Verifying and Troubleshooting

After you configure the PIX for VPNs, the next step is to verify the configuration. The show,
clear, and debug commands are used to verify and troubleshoot your configuration.
Example 20-8 Minneapolis PIX Firewall Configuration (Continued)
failover ip address inside 0.0.0.0
arp timeout 14400
global (outside) 1 192.168.2.12-192.168.2.250 netmask 255.255.255.0
global (outside) 1 192.168.2.252 netmask 255.255.255.0
nat (inside) 1 10.20.10.0 255.255.255.0
!--- Do not NAT traffic to Reston HQ:
nat (inside) 0 access-list VPN
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip-media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
!--- Traffic to Reston HQ:
crypto map Dukem-Map 10 ipsec-isakmp
crypto map Dukem-Map 10 match address 110
crypto map Dukem-Map 10 set peer 192.168.1.2
crypto map Dukem-Map 10 set transform-set myset
crypto map Dukem-Map interface outside
isakmp enable outside
isakmp key ******** address 192.168.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:d962d33d245ad89fb7c9b4f0db3c2dc0
Task 6: Configuring a Remote-Access VPN to HQ 645
show Commands
• show crypto ipsec sa—Displays the current status of the IPSec security associations. This is useful in determining whether traffic is being encrypted.
• show crypto isakmp sa—Displays the current state of the Internet Key Exchange (IKE) security associations (SA).
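The two show commands above are usually read together: the IKE SA must be up (state QM_IDLE on a PIX) before an IPSec SA can carry traffic, and the encaps/decaps counters in show crypto ipsec sa tell you whether packets are actually being encrypted in each direction. The script below is an added example, not part of the book or of any Cisco tool; it parses constructed sample output laid out in the shape of PIX 6.x "show crypto ipsec sa" and "show crypto isakmp sa" (the sample counters, addresses and table layout are assumptions made for this example) and turns the counters into the verdict a troubleshooter would act on.

```python
import re

# Constructed sample in the shape of PIX 6.x "show crypto ipsec sa" output.
# Addresses match Example 20-8; the packet counters are invented for this example.
SAMPLE_IPSEC_SA = """\
interface: outside
    Crypto map tag: Dukem-Map, local addr. 192.168.2.252

   local  ident (addr/mask/prot/port): (10.20.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   current_peer: 192.168.1.2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 42, #pkts encrypt: 42, #pkts digest 42
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #send errors 3, #recv errors 0
"""

# Constructed sample in the shape of PIX 6.x "show crypto isakmp sa" output.
SAMPLE_ISAKMP_SA = """\
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
   192.168.1.2      192.168.2.252    QM_IDLE         0           1
"""


def parse_ipsec_sa(text):
    """Return one dict per IPSec SA: peer, proxy identities and packet counters."""
    sas, cur, pending = [], None, {}
    for line in text.splitlines():
        s = line.strip()
        # The local/remote ident lines precede current_peer, so hold them until then.
        m = re.match(r"(local|remote)\s+ident\s+\(addr/mask/prot/port\):\s*\((\S+)\)", s)
        if m:
            pending[m.group(1)] = m.group(2)
            continue
        m = re.match(r"current_peer:\s*(\S+)", s)
        if m:
            cur = {"peer": m.group(1), "local": pending.get("local"),
                   "remote": pending.get("remote"), "encaps": 0, "decaps": 0,
                   "send_errors": 0, "recv_errors": 0}
            sas.append(cur)
            pending = {}
            continue
        if cur is None:
            continue
        m = re.match(r"#pkts encaps:\s*(\d+)", s)
        if m:
            cur["encaps"] = int(m.group(1))
        m = re.match(r"#pkts decaps:\s*(\d+)", s)
        if m:
            cur["decaps"] = int(m.group(1))
        m = re.match(r"#send errors\s+(\d+),\s*#recv errors\s+(\d+)", s)
        if m:
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
    return sas


def parse_isakmp_sa(text):
    """Map each address in the dst/src columns to the IKE SA state on that row.
    Which column holds the peer depends on who initiated, so both are indexed."""
    states = {}
    ip = r"(\d+\.\d+\.\d+\.\d+)"
    for line in text.splitlines():
        m = re.match(r"\s*" + ip + r"\s+" + ip + r"\s+(\S+)", line)
        if m:
            states[m.group(1)] = m.group(3)
            states[m.group(2)] = m.group(3)
    return states


def diagnose(ipsec_text, isakmp_text):
    """Return {peer: verdict} combining the IKE state with the IPSec counters."""
    ike = parse_isakmp_sa(isakmp_text)
    verdicts = {}
    for sa in parse_ipsec_sa(ipsec_text):
        peer = sa["peer"]
        if ike.get(peer) != "QM_IDLE":
            # No established IKE SA: revisit isakmp key, policy and peer reachability.
            verdicts[peer] = "phase1-failed"
        elif sa["encaps"] == 0 and sa["decaps"] == 0:
            # IKE is up but nothing matched the crypto ACL (access-list 110 here).
            verdicts[peer] = "no-interesting-traffic"
        elif sa["decaps"] == 0:
            # We encrypt but nothing comes back: check the far end's crypto ACL/NAT.
            verdicts[peer] = "one-way"
        else:
            verdicts[peer] = "ok"
    return verdicts


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_IPSEC_SA):
        print(sa)
    print(diagnose(SAMPLE_IPSEC_SA, SAMPLE_ISAKMP_SA))
```

With the constructed sample the IKE SA is in QM_IDLE but only encaps is non-zero, so the verdict for 192.168.1.2 is "one-way": the Minneapolis PIX is encrypting traffic toward HQ and receiving nothing back, which points at the far side (its crypto ACL, NAT exemption or routing) rather than at Phase 1.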