bigdogg2

join:2004-08-11

reply to bigdogg2
Re: Issues with Cisco 871 tunnel with Pix515e


I guess I should have scrubbed the config before I posted it :\
-----

pix515# sh run
: Saved
:
PIX Version 8.0(3)
!
hostname pix515
domain-name test.local
enable password ************ encrypted
names
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.10.20 255.255.255.0
!
interface Ethernet1
description Inside Trunk
no nameif
no security-level
no ip address
!
interface Ethernet1.100
vlan 100
nameif inside
security-level 100
ip address 10.45.45.2 255.255.255.248
!
interface Ethernet2
description DMZ Trunk
no nameif
no security-level
no ip address
!
interface Ethernet2.50
vlan 50
nameif DMZ
security-level 80
ip address 192.168.1.1 255.255.255.0
!
passwd *********** encrypted
boot system flash:/pix803.bin
ftp mode passive
dns server-group DefaultDNS
domain-name test.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service dns tcp-udp
description DNS Port Mapping
port-object eq domain
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list inside-test extended permit ip any any log critical
access-list inside extended permit ip any any log

access-list nonat extended permit ip 10.35.1.0 255.255.255.0 10.44.44.0 255.255.255.0

access-list out extended deny icmp any any alternate-address
access-list out extended deny icmp any any router-advertisement
access-list out extended deny icmp any any router-solicitation
access-list out extended deny icmp any any timestamp-request
access-list out extended deny icmp any any timestamp-reply
access-list out extended deny icmp any any information-request
access-list out extended deny icmp any any information-reply
access-list out extended deny icmp any any mask-request
access-list out extended deny icmp any any mask-reply
access-list out extended deny icmp any any mobile-redirect
access-list out extended deny icmp any any echo
access-list out extended permit icmp any any
access-list out extended deny ip any any log critical

access-list inside_cryptomap extended permit ip 10.35.1.0 255.255.255.0 10.44.44.0 255.255.255.0

access-list dmz-in extended permit ip any any

access-list S2S-Split extended permit ip 10.100.100.0 255.255.255.0 10.35.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.35.1.0 255.255.255.0 10.44.44.0 255.255.255.0

pager lines 14
logging enable
logging timestamp
logging list VPN-debug level debugging class vpn
logging buffer-size 50000
logging asdm-buffer-size 512
logging console debugging
logging monitor critical
logging buffered debugging
logging trap critical
logging asdm debugging
logging host inside 10.35.1.20
no logging message 305012
no logging message 305011
no logging message 305010
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool vpn-dhcp 10.35.254.50-10.35.254.60 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat-control

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list nonat-dmz
nat (DMZ) 1 0.0.0.0 0.0.0.0

static (inside,DMZ) 10.35.1.0 10.35.1.0 netmask 255.255.255.0
static (inside,DMZ) 10.44.44.0 10.44.44.0 netmask 255.255.255.0

access-group out in interface outside
access-group dmz-in in interface DMZ

route outside 0.0.0.0 0.0.0.0 192.168.10.1 1
route inside 10.35.1.0 255.255.255.0 10.45.45.1 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius
aaa-server local protocol radius
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community **
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set xform-3des-md5 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set S2S esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map dcmap-vpnclient 1 set transform-set xform-3des-md5
crypto map cmap-vpncient 1 match address outside_cryptomap
crypto map cmap-vpncient 1 set peer 192.168.10.50
crypto map cmap-vpncient 1 set transform-set ESP-3DES-MD5 xform-3des-md5 ESP-DES-MD5
crypto map cmap-vpncient 65535 ipsec-isakmp dynamic dcmap-vpnclient
crypto map cmap-vpncient interface outside
crypto map SiteToSiteVPN 1 match address inside_cryptomap
crypto map SiteToSiteVPN 1 set peer 10.44.44.2
crypto map SiteToSiteVPN 1 set transform-set ESP-3DES-MD5 ESP-DES-MD5 xform-3des-md5
crypto map SiteToSiteVPN interface inside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh version 2
console timeout 0
priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
vpn-idle-timeout none
vpn-tunnel-protocol IPSec
password-storage disable
re-xauth disable
pfs disable
username **
tunnel-group 10.44.44.2 type ipsec-l2l
tunnel-group 10.44.44.2 ipsec-attributes
pre-shared-key *
tunnel-group 192.168.10.50 type ipsec-l2l
tunnel-group 192.168.10.50 ipsec-attributes
pre-shared-key *
!
class-map voip
description High Priority = voip
match dscp ef
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect http
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect sip
inspect xdmcp
policy-map general
class voip
priority
!
service-policy global_policy global
service-policy general interface outside
prompt hostname context
Cryptochecksum:a333040ff1f2a173d40122e0d5ab4de9
: end
pix515#
-
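As an added illustration (not part of the post above, and not a Cisco tool): a small Python checker that reads a PIX running config in the format shown and flags two things worth confirming before chasing the tunnel itself: access-lists that nat or crypto map lines reference but that are never defined, and crypto maps bound to different interfaces whose match-address ACLs select identical traffic. The sample input is a constructed excerpt of lines from the posted config.

```python
import re
from collections import defaultdict

# Constructed excerpt of the posted PIX config (not the full running config).
SAMPLE_CONFIG = """\
access-list nonat extended permit ip 10.35.1.0 255.255.255.0 10.44.44.0 255.255.255.0
access-list inside_cryptomap extended permit ip 10.35.1.0 255.255.255.0 10.44.44.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.35.1.0 255.255.255.0 10.44.44.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (DMZ) 0 access-list nonat-dmz
crypto map cmap-vpncient 1 match address outside_cryptomap
crypto map cmap-vpncient interface outside
crypto map SiteToSiteVPN 1 match address inside_cryptomap
crypto map SiteToSiteVPN interface inside
"""

ACL_DEF = re.compile(r"^access-list (\S+) extended (.*)$")
ACL_REF = re.compile(r"^(?:nat \(\S+\) \d+ access-list|crypto map \S+ \d+ match address) (\S+)$")
CMAP_MATCH = re.compile(r"^crypto map (\S+) \d+ match address (\S+)$")
CMAP_IFACE = re.compile(r"^crypto map (\S+) interface (\S+)$")

def lint(config: str) -> dict:
    """Return ACLs referenced but undefined, and crypto maps on different
    interfaces that select the same interesting traffic."""
    acls = defaultdict(list)   # ACL name -> list of ACE strings
    refs = set()               # ACL names referenced by nat / crypto map lines
    cmap_acl = {}              # crypto map name -> match-address ACL
    cmap_if = {}               # crypto map name -> interface it is bound to
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_DEF.match(line):
            acls[m.group(1)].append(m.group(2))
        if m := ACL_REF.match(line):
            refs.add(m.group(1))
        if m := CMAP_MATCH.match(line):
            cmap_acl[m.group(1)] = m.group(2)
        if m := CMAP_IFACE.match(line):
            cmap_if[m.group(1)] = m.group(2)
    undefined = sorted(refs - set(acls))
    overlaps = []
    names = sorted(cmap_acl)
    for i, a in enumerate(names):
        aces_a = acls.get(cmap_acl[a])
        for b in names[i + 1:]:
            # Identical ACE lists on maps bound to different interfaces
            if aces_a and aces_a == acls.get(cmap_acl[b]) and cmap_if.get(a) != cmap_if.get(b):
                overlaps.append((a, b))
    return {"undefined_acls": undefined, "overlapping_cryptomaps": overlaps}

if __name__ == "__main__":
    print(lint(SAMPLE_CONFIG))
```

Run against the full `sh run` output, the check works the same way; the excerpt here is only what the regexes need.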
Sunday, 06-Dec 10:56:34 · © 1999-2009 dslreports.com