mazzarito
asked on
Cisco SR 520 site-to-site VPN with PIX
Currently trying to set up a site-to-site VPN between an SR520 and a PIX501 unit... The PIX currently says it's connected, but I'm really not familiar with the SR520 and I'm unsure how to even view connections from that end... Here is the config for the SR520:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
hostname mvpmain
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$e98I$bzbldgUfjhDM2c4wFOB911
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login Foxtrot_sdm_easyvpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network Foxtrot_sdm_easyvpn_group_ml_1 local
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
!
crypto pki trustpoint TP-self-signed-566879410
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-566879410
revocation-check none
rsakeypair TP-self-signed-566879410
!
!
crypto pki certificate chain TP-self-signed-566879410
certificate self-signed 01
3082023B 308201A4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 35363638 37393431 30301E17 0D303230 33303130 30303530
335A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3536 36383739
34313030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
A4226A8B 5B8B0D56 64BDE87A F1B53031 84D37534 6ED4EE43 3C936F8E 9F5323E2
80CE7183 556DC5E1 FBED1139 DCC1EBAA 53DB35ED C7F171C0 53BF16F0 46EBF06D
09556CFC 6539010D D7C35335 43DF6846 1A39A8B5 09E57D65 56E7E79D ABB65978
DE6C0187 42A25AC3 E178379E AB987F35 F7E9D08C 55FA7C64 CF79EC55 30721445
02030100 01A36530 63300F06 03551D13 0101FF04 05300301 01FF3010 0603551D
11040930 07820553 52353230 301F0603 551D2304 18301680 1412530A 4D66A0C5
F643D6C8 A482EEDA 76C14589 5A301D06 03551D0E 04160414 12530A4D 66A0C5F6
43D6C8A4 82EEDA76 C145895A 300D0609 2A864886 F70D0101 04050003 81810096
D9A809B6 A75E820F 1FF354DE AF14AFC8 70F47F41 8F4CA1F7 4CBE8CE0 17D45EB3
C4A4EDB8 428DBF9E C2F1F47E 2245EA57 A41C7458 2FBD8FA4 C2449912 B1A07B47
54F8988A CA796307 A97FE70C C5B3B18E 56FC4180 9935C7DD 49083894 CDEB6761
8CEA92A6 FC514A78 4194C6B6 F75ABAE0 7319F953 32BDF0DF CCC73CEA 280AB0
quit
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.75.1 192.168.75.10
ip dhcp excluded-address 192.168.0.1 192.168.0.10
!
ip dhcp pool inside
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server xxx.xxx.1.1
!
!
ip cef
ip name-server xxx.xxx.1.1
ip name-server xxx.xxx.1.2
ip inspect log drop-pkt
!
no ipv6 cef
multilink bundle-name authenticated
parameter-map type inspect z1-z2-pmap
audit-trail on
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
!
!
username mavp privilege 15 secret 5 $1$7Jiu$D9URDehuIxSIii5ykvtO/0
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key letmvpin address xxx.xxx.xxx.50
!
crypto isakmp client configuration group EZVPN_GROUP_1
key mvpvpn55
dns 192.168.0.220 192.168.0.221
pool SDM_POOL_1
acl 101
save-password
max-users 10
crypto isakmp profile sdm-ike-profile-1
match identity group EZVPN_GROUP_1
client authentication list Foxtrot_sdm_easyvpn_xauth_ml_1
isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1
client configuration address respond
virtual-template 2
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set mvpstatic esp-3des esp-md5-hmac
crypto ipsec transform-set mvpclient esp-3des esp-md5-hmac
!
crypto ipsec profile SDM_Profile1
set security-association lifetime seconds 3600
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
crypto map VPNSTATIC 10 ipsec-isakmp
set peer xxx.xxx.xxx.50
set transform-set mvpstatic
set pfs group2
match address crypto-list
!
archive
log config
hidekeys
!
!
!
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect imap match-any sdm-app-imap
match invalid-command
class-map type inspect match-any sdm-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect gnutella match-any sdm-app-gnutella
match file-transfer
class-map type inspect match-any SDM-Voice-permit
match protocol sip
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect ymsgr match-any sdm-app-yahoo-otherservices
match service any
class-map type inspect msnmsgr match-any sdm-app-msn-otherservices
match service any
class-map type inspect match-all sdm-protocol-pop3
match protocol pop3
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any sdm-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any sdm-app-aol-otherservices
match service any
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect pop3 match-any sdm-app-pop3
match invalid-command
class-map type inspect match-all sdm-nat-h323-1
match access-group 104
match protocol h323
class-map type inspect kazaa2 match-any sdm-app-kazaa2
match file-transfer
class-map type inspect match-all sdm-protocol-p2p
match class-map sdm-cls-protocol-p2p
class-map type inspect http match-any sdm-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
class-map type inspect match-all SDM-inspect-staticnat-in
match access-group name staticnat
class-map type inspect match-all sdm-protocol-im
match class-map sdm-cls-protocol-im
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect ymsgr match-any sdm-app-yahoo
match service text-chat
class-map type inspect msnmsgr match-any sdm-app-msn
match service text-chat
class-map type inspect edonkey match-any sdm-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect match-all dhcp_out_self
match access-group name dhcp-resp-permit
class-map type inspect match-all dhcp_self_out
match access-group name dhcp-req-permit
class-map type inspect http match-any sdm-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect edonkey match-any sdm-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect http match-any sdm-http-allowparam
match request port-misuse tunneling
class-map type inspect fasttrack match-any sdm-app-fasttrack
match file-transfer
class-map type inspect match-all sdm-protocol-http
match protocol http
class-map type inspect match-all sdm-nat-sip-2
match access-group 103
match protocol sip
class-map type inspect match-all sdm-nat-sip-1
match access-group 102
match protocol sip
class-map type inspect edonkey match-any sdm-app-edonkeydownload
match file-transfer
class-map type inspect match-all sdm-protocol-imap
match protocol imap
class-map type inspect aol match-any sdm-app-aol
match service text-chat
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect dhcp_self_out
pass
class type inspect sdm-cls-icmp-access
inspect
class class-default
pass
policy-map type inspect p2p sdm-action-app-p2p
class type inspect edonkey sdm-app-edonkeychat
log
allow
class type inspect edonkey sdm-app-edonkeydownload
log
allow
class type inspect fasttrack sdm-app-fasttrack
log
allow
class type inspect gnutella sdm-app-gnutella
log
allow
class type inspect kazaa2 sdm-app-kazaa2
log
allow
policy-map type inspect http sdm-action-app-http
class type inspect http sdm-http-blockparam
log
reset
class type inspect http sdm-app-httpmethods
log
reset
class type inspect http sdm-http-allowparam
log
allow
policy-map type inspect imap sdm-action-imap
class type inspect imap sdm-app-imap
log
policy-map type inspect pop3 sdm-action-pop3
class type inspect pop3 sdm-app-pop3
log
policy-map type inspect im sdm-action-app-im
class type inspect aol sdm-app-aol
log
allow
class type inspect msnmsgr sdm-app-msn
log
allow
class type inspect ymsgr sdm-app-yahoo
log
allow
class type inspect aol sdm-app-aol-otherservices
log
reset
class type inspect msnmsgr sdm-app-msn-otherservices
log
reset
class type inspect ymsgr sdm-app-yahoo-otherservices
log
reset
policy-map type inspect sdm-inspect
class type inspect SDM-Voice-permit
pass
class type inspect sdm-cls-insp-traffic
inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-protocol-http
inspect z1-z2-pmap
service-policy http sdm-action-app-http
class type inspect sdm-protocol-imap
inspect
service-policy imap sdm-action-imap
class type inspect sdm-protocol-pop3
inspect
service-policy pop3 sdm-action-pop3
class type inspect sdm-protocol-p2p
inspect
service-policy p2p sdm-action-app-p2p
class type inspect sdm-protocol-im
inspect
service-policy im sdm-action-app-im
class class-default
pass
policy-map type inspect sdm-inspect-voip-in
class type inspect SDM-inspect-staticnat-in
pass
class type inspect SDM-Voice-permit
pass
class type inspect sdm-nat-sip-1
inspect
class type inspect sdm-nat-sip-2
inspect
class type inspect sdm-nat-h323-1
inspect
class class-default
drop
policy-map type inspect sdm-permit
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class type inspect dhcp_out_self
pass
class class-default
drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-in source out-zone destination in-zone
service-policy type inspect sdm-inspect-voip-in
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
!
!
!
interface FastEthernet0
switchport access vlan 75
!
interface FastEthernet1
switchport access vlan 75
!
interface FastEthernet2
switchport access vlan 75
!
interface FastEthernet3
switchport access vlan 75
!
interface FastEthernet4
description $FW_OUTSIDE$
ip address xxx.xxx.60.102 255.255.255.248
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
crypto map VPNSTATIC
!
interface Virtual-Template2 type tunnel
ip unnumbered Vlan75
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
no ip address
!
interface Vlan75
description $FW_INSIDE$
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
ip local pool SDM_POOL_1 10.10.10.1 10.10.10.15
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxx.xxx.60.97
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static udp 192.168.75.2 5060 interface FastEthernet4 5060
ip nat inside source static tcp 192.168.75.2 1720 interface FastEthernet4 1720
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended SDM_IP
remark SDM_ACL Category=1
permit ip any any
ip access-list extended crypto-list
permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended dhcp-req-permit
remark SDM_ACL Category=1
permit udp any eq bootpc any eq bootps
ip access-list extended dhcp-resp-permit
remark SDM_ACL Category=1
permit udp any eq bootps any eq bootpc
ip access-list extended staticnat
remark SDM_ACL Category=1
permit tcp any host xxx.xxx.60.102 eq 5060
permit udp any host xxx.xxx.60.102 eq 5060
permit tcp any host xxx.xxx.60.102 eq 1720
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip xxx.xxx.60.96 0.0.0.7 any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.75.2
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.75.2
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 192.168.75.2
access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
!
!
!
!
route-map nonat permit 10
match ip address 110
!
!
control-plane
!
banner login ^CSR520 Base Config - MFG 1.0 ^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
end
PIX 501 Configuration:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password q6aOW4oqCTXeVaBr encrypted
passwd q6aOW4oqCTXeVaBr encrypted
hostname MVPNC-PIX
domain-name mvp.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list VPN_NONAT permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list VPN_Static permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.202.50 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.0 255.255.255.0 outside
pdm location xxx.xxx.60.96 255.255.255.248 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list VPN_NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.202.49 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set mvpstatic esp-3des esp-md5-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address VPN_Static
crypto map vpnmap 10 set peer xxx.xxx.60.102
crypto map vpnmap 10 set transform-set mvpstatic
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.60.102 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
dhcprelay server 192.168.0.221 outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 90
terminal width 100
Cryptochecksum:d7f83581d6e0f0b04cee9a285683cdf1
Currently on the PIX:
MVPNC-PIX# show isakmp sa
Total     : 1
Embryonic : 0
dst              src              state    pending  created
xxx.xxx.xxx.102  xxx.xxx.xxx.50   QM_IDLE  0        1
Any help would be appreciated; I know that the SR520 configuration in particular is a complete mess...
Thanks again.
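Added example (not part of the question above, and not Cisco tooling or the poster's code): a small Python script that parses the crypto-relevant lines of both configs as posted and checks the things two IPsec peers have to agree on before traffic flows: an ISAKMP (phase 1) policy both sides accept, identical transform sets, crypto ACLs that mirror each other, the same PFS setting, and, on the IOS side, whether the NAT exemption route-map is actually referenced by the NAT statement. The two config strings are copied from the SR520 and PIX 501 configs above with the poster's xxx.xxx redactions kept; every function name is the example's own.

```python
"""Added example (not Cisco or the poster's code): cross-check the SR520 and PIX 501 crypto settings posted above."""
import ipaddress
import re

IOS_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set mvpstatic esp-3des esp-md5-hmac
crypto map VPNSTATIC 10 ipsec-isakmp
 set transform-set mvpstatic
 set pfs group2
 match address crypto-list
ip nat inside source list 1 interface FastEthernet4 overload
ip access-list extended crypto-list
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
route-map nonat permit 10
"""
PIX_CONFIG = """\
access-list VPN_Static permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
crypto ipsec transform-set mvpstatic esp-3des esp-md5-hmac
crypto map vpnmap 10 match address VPN_Static
crypto map vpnmap 10 set transform-set mvpstatic
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
"""
# What IOS assumes for any parameter an isakmp policy leaves unspecified
IOS_ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

def wildcard_to_net(addr, wildcard):
    """IOS ACLs use inverted (wildcard) masks; flip the bits to get the netmask ipaddress expects."""
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))}", strict=False)

def parse_ios(text):
    cfg = {"ts": {}, "acls": {}, "isakmp": {}, "map": {"pfs": None}, "route_maps": set(), "nat": None}
    section = None  # (kind, name) of the indented block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith(" "):  # sub-command belonging to `section`
            kind, name = section or (None, None)
            if kind == "isakmp":
                key, _, value = line.partition(" ")
                cfg["isakmp"][name]["encryption" if key == "encr" else key] = value
            elif kind == "map" and (m := re.match(r"(set transform-set|set pfs|match address) (\S+)", line)):
                cfg["map"][m[1].split()[1]] = m[2]  # keys: transform-set, pfs, address
            elif kind == "acl" and (m := re.match(r"permit ip (\S+) (\S+) (\S+) (\S+)", line)):
                cfg["acls"][name].append((wildcard_to_net(m[1], m[2]), wildcard_to_net(m[3], m[4])))
            continue
        section = None  # a top-level command closes whatever block was open
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["ts"][m[1]] = m[2]
        elif m := re.match(r"crypto isakmp policy (\d+)", line):
            section, cfg["isakmp"][m[1]] = ("isakmp", m[1]), dict(IOS_ISAKMP_DEFAULTS)
        elif re.match(r"crypto map \S+ \d+ ipsec-isakmp", line):
            section = ("map", None)
        elif m := re.match(r"ip access-list extended (\S+)", line):
            section, cfg["acls"][m[1]] = ("acl", m[1]), []
        elif m := re.match(r"route-map (\S+)", line):
            cfg["route_maps"].add(m[1])
        elif m := re.match(r"ip nat inside source (list|route-map) (\S+)", line):
            cfg["nat"] = (m[1], m[2])
    return cfg

def parse_pix(text):
    cfg = {"ts": {}, "acls": {}, "isakmp": {}, "map": {"pfs": None}}
    for line in text.splitlines():
        if m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            src, dst = (ipaddress.IPv4Network(f"{a}/{mask}", strict=False) for a, mask in ((m[2], m[3]), (m[4], m[5])))
            cfg["acls"].setdefault(m[1], []).append((src, dst))  # PIX ACLs carry ordinary netmasks
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["ts"][m[1]] = m[2]
        elif m := re.match(r"crypto map \S+ \d+ (set transform-set|set pfs|match address) ?(\S*)", line):
            cfg["map"][m[1].split()[1]] = m[2] or "group1"  # a bare `set pfs` means group1 on PIX
        elif m := re.match(r"isakmp policy (\d+) (\S+) (\S+)", line):
            cfg["isakmp"].setdefault(m[1], {})[m[2]] = m[3]
    return cfg

def compare(ios, pix):
    """List what the two peers disagree on; an empty list means the proposals line up."""
    findings = []
    ios_ts, pix_ts = ios["ts"].get(ios["map"].get("transform-set")), pix["ts"].get(pix["map"].get("transform-set"))
    if ios_ts != pix_ts:
        findings.append(f"transform-set mismatch: IOS '{ios_ts}' vs PIX '{pix_ts}'")
    if ios["map"]["pfs"] != pix["map"]["pfs"]:
        findings.append(f"PFS mismatch: IOS {ios['map']['pfs']} vs PIX {pix['map']['pfs']}")
    ios_acl, pix_acl = ios["acls"].get(ios["map"].get("address"), []), pix["acls"].get(pix["map"].get("address"), [])
    if {(dst, src) for src, dst in ios_acl} != set(pix_acl):  # the peer's ACL must be the exact mirror
        findings.append("crypto ACLs are not mirror images of each other")
    offers = lambda c: {(p.get("encryption"), p.get("hash"), p.get("authentication"), p.get("group")) for p in c["isakmp"].values()}
    if not offers(ios) & offers(pix):
        findings.append("no ISAKMP policy acceptable to both peers")
    if ios["route_maps"] and ios["nat"] and ios["nat"][0] == "list":
        findings.append(f"IOS NAT is keyed on access-list {ios['nat'][1]} rather than route-map {min(ios['route_maps'])}: "
                        "VPN-bound packets are translated before the crypto map sees them")
    return findings

if __name__ == "__main__":
    print("\n".join(compare(parse_ios(IOS_CONFIG), parse_pix(PIX_CONFIG)) or ["no mismatches found"]))
```

Run against the posted lines it reports two differences that can be read straight off the two configs: the SR520 map has `set pfs group2` while `crypto map vpnmap 10` on the PIX has no `set pfs` line (a peer with PFS configured requires the other side to offer it, so whether phase 2 completes depends on which side initiates), and `route-map nonat` is defined but `ip nat inside source list 1 ...` is keyed on access-list 1, so 192.168.0.0/24 traffic bound for 192.168.1.0/24 is translated to the FastEthernet4 address before the crypto map is consulted and no longer matches `crypto-list`. The script knows nothing about the zone-based firewall; decrypted traffic arriving on FastEthernet4 is still subject to the out-zone to in-zone policy `sdm-inspect-voip-in`, whose class-default is `drop`.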
ip nat inside source static udp 192.168.75.2 5060 interface FastEthernet4 5060
ip nat inside source static tcp 192.168.75.2 1720 interface FastEthernet4 1720
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended SDM_IP
remark SDM_ACL Category=1
permit ip any any
ip access-list extended crypto-list
permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended dhcp-req-permit
remark SDM_ACL Category=1
permit udp any eq bootpc any eq bootps
ip access-list extended dhcp-resp-permit
remark SDM_ACL Category=1
permit udp any eq bootps any eq bootpc
ip access-list extended staticnat
remark SDM_ACL Category=1
permit tcp any host xxx.xxx.60.102 eq 5060
permit udp any host xxx.xxx.60.102 eq 5060
permit tcp any host xxx.xxx.60.102 eq 1720
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip xxx.xxx.60.96 0.0.0.7 any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.75.2
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.75.2
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 192.168.75.2
access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
!
!
!
!
route-map nonat permit 10
match ip address 110
!
!
control-plane
!
banner login ^CSR520 Base Config - MFG 1.0 ^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
end
PIX 501 Configuration:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password q6aOW4oqCTXeVaBr encrypted
passwd q6aOW4oqCTXeVaBr encrypted
hostname MVPNC-PIX
domain-name mvp.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list VPN_NONAT permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list VPN_Static permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.202.50 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.0 255.255.255.0 outside
pdm location xxx.xxx.60.96 255.255.255.248 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list VPN_NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.202.49 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set mvpstatic esp-3des esp-md5-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address VPN_Static
crypto map vpnmap 10 set peer xxx.xxx.60.102
crypto map vpnmap 10 set transform-set mvpstatic
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.60.102 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
dhcprelay server 192.168.0.221 outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 90
terminal width 100
Cryptochecksum:d7f83581d6e
Currently on the PIX:
MVPNC-PIX# show isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
xxx.xxx.xxx.102 xxx.xxx.xxx.50 QM_IDLE 0 1
Any help would be appreciated; I know that the SR520 configuration in particular is a complete mess...
Thanks again.
ASKER CERTIFIED SOLUTION
SOLUTION
Oh I see above you show one as "pending." Try sending "interesting" traffic for that tunnel toward the device for it to bring the tunnel up.
ASKER
Tried to remove pfs group2, no dice. Here is additional output from ipsec and isakmp
mvpmain#show crypto ipsec sa
interface: FastEthernet4
Crypto map tag: VPNSTATIC, local addr xxx.xxx.xxx.102
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0 /0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0 /0/0)
current_peer xxx.xxx.xxx.50 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: xxx.xxx.xxx.102, remote crypto endpt.: xxx.xxx.xxx.50
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
mvpmain#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
The interesting thing here is that your IPsec SA shows no packets encrypted or decrypted. Can you try connecting to the 192.168.1.0/24 network from the 192.168.0.0/24 network as JDLoaner suggested? Do the packet counts on the SA go up when you do?
Can you try pinging something in the 192.168.1.0 from a machine in the 192.168.0.0 and show those again?
lol.. we're on the same page today jodylemoine
ASKER
When I attempt to ping anything in the 192.168.1.x network the packet count does NOT go up (still 0). Seems traffic is not being routed through the tunnel properly.
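Added here as an illustration of the zero-counter symptom above; it is not part of the thread, nor Cisco tooling, and the accepted solution is not visible on this page. One thing the posted SR520 config does show: the overload NAT statement is `ip nat inside source list 1 interface FastEthernet4 overload`, and access-list 1 permits all of 192.168.0.0/24 with no exemption for the remote subnet, while `route-map nonat` (which denies 192.168.0.0/24 to 192.168.1.0/24 via access-list 110) is defined but never attached to any NAT statement. On IOS the inside-to-outside NAT translation runs before the crypto map on the outside interface checks the packet against the crypto ACL, so a packet PATed to the outside address no longer matches `crypto-list` and leaves in the clear, which is consistent with `#pkts encaps: 0`. The PIX side, by contrast, does carry `nat (inside) 0 access-list VPN_NONAT`. The script replays that decision for both ACLs and also checks that the two crypto ACLs mirror each other. The ACL text is copied from the posted configs; the outside address is masked on the page, so the documentation address 203.0.113.102 stands in for it, and the .10 hosts are constructed sample endpoints.

```python
"""Added example (not from the thread): replay the SR520's outbound NAT and
crypto-map decisions for one inside-to-remote flow, using the ACLs from the
posted configs. Both the applied "list 1" and the unused "route-map nonat"
(ACL 110) are modelled so the difference is visible."""
import ipaddress
from dataclasses import dataclass

OUTSIDE_ADDR = "203.0.113.102"  # assumption: placeholder for the masked xxx.xxx.60.102

# Copied from the posted SR520 config
ACL_1 = """
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
"""
ACL_110 = """
access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
"""
CRYPTO_LIST = "permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255"
# Copied from the posted PIX config
PIX_VPN_STATIC = ("access-list VPN_Static permit ip 192.168.1.0 255.255.255.0 "
                  "192.168.0.0 255.255.255.0")

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _ios_net(tokens, i):
    """Consume one IOS address spec (any | host A | A WILDCARD | A) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():
        wildcard, step = tokens[i + 1], 2
    else:
        wildcard, step = "0.0.0.0", 1          # standard ACL, single host
    # contiguous wildcard mask -> prefix length (0.0.0.255 -> /24)
    prefix = 32 - int(ipaddress.IPv4Address(wildcard)).bit_length()
    return ipaddress.ip_network(f"{tok}/{prefix}", strict=False), i + step


def parse_ios_acl(text):
    """Standard, extended-numbered and named-ACL body lines; ports are ignored."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0] == "access-list":
            tokens = tokens[2:]                # drop "access-list <number>"
        if tokens[0] == "remark":
            continue
        action, i = tokens[0], 1
        if tokens[i] in ("ip", "tcp", "udp", "icmp"):
            i += 1                             # extended ACL protocol keyword
        src, i = _ios_net(tokens, i)
        dst = ANY
        if i < len(tokens):
            dst, i = _ios_net(tokens, i)
        rules.append(Rule(action, src, dst))
    return rules


def parse_pix_acl(text):
    """PIX 6.x syntax: access-list NAME permit ip SRC NETMASK DST NETMASK."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        src = ipaddress.ip_network(f"{t[4]}/{t[5]}", strict=False)
        dst = ipaddress.ip_network(f"{t[6]}/{t[7]}", strict=False)
        rules.append(Rule(t[2], src, dst))
    return rules


def acl_action(rules, src, dst):
    """First match wins; every ACL ends in an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action
    return "deny"


def outbound_decision(src, dst, nat_acl, crypto_acl, outside=OUTSIDE_ADDR):
    """Inside-to-outside on IOS: NAT rewrites the packet before the crypto map
    on the outside interface compares it with the crypto ACL, so a source that
    has been PATed to the outside address no longer matches and goes clear."""
    translated = acl_action(nat_acl, src, dst) == "permit"
    post_nat_src = outside if translated else src
    encrypted = acl_action(crypto_acl, post_nat_src, dst) == "permit"
    return {"post_nat_src": post_nat_src, "encrypted": encrypted}


def is_mirror(ios_rules, pix_rules):
    """Each peer's crypto ACL must be the other's with src and dst swapped."""
    ios = {(r.src, r.dst) for r in ios_rules if r.action == "permit"}
    pix = {(r.dst, r.src) for r in pix_rules if r.action == "permit"}
    return ios == pix


if __name__ == "__main__":
    crypto = parse_ios_acl(CRYPTO_LIST)
    flow = ("192.168.0.10", "192.168.1.10")   # constructed sample endpoints
    print("list 1 (as posted):", outbound_decision(*flow, parse_ios_acl(ACL_1), crypto))
    print("route-map nonat   :", outbound_decision(*flow, parse_ios_acl(ACL_110), crypto))
    print("crypto ACLs mirror:", is_mirror(crypto, parse_pix_acl(PIX_VPN_STATIC)))
```

With `list 1` the sample flow leaves with the outside address as its source and is never encrypted; with the nonat route-map's ACL 110 the flow keeps its private source and matches `crypto-list`, and the two crypto ACLs do mirror each other. This is only the NAT leg of the check: the out-zone to in-zone zone-pair policy and the ISAKMP proposal still have to line up, and the suite the posted PIX negotiates (3DES, MD5, DH group 2) is what PIX 6.3 offers, well below current practice.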
Does show crypto isakmp sa show anything right after doing this?
ASKER
Thanks for the help I was able to solve the problem with help from a friend...