Solved

Pix to Pix vpn connection problem

Posted on 2004-04-02
Last Modified: 2013-11-16
I need help solving a site-to-site VPN connection problem between two PIX firewalls.
Site A config:
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.2.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 217.204.93.44
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 217.204.93.44 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

Site B config:
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_cryptomap_20 permit ip Oscars-Lan 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip Oscars-Lan 255.255.255.0 192.168.2.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list outside_cryptomap_20
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 194.131.0.185
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 194.131.0.185 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

debug crypto ipsec output:
crypto_isakmp_process_block:src:194.131.0.185, dest:217.204.93.44 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:194.131.0.185, dest:217.204.93.44 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0


Question by: e007soremi

9 Comments

Expert Comment

by:lrmoore
ID: 10740657
The tunnel will not fully establish unless and until you have two-way traffic.
If you use a PC on the Site A LAN, ping a PC on the Site B LAN:
C:\>ping 192.168.10.x

What is the default gateway setting of PCA? Does it point to the inside IP address of this PIX?
What is the default gateway setting of PCB? Does it point to the inside IP address of PIXB?


Author Comment

by:e007soremi
ID: 10740894
Pinging from PCA to the inside interface of the PIX in site B gives a request timeout.
The default gateway of PCA is 192.168.1.253 (the inside interface).
I am not sure that the tunnel is established, as the debug output says:
crypto_isakmp_process_block:src:194.131.0.185, dest:217.204.93.44 spt:500 dpt:500
crypto_isakmp_process_block:src:194.131.0.185, dest:217.204.93.44 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0

Expert Comment

by:lrmoore
ID: 10744266
>Pinging from PCA to an inside interface of the PIX in site B request timeout
This will always time out. It is a security feature of the PIX.

You need to ping some other host/pc on the LAN at site B
You will not establish the tunnel without 2-way traffic.


Author Comment

by:e007soremi
ID: 10761279
I have pinged hosts alternately from both sites, still the same problem. The debug output is this:
crypto_isakmp_process_block:src:194.131.0.185, dest:217.204.93.44 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:194.131.0.185, dest:217.204.93.44 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0

ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (0)...
crypto_isakmp_process_block:src:194.131.0.185, dest:217.204.93.44 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0

ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src 194.131.0.185, dst 217.204.93.44
ISADB: reaper checking SA 0x13b5d8c, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0

Please help.
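Reading the debug output above, as an added example that is not part of the thread: a small Python triage of PIX `debug crypto isakmp` lines that reports how far main mode got before the SA was reaped. The sample is condensed from the author's post; treating `OAK_QM exchange` as the quick-mode marker and the verdict wording are my assumptions.

```python
import re

# Constructed sample: the `debug crypto isakmp` lines from the author's post, condensed.
DEBUG = """\
crypto_isakmp_process_block:src:194.131.0.185, dest:217.204.93.44 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0
ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (0)...
VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0
ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src 194.131.0.185, dst 217.204.93.44
ISADB: reaper checking SA 0x13b5d8c, conn_id = 0  DELETE IT!
"""

def triage_phase1(debug):
    """Summarise how far IKE phase 1 (main mode) got and suggest what to check next."""
    m = re.search(r"crypto_isakmp_process_block:src:(\S+),", debug)
    s = {
        "peer": m.group(1) if m else None,
        "proposal_accepted": "atts are acceptable" in debug,   # policy 20 matched the peer's transform
        "nat_t": "Detected port floating" in debug,            # both ends offered NAT-T (UDP/4500)
        "retransmits": len(re.findall(r"retransmitting phase 1", debug)),
        "sa_deleted": "DELETE IT!" in debug,                   # reaper gave up on the half-open SA
        "phase2_reached": "OAK_QM exchange" in debug,          # quick mode seen = phase 1 completed (assumed marker)
    }
    if s["phase2_reached"]:
        s["verdict"] = "phase 1 completed; look at phase 2 (crypto ACLs and transform sets)"
    elif not s["proposal_accepted"]:
        s["verdict"] = "ISAKMP policy mismatch: the peer's proposal matched no local policy"
    elif s["retransmits"] and s["sa_deleted"]:
        s["verdict"] = (f"phase 1 stalled after the proposal from {s['peer']} was accepted: "
                        "our replies went unanswered until the reaper deleted the SA; check that "
                        "UDP/500 (and UDP/4500 with NAT-T) passes in both directions and that the "
                        "pre-shared keys match")
    else:
        s["verdict"] = "inconclusive; capture the full debug on both peers"
    return s
```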

Expert Comment

by:lrmoore
ID: 10761463
On Site B, I suggest creating a no_nat access-list as a carbon copy of outside_cryptomap_20.

The issue could be applying the same access-list to two functions:
>nat (inside) 0 access-list outside_cryptomap_20
>crypto map outside_map 20 match address outside_cryptomap_20

On the other side you have:
>nat (inside) 0 access-list inside_outbound_nat0_acl
>crypto map outside_map 20 match address outside_cryptomap_20

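As an added example (not from the thread or from lrmoore), this Python check parses the Site A and Site B snippets from the question, flags the ACL reuse lrmoore points out, and also reports crypto ACEs with no nat 0 exemption and crypto ACEs the peer does not mirror (src/dst swapped), which would break phase 2 once phase 1 comes up. Resolving the `Oscars-Lan` name to 192.168.9.0 is an assumption.

```python
import re
# Constructed from the question's two configs (trimmed); 'Oscars-Lan' = 192.168.9.0 is an assumption.
NAMES = {"Oscars-Lan": "192.168.9.0"}
SITE_A = """\
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.2.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 match address outside_cryptomap_20
"""
SITE_B = """\
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_cryptomap_20 permit ip Oscars-Lan 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip Oscars-Lan 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list outside_cryptomap_20
crypto map outside_map 20 match address outside_cryptomap_20
"""
ACE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")

def parse(config):
    """Return ({acl_name: {(src, smask, dst, dmask)}}, nat0_acl_name, crypto_acl_name)."""
    acls, nat0, crypto = {}, None, None
    for line in config.splitlines():
        if m := ACE.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, set()).add((NAMES.get(s, s), sm, NAMES.get(d, d), dm))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            nat0 = m.group(1)
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            crypto = m.group(1)
    return acls, nat0, crypto

def check_pair(local, remote):
    """Findings for `local`: shared nat 0/crypto ACL, missing nat 0 exemptions, unmirrored crypto ACEs."""
    acls, nat0, crypto = parse(local)
    racls, _, rcrypto = parse(remote)
    findings = []
    if nat0 == crypto:
        findings.append(f"same ACL '{nat0}' used for nat 0 and crypto map")
    findings += [f"no nat 0 entry for {ace}" for ace in sorted(acls[crypto] - acls.get(nat0, set()))]
    mirrored = {(d, dm, s, sm) for s, sm, d, dm in racls[rcrypto]}  # peer's ACEs, src/dst swapped
    findings += [f"peer does not mirror {ace}" for ace in sorted(acls[crypto] - mirrored)]
    return findings
```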

Expert Comment

by:lrmoore
ID: 10807727
Are you still working on this? Do you need more information?

Author Comment

by:e007soremi
ID: 10811869
Thank you all for trying to help. I found out that my ISP is blocking traffic into the site A firewall. I am currently working with Cisco TAC on a resolution for this one.

Accepted Solution

by: modulo (earned 0 total points)
ID: 12793159
PAQed with points refunded (500)

modulo
Community Support Moderator