We help IT Professionals succeed at work.

Check out our new AWS podcast with Certified Expert, Phil Phillips! Listen to "How to Execute a Seamless AWS Migration" on EE or on your favorite podcast platform. Listen Now

x

Pix to Pix vpn connection problem

e007soremi
e007soremi asked
on
Medium Priority
238 Views
Last Modified: 2013-11-16
I need solving site to site vpn connection between two pix firewalls.
Site A config:
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.2.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 217.204.93.44
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 217.204.93.44 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

SiteB config
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_cryptomap_20 permit ip Oscars-Lan 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip Oscars-Lan 255.255.255.0 192.168.2.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list outside_cryptomap_20
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 194.131.0.185
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 194.131.0.185 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

debug crypto ipsec output:
crypto_isakmp_process_block:src:194.131.0.185, dest:217.204.93.44 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:194.131.0.185, dest:217.204.93.44 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0


Comment
Watch Question

Les MooreSr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
The tunnel will not fully establish unless and until you have two-way traffic
If you use a PC on Site A Lan, ping a PC on site B lan
C:\>ping 192.168.10.x

What is the default gateway setting of PCA? Does it point to the inside IP address of this PIX?
What is the default gateway setting of PCB? Does it point to the inside IP address of PIXB?

Author

Commented:
Pinging from PCA to an inside interface of the PIX in site B request timeout.
The default gateway of PCA is the 192.168.1.253 (inside Interface).
I am not sure that the tunnel is establish as the debug output is saying:
crypto_isakmp_process_block:src:194.131.0.185, dest:217.204.93.44 spt:500 dpt:500
crypto_isakmp_process_block:src:194.131.0.185, dest:217.204.93.44 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0
Les MooreSr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
>Pinging from PCA to an inside interface of the PIX in site B request timeout
This will always time out. It is a security feature of the PIX

You need to ping some other host/pc on the LAN at site B
You will not establish the tunnel without 2-way traffic.

Author

Commented:
I have ping hosts alternatively from the sites, still same problem. The debug out is this:
crypto_isakmp_process_block:src:194.131.0.185, dest:217.204.93.44 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:194.131.0.185, dest:217.204.93.44 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0

ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (0)...
crypto_isakmp_process_block:src:194.131.0.185, dest:217.204.93.44 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0

ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src 194.131.0.185, dst 217.204.93.44
ISADB: reaper checking SA 0x13b5d8c, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0

Please help.
Les MooreSr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
On SITEB, suggest creating a no_nat access-list carbon copy of the outside_cryptomap_20

Issue could be applying same access-list to two functions:
>nat (inside) 0 access-list outside_cryptomap_20
>crypto map outside_map 20 match address outside_cryptomap_20

On the other side you have:
>nat (inside) 0 access-list inside_outbound_nat0_acl
>crypto map outside_map 20 match address outside_cryptomap_20

Les MooreSr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
Are you still working on this? Do you need more information?

Author

Commented:
Thank you all for trying to help, I found out that my ISP is blocking traffic into the site A firewall. I am currently working with cisco TAC on resolution for this one.
Commented:
Unlock this solution with a free trial preview.
(No credit card required)
Get Preview
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a free trial preview!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.