Solved

Pix to Pix vpn connection problem

Posted on 2004-04-02
Medium Priority
225 Views
Last Modified: 2013-11-16
I need help solving a site-to-site VPN connection problem between two PIX firewalls.
Site A config:
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.2.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 217.204.93.44
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 217.204.93.44 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

Site B config:
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_cryptomap_20 permit ip Oscars-Lan 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip Oscars-Lan 255.255.255.0 192.168.2.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list outside_cryptomap_20
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 194.131.0.185
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 194.131.0.185 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

debug crypto ipsec output:
crypto_isakmp_process_block:src:194.131.0.185, dest:217.204.93.44 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:194.131.0.185, dest:217.204.93.44 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0


Question by: e007soremi

8 Comments
LVL 79

Expert Comment

by:lrmoore
ID: 10740657
The tunnel will not fully establish unless and until you have two-way traffic
If you use a PC on the Site A LAN, ping a PC on the Site B LAN:
C:\>ping 192.168.10.x

What is the default gateway setting of PCA? Does it point to the inside IP address of this PIX?
What is the default gateway setting of PCB? Does it point to the inside IP address of PIXB?


Author Comment

by:e007soremi
ID: 10740894
Pinging from PCA to the inside interface of the PIX at site B times out.
The default gateway of PCA is 192.168.1.253 (the inside interface).
I am not sure that the tunnel is established, as the debug output is saying:
crypto_isakmp_process_block:src:194.131.0.185, dest:217.204.93.44 spt:500 dpt:500
crypto_isakmp_process_block:src:194.131.0.185, dest:217.204.93.44 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0
LVL 79

Expert Comment

by:lrmoore
ID: 10744266
>Pinging from PCA to an inside interface of the PIX in site B request timeout
This will always time out. It is a security feature of the PIX

You need to ping some other host/pc on the LAN at site B
You will not establish the tunnel without 2-way traffic.


Author Comment

by:e007soremi
ID: 10761279
I have pinged hosts alternately from both sites, still the same problem. The debug output is this:
crypto_isakmp_process_block:src:194.131.0.185, dest:217.204.93.44 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:194.131.0.185, dest:217.204.93.44 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0

ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (0)...
crypto_isakmp_process_block:src:194.131.0.185, dest:217.204.93.44 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0

ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src 194.131.0.185, dst 217.204.93.44
ISADB: reaper checking SA 0x13b5d8c, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0

Please help.
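The debug output above shows the whole phase-1 story in a few lines: the peer's proposal is checked against local policy 20, the four VPI bytes of the lifetime are the proposal's lifetime in seconds, NAT-T is detected, and then the PIX retransmits its phase-1 reply twice and reaps the larval SA. The following script is an added example (it is not from the thread or from Cisco) that parses `debug crypto isakmp` text of this PIX format and reports what stage the exchange reached. It embeds a trimmed copy of the debug posted above as its sample input, plus a second, constructed sample with a rejected proposal; the message strings it keys on are those visible in the thread, and the address values in the constructed sample are placeholders.

```python
import re
from typing import Any, Dict

# Sample 1: trimmed copy of the 'debug crypto isakmp' output posted in the thread.
DEBUG_FROM_THREAD = """
crypto_isakmp_process_block:src:194.131.0.185, dest:217.204.93.44 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0:0): Detected port floating
VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0
ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (0)...
VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0
ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src 194.131.0.185, dst 217.204.93.44
ISADB: reaper checking SA 0x13b5d8c, conn_id = 0  DELETE IT!
VPN Peer:ISAKMP: Peer Info for 194.131.0.185/500 not found - peers:0
"""

# Sample 2: constructed (not from the thread), a proposal that matches no local policy.
DEBUG_MISMATCH = """
crypto_isakmp_process_block:src:198.51.100.7, dest:203.0.113.9 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
"""

SRC_RE = re.compile(r"crypto_isakmp_process_block:src:(\S+), dest:(\S+)")
ATTR_RE = re.compile(r"^ISAKMP:\s+(encryption|hash|default group|auth)\s+(\S+)")
LIFE_RE = re.compile(r"life duration \(VPI\) of\s+((?:0x[0-9a-fA-F]+\s*)+)")


def _verdict(r: Dict[str, Any]) -> str:
    """Turn the collected counters into a one-line diagnosis."""
    if r["acceptable"] is False:
        return "Phase 1 proposal rejected: the peer's IKE proposal matches no local isakmp policy"
    if r["acceptable"] and (r["phase1_retransmits"] or r["sa_deleted"]):
        ports = "UDP/500" + (" and UDP/4500 (NAT-T detected)" if r["nat_t"] else "")
        return ("Phase 1 stalled: proposal accepted but the peer never continued the exchange; "
                f"verify {ports} passes in both directions between the peers")
    if r["acceptable"]:
        return "Phase 1 proposal accepted; no retransmits seen in this capture"
    return "No ISAKMP proposal seen in this capture"


def summarize_isakmp_debug(text: str) -> Dict[str, Any]:
    """Parse PIX 'debug crypto isakmp' lines into proposal attributes and outcome counters."""
    r: Dict[str, Any] = {"peer": None, "local": None, "proposal": {}, "acceptable": None,
                         "nat_t": False, "phase1_retransmits": 0, "peer_not_found": 0,
                         "sa_deleted": False, "verdict": ""}
    for raw in text.splitlines():
        line = raw.strip()
        m = SRC_RE.search(line)
        if m:
            r["peer"], r["local"] = m.group(1), m.group(2)
            continue
        m = ATTR_RE.match(line)
        if m:
            key, val = m.group(1), m.group(2)
            r["proposal"]["group" if key == "default group" else key] = (
                int(val) if key == "default group" else val)
            continue
        m = LIFE_RE.search(line)
        if m:
            # The VPI bytes are a big-endian integer: 0x0 0x1 0x51 0x80 -> 0x00015180 = 86400 s
            octets = m.group(1).split()
            r["proposal"]["lifetime_seconds"] = int("".join(o[2:].zfill(2) for o in octets), 16)
            continue
        if "atts are not acceptable" in line:
            r["acceptable"] = False
        elif "atts are acceptable" in line:
            r["acceptable"] = True
        elif "vendor ID is NAT-T" in line:
            r["nat_t"] = True
        elif "retransmitting phase 1" in line:
            r["phase1_retransmits"] += 1
        elif "Peer Info for" in line and "not found" in line:
            r["peer_not_found"] += 1
        elif line.startswith("ISAKMP (0): deleting SA"):
            r["sa_deleted"] = True
    r["verdict"] = _verdict(r)
    return r


if __name__ == "__main__":
    for name, sample in (("thread", DEBUG_FROM_THREAD), ("constructed", DEBUG_MISMATCH)):
        s = summarize_isakmp_debug(sample)
        print(f"[{name}] peer={s['peer']} proposal={s['proposal']}")
        print(f"[{name}] {s['verdict']}")
```

On the thread's capture the parser reports the proposal (DES-CBC, MD5, group 1, pre-share, 86400 s) as accepted, two phase-1 retransmits and a deleted SA, so the diagnosis is that the peer never answered the PIX's reply, which points at the path between the peers rather than at the crypto configuration.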
LVL 79

Expert Comment

by:lrmoore
ID: 10761463
On SITEB, I suggest creating a no_nat access-list as a carbon copy of outside_cryptomap_20.

The issue could be applying the same access-list to two functions:
>nat (inside) 0 access-list outside_cryptomap_20
>crypto map outside_map 20 match address outside_cryptomap_20

On the other side you have:
>nat (inside) 0 access-list inside_outbound_nat0_acl
>crypto map outside_map 20 match address outside_cryptomap_20

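The two things being compared in the comment above, which ACL feeds `nat (inside) 0` and which feeds the crypto map, plus the requirement that each site's crypto ACL be the mirror image of the other's, are mechanical enough to check with a script. The following is an added example (not from the thread or from Cisco) that parses the relevant `access-list`, `nat (inside) 0` and `crypto map ... match address` lines of both configs posted in the question and reports a shared ACL, crypto entries that the nat 0 ACL would not exempt, and entries without a mirror on the far side. It only understands the `permit ip NET MASK NET MASK` form used on the page; the `Oscars-Lan` name in the Site B config cannot be resolved here, so it is reported as unresolved rather than guessed.

```python
import re
from typing import Dict, List, Tuple

# Sample input: the relevant lines of the two configs posted in the question.
SITE_A = """
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.2.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 match address outside_cryptomap_20
"""

SITE_B = """
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_cryptomap_20 permit ip Oscars-Lan 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip Oscars-Lan 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list outside_cryptomap_20
crypto map outside_map 20 match address outside_cryptomap_20
"""

# Only the 'permit ip NET MASK NET MASK' form is parsed; 'host'/'any' forms are ignored.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
NAT0_RE = re.compile(r"^nat\s+\(inside\)\s+0\s+access-list\s+(\S+)$")
MATCH_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(\S+)$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

Entry = Tuple[str, str, str, str]  # (src, src_mask, dst, dst_mask)


def parse_pix(config: str) -> dict:
    """Collect ACL entries and the ACL names bound to nat 0 and to the crypto map."""
    acls: Dict[str, List[Entry]] = {}
    nat0 = crypto = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(tuple(m.group(2, 3, 4, 5)))
        elif m := NAT0_RE.match(line):
            nat0 = m.group(1)
        elif m := MATCH_RE.match(line):
            crypto = m.group(1)
    return {"acls": acls, "nat0_acl": nat0, "crypto_acl": crypto}


def check_pair(local: dict, remote: dict, local_name: str, remote_name: str) -> List[str]:
    """Check one site's crypto ACL against its own nat 0 ACL and the remote crypto ACL."""
    findings: List[str] = []
    if local["nat0_acl"] == local["crypto_acl"]:
        findings.append(f"{local_name}: nat 0 and crypto map share ACL "
                        f"'{local['nat0_acl']}'; use a separate no-NAT copy")
    nat0_entries = set(local["acls"].get(local["nat0_acl"], []))
    remote_crypto = set(remote["acls"].get(remote["crypto_acl"], []))
    for src, smask, dst, dmask in local["acls"].get(local["crypto_acl"], []):
        if (src, smask, dst, dmask) not in nat0_entries:
            findings.append(f"{local_name}: {src}->{dst} is in the crypto ACL but not in "
                            "the nat 0 ACL (it would be NATed before encryption)")
        if not (IPV4_RE.match(src) and IPV4_RE.match(dst)):
            findings.append(f"{local_name}: {src}->{dst} uses an unresolved name; "
                            "resolve it before comparing with the remote side")
            continue
        if (dst, dmask, src, smask) not in remote_crypto:
            findings.append(f"{local_name}: {src}->{dst} has no mirror entry "
                            f"{dst}->{src} in {remote_name}'s crypto ACL")
    return findings


if __name__ == "__main__":
    a, b = parse_pix(SITE_A), parse_pix(SITE_B)
    for f in check_pair(a, b, "SiteA", "SiteB") + check_pair(b, a, "SiteB", "SiteA"):
        print(f)
```

Run against the two posted configs it flags the shared ACL on Site B, the two `Oscars-Lan` entries as unresolvable, and Site A's two entries towards 192.168.9.0 as having no literal mirror on Site B; whether the last two are a real mismatch depends on what `Oscars-Lan` stands for, which the thread does not say.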
LVL 79

Expert Comment

by:lrmoore
ID: 10807727
Are you still working on this? Do you need more information?

Author Comment

by:e007soremi
ID: 10811869
Thank you all for trying to help. I found out that my ISP is blocking traffic into the site A firewall. I am currently working with Cisco TAC on a resolution for this one.

Accepted Solution

by:
modulo earned 0 total points
ID: 12793159
PAQed with points refunded (500)

modulo
Community Support Moderator
