arnetguru
asked on
Help with IPSEC VPN between PIX 506E and Cisco 2600
I'm sure there's a config piece I'm missing, but I'm not sure what. I've done plenty of PIX-to-PIX IPSEC configs, but this is my first PIX-to-IOS IPSEC config. My ACL (140) doesn't appear to trigger anything, and I'm not sure that the routing is set up correctly.
Quick info:
HQ 2600 IP: 1.2.3.4
HQ LAN: 172.16.0.1/16
Branch PIX 506E IP: 5.6.7.8
Branch LAN: 192.168.11.0/24
HQ Router config (sanitized):
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
!
ip subnet-zero
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key ********* address 2.3.4.5
crypto isakmp key ********* address 3.4.5.6
crypto isakmp key ********* address 5.6.7.8
!
!
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
!
crypto map vpnmap 10 ipsec-isakmp
description VPN to BCA
set peer 2.3.4.5
set transform-set vpnset
match address 102
crypto map vpnmap 20 ipsec-isakmp
set peer 3.4.5.6
set transform-set vpnset
match address 105
!
crypto map BWI-Branch 10 ipsec-isakmp
set peer 5.6.7.8
set transform-set vpnset
match address 140
!
!
! (Multiple GRE Tunnels, each with Class C 192.168.x.0/30 range)
!
interface Tunnel0
interface Tunnel1
interface Tunnel2
.....
interface Tunnel10
!
interface FastEthernet0/0
description Main Internet T-1
ip address 9.8.7.6 255.255.255.0
ip access-group 120 in
ip access-group 101 out
ip nat outside
duplex auto
speed auto
keepalive 5
crypto map vpnmap
!
interface FastEthernet0/1
description Inside ethernet connection
ip address 172.16.0.1 255.255.0.0
ip nat inside
duplex auto
speed auto
!
interface Ethernet1/0
description Internet T-1 for Branch Access
ip address 1.2.3.4 255.255.255.248
no ip route-cache
ip nat outside
half-duplex
keepalive 5
crypto map BWI-Branch
!
router eigrp 100
network 172.16.0.0
network 192.168.20.0 0.0.0.3
network 192.168.30.0 0.0.0.3
network 192.168.40.0 0.0.0.3
network 192.168.50.0 0.0.0.3
network 192.168.60.0 0.0.0.3
network 192.168.80.0 0.0.0.3
network 192.168.90.0 0.0.0.3
network 192.168.130.0 0.0.0.3
network 192.168.140.0 0.0.0.3
no auto-summary
no eigrp log-neighbor-changes
!
ip nat pool pool1 9.8.7.6 9.8.7.6 netmask 255.255.255.0
ip nat inside source route-map BranchNoNAT pool pool1 overload
ip nat inside source static 172.16.0.3 9.8.7.7 extendable
ip nat inside source static 172.16.0.4 9.8.7.8 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 9.8.7.10
ip route 5.6.7.8 255.255.255.248 1.2.3.5
!
!
(ip route all GRE Tunnel endpoints to 1.2.3.5 (Ethernet1/0))
!
!
ip access-list extended BranchNAT
deny ip 172.16.0.0 0.0.255.255 192.168.11.0 0.0.0.255
deny ip 192.168.0.0 0.0.255.255 192.168.11.0 0.0.0.255
permit ip 172.16.0.0 0.0.255.255 any
permit ip 192.168.0.0 0.0.255.255 any
!
access-list 11 permit 172.16.0.0 0.0.255.255
access-list 11 permit 192.168.0.0 0.0.255.255
access-list 101 permit ip any any
access-list 101 permit tcp any any
access-list 102 permit ip host 64.119.78.32 host 10.0.0.2
access-list 105 permit ip host 64.119.78.32 host 10.0.5.5
access-list 120 permit tcp any host 162.39.177.59 range 8550 8650
access-list 120 permit ip any any
access-list 130 permit ip 172.16.0.0 0.0.255.255 10.1.0.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 192.168.11.0 0.0.0.255
access-list 140 permit ip 192.168.0.0 0.0.255.255 192.168.11.0 0.0.0.255
!
route-map BranchNoNAT permit 10
match ip address BranchNAT
!
Branch PIX:
access-list 100 permit icmp any any echo-reply
access-list nonat permit ip 192.168.11.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list nonat permit ip 192.168.11.0 255.255.255.0 192.168.0.0 255.255.0.0
ip address outside 5.6.7.8 255.255.255.248
ip address inside 192.168.11.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.0.1 1
route outside 1.2.3.4 255.255.255.248 5.6.7.7 1
sysopt connection permit-ipsec
crypto ipsec transform-set BWI esp-3des esp-md5-hmac
crypto map BranchVPN 10 ipsec-isakmp
crypto map BranchVPN 10 match address nonat
crypto map BranchVPN 10 set peer 1.2.3.4
crypto map BranchVPN 10 set transform-set BWI
crypto map BranchVPN interface outside
isakmp enable outside
isakmp key ******** address 1.2.3.4 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
Debugging key exchange on either end (debug crypto isakmp) displays nothing. I'm guessing it's an ACL issue, but the current config seems logical (to me).
Thanks for any help!
ASKER
Yep, I changed the ACL used by the crypto map. It's identical to the "nonat" ACL. Also removed default route to 172.16.0.1 for now. The reason that was there is because the intent is for all Internet access to route through HQ for content monitoring purposes. I've set 10 branches up like this with GRE tunnels (on 1721's).
I've added a temporary default route to 5.6.7.7 (my DSL modem). However, I still can't bring the tunnel up. A debug on the router or the PIX shows nothing when I try to send traffic either way, and a "show access-list" doesn't show any counters on either side.
I'll try resetting the PIX, but not sure what else to try.
Make sure that you are trying to establish the tunnel by using a host behind the PIX to ping a host behind the router on the 172.16.x.x subnet, and that both hosts have the proper default gateway pointing directly to the local device (i.e. the 172.16.x.x client has 172.16.0.1 as the gateway, and the 192.168.11.x client has 192.168.11.1 as the default gateway).
ASKER
Could the existing crypto map (vpnmap) on the other Public interface be interfering in any way? I've pinged from a PC behind the router to the PIX LAN IP, and the ACL counters for my crypto map are still zero.
>I've pinged from a PC behind the router to the PIX LAN IP
Won't work. You must ping something that is sitting behind the PIX.
ASKER
Got it working. Had two issues:
1. Had to remove the ACL entry for 192.168.0.0 0.0.255.255.
2. Had to add a route for 192.168.11.0 out Ethernet1/0
Good job!
Do you need more information?
Have you resolved this problem?
Can you close this question?
Thanks!
ASKER CERTIFIED SOLUTION
First, take this out:
>route outside 1.2.3.4 255.255.255.248 5.6.7.7 1
Next, this looks awful funny:
>route outside 0.0.0.0 0.0.0.0 172.16.0.1 1
I would expect to see only:
route outside 0.0.0.0 0.0.0.0 5.6.7.7 1
You have the same acl being used by two independent processes:
>nat (inside) 0 access-list nonat
>crypto map BranchVPN 10 match address nonat
Try creating a new acl identical to the nonat acl:
access-list VPNmatch permit ip 192.168.11.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list VPNmatch permit ip 192.168.11.0 255.255.255.0 192.168.0.0 255.255.0.0
and apply it to the crypto map:
crypto map BranchVPN 10 match address VPNmatch
On the ROUTER end, you're looking pretty good from what I can see...
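Two of the checks that settled this thread can be scripted: whether the crypto (proxy-identity) ACLs on the two peers are exact mirrors of each other (the accepted solution's point about giving the crypto map its own match ACL, and the asker's fix of dropping the 192.168.0.0 0.0.255.255 entry, whose source range contains the 192.168.11.0/24 destination), and whether a PIX static route names a next hop that actually sits on the outside interface's subnet (the "awful funny" default route via 172.16.0.1). The following Python is an added example written for this page, not code from either poster or from Cisco. It parses the ACL and route lines as posted above (embedded here as constructed sample text), handles only the `permit ip <net> <mask> <net> <mask>` form (no `host`/`any` keywords), and converts IOS wildcard masks and PIX subnet masks into the same network objects so the two sides can be compared. Note that with the sanitized addresses as posted, 5.6.7.7 also falls outside 5.6.7.8/29, so the route check flags that next hop too; on the real network the DSL modem would presumably sit on the outside /29.

```python
"""Sanity checks for a PIX <-> IOS site-to-site IPsec config (added example)."""
import ipaddress
import re

# Constructed sample text, copied from the (sanitized) configs posted above.
HQ_ACL_140 = """
access-list 140 permit ip 172.16.0.0 0.0.255.255 192.168.11.0 0.0.0.255
access-list 140 permit ip 192.168.0.0 0.0.255.255 192.168.11.0 0.0.0.255
"""
PIX_NONAT = """
access-list nonat permit ip 192.168.11.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list nonat permit ip 192.168.11.0 255.255.255.0 192.168.0.0 255.255.0.0
"""
PIX_ROUTING = """
ip address outside 5.6.7.8 255.255.255.248
ip address inside 192.168.11.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 172.16.0.1 1
route outside 1.2.3.4 255.255.255.248 5.6.7.7 1
"""

# Assumption: only the "permit ip <net> <mask> <net> <mask>" form is handled;
# the "host" and "any" keywords do not occur in the ACLs on this page.
ACL_RE = re.compile(r"access-list\s+\S+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
IFACE_RE = re.compile(r"ip address\s+(\S+)\s+(\S+)\s+(\S+)")
ROUTE_RE = re.compile(r"route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def ios_net(addr, wildcard):
    """IOS ACLs use wildcard (inverse) masks: 0.0.255.255 means /16."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def pix_net(addr, mask):
    """PIX ACLs use ordinary subnet masks: 255.255.0.0 means /16."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acl(text, style):
    """Return [(src_net, dst_net), ...] for an IOS ('ios') or PIX ('pix') ACL."""
    to_net = ios_net if style == "ios" else pix_net
    return [(to_net(s, sm), to_net(d, dm)) for s, sm, d, dm in ACL_RE.findall(text)]


def crypto_acl_problems(local, peer):
    """Problems with a crypto ACL relative to the peer's crypto ACL:
    - an entry the peer does not mirror exactly (peer must have src/dst swapped),
      otherwise the Phase 2 proxy identities will not agree;
    - an entry whose source range overlaps its destination range, so the tunnel
      claims traffic for part of its own source network."""
    mirrored = {(d, s) for s, d in peer}
    problems = []
    for s, d in local:
        if (s, d) not in mirrored:
            problems.append(f"no exact mirror on peer for {s} -> {d}")
        if s.overlaps(d):
            problems.append(f"source {s} overlaps destination {d}")
    return problems


def pix_route_problems(text):
    """Flag PIX static routes whose next hop is not on the named interface's
    directly connected subnet; such a route can never forward to the peer."""
    ifaces = {name: pix_net(a, m) for name, a, m in IFACE_RE.findall(text)}
    problems = []
    for name, dest, mask, gw in ROUTE_RE.findall(text):
        if name not in ifaces:
            problems.append(f"{dest}/{mask}: route via unknown interface {name}")
        elif ipaddress.IPv4Address(gw) not in ifaces[name]:
            problems.append(f"{dest}/{mask} via {gw}: next hop not in {ifaces[name]} ({name})")
    return problems


def check_as_posted():
    """Run all checks against the configs as they were originally posted."""
    hq = parse_acl(HQ_ACL_140, "ios")
    pix = parse_acl(PIX_NONAT, "pix")
    return {
        "hq": crypto_acl_problems(hq, pix),
        "pix": crypto_acl_problems(pix, hq),
        "routes": pix_route_problems(PIX_ROUTING),
    }


if __name__ == "__main__":
    for side, probs in check_as_posted().items():
        print(side, *(probs or ["ok"]), sep="\n  ")
```

Run as-is it reports the 192.168.0.0/16 entry on both sides as overlapping its own destination, and both PIX routes as having an off-subnet next hop; removing the /16 line from only one peer trades the overlap warning for a mirror mismatch, which is the situation the accepted solution's separate `VPNmatch` ACL is meant to make easy to see.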