Question : Problem creating a VPN tunnel between 2 Cisco PIX firewalls

I'm trying to configure a VPN tunnel thru internet between 2 Cisco PIX firewall but I'm getting errors from the debug modes of my routers. I'd appreciate any help you can provide for this issue.

Firewall 1's name is FB
Firewall 2's name is FP
The error message I get when I analyze the packets passing thru is : "No proposal chosen"

My network set up is the following (too bad we can't upload screenshots in the question) :

PIX Firewall - Cisco Router - Internet - Cisco Router - PIX Firewall

Here's the configuration of both firewalls
--------------------------------------------------------------------------------------------
PIX Version 7.0(1)
names
!
interface Ethernet0
nameif inside
security-level 100
ip address 10.0.0.130 255.255.255.128
!
interface Ethernet1
nameif outside
security-level 1
ip address 10.0.0.5 255.255.255.252
!
interface Ethernet2
nameif dmz
security-level 50
ip address 10.0.0.9 255.255.255.240
!
enable password iSoc161g.C0864Pz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname FB
domain-name Bulle
access-list 102 extended permit icmp any any
access-list 103 extended permit icmp any any
access-list 110 extended permit icmp 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255
.0
pager lines 24
mtu inside 1500
mtu outside 1500
mtu dmz 1500
monitor-interface inside
monitor-interface outside
monitor-interface dmz
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.0.0.64 255.255.255.192
nat (inside) 1 10.0.0.128 255.255.255.128
access-group 101 in interface inside
access-group 102 in interface outside
access-group 103 in interface dmz
route inside 10.0.0.0 255.255.255.252 10.0.0.129 1
route inside 10.0.0.64 255.255.255.192 10.0.0.129 1
route outside 0.0.0.0 0.0.0.0 10.0.0.6 1
timeout xlate 3:00:00
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map toPekin 20 match address 110
crypto map toPekin 20 set peer 30.0.0.2
crypto map toPekin 20 set transform-set strong
crypto map toPekin interface outside
isakmp enable outside
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash sha
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group 30.0.0.2 type ipsec-l2l
tunnel-group 30.0.0.2 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:f9dad96ac702684dbf487f0bf56b3db0

****************************************************************************************************

PIX Version 7.0(1)
names
!
interface Ethernet0
nameif inside
security-level 100
ip address 10.1.0.130 255.255.255.128
!
interface Ethernet1
nameif outside
security-level 1
ip address 10.1.0.5 255.255.255.252
!
interface Ethernet2
nameif dmz
security-level 50
ip address 10.1.0.9 255.255.255.240
!
enable password iSoc161g.C0864Pz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname FP
domain-name Pekin
access-list 102 extended permit icmp any any
access-list 103 extended permit icmp any any
access-list 120 extended permit icmp 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255
.0
pager lines 24
mtu inside 1500
mtu outside 1500
mtu dmz 1500
monitor-interface inside
monitor-interface outside
monitor-interface dmz
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.1.0.64 255.255.255.192
nat (inside) 1 10.1.0.128 255.255.255.128
access-group 101 in interface inside
access-group 102 in interface outside
access-group 103 in interface dmz
route inside 10.1.0.64 255.255.255.192 10.1.0.129 1
route inside 10.1.0.0 255.255.255.252 10.1.0.129 1
route outside 0.0.0.0 0.0.0.0 10.1.0.6 1
timeout xlate 3:00:00
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map toBulle 10 match address 120
crypto map toBulle 10 set peer 20.0.0.1
crypto map toBulle 10 set transform-set strong
crypto map toBulle interface outside
isakmp enable outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash sha
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group 20.0.0.1 type ipsec-l2l
tunnel-group 20.0.0.1 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:d3eed4e75b7749e676452b725565bb46

Answer : Problem creating a VPN tunnel between 2 Cisco PIX firewalls

Check out our own Pete Long's web pages on this topic
http://www.petenetlive.com/Tech/Firewalls/Cisco/s2svpn.htm

>access-group 101 in interface inside
Do NOT apply an acl to the inside interface unless you want to restrict specific traffic. I don't even see an acl 101 defined in your config

I also do not see any nat zero acl or acl to define the VPN tunnel traffic. Use the VPN wizard and go through the steps in Pete's instructions.

BTW, 7.0(1) is pretty buggy. I highly suggest updating to 7.0(6) or better

Random Solutions

error 733 in VPN

mgmtdb.log - ds not working - can't log in... even to backup exec.

How do you save the running config to startup config on a 6509

What's a routingtabel?

Make specified applications use specified Network Connections on the machine.

Uplink Speed Slow

Folder mapping issue using Net Use command.

Embarq DSL is giving me a private 192.168.2.4 address does anyone know how to VPN through that address to my local LAN

sharetab file information

security report generated says ssl version 2 is not secure and soultion is to disable it