Hi, I have been trying to set this up at the office for the past 2 weeks without success. The proposed setup is like this:
VPN Client -> Internet -> 2600 Router (with static nat) -> PIX 515 -> Intranet
Currently the 2600 router is configured with static NAT for the PIX, and the VPN client can ping the PIX. I have tried this setup, VPN Client -> PIX 515 -> Intranet, and it works perfectly. But once I introduce the router with static NAT it does not work. To make sure that it is not an ACL problem I permitted all traffic to the PIX; I have also permitted all IP any any on the outside of the PIX. The client is a Windows XP with SP2 default VPN client. I have given this question 500 points as I really need to get this up and running urgently. Does anyone have any solutions or has anyone done a similar configuration? Please help. Thanks a lot.
The PIX configuration for VPN :-
PIX Version 6.3(1)
.
.
ip address outside 192.168.1.121 255.255.255.248
nat (inside) 0 access-list Nat0Inside
access-list Nat0Inside permit ip 192.168.X.X 255.255.255.0 any
ip local pool vpnpool 192.168.X.X-192.168.X.X
sysopt connection permit-ipsec
sysopt connection permit-l2tp
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto dynamic-map vpn_dyn_map 20 set transform-set TRANS_ESP_DES_MD5
crypto map outside_map 65535 ipsec-isakmp dynamic vpn_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
ca identity mssvr x.x.x.x:/certsrv/mscep/mscep.dll
ca configure mssvr ra 1 20 crloptional
vpdn group vpn-group accept dialin l2tp
vpdn group vpn-group ppp authentication chap
vpdn group vpn-group ppp authentication mschap
vpdn group vpn-group client configuration address local vpnpool
vpdn group vpn-group client configuration dns x.x.x.x
vpdn group vpn-group client authentication aaa RadiusSvr
vpdn enable outside
2600 Router configuration :-
interface FastEthernet0/0
ip address 192.168.1.122 255.255.255.248
ip nat inside
duplex auto
speed auto
!
interface Serial0/0
ip address X.X.X.X X.X.X.X
ip nat outside
!
interface Serial0/1
no ip address
shutdown
!
ip nat pool vpnnatpool x.x.x.x x.x.x.x netmask x.x.x.x
ip nat inside source list 1 pool vpnnatpool
ip nat inside source static 192.168.1.121 x.x.x.x
The debug output :-
crypto_isakmp_process_block:src:x.x.x.x, dest:192.168.1.121 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: unknown DH group 14
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 20 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 20 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 1
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a MSWIN2K client
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing RSA signature authentication using id type ID_FQDN
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.x.x, dest:192.168.1.121 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match MINE hash
hash received: 2d f 20 56 7f 32 2a 16 f0 f1 6 4a 36 c2 19 c7
my nat hash : 24 da 2d c8 97 da ab 7 42 55 b1 43 15 5a 7 59
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match HIS hash
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.x.x, dest:192.168.1.121 spt:4500 dpt:4500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing CERT payload. message ID = 0
ISAKMP (0): processing a CT_X509_SIGNATURE cert
ISAKMP (0): cert approved with warning
ISAKMP (0): processing SIG payload. message ID = 0
ISAKMP (0): processing CERT_REQ payload. message ID = 0
ISAKMP (0): peer wants a CT_X509_SIGNATURE cert
ISAKMP (0): SA has been authenticated
ISAKMP: Locking UDP_ENC struct 0x1139a6c from crypto_ikmp_udp_enc_ike_init, count 1
ISAKMP (0): ID payload
next-payload : 6
type : 2
protocol : 17
port : 0
length : 21
ISAKMP (0): Total payload length: 25
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.x.x, dest:192.168.1.121 spt:4500 dpt:4500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2346434647
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
ISAKMP: encaps is 61444
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts not acceptable. Next payload is 3
ISAKMP: transform 2, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
ISAKMP: encaps is 61444
ISAKMP: authenticator is HMAC-SHA
ISAKMP (0): atts not acceptable. Next payload is 3
ISAKMP: transform 3, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
ISAKMP: encaps is 61444
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP (0): processing NONCE payload. message ID = 2346434647
ISAKMP (0): processing ID payload. message ID = 2346434647
ISAKMP (0): unknown src id_type 2
return status is IKMP_ERR_RETRANS
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:x.x.x.x/4500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:x.x.x.x/4500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:x.x.x.x, dest:192.168.1.121 spt:4500 dpt:4500
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
--------------------------
IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 1) not supported
IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 2) not supported
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 192.168.1.121, src= x.x.x.x,
dest_proxy= 192.168.1.121/255.255.255.255/0/0 (type=1),
src_proxy= x.x.x.x/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x800
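To show what the "NAT does not match MINE hash" / "NAT match HIS hash" / "Detected port floating" lines in the debug above are reporting, here is an added Python example (not from the original post, not Cisco code) that computes RFC 3947 NAT-D hashes the way the responder does. The cookies are arbitrary, and 203.0.113.10 / 198.51.100.7 are constructed placeholders for the 2600's static NAT address and the XP client; 192.168.1.121 is the PIX outside address from the config.

```python
import hashlib
import ipaddress
import struct


def natd_hash(hash_name: str, cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload body per RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port),
    using the Phase 1 hash that was negotiated (MD5 for the policy 20 shown above)."""
    h = hashlib.new(hash_name)
    h.update(cky_i)
    h.update(cky_r)
    h.update(ipaddress.ip_address(ip).packed)  # address in network byte order
    h.update(struct.pack("!H", port))          # 2-byte port in network byte order
    return h.digest()


def responder_nat_detection(hash_name, cky_i, cky_r, received_natd,
                            my_ip, my_port, observed_src_ip, observed_src_port):
    """Responder's view of the initiator's NAT-D payloads: received_natd[0] hashes the
    address the initiator sent to (checked against my own interface, the 'MINE' line);
    the rest hash the initiator's own addresses (checked against the packet's
    observed source, the 'HIS' line)."""
    mine = natd_hash(hash_name, cky_i, cky_r, my_ip, my_port)
    his = natd_hash(hash_name, cky_i, cky_r, observed_src_ip, observed_src_port)
    mine_matches = received_natd[0] == mine
    his_matches = his in received_natd[1:]
    return {
        "local_behind_nat": not mine_matches,   # my real address != what the peer addressed
        "peer_behind_nat": not his_matches,     # peer's real address != source seen on the wire
        "float_to_4500": not (mine_matches and his_matches),  # any NAT => UDP 4500 encapsulation
    }


def demo():
    # Constructed values: cookies are arbitrary, 203.0.113.10 stands in for the
    # 2600's static NAT address and 198.51.100.7 for the XP client (documentation ranges).
    cky_i, cky_r = bytes(range(8)), bytes(range(8, 16))
    pix_outside = "192.168.1.121"          # PIX interface address from the config above
    nat_public, client = "203.0.113.10", "198.51.100.7"
    # The client hashes the peer address it knows (the public NAT address), then its own.
    client_natd = [
        natd_hash("md5", cky_i, cky_r, nat_public, 500),
        natd_hash("md5", cky_i, cky_r, client, 500),
    ]
    # The PIX checks the first against its own interface address and the rest
    # against the packet's observed source, which here is the client, unchanged.
    return responder_nat_detection("md5", cky_i, cky_r, client_natd,
                                   pix_outside, 500, client, 500)
```

With the PIX sitting behind the router's static NAT, the MINE check fails while the HIS check passes, which is exactly the pattern in the debug, and the mismatch is what drives the move to UDP 4500.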