Question : Problem creating a VPN tunnel between 2 Cisco PIX firewalls
I'm trying to configure a VPN tunnel through the internet between 2 Cisco PIX firewalls, but I'm getting errors from the debug modes of my routers. I'd appreciate any help you can provide for this issue.
Firewall 1's name is FB
Firewall 2's name is FP
The error message I get when I analyze the packets passing through is: "No proposal chosen"
My network setup is the following (too bad we can't upload screenshots in the question):
PIX Firewall - Cisco Router - Internet - Cisco Router - PIX Firewall
Here's the configuration of both firewalls
--------------------------------------------------------------------------
PIX Version 7.0(1)
names
!
interface Ethernet0
nameif inside
security-level 100
ip address 10.0.0.130 255.255.255.128
!
interface Ethernet1
nameif outside
security-level 1
ip address 10.0.0.5 255.255.255.252
!
interface Ethernet2
nameif dmz
security-level 50
ip address 10.0.0.9 255.255.255.240
!
enable password iSoc161g.C0864Pz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname FB
domain-name Bulle
access-list 102 extended permit icmp any any
access-list 103 extended permit icmp any any
access-list 110 extended permit icmp 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
mtu dmz 1500
monitor-interface inside
monitor-interface outside
monitor-interface dmz
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.0.0.64 255.255.255.192
nat (inside) 1 10.0.0.128 255.255.255.128
access-group 101 in interface inside
access-group 102 in interface outside
access-group 103 in interface dmz
route inside 10.0.0.0 255.255.255.252 10.0.0.129 1
route inside 10.0.0.64 255.255.255.192 10.0.0.129 1
route outside 0.0.0.0 0.0.0.0 10.0.0.6 1
timeout xlate 3:00:00
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map toPekin 20 match address 110
crypto map toPekin 20 set peer 30.0.0.2
crypto map toPekin 20 set transform-set strong
crypto map toPekin interface outside
isakmp enable outside
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash sha
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group 30.0.0.2 type ipsec-l2l
tunnel-group 30.0.0.2 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:f9dad96ac702684dbf487f0bf56b3db0
**************************************************************************
PIX Version 7.0(1)
names
!
interface Ethernet0
nameif inside
security-level 100
ip address 10.1.0.130 255.255.255.128
!
interface Ethernet1
nameif outside
security-level 1
ip address 10.1.0.5 255.255.255.252
!
interface Ethernet2
nameif dmz
security-level 50
ip address 10.1.0.9 255.255.255.240
!
enable password iSoc161g.C0864Pz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname FP
domain-name Pekin
access-list 102 extended permit icmp any any
access-list 103 extended permit icmp any any
access-list 120 extended permit icmp 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
mtu dmz 1500
monitor-interface inside
monitor-interface outside
monitor-interface dmz
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.1.0.64 255.255.255.192
nat (inside) 1 10.1.0.128 255.255.255.128
access-group 101 in interface inside
access-group 102 in interface outside
access-group 103 in interface dmz
route inside 10.1.0.64 255.255.255.192 10.1.0.129 1
route inside 10.1.0.0 255.255.255.252 10.1.0.129 1
route outside 0.0.0.0 0.0.0.0 10.1.0.6 1
timeout xlate 3:00:00
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map toBulle 10 match address 120
crypto map toBulle 10 set peer 20.0.0.1
crypto map toBulle 10 set transform-set strong
crypto map toBulle interface outside
isakmp enable outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash sha
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group 20.0.0.1 type ipsec-l2l
tunnel-group 20.0.0.1 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:d3eed4e75b7749e676452b725565bb46
Answer : Problem creating a VPN tunnel between 2 Cisco PIX firewalls
Check out our own Pete Long's web pages on this topic:
http://www.petenetlive.com/Tech/Firewalls/Cisco/s2svpn.htm
>access-group 101 in interface inside
Do NOT apply an ACL to the inside interface unless you want to restrict specific traffic. I don't even see an ACL 101 defined in your config.
I also do not see any nat zero ACL or an ACL to define the VPN tunnel traffic. Use the VPN wizard and go through the steps in Pete's instructions.
BTW, 7.0(1) is pretty buggy. I highly suggest updating to 7.0(6) or better
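Added example (not from the question or the answer, and not Cisco tooling): a small Python script that reads the relevant statements from both peers' configs and reports the two points the answer makes (an ACL applied with access-group but never defined, and no nat (inside) 0 exemption for the VPN traffic), then compares the two sides' ISAKMP policies, transform-sets and crypto ACLs, which are the parameters the peers must agree on before a "No proposal chosen" can be ruled out. The embedded sample configs are the question's own lines trimmed to the statements the checks read; parse_pix, diagnose and the other function names are hypothetical helpers written for this page.

```python
# Added example: static cross-checks of two PIX 7.x site-to-site VPN configs.
# parse_pix() and diagnose() are hypothetical helpers, not Cisco tooling.

# Constructed sample input: the question's two configs, trimmed to the statements the checks read.
FB_CONFIG = """\
hostname FB
access-list 110 extended permit icmp 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-group 101 in interface inside
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map toPekin 20 match address 110
crypto map toPekin 20 set transform-set strong
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash sha
isakmp policy 9 group 2
"""
FP_CONFIG = """\
hostname FP
access-list 120 extended permit icmp 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-group 101 in interface inside
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map toBulle 10 match address 120
crypto map toBulle 10 set transform-set strong
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash sha
isakmp policy 8 group 2
"""

def parse_pix(text):
    """Collect the ACL, NAT, crypto-map and ISAKMP statements of one PIX config."""
    cfg = {"hostname": "?", "acls": {}, "access_groups": [], "nat0": [],
           "transform_sets": {}, "crypto_maps": {}, "isakmp": {}}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "hostname":
            cfg["hostname"] = t[1]
        elif t[0] == "access-list":                 # access-list ID ... (tokens kept)
            cfg["acls"].setdefault(t[1], []).append(t)
        elif t[0] == "access-group":                # access-group ID in interface IF
            cfg["access_groups"].append(t[1])
        elif t[0] == "nat" and t[2] == "0" and "access-list" in t:
            cfg["nat0"].append(t[t.index("access-list") + 1])   # nat (IF) 0 access-list ID
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"][t[3]] = tuple(t[4:])
        elif t[:2] == ["crypto", "map"] and len(t) > 6 and t[3].isdigit():
            entry = cfg["crypto_maps"].setdefault((t[2], int(t[3])), {})
            if t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
            elif t[4:6] == ["set", "transform-set"]:
                entry["ts"] = t[6]
        elif t[:2] == ["isakmp", "policy"]:
            cfg["isakmp"].setdefault(t[2], {})[t[3]] = " ".join(t[4:])
    return cfg

def undefined_acl_refs(cfg):
    """ACL ids applied with access-group but never defined (the answer's first point)."""
    return sorted(a for a in cfg["access_groups"] if a not in cfg["acls"])

def crypto_acls(cfg):
    return {e["acl"] for e in cfg["crypto_maps"].values() if "acl" in e}

def vpn_traffic_exempt_from_nat(cfg):
    """True only if every crypto-map ACL is also used by nat (inside) 0 (the answer's second point)."""
    return bool(crypto_acls(cfg)) and crypto_acls(cfg) <= set(cfg["nat0"])

def phase1_proposals(cfg):
    """ISAKMP policies as (auth, encryption, hash, DH group) tuples; peers need one in common."""
    keys = ("authentication", "encryption", "hash", "group")
    return {tuple(p.get(k) for k in keys) for p in cfg["isakmp"].values()}

def phase2_proposals(cfg):
    """Transform-sets the crypto map offers; peers need one in common."""
    return {cfg["transform_sets"][e["ts"]] for e in cfg["crypto_maps"].values() if "ts" in e}

def crypto_flows(cfg):
    """(proto, src, smask, dst, dmask) tuples of the crypto ACLs (network/mask form only)."""
    return {tuple(t[4:9]) for acl in crypto_acls(cfg) for t in cfg["acls"].get(acl, [])}

def crypto_acls_mirror(cfg_a, cfg_b):
    """Each side's crypto ACL must be the other's with source and destination swapped."""
    mirrored = {(p, d, dm, s, sm) for p, s, sm, d, dm in crypto_flows(cfg_b)}
    return bool(mirrored) and crypto_flows(cfg_a) == mirrored

def diagnose(cfg_a, cfg_b):
    """Human-readable findings for a pair of peers; an empty list means all checks passed."""
    out = []
    for cfg in (cfg_a, cfg_b):
        for acl in undefined_acl_refs(cfg):
            out.append(f"{cfg['hostname']}: access-group applies ACL {acl} but no access-list {acl} exists")
        if not vpn_traffic_exempt_from_nat(cfg):
            out.append(f"{cfg['hostname']}: crypto-map ACL is not exempted from NAT with nat (inside) 0")
    for what, fn in (("ISAKMP (phase 1) policy", phase1_proposals),
                     ("IPsec transform-set (phase 2)", phase2_proposals)):
        if not fn(cfg_a) & fn(cfg_b):
            out.append(f"peers share no {what}")
    if not crypto_acls_mirror(cfg_a, cfg_b):
        out.append("crypto ACLs are not mirror images of each other")
    return out

if __name__ == "__main__":
    print("\n".join(diagnose(parse_pix(FB_CONFIG), parse_pix(FP_CONFIG))))
```

Run against the two configs in the question, the script reports exactly the answer's two findings for each firewall (ACL 101 applied but undefined, no nat (inside) 0 for the crypto ACL) and confirms that the phase 1 policies, the transform-sets and the mirrored crypto ACLs already agree, so those are not where the mismatch lies. Adding a `nat (inside) 0 access-list 110` line to the FB sample clears that finding, which is the quickest way to see what the answer's "nat zero acl" refers to.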