Solved

Pix 501 VPN

Posted on 2004-08-13
325 Views
Last Modified: 2013-11-16
Hi Guys,

I am attempting to configure a VPN between two of our offices. The idea is to have one PIX 501 as the headend and then to connect other offices and remote workers by other PIXs or the Cisco VPN client (software). The remote offices need only traverse the VPN to access resources on the remote LAN.

I have used the VPN wizards from the PDM to set up the headend and the remote office, but I can't get them to connect. I can't say I'm much of an expert with the PIX and am only just getting to grips with the command-line method of configuration, but from what I have read on other posts, not so much can be achieved via the PDM?

Anyway, please peruse my configs and tell me why I cannot connect; a quick answer would be appreciated as I want to go home this weekend!!!

London Config: Headend

Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password  encrypted
passwd encrypted
hostname pixfirewall
domain-name .co.uk
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 212.240.155.194 Watkins_Gray
name 212.240.155.253 Wgi-comms
name 212.240.155.254 FW-Proxy
name 212.240.155.0 wgilocal
access-list 101 permit ip wgilocal 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any wgilocal 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 212.240.155.128 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 212.240.155.128 255.255.255.192
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 62.xx.xx.xx 255.255.255.0
ip address inside 212.240.155.247 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Pool1 212.240.155.150-212.240.155.160
pdm location 213. 255.255.255.255 outside
pdm location Watkins_Gray 255.255.255.255 inside
pdm location Wgi-comms 255.255.255.255 inside
pdm location FW-Proxy 255.255.255.255 inside
pdm location wgilocal 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 62.244.183.129 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http wgilocal 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 195.xx.xx.xx netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Remote address-pool Pool1
vpngroup Remote dns-server 62.244.176.176 62.244.177.177
vpngroup Remote default-domain .co.uk
vpngroup Remote split-tunnel outside_cryptomap_dyn_20
vpngroup Remote idle-time 1800
vpngroup Remote password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 212.240.155.248-FW-Proxy inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
vpnclient server 213.xx.xx.xx
vpnclient mode client-mode
vpnclient vpngroup remote password ********
vpnclient username user password ********
terminal width 80
Cryptochecksum:cd30f78e41483766531f000f988589fc
: end
[OK]


Leeds Config: site to site

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password  encrypted
passwd encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 212.240.155.0 WGI-London
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 WGI-London 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 WGI-London 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 195.xx.xx.xx 255.255.255.0
ip address inside 192.168.0.101 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location WGI-London 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 195.xxc.xx.xx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 62.xx.xx.xx
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 62.xx.xx.xx netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.102-192.168.0.229 inside
dhcpd dns 195.147.246.75 195.147.248.102
dhcpd lease 3600
dhcpd ping_timeout 4300
dhcpd domain .co.uk
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:2a582abb3952bdc628026bb41b69fe07
: end
[OK]

Thanks in advance

EastNine
Question by:eastnine

12 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 11793309
London needs matching entries like you have in Leeds:
Leeds:
>crypto map outside_map 20 ipsec-isakmp
>crypto map outside_map 20 match address outside_cryptomap_20
>crypto map outside_map 20 set peer 62.xx.xx.xx
>crypto map outside_map 20 set transform-set ESP-3DES-MD5

Add these to London:
access-list 101 permit ip wgilocal 255.255.255.0 192.168.0.0 255.255.255.0
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address 101
crypto map outside_map 20 set peer 195.xx.xx.xx
crypto map outside_map 20 set transform-set ESP-3DES-MD5

Re-apply the crypto map to the interface:
crypto map outside_map interface outside

0
 

Author Comment

by:eastnine
ID: 11818531
Thanks lrmoore,

I will get onto this today


eastnine
0
 

Author Comment

by:eastnine
ID: 11830979
Hi Guys,

Still can't get this working; the London PIX locked me out and had to be rebooted after I gave it the commands! I have done a config factory-default and then applied the commands you specified, but still the VPN does not come up. Any ideas?

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password YDSjdnX5m19K4EJo encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Leeds
domain-name .co.uk
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 212.240.155.0 WGI-London
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 WGI-London 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 WGI-London 255.255.255.0
pager lines 24
icmp permit any echo-reply outside
icmp permit any echo-reply inside
mtu outside 1500
mtu inside 1500
ip address outside .60 255.255.255.0
ip address inside 192.168.0.101 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 .57 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer .137
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 212.240.155.137 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh .246 255.255.255.255 outside
ssh timeout 10
console timeout 0
dhcpd address 192.168.0.102-192.168.0.229 inside
dhcpd dns .147.246.75 .147.248.102
dhcpd lease 3600
dhcpd ping_timeout 4300
dhcpd domain .co.uk
dhcpd auto_config outside
dhcpd enable inside
username Mark password 38fEvBplhPavfM9j encrypted privilege 15
terminal width 80
Cryptochecksum:20b87a23b8b6f47c6fae5c5032ceee71
: end
[OK]


Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password  encrypted
passwd  encrypted
hostname pixfirewall
domain-name .co.uk
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit ip 212.240.155.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside .137 255.255.255.0
ip address inside 212.240.155.247 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 .129 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http .231 255.255.255.255 outside
http 212.240.155.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address 101
crypto map outside_map 20 set peer .60
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address .60 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh 212.240.155.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcprelay server 212.240.155.194 inside
terminal width 80
Cryptochecksum:f6f55f6d36856c566a2ffb30d641ab90
: end
[OK]



Thanks

EastNine
0
 

Author Comment

by:eastnine
ID: 11846200
Any ideas lrmoore? 'Cos I am lost...
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11846393

Add these to London:


access-list inside_outbound_nat0_acl permit ip 212.240.155.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
0
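As an added illustration of the two fixes lrmoore has asked for so far (the static crypto map entry pointing at the Leeds peer, and the nat (inside) 0 exemption for the same traffic), here is a small Python checker that is not part of this thread: it parses a constructed miniature of each PIX 6.3 config and reports which of those pieces is missing or does not mirror the other side. Assumed: LONDON and LEEDS are abbreviated reconstructions with documentation-range outside addresses (192.0.2.10 and 198.51.100.20), and the parser only understands the "permit ip" ACL form used in this thread.

```python
# Constructed miniature PIX 6.3 configs modelled on the thread's London (headend with
# only a dynamic map) and Leeds (static site-to-site) pair; outside addresses are
# documentation ranges, not the thread's real ones.
LONDON = """\
access-list 101 permit ip 212.240.155.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 212.240.155.128 255.255.255.192
ip address outside 192.0.2.10 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
"""
LEEDS = """\
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 212.240.155.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 212.240.155.0 255.255.255.0
ip address outside 198.51.100.20 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 192.0.2.10
"""

def parse(cfg):
    """Pull out what a site-to-site check needs from a PIX 6.3 running-config."""
    acls, peers, matches, outside, nat0 = {}, {}, {}, None, None
    for line in cfg.splitlines():
        w = line.split()
        if w[:1] == ["access-list"] and w[2:4] == ["permit", "ip"]:
            # keep (src, mask, dst, mask); 'any' is expanded to 0.0.0.0 0.0.0.0
            ent = " ".join(w[4:8]).replace("any", "0.0.0.0 0.0.0.0").split()
            acls.setdefault(w[1], set()).add(tuple(ent))
        elif w[:3] == ["ip", "address", "outside"]:
            outside = w[3]
        elif w[:3] == ["nat", "(inside)", "0"]:
            nat0 = w[4]                                   # name of the NAT-exempt ACL
        elif w[:2] == ["crypto", "map"] and w[4:6] in (["set", "peer"], ["match", "address"]):
            (peers if w[4] == "set" else matches)[w[3]] = w[6]   # seq -> peer / crypto ACL
    return outside, acls, peers, matches, nat0

def check_pair(local_cfg, remote_cfg):
    """List what stops the tunnel, judged from local_cfg's side of the pair."""
    l_out, l_acls, l_peers, l_match, l_nat0 = parse(local_cfg)
    r_out, r_acls, r_peers, r_match, _ = parse(remote_cfg)
    # 1. a static crypto map entry must name the remote outside address as its peer
    seq = next((s for s, p in l_peers.items() if p == r_out), None)
    if seq is None:
        return ["no static crypto map entry with peer %s" % r_out]
    crypto, problems = l_acls.get(l_match.get(seq), set()), []
    # 2. its crypto ACL must be the exact mirror of the remote's crypto ACL
    r_seq = next((s for s, p in r_peers.items() if p == l_out), None)
    r_crypto = r_acls.get(r_match.get(r_seq), set())
    if not crypto or {(d, dm, s, sm) for s, sm, d, dm in crypto} != r_crypto:
        problems.append("crypto ACL for seq %s does not mirror the remote side" % seq)
    # 3. the same traffic must be NAT-exempt, or it is PATed to the outside address
    #    and never matches the crypto ACL (the 'decaps but no encaps' symptom)
    if not crypto <= l_acls.get(l_nat0, set()):
        problems.append("nat (inside) 0 ACL does not cover the crypto ACL traffic")
    return problems
```

Run check_pair(LONDON, LEEDS) against the unmodified headend to see the missing static entry reported, then append lrmoore's four lines to LONDON and both directions come back clean.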
 

Author Comment

by:eastnine
ID: 11846796
I got this?

Result of firewall command: "nat (inside) 0 access-list inside_outbound_nat0_ac"
 
ERROR: access-list <inside_outbound_nat0_ac> does not exist
Command failed
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11846884
Did you input the acl first?

access-list inside_outbound_nat0_acl permit ip 212.240.155.0 255.255.255.0 192.168.0.0 255.255.255.0

then

nat (inside) 0 access-list inside_outbound_nat0_acl
0
 

Author Comment

by:eastnine
ID: 11847107


My apologies, tried a second time and it went in.

Still no VPN though?

I guess I need to get some logging info for the VPN attempts; how can I achieve this? I have a syslog client which I have used to troubleshoot the access rules, but I don't see how to apply that to the VPN side of things.

Eastnine

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11852457
What is the result of "show cry is sa"?
QM_IDLE = good
MM_xxxx = it's trying, something not jiving (incorrect shared key?)

Nothing at all... not even trying, but try the command several times. It may have timed out and will try to re-establish in a minute or two. Still nothing? Is there traffic getting generated at one end or the other that would trigger the tunnel, i.e. a continuous ping from a PC at one end to a PC at the other end?

You can enable debug crypto isakmp
and set the logging level to debug to capture it in your syslog.
0
 

Author Comment

by:eastnine
ID: 11891977
Result of firewall command: "show cry is sa"
 
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
  62.244.183.137   195.147.126.60    QM_IDLE         0           1


It would seem the tunnel is established, but I cannot access any host on either side.

Bear in mind that in the London office the PIX does not provide internet access for all users, so I have placed a static route on the main router, which is the default gateway for the entire network, that sends any traffic bound for 192.168.0.0 via the PIX.

I have noticed that there are lots of decapsulation packets but no encapsulation packets.

Regards

Eastnine
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 11892260
>are lots of decapsulation packets but no encapsulation packets.
Points to a routing issue, or a missing nat (inside) 0 statement ...

0
 

Author Comment

by:eastnine
ID: 11952237
Thanks again lrmoore, yeah it was indeed a local routing issue; in fact it was an incorrect mask!

Regards


EastNine
0