
bigdogg2

join:2004-08-11

reply to bigdogg2

Re: Issues with Cisco 871 tunnel with Pix515e


I guess I should have scrubbed the config before I posted it :\
-----

pix515# sh run
: Saved
:
PIX Version 8.0(3)
!
hostname pix515
domain-name test.local
enable password ************ encrypted
names
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.10.20 255.255.255.0
!
interface Ethernet1
description Inside Trunk
no nameif
no security-level
no ip address
!
interface Ethernet1.100
vlan 100
nameif inside
security-level 100
ip address 10.45.45.2 255.255.255.248
!
interface Ethernet2
description DMZ Trunk
no nameif
no security-level
no ip address
!
interface Ethernet2.50
vlan 50
nameif DMZ
security-level 80
ip address 192.168.1.1 255.255.255.0
!
passwd *********** encrypted
boot system flash:/pix803.bin
ftp mode passive
dns server-group DefaultDNS
domain-name test.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service dns tcp-udp
description DNS Port Mapping
port-object eq domain
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list inside-test extended permit ip any any log critical
access-list inside extended permit ip any any log

access-list nonat extended permit ip 10.35.1.0 255.255.255.0 10.44.44.0 255.255.255.0

access-list out extended deny icmp any any alternate-address
access-list out extended deny icmp any any router-advertisement
access-list out extended deny icmp any any router-solicitation
access-list out extended deny icmp any any timestamp-request
access-list out extended deny icmp any any timestamp-reply
access-list out extended deny icmp any any information-request
access-list out extended deny icmp any any information-reply
access-list out extended deny icmp any any mask-request
access-list out extended deny icmp any any mask-reply
access-list out extended deny icmp any any mobile-redirect
access-list out extended deny icmp any any echo
access-list out extended permit icmp any any
access-list out extended deny ip any any log critical

access-list inside_cryptomap extended permit ip 10.35.1.0 255.255.255.0 10.44.44.0 255.255.255.0

access-list dmz-in extended permit ip any any

access-list S2S-Split extended permit ip 10.100.100.0 255.255.255.0 10.35.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.35.1.0 255.255.255.0 10.44.44.0 255.255.255.0

pager lines 14
logging enable
logging timestamp
logging list VPN-debug level debugging class vpn
logging buffer-size 50000
logging asdm-buffer-size 512
logging console debugging
logging monitor critical
logging buffered debugging
logging trap critical
logging asdm debugging
logging host inside 10.35.1.20
no logging message 305012
no logging message 305011
no logging message 305010
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool vpn-dhcp 10.35.254.50-10.35.254.60 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat-control

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list nonat-dmz
nat (DMZ) 1 0.0.0.0 0.0.0.0

static (inside,DMZ) 10.35.1.0 10.35.1.0 netmask 255.255.255.0
static (inside,DMZ) 10.44.44.0 10.44.44.0 netmask 255.255.255.0

access-group out in interface outside
access-group dmz-in in interface DMZ

route outside 0.0.0.0 0.0.0.0 192.168.10.1 1
route inside 10.35.1.0 255.255.255.0 10.45.45.1 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius
aaa-server local protocol radius
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community **
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set xform-3des-md5 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set S2S esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map dcmap-vpnclient 1 set transform-set xform-3des-md5
crypto map cmap-vpncient 1 match address outside_cryptomap
crypto map cmap-vpncient 1 set peer 192.168.10.50
crypto map cmap-vpncient 1 set transform-set ESP-3DES-MD5 xform-3des-md5 ESP-DES-MD5
crypto map cmap-vpncient 65535 ipsec-isakmp dynamic dcmap-vpnclient
crypto map cmap-vpncient interface outside
crypto map SiteToSiteVPN 1 match address inside_cryptomap
crypto map SiteToSiteVPN 1 set peer 10.44.44.2
crypto map SiteToSiteVPN 1 set transform-set ESP-3DES-MD5 ESP-DES-MD5 xform-3des-md5
crypto map SiteToSiteVPN interface inside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh version 2
console timeout 0
priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
vpn-idle-timeout none
vpn-tunnel-protocol IPSec
password-storage disable
re-xauth disable
pfs disable
username **
tunnel-group 10.44.44.2 type ipsec-l2l
tunnel-group 10.44.44.2 ipsec-attributes
pre-shared-key *
tunnel-group 192.168.10.50 type ipsec-l2l
tunnel-group 192.168.10.50 ipsec-attributes
pre-shared-key *
!
class-map voip
description High Priority = voip
match dscp ef
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect http
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect sip
inspect xdmcp
policy-map general
class voip
priority
!
service-policy global_policy global
service-policy general interface outside
prompt hostname context
Cryptochecksum:a333040ff1f2a173d40122e0d5ab4de9
: end
pix515#
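An added check, not part of the original post and not a Cisco tool: a small Python linter that reads a PIX/ASA 8.x running-config like the one above and reports what a reviewer would look for first when a tunnel misbehaves, namely access-lists referenced by `nat`, `access-group` or a crypto map but never defined, crypto map peers with no matching `tunnel-group`, ISAKMP policies using DES/3DES, MD5 or DH group 1/2, and SSH management permitted from `0.0.0.0 0.0.0.0`. The embedded excerpt is constructed from lines in the posted config; on it the linter flags `nonat-dmz`, which `nat (DMZ) 0` references but which no `access-list` line in the post defines. Function and variable names here are the example's own.

```python
from collections import defaultdict

# Constructed excerpt: lines copied from the posted 'sh run' above, trimmed to
# the parts the linter looks at (ACLs, NAT, crypto maps, ISAKMP policy, SSH).
PIX_CONFIG = """\
access-list nonat extended permit ip 10.35.1.0 255.255.255.0 10.44.44.0 255.255.255.0
access-list out extended deny ip any any log critical
access-list inside_cryptomap extended permit ip 10.35.1.0 255.255.255.0 10.44.44.0 255.255.255.0
access-list dmz-in extended permit ip any any
access-list outside_cryptomap extended permit ip 10.35.1.0 255.255.255.0 10.44.44.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (DMZ) 0 access-list nonat-dmz
access-group out in interface outside
access-group dmz-in in interface DMZ
crypto ipsec transform-set xform-3des-md5 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map dcmap-vpnclient 1 set transform-set xform-3des-md5
crypto map cmap-vpncient 1 match address outside_cryptomap
crypto map cmap-vpncient 1 set peer 192.168.10.50
crypto map cmap-vpncient 1 set transform-set ESP-3DES-MD5 xform-3des-md5 ESP-DES-MD5
crypto map cmap-vpncient 65535 ipsec-isakmp dynamic dcmap-vpnclient
crypto map cmap-vpncient interface outside
crypto map SiteToSiteVPN 1 match address inside_cryptomap
crypto map SiteToSiteVPN 1 set peer 10.44.44.2
crypto map SiteToSiteVPN 1 set transform-set ESP-3DES-MD5 ESP-DES-MD5 xform-3des-md5
crypto map SiteToSiteVPN interface inside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
tunnel-group 10.44.44.2 type ipsec-l2l
tunnel-group 192.168.10.50 type ipsec-l2l
"""

POLICY_KEYS = ("authentication", "encryption", "hash", "group", "lifetime")
# IKEv1 settings considered weak today: single/triple DES, MD5, DH groups 1 and 2.
WEAK = {("encryption", "des"), ("encryption", "3des"), ("hash", "md5"),
        ("group", "1"), ("group", "2")}


def _tail(tokens, key):
    """Tokens that follow `key` on a line, or [] when `key` is absent."""
    return tokens[tokens.index(key) + 1:] if key in tokens else []


def parse(config):
    """Collect definitions, references and security-relevant settings."""
    defined = defaultdict(set)         # kind -> names defined
    refs = []                          # (kind, name, line) references
    peers, tunnel_groups, ssh_any = set(), set(), []
    policies, current = {}, None       # isakmp policy number -> attributes
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line[0] in "!:":
            continue
        t = line.split()
        # 'crypto isakmp policy N' is followed directly by its sub-commands
        if current is not None and t[0] in POLICY_KEYS:
            policies[current][t[0]] = t[1]
            continue
        current = None
        if t[:3] == ["crypto", "isakmp", "policy"]:
            current = t[3]
            policies[current] = {}
        elif t[0] == "access-list":
            defined["acl"].add(t[1])
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            defined["xform"].add(t[3])
        elif t[:2] == ["crypto", "dynamic-map"]:
            defined["dynmap"].add(t[2])
            refs += [("xform", n, line) for n in _tail(t, "transform-set")]
        elif t[:2] == ["crypto", "map"]:
            refs += [("acl", n, line) for n in _tail(t, "address")[:1]]
            refs += [("xform", n, line) for n in _tail(t, "transform-set")]
            refs += [("dynmap", n, line) for n in _tail(t, "dynamic")[:1]]
            peers.update(_tail(t, "peer")[:1])
        elif t[0] in ("nat", "access-group"):
            names = _tail(t, "access-list")[:1] if t[0] == "nat" else [t[1]]
            refs += [("acl", n, line) for n in names]
        elif t[0] == "tunnel-group" and len(t) > 2 and t[2] == "type":
            tunnel_groups.add(t[1])
        elif t[0] == "ssh" and len(t) == 4 and t[1:3] == ["0.0.0.0", "0.0.0.0"]:
            ssh_any.append(t[3])
    return {"defined": defined, "refs": refs, "peers": peers,
            "tunnel_groups": tunnel_groups, "policies": policies, "ssh_any": ssh_any}


def audit(config):
    """Return human-readable findings; an empty list means nothing was flagged."""
    p = parse(config)
    findings = []
    for kind, name, line in p["refs"]:
        if name not in p["defined"][kind]:
            findings.append(f"dangling {kind} reference '{name}' in: {line}")
    for peer in sorted(p["peers"] - p["tunnel_groups"]):
        findings.append(f"crypto map peer {peer} has no matching tunnel-group")
    for num, attrs in p["policies"].items():
        weak = [f"{k} {v}" for k, v in attrs.items() if (k, v) in WEAK]
        if weak:
            findings.append(f"isakmp policy {num} uses weak settings: {', '.join(weak)}")
    for iface in p["ssh_any"]:
        findings.append(f"ssh management allowed from any address on interface {iface}")
    return findings


if __name__ == "__main__":
    for finding in audit(PIX_CONFIG):
        print(finding)
```

Run it against a full `sh run` saved to a file by passing the file's contents to `audit()`; the parser ignores comment and `:` lines, so the `Cryptochecksum` and `: end` trailer need no stripping. The dangling-reference check is the one to run first when a tunnel is up but traffic is not being exempted from NAT as expected, since the PIX accepts a `nat ... access-list` line naming an ACL that does not exist.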

Monday, 13-Feb 09:52:25 · © 1999-2012 dslreports.com.