.186
 > crypto map outside_map 20 set transform-set ESP-3DES-MD5
 >
 > crypto map outside_map interface outside
 > isakmp enable outside
 > isakmp key ******** address 65.240.142.186 netmask 255.255.255.255 no-xauth no-config-mode
 >
 > isakmp policy 20 authentication pre-share
 > isakmp policy 20 encryption 3des
 > isakmp policy 20 hash md5
 > isakmp policy 20 group 2
 > isakmp policy 20 lifetime 86400
 >
 > Server Config:
 >
 > name 192.168.26.0 Client
 > name 68.213.219.250 Client_Public
 >
 > object-group network RemoteLocationsVPN
 > description These are the remote locations that VPN in to this network.
 > network-object Client 255.255.255.0
 >
 > access-list 10 permit ip 192.168.101.0 255.255.255.0 Client 255.255.255.0
 >
 > access-list 20 permit tcp host Client_Public host 65.240.142.187 eq www
 >
 > access-list 106 permit ip 192.168.101.0 255.255.255.0 Client 255.255.255.0
 >
 > ip address outside 65.240.142.186 255.255.255.248
 > ip address inside 192.168.101.1 255.255.255.0
 >
 > global (outside) 1 interface
 > global (outside) 4 65.240.142.189
 >
 > nat (inside) 0 access-list 10
 > nat (inside) 1 192.168.101.0 255.255.255.0 400 200
 >
 > access-group 20 in interface outside
 > access-group inside_access_in in interface inside
 > route outside 0.0.0.0 0.0.0.0 65.240.142.185 1
 >
 > sysopt connection permit-ipsec
 > sysopt connection permit-pptp
 >
 > crypto map corpvpn 106 ipsec-isakmp
 > crypto map corpvpn 106 match address 106
 > crypto map corpvpn 106 set peer Client_Public
 > crypto map corpvpn 106 set transform-set usinstall
 >
 > crypto map corpvpn interface outside
 > isakmp enable outside
 >
 > isakmp key ******** address Client_Public netmask 255.255.255.255
 >
 >
 > isakmp identity address
 > isakmp policy 10 authentication pre-share
 > isakmp policy 10 encryption 3des
 > isakmp policy 10 hash md5
 > isakmp policy 10 group 2
 > isakmp policy 10 lifetime 86400
 >
 > ---------- Forwarded message ----------
 > From: john matijevic <john.matijevic@gmail.com>
 > Date: Apr 12, 2005 5:11 PM
 > Subject: dsl and pix
 > To: ccielab@groupstudy.com
 >
 > Hello Team,
 > I was wondering if anyone has come across using a dsl for internet in
 > corporate environment and have used the pix firewall for establishing a
 > vpn network over the dsl network. Please contact me offline to discuss.
 > Sincerely,
 > John Matijevic
 > 305-321-6232
 >
-- John Matijevic, CCIE #13254 U.S. Installation Group Senior Network Engineer 954-969-7160 (office) 305-321-6232 (cell)
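
The checks discussed in this thread (a defined transform set that matches on both peers, and `no-xauth` / `no-config-mode` on the `isakmp key` line) can be run mechanically over the two PIX configs; the following is an added example, not code from any poster. It goes beyond the thread by also comparing the ISAKMP policy parameters and checking that the crypto ACLs mirror each other. The function names `parse` and `audit` are hypothetical, and the sample strings are a constructed subset of the configs quoted above.

```python
import re

# Constructed excerpts: a subset of the crypto-related lines from the two configs in the thread.
CLIENT = """name 192.168.101.0 Server
access-list outside_cryptomap_20 permit ip 192.168.21.0 255.255.255.0 Server 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set transform-set ESP-3DES-MD5
isakmp key ******** address 65.240.142.186 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5"""
SERVER = """name 192.168.26.0 Client
access-list 106 permit ip 192.168.101.0 255.255.255.0 Client 255.255.255.0
crypto map corpvpn 106 match address 106
crypto map corpvpn 106 set transform-set usinstall
isakmp key ******** address Client_Public netmask 255.255.255.255
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5"""

def parse(cfg):
    # Resolve PIX "name" aliases to addresses so both sides compare on raw IPs.
    names = {n: ip for ip, n in re.findall(r"^name (\S+) (\S+)$", cfg, re.M)}
    text = "\n".join(" ".join(names.get(t, t) for t in l.split()) for l in cfg.splitlines())
    acl = re.search(r"^crypto map \S+ \d+ match address (\S+)$", text, re.M).group(1)
    return {
        "tsets": {n: frozenset(t.split()) for n, t in
                  re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", text, re.M)},
        "used": re.search(r"set transform-set (\S+)$", text, re.M).group(1),
        "acl": re.findall(
            rf"^access-list {re.escape(acl)} permit ip (\S+) (\S+) (\S+) (\S+)$", text, re.M),
        "keyflags": set(re.search(r"^isakmp key .*$", text, re.M).group(0).split()[7:]),
        "policy": set(re.findall(r"^isakmp policy \d+ (\S+) (\S+)$", text, re.M)),
    }

def audit(client, server):
    c, s, out = parse(client), parse(server), []
    for side, p in (("client", c), ("server", s)):
        if p["used"] not in p["tsets"]:
            out.append(f"{side}: transform-set {p['used']} referenced but not defined")
        for flag in ("no-xauth", "no-config-mode"):
            if flag not in p["keyflags"]:
                out.append(f"{side}: isakmp key lacks {flag}")
    if c["tsets"].get(c["used"]) != s["tsets"].get(s["used"]):
        out.append("transform sets not confirmed identical on both peers")
    if c["policy"] != s["policy"]:
        out.append("isakmp policy parameters differ")
    # The server's crypto ACL must be the client's with source and destination swapped.
    if sorted((d, dm, a, am) for a, am, d, dm in c["acl"]) != sorted(s["acl"]):
        out.append("crypto ACLs are not mirror images")
    return out
```

Calling `audit(CLIENT, SERVER)` on the excerpts as posted reports the undefined `usinstall` transform set, the two missing `isakmp key` options on the server, and crypto ACLs that are not mirror images.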
This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:54:58 GMT-3