Unable to get ISAKMP negotiation between PIX and Cisco 831 router

Posted on 2004-08-29
Last Modified: 2012-08-14
I've been trying to set up a VPN between an 831 router at a remote office and the PIX firewall at the corporate office. I've stared at these configs until I'm blue in the face and cannot find the problem. I think it might be in the access list, but I'm not sure what to do. I have run debug crypto isakmp on both sides and cannot get any output indicating there is communication between the two. I do have vpdn set up and working, so I can work from both sides of the connection. I have tried pinging from boxes on the inside of each network, but neither device will bring up the tunnel or show any output through debug.
Here are the configs:
-----------------------------------------------------------------------------------------
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password Ww0YZPh.iCQFGluP encrypted
passwd Ww0YZPh.iCQFGluP encrypted
hostname pix.133154-01
domain-name xxxxxxxxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol ftp 20
names
access-list VPN permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list VPN permit ip 192.168.2.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list VPN permit ip 192.168.3.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list VPN permit ip 192.168.4.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list VPN permit ip 192.168.5.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list VPN permit ip 192.168.6.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list VPN permit ip 192.168.7.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list VPN permit ip 192.168.8.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list VPN permit ip 192.168.10.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list emiller permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
pager lines 24
interface ethernet0 100full
interface ethernet1 100basetx
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 69.11.xxx.xxx 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool clients 192.168.200.100-192.168.200.119
pdm history enable
arp timeout 14400
global (outside) 1 69.11.xxx.xxx
nat (inside) 0 access-list VPN
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 69.11.xxx.xxx 1
route inside 10.138.88.0 255.255.255.0 192.168.1.2 1
route inside 192.168.2.0 255.255.255.0 192.168.1.2 1
route inside 192.168.3.0 255.255.255.0 192.168.1.2 1
route inside 192.168.4.0 255.255.255.0 192.168.1.2 1
route inside 192.168.5.0 255.255.255.0 192.168.1.2 1
route inside 192.168.6.0 255.255.255.0 192.168.1.2 1
route inside 192.168.10.0 255.255.255.0 192.168.1.2 1
route inside 192.168.100.0 255.255.255.0 192.168.1.2 1
route inside 192.168.101.0 255.255.255.0 192.168.1.2 1
route inside 192.168.102.0 255.255.255.0 192.168.1.2 1
route inside 192.168.200.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map emiller 21 ipsec-isakmp
crypto map emiller 21 match address emiller
crypto map emiller 21 set peer 24.94.xxx.x
crypto map emiller 21 set transform-set strong
crypto map emiller interface outside
isakmp enable outside
isakmp key ******** address 24.94.xxx.x netmask 255.255.255.255
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption 3des
isakmp policy 21 hash md5
isakmp policy 21 group 2
isakmp policy 21 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 15
ssh 24.94.xxx.x 255.255.255.255 outside
ssh timeout 15
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto required
vpdn group 1 client configuration address local clients
vpdn group 1 client configuration dns 192.168.1.25
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username xxxxxxxx password *********
vpdn username xxxxxx password *********
vpdn enable outside
terminal width 80
Cryptochecksum:86eeb0849b6741ffb23f298d9f4b08d7
: end

-------------------------------------------------------------------------------------------------
!This is the running config of the router: 192.168.8.1
!----------------------------------------------------------------------------
!version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname BrownDeer
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$VJ6t$PTMACj/MR9aRy0ntlZUhv0
!
username Eric privilege 15 password 7 141A010E1E127F78
clock timezone Chicago -6
clock summer-time Chicago date Apr 3 2004 2:00 Oct 31 2004 2:00
no aaa new-model
ip subnet-zero
no ip source-route
ip domain lookup source-interface Ethernet1
ip domain name xxxxxxx.com
ip dhcp excluded-address 192.168.8.1 192.168.8.100
ip dhcp excluded-address 192.168.8.200 192.168.8.254
!
ip dhcp pool CLIENT
   import all
   network 192.168.8.0 255.255.255.0
   default-router 192.168.8.1
   lease infinite
!
!
no ip bootp server
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 0 xxxxx address 69.11.xxx.xxx
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 69.11.xxx.xxx
 set peer 69.11.xxx.xxx
 set transform-set strong
 match address 103
!
!
!
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 description $ETH-LAN$$FW_INSIDE$
 ip address 192.168.8.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 no cdp enable
!
interface Ethernet1
 description $FW_OUTSIDE$
 ip address dhcp client-id Ethernet1
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip route-cache flow
 duplex auto
 no cdp enable
 crypto map SDM_CMAP_1
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
ip nat inside source route-map SDM_RMAP_1 interface Ethernet1 overload
ip classless
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
!
logging trap debugging
logging 192.168.8.101
access-list 1 permit 192.168.8.101
access-list 1 remark SDM_ACL Category=17
access-list 1 permit 192.168.8.0 0.0.0.255
access-list 1 deny   any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 remark IPSec Rule
access-list 100 deny   ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit tcp host 192.168.8.101 host 192.168.8.1 eq telnet
access-list 100 permit tcp host 192.168.8.101 host 192.168.8.1 eq 22
access-list 100 permit tcp host 192.168.8.101 host 192.168.8.1 eq www
access-list 100 permit tcp host 192.168.8.101 host 192.168.8.1 eq 443
access-list 100 permit tcp host 192.168.8.101 host 192.168.8.1 eq cmd
access-list 100 deny   tcp any host 192.168.8.1 eq telnet
access-list 100 deny   tcp any host 192.168.8.1 eq 22
access-list 100 deny   tcp any host 192.168.8.1 eq www
access-list 100 deny   tcp any host 192.168.8.1 eq 443
access-list 100 deny   tcp any host 192.168.8.1 eq cmd
access-list 100 deny   udp any host 192.168.8.1 eq snmp
access-list 100 deny   ip 24.94.xxx.x 0.0.0.3 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 101 permit udp host 69.11.xxx.xxx any eq non500-isakmp
access-list 101 permit udp host 69.11.xxx.xxx any eq isakmp
access-list 101 permit esp host 69.11.xxx.xxx any
access-list 101 permit ahp host 69.11.xxx.xxx any
access-list 101 permit tcp host 69.11.xxx.xxx host 24.94.xxx.x eq 22
access-list 101 permit tcp host 69.11.xxx.xxx host 24.94.xxx.x eq 443
access-list 101 permit tcp host 69.11.xxx.xxx host 24.94.xxx.x eq cmd
access-list 101 permit gre host 69.11.xxx.xxx host 24.94.xxx.x
access-list 101 deny   tcp any host 24.94.xxx.x eq telnet
access-list 101 deny   tcp any host 24.94.xxx.x eq www
access-list 101 deny   udp any host 24.94.xxx.x eq snmp
access-list 101 remark Auto generated by SDM for NTP (123) 132.163.4.101
access-list 101 permit udp host 132.163.4.101 eq ntp any eq ntp
access-list 101 deny   ip 192.168.8.0 0.0.0.255 any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip any any log
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=17
access-list 102 permit ip host 192.168.8.101 any
access-list 102 permit ip host 69.11.232.202 any
access-list 102 deny   ip any any
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
banner login ^C
Unauthorized access to this router is forbidden.
If you violate this policy, you may be prosecuted to the full extent of the law.

^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 access-class 102 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
sntp server 132.163.4.101
!
end
-----------------------------------------------------------------------

Any help you can give would be greatly appreciated.
Question by: e_miller53

Accepted Solution by: lrmoore

>access-list emiller permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
>crypto map emiller 21 match address emiller
>crypto map emiller 21 set peer 24.94.xxx.x

With those entries, can I assume that this is for the LAN-LAN tunnel to the router?

I would expect to also see an addition to the nat zero acl that matches the "emiller" acl:
access-list VPN permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0

On the router side:

Given:
>interface Ethernet1
> description $FW_OUTSIDE$
> ip access-group 101 in

Your access-list is specifically permitting the network on the other side of the PIX (Good!)
>access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.8.0 0.0.0.255

Your tunnel match acl is a mirror of the PIX (Good!)
>access-list 103 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255

Route-map for NAT is OK on the router (Good!)

Everything else looks good. Two more things to check:

PC on 192.168.8.x side has default gateway pointing to 192.168.8.1 (router) - Check?
PC on 192.168.1.x side has default gateway pointing to 192.168.1.1 (pix) - Check?
PC on 192.168.1.x side has default gateway pointing to 192.168.1.2 (router?) - Does this router have a route statement in it pointing to the PIX for the 192.168.8.x subnet?


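The two things lrmoore checks by eye above, that every flow in the PIX crypto-map ACL is also in the nat 0 (NAT exemption) ACL and that the router's crypto ACL is the mirror image of it, are easy to get wrong when the PIX uses netmasks and IOS uses wildcard masks. The following Python script is an added example, not code from the thread or from Cisco; it parses constructed excerpts modelled on the two configs in the question (peer addresses and unrelated lines omitted), reports crypto flows that are not NAT-exempt, and reports flows that the other side does not mirror. The `PIX_BEFORE` excerpt reproduces the gap in the question; `PIX_AFTER` adds the line lrmoore suggested.

```python
"""Audit a PIX 6.x LAN-to-LAN crypto ACL against its nat 0 ACL and the IOS peer's
crypto ACL. Both checks are on the interesting-traffic definitions only; ISAKMP
policy and transform-set parity are not examined here."""
import ipaddress
import re

# Constructed excerpts modelled on the question's configs (not the full configs).
PIX_BEFORE = """
access-list VPN permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list emiller permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
nat (inside) 0 access-list VPN
crypto map emiller 21 ipsec-isakmp
crypto map emiller 21 match address emiller
"""
# The fix lrmoore proposed: make the nat 0 ACL cover the LAN-to-LAN flow too.
PIX_AFTER = PIX_BEFORE + (
    "access-list VPN permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0\n"
)
IOS = """
crypto map SDM_CMAP_1 1 ipsec-isakmp
 match address 103
access-list 103 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
"""


def _net(tokens, wildcard):
    """Consume one address spec ('any', 'host A', or 'A MASK') from a token list.
    IOS extended ACLs use wildcard masks, so they are inverted to a netmask first;
    this avoids the 0.0.0.0 ambiguity (netmask /0 vs. wildcard /32)."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    if wildcard:
        mask = str(ipaddress.ip_address(int(ipaddress.ip_address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{head}/{mask}", strict=False)


def parse_acls(text, wildcard):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' entries only;
    remarks, denies and non-IP entries do not define crypto or NAT-exempt flows."""
    acls = {}
    for line in text.splitlines():
        m = re.match(r"^access-list (\S+) permit ip (.+)$", line.strip())
        if not m:
            continue
        toks = m.group(2).split()
        src, dst = _net(toks, wildcard), _net(toks, wildcard)
        acls.setdefault(m.group(1), []).append((src, dst))
    return acls


def _match_acl(text):
    """ACL referenced by 'match address' (PIX one-liner or IOS sub-mode form)."""
    m = re.search(r"match address (\S+)\s*$", text, re.M)
    return m.group(1) if m else None


def _nat0_acl(text):
    """ACL referenced by the PIX 'nat (ifname) 0 access-list NAME' statement."""
    m = re.search(r"^nat \(\S+\) 0 access-list (\S+)", text, re.M)
    return m.group(1) if m else None


def _covered(flow, acl):
    """True if some ACL entry contains both the source and destination of flow."""
    src, dst = flow
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in acl)


def audit(pix_text, ios_text):
    """Return the three finding lists as 'src -> dst' strings (empty means clean)."""
    pix = parse_acls(pix_text, wildcard=False)
    ios = parse_acls(ios_text, wildcard=True)
    pix_crypto = pix.get(_match_acl(pix_text), [])
    ios_crypto = ios.get(_match_acl(ios_text), [])
    nat0 = pix.get(_nat0_acl(pix_text), [])
    fmt = lambda f: f"{f[0]} -> {f[1]}"
    mirrored = {(d, s) for s, d in ios_crypto}
    return {
        # Crypto flows the PIX will still translate with nat 1 (tunnel never matches).
        "not_nat_exempt": [fmt(f) for f in pix_crypto if not _covered(f, nat0)],
        # PIX crypto flows with no reversed counterpart on the router.
        "not_mirrored": [fmt(f) for f in pix_crypto if f not in mirrored],
        # Router crypto flows with no reversed counterpart on the PIX.
        "ios_only": [fmt(f) for f in ios_crypto if (f[1], f[0]) not in set(pix_crypto)],
    }


if __name__ == "__main__":
    for label, cfg in (("before", PIX_BEFORE), ("after", PIX_AFTER)):
        print(label, audit(cfg, IOS))
```

Running it prints the LAN-to-LAN flow under `not_nat_exempt` for the "before" config and three empty lists for the "after" config, which matches the outcome in the thread: with the nat 0 ACL completed, the first inside-to-inside ping brings the tunnel up.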
Author Comment by: e_miller53

Thank You!

The access-list VPN did the trick! As soon as I pinged the other inside interface (8.1) the VPN came up immediately. This is the first time I've ever tried to set up a VPN and needing to do it with Cisco equipment has definitely been a learning experience. And of course it was needed yesterday.

Thanks again.

Expert Comment by: lrmoore

Glad to help!