
Help with IPSEC VPN between PIX 506E and Cisco 2600

Posted on 2004-09-28
Last Modified: 2010-08-05
I'm sure there's a config piece I'm missing, but I'm not sure what.  I've done plenty of PIX-to-PIX IPSEC configs, but this is my first PIX-to-IOS IPSEC config.  My ACL (140) doesn't appear to trigger anything, and I'm not sure that the routing is set up correctly.

Quick info:
HQ 2600 IP: 1.2.3.4
HQ LAN: 172.16.0.1/16
Branch PIX 506E IP: 5.6.7.8
Branch LAN: 192.168.11.0/24

HQ Router config (sanitized):
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
!
ip subnet-zero
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ********* address 2.3.4.5
crypto isakmp key ********* address 3.4.5.6
crypto isakmp key ********* address 5.6.7.8
!
!
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
!
crypto map vpnmap 10 ipsec-isakmp
 description VPN to BCA
 set peer 2.3.4.5
 set transform-set vpnset
 match address 102
crypto map vpnmap 20 ipsec-isakmp
 set peer 3.4.5.6
 set transform-set vpnset
 match address 105
!
crypto map BWI-Branch 10 ipsec-isakmp
 set peer 5.6.7.8
 set transform-set vpnset
 match address 140
!
!
! (Multiple GRE Tunnels, each with Class C 192.168.x.0/30 range)
!
interface Tunnel0
interface Tunnel1
interface Tunnel2
.....
interface Tunnel10
!
interface FastEthernet0/0
 description Main Internet T-1
 ip address 9.8.7.6 255.255.255.0
 ip access-group 120 in
 ip access-group 101 out
 ip nat outside
 duplex auto
 speed auto
 keepalive 5
 crypto map vpnmap
!
interface FastEthernet0/1
 description Inside ethernet connection
 ip address 172.16.0.1 255.255.0.0
 ip nat inside
 duplex auto
 speed auto
!
interface Ethernet1/0
 description Internet T-1 for Branch Access
 ip address 1.2.3.4 255.255.255.248
 no ip route-cache
 ip nat outside
 half-duplex
 keepalive 5
 crypto map BWI-Branch
!
router eigrp 100
 network 172.16.0.0
 network 192.168.20.0 0.0.0.3
 network 192.168.30.0 0.0.0.3
 network 192.168.40.0 0.0.0.3
 network 192.168.50.0 0.0.0.3
 network 192.168.60.0 0.0.0.3
 network 192.168.80.0 0.0.0.3
 network 192.168.90.0 0.0.0.3
 network 192.168.130.0 0.0.0.3
 network 192.168.140.0 0.0.0.3
 no auto-summary
 no eigrp log-neighbor-changes
!
ip nat pool pool1 9.8.7.6 9.8.7.6 netmask 255.255.255.0
ip nat inside source route-map BranchNoNAT pool pool1 overload
ip nat inside source static 172.16.0.3 9.8.7.7 extendable
ip nat inside source static 172.16.0.4 9.8.7.8 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 9.8.7.10
ip route 5.6.7.8 255.255.255.248 1.2.3.5
!
!
(ip route all GRE Tunnel endpoints to 1.2.3.5 (Ethernet1/0))
!
!
ip access-list extended BranchNAT
 deny   ip 172.16.0.0 0.0.255.255 192.168.11.0 0.0.0.255
 deny   ip 192.168.0.0 0.0.255.255 192.168.11.0 0.0.0.255
 permit ip 172.16.0.0 0.0.255.255 any
 permit ip 192.168.0.0 0.0.255.255 any
!
access-list 11 permit 172.16.0.0 0.0.255.255
access-list 11 permit 192.168.0.0 0.0.255.255
access-list 101 permit ip any any
access-list 101 permit tcp any any
access-list 102 permit ip host 64.119.78.32 host 10.0.0.2
access-list 105 permit ip host 64.119.78.32 host 10.0.5.5
access-list 120 permit tcp any host 162.39.177.59 range 8550 8650
access-list 120 permit ip any any
access-list 130 permit ip 172.16.0.0 0.0.255.255 10.1.0.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 192.168.11.0 0.0.0.255
access-list 140 permit ip 192.168.0.0 0.0.255.255 192.168.11.0 0.0.0.255
!
route-map BranchNoNAT permit 10
 match ip address BranchNAT
!

Branch PIX:
access-list 100 permit icmp any any echo-reply
access-list nonat permit ip 192.168.11.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list nonat permit ip 192.168.11.0 255.255.255.0 192.168.0.0 255.255.0.0
ip address outside 5.6.7.8 255.255.255.248
ip address inside 192.168.11.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.0.1 1
route outside 1.2.3.4 255.255.255.248 5.6.7.7 1

sysopt connection permit-ipsec
crypto ipsec transform-set BWI esp-3des esp-md5-hmac
crypto map BranchVPN 10 ipsec-isakmp
crypto map BranchVPN 10 match address nonat
crypto map BranchVPN 10 set peer 1.2.3.4
crypto map BranchVPN 10 set transform-set BWI
crypto map BranchVPN interface outside
isakmp enable outside
isakmp key ******** address 1.2.3.4 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Debugging key exchange on either end (debug crypto isakmp) displays nothing.  I'm guessing it's an ACL issue, but the current config seems logical (to me).

Thanks for any help!
Question by:arnetguru
10 Comments
LVL 79

Expert Comment

by:lrmoore
ID: 12172575
Let's start at the PIX and work back to the router.

First, take this out:
>route outside 1.2.3.4 255.255.255.248 5.6.7.7 1
Next, this looks awful funny:
>route outside 0.0.0.0 0.0.0.0 172.16.0.1 1

I would expect to see only:
   route outside 0.0.0.0 0.0.0.0 5.6.7.7 1

You have the same acl being used by two independent processes:
>nat (inside) 0 access-list nonat
>crypto map BranchVPN 10 match address nonat

Try creating a new acl identical to the nonat acl:

     access-list VPNmatch permit ip 192.168.11.0 255.255.255.0 172.16.0.0 255.255.0.0
     access-list VPNmatch permit ip 192.168.11.0 255.255.255.0 192.168.0.0 255.255.0.0

and apply it to the crypto map:
     crypto map BranchVPN 10 match address VPNmatch

On the ROUTER end, you're looking pretty good from what I can see...
 

Author Comment

by:arnetguru
ID: 12172874
Yep, I changed the ACL used by the crypto map.  It's identical to the "nonat" ACL.   Also removed default route to 172.16.0.1 for now.  The reason that was there is because the intent is for all Internet access to route through HQ for content monitoring purposes.  I've set 10 branches up like this with GRE tunnels (on 1721's).  

I've added a temporary default route to 5.6.7.7 (my DSL modem).  However, I still can't bring the tunnel up.  A debug on the router or the PIX shows nothing when I try to send traffic either way, and a "show access-list" doesn't show any counters on either side.

I'll try resetting the PIX, but not sure what else to try.
LVL 79

Expert Comment

by:lrmoore
ID: 12172906
Make sure that you are trying to establish the tunnel by using a host behind the PIX to ping a host behind the router on the 172.16.x.x subnet, and that both hosts have the proper default gateway pointing directly to the local device (i.e. the 172.16.x.x client has 172.16.0.1 as the gateway, and the 192.168.11.x client has 192.168.11.1 as the default gateway).

Author Comment

by:arnetguru
ID: 12173461
Could the existing crypto map (vpnmap) on the other Public interface be interfering in any way?  I've pinged from a PC behind the router to the PIX LAN IP, and the ACL counters for my crypto map are still zero.  

LVL 79

Expert Comment

by:lrmoore
ID: 12175764
>I've pinged from a PC behind the router to the PIX LAN IP
Won't work. You must ping something that is sitting behind the PIX.

Author Comment

by:arnetguru
ID: 12175950
Got it working.  Had two issues:

1.  Had to remove the ACL entry for 192.168.0.0 0.0.255.255.
2.  Had to add a route for 192.168.11.0 out Ethernet1/0

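The fix above came down to two things that are easy to check mechanically: the crypto ACL on the router must be the exact mirror of the crypto ACL on the PIX, and a proxy identity whose destination supernet (192.168.0.0/16) swallows the local LAN (192.168.11.0/24) is a sign something is wrong. The following script is an added example, not code from this thread; it parses IOS numbered ACLs (wildcard masks) and PIX 6.x ACLs (subnet masks) into networks and reports unmirrored or overlapping entries. It assumes only `permit ip` entries matter for the crypto map and that masks are contiguous; the sample lines are copied from the configs posted in the question.

```python
"""Mirror-check the crypto ACLs on an IOS router and a PIX 6.x firewall.

IOS numbered ACLs use wildcard (inverse) masks such as 0.0.255.255;
PIX 6.x ACLs use ordinary subnet masks such as 255.255.0.0.  Both are
normalised to ip_network objects so the proxy identities on the two
peers can be compared as (source, destination) pairs.  Only
'permit ip' entries are considered (assumption: that is all a
site-to-site crypto ACL needs here).
"""
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]

# Constructed sample input, copied from the configs posted in this thread.
ROUTER_ACL_140 = [
    "access-list 140 permit ip 172.16.0.0 0.0.255.255 192.168.11.0 0.0.0.255",
    "access-list 140 permit ip 192.168.0.0 0.0.255.255 192.168.11.0 0.0.0.255",
]
PIX_VPNMATCH = [
    "access-list VPNmatch permit ip 192.168.11.0 255.255.255.0 172.16.0.0 255.255.0.0",
    "access-list VPNmatch permit ip 192.168.11.0 255.255.255.0 192.168.0.0 255.255.0.0",
]


def wildcard_to_prefixlen(wildcard: str) -> int:
    """Turn a contiguous IOS wildcard mask into a prefix length (0.0.0.255 -> 24)."""
    inv = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    plen = bin(inv).count("1")
    if inv != (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return plen


def _take_spec(tokens: List[str], i: int, wildcard: bool) -> Tuple[Net, int]:
    """Consume one address spec ('any', 'host A' or 'A MASK') starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, mask = tokens[i], tokens[i + 1]
    if wildcard:
        net = ipaddress.ip_network(f"{addr}/{wildcard_to_prefixlen(mask)}", strict=False)
    else:
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return net, i + 2


def parse_acl(lines: List[str], acl_id: str, wildcard: bool) -> List[Pair]:
    """Extract (src, dst) pairs from the 'permit ip' lines of one ACL."""
    pairs: List[Pair] = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[:2] != ["access-list", acl_id] or t[2:4] != ["permit", "ip"]:
            continue
        src, i = _take_spec(t, 4, wildcard)
        dst, _ = _take_spec(t, i, wildcard)
        pairs.append((src, dst))
    return pairs


def check_mirror(local: List[Pair], remote: List[Pair]) -> List[str]:
    """Report entries without an exact mirror on the other peer, and entries
    whose source and destination overlap (192.168.0.0/16 swallows the
    192.168.11.0/24 branch LAN in the posted configs)."""
    findings: List[str] = []
    for side, mine, theirs in (("local", local, remote), ("remote", remote, local)):
        for src, dst in mine:
            if (dst, src) not in theirs:
                findings.append(f"{side} {src} -> {dst}: no mirrored entry on the other peer")
            if src.overlaps(dst):
                findings.append(f"{side} {src} -> {dst}: source and destination overlap")
    return findings


def audit(router_lines: List[str], router_acl: str,
          pix_lines: List[str], pix_acl: str) -> List[str]:
    """Router side is parsed with wildcard masks, PIX side with subnet masks."""
    router = parse_acl(router_lines, router_acl, wildcard=True)
    pix = parse_acl(pix_lines, pix_acl, wildcard=False)
    return check_mirror(router, pix)


if __name__ == "__main__":
    for finding in audit(ROUTER_ACL_140, "140", PIX_VPNMATCH, "VPNmatch"):
        print(finding)
    # Dropping the 192.168.0.0/16 entry on both peers leaves nothing to report.
    print(audit(ROUTER_ACL_140[:1], "140", PIX_VPNMATCH[:1], "VPNmatch"))
```

Run against the posted ACLs it flags the second entry on each side for overlap while confirming the two sides mirror; drop the 192.168.0.0/16 entry on only one peer and it reports the surviving entry as unmirrored, which is the state that stops IKE from ever being triggered.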
LVL 79

Expert Comment

by:lrmoore
ID: 12175968
Good job!
LVL 79

Expert Comment

by:lrmoore
ID: 13688755
Do you need more information?
Have you resolved this problem?
Can you close this question?
Thanks!

Accepted Solution

by:
CetusMOD earned 0 total points
ID: 16238153
PAQed with points refunded (500)

CetusMOD
Community Support Moderator