e007soremi
asked on
Pix to Pix vpn connection problem
I need solving site to site vpn connection between two pix firewalls.
Site A config:
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.2.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 217.204.93.44
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 217.204.93.44 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
SiteB config
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_cryptomap_20 permit ip Oscars-Lan 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip Oscars-Lan 255.255.255.0 192.168.2.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list outside_cryptomap_20
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 194.131.0.185
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 194.131.0.185 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
debug crypto ipsec output:
crypto_isakmp_process_bloc
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_bloc
VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0
Site A config:
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.2.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 217.204.93.44
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 217.204.93.44 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
SiteB config
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_cryptomap_20 permit ip Oscars-Lan 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip Oscars-Lan 255.255.255.0 192.168.2.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list outside_cryptomap_20
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 194.131.0.185
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 194.131.0.185 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
debug crypto ipsec output:
crypto_isakmp_process_bloc
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_bloc
VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0
ASKER
Pinging from PCA to an inside interface of the PIX in site B request timeout.
The default gateway of PCA is the 192.168.1.253 (inside Interface).
I am not sure that the tunnel is establish as the debug output is saying:
crypto_isakmp_process_bloc
crypto_isakmp_process_bloc
VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0
The default gateway of PCA is the 192.168.1.253 (inside Interface).
I am not sure that the tunnel is establish as the debug output is saying:
crypto_isakmp_process_bloc
crypto_isakmp_process_bloc
VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0
>Pinging from PCA to an inside interface of the PIX in site B request timeout
This will always time out. It is a security feature of the PIX
You need to ping some other host/pc on the LAN at site B
You will not establish the tunnel without 2-way traffic.
This will always time out. It is a security feature of the PIX
You need to ping some other host/pc on the LAN at site B
You will not establish the tunnel without 2-way traffic.
ASKER
I have ping hosts alternatively from the sites, still same problem. The debug out is this:
crypto_isakmp_process_bloc
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_bloc
VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0
ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (0)...
crypto_isakmp_process_bloc
VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0
ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src 194.131.0.185, dst 217.204.93.44
ISADB: reaper checking SA 0x13b5d8c, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0
Please help.
crypto_isakmp_process_bloc
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_bloc
VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0
ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (0)...
crypto_isakmp_process_bloc
VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0
ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src 194.131.0.185, dst 217.204.93.44
ISADB: reaper checking SA 0x13b5d8c, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0
Please help.
On SITEB, suggest creating a no_nat access-list carbon copy of the outside_cryptomap_20
Issue could be applying same access-list to two functions:
>nat (inside) 0 access-list outside_cryptomap_20
>crypto map outside_map 20 match address outside_cryptomap_20
On the other side you have:
>nat (inside) 0 access-list inside_outbound_nat0_acl
>crypto map outside_map 20 match address outside_cryptomap_20
Issue could be applying same access-list to two functions:
>nat (inside) 0 access-list outside_cryptomap_20
>crypto map outside_map 20 match address outside_cryptomap_20
On the other side you have:
>nat (inside) 0 access-list inside_outbound_nat0_acl
>crypto map outside_map 20 match address outside_cryptomap_20
Are you still working on this? Do you need more information?
ASKER
Thank you all for trying to help, I found out that my ISP is blocking traffic into the site A firewall. I am currently working with cisco TAC on resolution for this one.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
If you use a PC on Site A Lan, ping a PC on site B lan
C:\>ping 192.168.10.x
What is the default gateway setting of PCA? Does it point to the inside IP address of this PIX?
What is the default gateway setting of PCB? Does it point to the inside IP address of PIXB?