  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 227

Pix to Pix vpn connection problem

I need help solving a site-to-site VPN connection problem between two PIX firewalls.
Site A config:
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.2.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 217.204.93.44
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 217.204.93.44 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

Site B config:
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_cryptomap_20 permit ip Oscars-Lan 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip Oscars-Lan 255.255.255.0 192.168.2.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list outside_cryptomap_20
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 194.131.0.185
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 194.131.0.185 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

debug crypto ipsec output:
crypto_isakmp_process_block:src:194.131.0.185, dest:217.204.93.44 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:194.131.0.185, dest:217.204.93.44 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0


Asked by e007soremi

1 Solution
lrmoore Commented:
The tunnel will not fully establish unless and until you have two-way traffic.
If you use a PC on the Site A LAN, ping a PC on the Site B LAN:
C:\>ping 192.168.10.x

What is the default gateway setting of PCA? Does it point to the inside IP address of this PIX?
What is the default gateway setting of PCB? Does it point to the inside IP address of PIXB?

 
e007soremi (Author) Commented:
Pinging from PCA to the inside interface of the PIX at site B gives a request timeout.
The default gateway of PCA is 192.168.1.253 (the inside interface).
I am not sure that the tunnel is established, as the debug output is saying:
crypto_isakmp_process_block:src:194.131.0.185, dest:217.204.93.44 spt:500 dpt:500
crypto_isakmp_process_block:src:194.131.0.185, dest:217.204.93.44 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0
 
lrmoore Commented:
>Pinging from PCA to an inside interface of the PIX in site B request timeout
This will always time out. It is a security feature of the PIX.

You need to ping some other host/PC on the LAN at site B.
You will not establish the tunnel without 2-way traffic.

 
e007soremi (Author) Commented:
I have pinged hosts alternately from both sites, still the same problem. The debug output is this:
crypto_isakmp_process_block:src:194.131.0.185, dest:217.204.93.44 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:194.131.0.185, dest:217.204.93.44 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0

ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (0)...
crypto_isakmp_process_block:src:194.131.0.185, dest:217.204.93.44 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0

ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src 194.131.0.185, dst 217.204.93.44
ISADB: reaper checking SA 0x13b5d8c, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0

Please help.
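Added example, not part of the original thread: a small Python triage of the debug lines quoted above. It separates a refused proposal (an IKE policy mismatch) from the pattern seen here, where the proposal is accepted and phase 1 then times out with retransmits until the SA is deleted, which points at the path between the peers (UDP/500, and UDP/4500 once NAT-T is detected) rather than at the policy. The "atts are not acceptable" marker is assumed to be the PIX wording for a refused proposal; it does not appear on this page.

```python
import re

# Constructed sample input: the responder-side debug lines quoted in the post above.
DEBUG = """\
crypto_isakmp_process_block:src:194.131.0.185, dest:217.204.93.44 spt:500 dpt:500
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0
ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src 194.131.0.185, dst 217.204.93.44
"""

MARKERS = {
    "accepted": r"atts are acceptable",
    "rejected": r"atts are not acceptable",  # assumed PIX wording for a refused proposal
    "nat_t": r"Detected port floating",      # NAT-T negotiated: ESP will ride UDP/4500
    "deleted": r"deleting SA",
}

def classify(debug):
    """Return (verdict, explanation) for one phase 1 attempt seen in PIX isakmp debug."""
    seen = {name: re.search(pat, debug) is not None for name, pat in MARKERS.items()}
    retries = len(re.findall(r"retransmitting phase 1 \(\d+\)", debug))
    peer = re.search(r"Peer Info for ([\d.]+)/500", debug)
    peer = peer[1] if peer else "peer"
    if seen["rejected"]:
        return "policy-mismatch", ("the proposal was refused: compare isakmp policy "
                                   "(encryption, hash, group, auth, lifetime) on both peers")
    if seen["accepted"] and retries and seen["deleted"]:
        ports = "UDP/500 and UDP/4500 (NAT-T)" if seen["nat_t"] else "UDP/500"
        return "phase1-stalled", (f"proposal from {peer} accepted, then {retries} retransmits "
                                  f"and the SA was deleted: the next main-mode message never "
                                  f"arrived, so check {ports} reachability and upstream "
                                  "filtering before touching the IKE policy")
    if seen["accepted"]:
        return "phase1-ok-so-far", f"proposal from {peer} accepted and no timeout seen yet"
    return "unknown", "no known phase 1 marker in this output"
```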
 
lrmoore Commented:
On SITEB, suggest creating a no_nat access-list carbon copy of the outside_cryptomap_20

The issue could be applying the same access-list to two functions:
>nat (inside) 0 access-list outside_cryptomap_20
>crypto map outside_map 20 match address outside_cryptomap_20

On the other side you have:
>nat (inside) 0 access-list inside_outbound_nat0_acl
>crypto map outside_map 20 match address outside_cryptomap_20

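The split lrmoore suggests can be checked mechanically. Added example, not from the thread or from Cisco: a Python script that parses the access-list, nat 0 and crypto map lines of both configs as posted and reports a nat 0 ACL shared with the crypto map, a nat 0 ACL that diverges from the crypto ACL, and crypto ACL entries with no mirror on the other side. The Site B name Oscars-Lan is an object the thread never resolves, so its entries are reported as unmatched.

```python
import re

# Constructed sample input: the ACL, nat 0 and crypto map lines of both configs as
# posted above. "Oscars-Lan" is an object name whose address the thread never gives.
SITE_A = """
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.2.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 match address outside_cryptomap_20
"""
SITE_B = """
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_cryptomap_20 permit ip Oscars-Lan 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip Oscars-Lan 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list outside_cryptomap_20
crypto map outside_map 20 match address outside_cryptomap_20
"""
ACL = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0 = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")
MATCH = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")

def parse(cfg):
    """Return ({acl name: {(src, smask, dst, dmask)}}, nat 0 ACL name, crypto ACL name)."""
    acls, nat0, crypto = {}, None, None
    for line in cfg.strip().splitlines():
        if m := ACL.match(line):
            acls.setdefault(m[1], set()).add(m.groups()[1:])
        elif m := NAT0.match(line):
            nat0 = m[1]
        elif m := MATCH.match(line):
            crypto = m[1]
    return acls, nat0, crypto

def check(cfg_a, cfg_b):
    """Cross-check both sides; each finding is one thing to fix before debugging further."""
    findings, crypto_acl = [], {}
    for side, cfg in (("A", cfg_a), ("B", cfg_b)):
        acls, nat0, crypto = parse(cfg)
        crypto_acl[side] = acls[crypto]
        if nat0 == crypto:  # one ACL serving both nat 0 and the crypto map
            findings.append(f"{side}: nat 0 and crypto map both use {crypto}; give nat 0 its own copy")
        elif acls.get(nat0) != acls[crypto]:
            findings.append(f"{side}: nat 0 ACL {nat0} does not match crypto ACL {crypto}")
    for side, other in (("A", "B"), ("B", "A")):  # crypto ACLs must be exact mirrors
        for src, sm, dst, dm in sorted(crypto_acl[side]):
            if (dst, dm, src, sm) not in crypto_acl[other]:
                findings.append(f"{other}: no mirror of {side} entry {src} -> {dst}")
    return findings
```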
 
lrmoore Commented:
Are you still working on this? Do you need more information?
 
e007soremi (Author) Commented:
Thank you all for trying to help. I found out that my ISP is blocking traffic into the site A firewall. I am currently working with Cisco TAC on a resolution for this one.
 
modulo Commented:
PAQed with points refunded (500)

modulo
Community Support Moderator