Question : Pix 501 site to site configuration issues.

I have an interesting problem with a site to site VPN configuration. On "my" side there is a Pix 501. On the "other" side there is a WatchGuard Firebox. For some reason, on my configuration I am unable to establish the phase 1 config. To establish the communication to the other side I start a ping from a computer on my LAN to a computer on the other LAN. I run the "debug crypto isakmp" command and I would expect to see the negotiations from my end to the other for the different phases. I have attached the config; A.B.C is the address for my side's outside interface and X.Y.Z is the address for the other side's outside interface. Here is the config. Thanks for any advice in advance.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password mfaQF/BNUQlUjFmk encrypted
passwd mfaQF/BNUQlUjFmk encrypted
hostname FM-Pix501
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.31.41.0 max
access-list 101 permit icmp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq 4500
access-list 101 permit esp any any
access-list outside_cryptomap_30 permit ip 172.16.0.0 255.255.255.0 max 255.255.255.0
access-list outside_cryptomap_30 permit ip any 10.1.1.0 255.255.255.192
access-list fmTunnelAcl permit ip 172.16.0.0 255.255.255.0 any
pager lines 24
logging console debugging
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside A.B.C.54 255.255.255.0
ip address inside 172.16.0.2 255.255.252.0
ip audit info action alarm
ip audit attack action alarm
ip local pool FM 10.1.1.1-10.1.1.50
pdm location 172.16.0.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list outside_cryptomap_30
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 69.95.78.1 1
route inside 172.16.1.0 255.255.255.0 172.16.0.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
crypto map outside-map 30 ipsec-isakmp
crypto map outside-map 30 match address outside_cryptomap_30
crypto map outside-map 30 set peer 216.117.10.2
crypto map outside-map 30 set transform-set ESP-3DES-SHA
isakmp enable outside
isakmp key ******** address X.Y.Z.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup fmv address-pool FMP
vpngroup fmv dns-server 172.16.0.253
vpngroup fmv default-domain familymed.local
vpngroup fmv split-tunnel fmvpn_splitTunnelAcl
vpngroup fmv idle-time 1800
vpngroup fmv password ********
telnet 172.16.0.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 172.16.0.0 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd ping_timeout 750
dhcpd auto_config outside
username Bobb password oigZIdYXVh9Vg/i/p encrypted privilege 2
terminal width 80
Cryptochecksum:5e986a2f416d4cfb0df259412c4e0c7d
: end

Answer : Pix 501 site to site configuration issues.

First, assuming that the LAN on the remote side of the tunnel is 172.31.41.0/24, you shouldn't have this ACL statement that defines your remote access VPN pool as the destination in your site-to-site crypto ACL and it should be removed:
access-list outside_cryptomap_30 permit ip any 10.1.1.0 255.255.255.192
Are you not receiving any messages from the debug? You should if you are trying to ping across the tunnel.
Have you verified the Phase I parameters that are running on the WG FW? You will have to get these from the remote firewall administrator. If you are unable to verify the settings, then I would add a few more Phase I policies to the PIX config just to see if any of them connect. See the example isakmp policies below to add to your PIX configuration:
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 1
isakmp policy 40 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
isakmp policy 60 authentication pre-share
isakmp policy 60 encryption des
isakmp policy 60 hash md5
isakmp policy 60 group 1
isakmp policy 60 lifetime 86400
isakmp policy 70 authentication pre-share
isakmp policy 70 encryption des
isakmp policy 70 hash sha
isakmp policy 70 group 1
isakmp policy 70 lifetime 86400
isakmp policy 80 authentication pre-share
isakmp policy 80 encryption des
isakmp policy 80 hash sha
isakmp policy 80 group 2
isakmp policy 80 lifetime 86400

All I've done is vary the 3 Phase I parameters of encryption, hash and DH group number so that you have all combinations of either 3des or des encryption, md5 or sha hashing, and DH group 1 or DH group 2 for the key exchange. In the absence of knowing the specific policy that is set up on the WG FW, one of these may work.
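A check worth running before adding more Phase I policies, as an added example that is not part of this thread: the Python script below parses a constructed excerpt of the config posted in the question and flags names that do not line up with each other. It assumes the PIX 6.3 rule that a crypto map entry is only consulted when its exact map name is bound with `crypto map <name> interface`, so an entry under `outside-map` (hyphen) is never applied while `outside_map` (underscore) is the set on the outside interface, and a ping across the tunnel would then never trigger any ISAKMP negotiation.

```python
import re

# Constructed excerpt of the PIX 6.3 config posted in the question above.
PIX_CONFIG = """\
access-list outside_cryptomap_30 permit ip 172.16.0.0 255.255.255.0 max 255.255.255.0
ip local pool FM 10.1.1.1-10.1.1.50
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map outside-map 30 ipsec-isakmp
crypto map outside-map 30 match address outside_cryptomap_30
crypto map outside-map 30 set peer 216.117.10.2
crypto map outside-map 30 set transform-set ESP-3DES-SHA
isakmp key ******** address X.Y.Z.2 netmask 255.255.255.255 no-xauth no-config-mode
vpngroup fmv address-pool FMP
"""


def check_pix_crypto(config):
    """Return findings for crypto map entries not bound to any interface,
    peers without a pre-shared key, and dangling ACL / pool names.
    Assumes PIX 6.3 semantics: only the map set named in
    'crypto map <name> interface <if>' is ever consulted for traffic."""
    bound, entries, acls, pools, keys, findings = set(), {}, set(), set(), set(), []
    for line in (ln.strip() for ln in config.splitlines()):
        if m := re.match(r"crypto map (\S+) interface ", line):
            bound.add(m[1])
        elif m := re.match(r"crypto map (\S+) (\d+) (.*)", line):
            entries.setdefault(m[1], {}).setdefault(int(m[2]), []).append(m[3])
        elif m := re.match(r"access-list (\S+) ", line):
            acls.add(m[1])
        elif m := re.match(r"ip local pool (\S+) ", line):
            pools.add(m[1])
        elif m := re.match(r"isakmp key \S+ address (\S+)", line):
            keys.add(m[1])
        elif m := re.match(r"vpngroup \S+ address-pool (\S+)", line):
            if m[1] not in pools:
                findings.append(f"vpngroup references unknown pool {m[1]}")
    for name, seqs in entries.items():
        for seq, cmds in seqs.items():
            if name not in bound:
                findings.append(f"crypto map {name} {seq} is not applied to any interface")
            for cmd in cmds:
                if (p := re.match(r"set peer (\S+)", cmd)) and p[1] not in keys:
                    findings.append(f"crypto map {name} {seq}: no isakmp key for peer {p[1]}")
                if (a := re.match(r"match address (\S+)", cmd)) and a[1] not in acls:
                    findings.append(f"crypto map {name} {seq}: ACL {a[1]} not defined")
    return findings
```

Against the excerpt it reports three findings: the unbound `outside-map 30` entry, the peer 216.117.10.2 with no matching isakmp key (possibly only the partial anonymisation of X.Y.Z.2 in the post), and the vpngroup pool FMP where the pool is defined as FM.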