arnetguru

asked on

Help with IPSEC VPN between PIX 506E and Cisco 2600

I'm sure there's a config piece I'm missing, but I'm not sure what.  I've done plenty of PIX-to-PIX IPSEC configs, but this is my first PIX-to-IOS IPSEC config.  My ACL (140) doesn't appear to trigger anything, and I'm not sure that the routing is set up correctly.

Quick info:
HQ 2600 IP: 1.2.3.4
HQ LAN: 172.16.0.1/16
Branch PIX 506E IP: 5.6.7.8
Branch LAN: 192.168.11.0/24

HQ Router config (sanitized):
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
ip subnet-zero
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ********* address 2.3.4.5
crypto isakmp key ********* address 3.4.5.6
crypto isakmp key ********* address 5.6.7.8
!
!
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
!
crypto map vpnmap 10 ipsec-isakmp
 description VPN to BCA
 set peer 2.3.4.5
 set transform-set vpnset
 match address 102
crypto map vpnmap 20 ipsec-isakmp
 set peer 3.4.5.6
 set transform-set vpnset
 match address 105
!
crypto map BWI-Branch 10 ipsec-isakmp
 set peer 5.6.7.8
 set transform-set vpnset
 match address 140
!
!
! (Multiple GRE Tunnels, each with Class C 192.168.x.0/30 range)
!
interface Tunnel0
interface Tunnel1
interface Tunnel2
.....
interface Tunnel10
!
interface FastEthernet0/0
 description Main Internet T-1
 ip address 9.8.7.6 255.255.255.0
 ip access-group 120 in
 ip access-group 101 out
 ip nat outside
 duplex auto
 speed auto
 keepalive 5
 crypto map vpnmap
!
interface FastEthernet0/1
 description Inside ethernet connection
 ip address 172.16.0.1 255.255.0.0
 ip nat inside
 duplex auto
 speed auto
!
interface Ethernet1/0
 description Internet T-1 for Branch Access
 ip address 1.2.3.4 255.255.255.248
 no ip route-cache
 ip nat outside
 half-duplex
 keepalive 5
 crypto map BWI-Branch
!
router eigrp 100
 network 172.16.0.0
 network 192.168.20.0 0.0.0.3
 network 192.168.30.0 0.0.0.3
 network 192.168.40.0 0.0.0.3
 network 192.168.50.0 0.0.0.3
 network 192.168.60.0 0.0.0.3
 network 192.168.80.0 0.0.0.3
 network 192.168.90.0 0.0.0.3
 network 192.168.130.0 0.0.0.3
 network 192.168.140.0 0.0.0.3
 no auto-summary
 no eigrp log-neighbor-changes
!
ip nat pool pool1 9.8.7.6 9.8.7.6 netmask 255.255.255.0
ip nat inside source route-map BranchNoNAT pool pool1 overload
ip nat inside source static 172.16.0.3 9.8.7.7 extendable
ip nat inside source static 172.16.0.4 9.8.7.8 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 9.8.7.10
ip route 5.6.7.8 255.255.255.248 1.2.3.5
!
!
(ip route all GRE Tunnel endpoints to 1.2.3.5 (Ethernet1/0))
!
!
ip access-list extended BranchNAT
 deny   ip 172.16.0.0 0.0.255.255 192.168.11.0 0.0.0.255
 deny   ip 192.168.0.0 0.0.255.255 192.168.11.0 0.0.0.255
 permit ip 172.16.0.0 0.0.255.255 any
 permit ip 192.168.0.0 0.0.255.255 any
!
access-list 11 permit 172.16.0.0 0.0.255.255
access-list 11 permit 192.168.0.0 0.0.255.255
access-list 101 permit ip any any
access-list 101 permit tcp any any
access-list 102 permit ip host 64.119.78.32 host 10.0.0.2
access-list 105 permit ip host 64.119.78.32 host 10.0.5.5
access-list 120 permit tcp any host 162.39.177.59 range 8550 8650
access-list 120 permit ip any any
access-list 130 permit ip 172.16.0.0 0.0.255.255 10.1.0.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 192.168.11.0 0.0.0.255
access-list 140 permit ip 192.168.0.0 0.0.255.255 192.168.11.0 0.0.0.255
!
route-map BranchNoNAT permit 10
 match ip address BranchNAT
!

Branch PIX:
access-list 100 permit icmp any any echo-reply
access-list nonat permit ip 192.168.11.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list nonat permit ip 192.168.11.0 255.255.255.0 192.168.0.0 255.255.0.0
ip address outside 5.6.7.8 255.255.255.248
ip address inside 192.168.11.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.0.1 1
route outside 1.2.3.4 255.255.255.248 5.6.7.7 1

sysopt connection permit-ipsec
crypto ipsec transform-set BWI esp-3des esp-md5-hmac
crypto map BranchVPN 10 ipsec-isakmp
crypto map BranchVPN 10 match address nonat
crypto map BranchVPN 10 set peer 1.2.3.4
crypto map BranchVPN 10 set transform-set BWI
crypto map BranchVPN interface outside
isakmp enable outside
isakmp key ******** address 1.2.3.4 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Debugging key exchange on either end (debug crypto isakmp) displays nothing.  I'm guessing it's an ACL issue, but the current config seems logical (to me).

Thanks for any help!
Les Moore

Let's start at the PIX and work back to the router.

First, take this out:
>route outside 1.2.3.4 255.255.255.248 5.6.7.7 1
Next, this looks awful funny:
>route outside 0.0.0.0 0.0.0.0 172.16.0.1 1

I would expect to see only:
   route outside 0.0.0.0 0.0.0.0 5.6.7.7 1

You have the same acl being used by two independent processes:
>nat (inside) 0 access-list nonat
>crypto map BranchVPN 10 match address nonat

Try creating a new acl identical to the nonat acl:

     access-list VPNmatch permit ip 192.168.11.0 255.255.255.0 172.16.0.0 255.255.0.0
     access-list VPNmatch permit ip 192.168.11.0 255.255.255.0 192.168.0.0 255.255.0.0

and apply it to the crypto map:
     crypto map BranchVPN 10 match address VPNmatch

On the ROUTER end, you're looking pretty good from what I can see...
 
arnetguru (ASKER)
Yep, I changed the ACL used by the crypto map.  It's identical to the "nonat" ACL.   Also removed default route to 172.16.0.1 for now.  The reason that was there is because the intent is for all Internet access to route through HQ for content monitoring purposes.  I've set 10 branches up like this with GRE tunnels (on 1721's).  

I've added a temporary default route to 5.6.7.7 (my DSL modem).  However, I still can't bring the tunnel up.  A debug on the router or the PIX shows nothing when I try to send traffic either way, and a "show access-list" doesn't show any counters on either side.

I'll try resetting the PIX, but not sure what else to try.
Make sure that you are trying to establish the tunnel by using a host behind the PIX to ping a host behind the router on the 172.16.x.x subnet, and that both hosts have the proper default gateway pointing directly to the local device (i.e. the 172.16.x.x client has 172.16.0.1 as the gateway, and the 192.168.11.x client has 192.168.11.1 as the default gateway).

Could the existing crypto map (vpnmap) on the other public interface be interfering in any way?  I've pinged from a PC behind the router to the PIX LAN IP, and the ACL counters for my crypto map are still zero.

>I've pinged from a PC behind the router to the PIX LAN IP
Won't work. You must ping something that is sitting behind the PIX.

Got it working.  Had two issues:

1.  Had to remove the ACL entry for 192.168.0.0 0.0.255.255.
2.  Had to add a route for 192.168.11.0 out Ethernet1/0
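
A config sanity check for the two issues found in this thread, added here as an example and not part of any post above: it parses the IOS (wildcard-mask) and PIX (netmask) crypto ACLs, flags the 192.168.0.0/16 entry whose destination sits inside its own source, and does a longest-prefix match over the router's static routes to confirm that traffic for the branch LAN leaves via the interface that carries crypto map BWI-Branch. ACL text, prefixes and interface names come from the sanitized configs; the next-hop-to-interface mapping in ROUTES is assumed from them.

```python
import ipaddress

# Constructed from the thread's sanitized configs. IOS ACLs use wildcard masks,
# PIX 6.x ACLs use ordinary netmasks, so the parser accepts both forms.
IOS_ACL_140 = """
access-list 140 permit ip 172.16.0.0 0.0.255.255 192.168.11.0 0.0.0.255
access-list 140 permit ip 192.168.0.0 0.0.255.255 192.168.11.0 0.0.0.255
"""
PIX_ACL_VPNMATCH = """
access-list VPNmatch permit ip 192.168.11.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list VPNmatch permit ip 192.168.11.0 255.255.255.0 192.168.0.0 255.255.0.0
"""
# Router static routes as (prefix, egress interface); assumed: 9.8.7.10 is on
# FastEthernet0/0, 1.2.3.5 on Ethernet1/0, which carries crypto map BWI-Branch.
ROUTES = [("0.0.0.0/0", "FastEthernet0/0"), ("5.6.7.8/29", "Ethernet1/0")]
CRYPTO_MAP_IFACE = "Ethernet1/0"

def _net(addr, mask, wildcard):
    m = int(ipaddress.IPv4Address(mask))
    if wildcard:                      # IOS wildcard -> ordinary netmask
        m ^= 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(m))), strict=False)

def parse_crypto_acl(text, wildcard):
    """Return [(src, dst)] networks for the 'permit ip' lines of a crypto ACL."""
    pairs = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) >= 8 and f[2:4] == ["permit", "ip"]:
            pairs.append((_net(f[4], f[5], wildcard), _net(f[6], f[7], wildcard)))
    return pairs

def check_crypto_acls(local, remote):
    """Flag entries whose source overlaps its destination or lack a mirror on the peer."""
    mirrored = {(d, s) for s, d in remote}
    problems = []
    for s, d in local:
        if s.overlaps(d):
            problems.append(f"overlap: {s} -> {d} matches the remote LAN as its own source")
        if (s, d) not in mirrored:
            problems.append(f"unmirrored: {s} -> {d} has no reversed entry on the peer")
    return problems

def egress_for(routes, dst):
    """Longest-prefix match over static routes: the interface traffic to dst leaves by."""
    dst = ipaddress.IPv4Network(dst)
    _, iface = max(((ipaddress.IPv4Network(p), i) for p, i in routes
                    if dst.subnet_of(ipaddress.IPv4Network(p))),
                   key=lambda r: r[0].prefixlen)
    return iface
```

With the routes as posted, egress_for(ROUTES, "192.168.11.0/24") returns FastEthernet0/0, not Ethernet1/0, which is the second fix the asker applied.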

Good job!