Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 444
  • Last Modified:

Need help for Router IPSEC !!!

Let's get a clue of how my network structure looks like:

PC1 ---- Router A ----- Leased line -----Router B----FW1---PC2

IP Address:
PC1 - 192.168.2.1/27
Router A - 192.168.2.4/27(fa0), 192.168.3.1/30(s0)
Router B - 192.168.4.4/27(fa0), 192.168.3.2/30(s0)
FW1 - 192.168.4.5/27(outside), 192.168.88.1/28(inside)
PC2 - 192.168.88.2/28

I would like to establish a connection from PC1 to PC2, or vice-versa.  However, the 'ping' from PC1 to:
Router A - Failed (fa0 & s0)
Router B - Failed (fa0 & s0)
FW1 - Failed (outside & inside)
PC2 - Failed

I'm curious why i could not even ping from PC1 to the fa0 interface of the router.  Is it because of the IPSEC config of the routers (pls refer configuration below)? Pls help. Tks.


Configuration of Router A:
---------------------------------

version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router_A
!
enable secret 5 abcdefghijk
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 110
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key abcde address 192.168.3.2 255.255.255.252
!
!
crypto ipsec transform-set RouterA_trans ah-sha-hmac esp-3des esp-sha-hmac
!
crypto map RouterA_map 10 ipsec-isakmp
 set peer 192.168.3.2
 set transform-set RouterA_trans
 match address 102
!
!
interface FastEthernet0/0
 ip address 192.168.2.4 255.255.255.224
 speed 100
 full-duplex
 crypto map RouterA_map
!
interface Serial0/0
 bandwidth 256
 ip address 192.168.3.1 255.255.255.252
 keepalive 1
 no fair-queue
!
!
ip classless
ip route 192.168.4.0 255.255.255.224 192.168.3.2
ip route 192.168.88.0 255.255.255.240 192.168.3.2
ip http server
ip pim bidir-enable
!
!
access-list 1 deny   any
access-list 102 permit ip 192.168.2.0 0.0.0.21 192.168.88.0 0.0.0.21
access-list 102 permit ip 192.168.88.0 0.0.0.21 192.168.2.0 0.0.0.21

!
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
line con 0
 exec-timeout 1 30
 password 7 ABCDEFGH
 login
line aux 0
line vty 0 4
 access-class 1 in
 no login
!
!
end



Configuration of Router B:
--------------------------------
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router_B
!
logging buffered 4096 debugging
enable secret 5 ajgjl;adfjg!
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 110
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key abcde address 192.168.3.1 255.255.255.252
!
!
crypto ipsec transform-set RouterB_trans ah-sha-hmac esp-3des esp-sha-hmac
!
crypto map RouterB_map 10 ipsec-isakmp
 set peer 192.168.3.1
 set transform-set RouterB_trans
 match address 102
!
interface FastEthernet0/0
 ip address 192.168.4.4 255.255.255.224
 speed 100
 full-duplex
 crypto map RouterB_map
!
interface Serial0/0
 bandwidth 256000
 ip address 192.168.3.2 255.255.255.252
 keepalive 1
 fair-queue
!
ip classless
ip route 192.168.88.0 255.255.255.240 192.168.4.1
ip route 192.168.2.0 255.255.255.224 192.168.3.1
no ip http server
ip pim bidir-enable
!
!
access-list 1 deny   any
access-list 102 permit ip 192.168.2.0 0.0.0.21 192.168.88.0 0.0.0.21
access-list 102 permit ip 192.168.2.0 0.0.0.21 192.168.4.0 0.0.0.21
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
line con 0
 exec-timeout 1 30
 password 7 759073245943
 login
line vty 0 4
 access-class 1 in
 no login
!
end


The FW1 is open to all traffic (access-list permit ip any any).
0
viansoo
Asked:
viansoo
  • 4
  • 3
  • 2
  • +1
3 Solutions
 
peteysaCommented:
First step would be to set your access-lists to 0.0.0.31 vice 0.0.0.21.

I am lookin up the vpn config currently
dan
0
 
JFrederick29Commented:
Agree.  Inverse masks are wrong.  Access-lists should look like such:

access-list 102 permit ip 192.168.2.0 0.0.0.31 192.168.88.0 0.0.0.15
access-list 102 permit ip 192.168.88.0 0.0.0.15 192.168.2.0 0.0.0.31

At first glance, the rest of your VPN configuration looks correct.
0
 
JFrederick29Commented:
Actually, on second though.

Access-lists should look like this:

RouterA:

access-list 102 permit ip 192.168.2.0 0.0.0.31 192.168.88.0 0.0.0.15

RouterB:

access-list 102 permit ip 192.168.88.0 0.0.0.15 192.168.2.0 0.0.0.31

Are all interfaces up/up?  Yes, it is odd that you are not able to ping the FastEthernet0/0 interface of RouterA from PC1.  No other firewalls anywhere? On the PC?  You are sure?
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
lrmooreCommented:
Agree with the access-list/inverse mask issue, but that's only part of the problem.

Hurdle #1:
>curious why i could not even ping from PC1 to the fa0 interface of the router.
until you can establish local connectivity, nothing else is going to work.
Can you post result of "show ip int brief"  from RtrA?

>crypto ipsec transform-set RouterB_trans ah-sha-hmac esp-3des esp-sha-hmac

Since you are using private IP addresses everywhere, I will assume that you have NAT taking place somewhere. If yes, then your transform using AH will not work. If this FW is using NAT, then your crypto between the routers should be from 192.168.2.0/27 to 192.168.4.0/27 (the network between router B and FW1) assuming that FW1 nats to its outside network.

>PC1 ---- Router A ----- Leased line -----Router B----FW1---PC2
                                                                             ^^^
                                                                            What kind of firewall?

So, the leased line is on the SERIAL interfaces?
 Then your crypto map should be applied on the serial interfaces (egress), not the Ethernet interfaces (ingress)
0
 
viansooAuthor Commented:
FW1 = Cisco PIX Firewall 515E

By the way, can anyone first explain what 0.0.0.21 (or 0.0.0.15, 0.0.0.31) means? I've only come across with access list with 255 in the netmask (e.g. 0.0.0.255) previously.
0
 
JFrederick29Commented:
Access-lists use the inverse mask to determine the scope of addresses the statement applies to.  For the mask 255.255.255.240, the inverse mask is 0.0.0.15.  To determine the inverse mask, subract the true mask from 255:

  255.255.255.255
- 255.255.255.240
_______________

   0.0.0.15

You are use to seeing 0.0.0.255 when using a 255.255.255.0 mask, which is calculated as such:

  255.255.255.255
- 255.255.255.0
________________

   0.0.0.255

0
 
lrmooreCommented:
Why don't you create the VPN tunnel between the PIX FW and RTR-A

0
 
lrmooreCommented:
Are you still working on this? Can I be of any more assistance?
0
 
viansooAuthor Commented:
Hi Guys, sorry for returning late, have been busy...... As for the question i've posted here, I think i'm just going to give up on that and request for assistance from third party vendor.  It's much more complicated than i could imagine.  Anyway, thanks for all the comments! As for the points, whoever can answer this will grab all ! This is very simple question:

DNS Server ---- Firewall ---- Router ----> Internet

IP Address & Hardware Types:
----------------------------------------

DNS Server(MS Windows NT 4.0)
192.168.0.34/27

Firewall (Cisco PIX)
DMZ int: 192.168.0.33/27
outside int: 210.218.93.166

Router (Cisco 2600 Series)


I wish to allow incoming DNS queries from outside to my DNS Server(in DMZ Lan).  When i did a nslookup to my DNS server, i got server time-out.  I suspect it's because of the accesss-list in my firewall and router.  There's a web server in the DMZ too, but it's working good.

Firewall:
access-list acl_outside permit tcp any host 219.93.229.166 eq domain

access-list acl_outside permit udp any host 219.93.229.166 eq domain

static (dmz,outside) udp 219.93.229.166  domain 192.168.0.34 domain netmask 255.255.255.255 0 0


Router:
interface Serial0
 ip address x.x.x.x 255.255.255.252
 ip access-group 101 in
 ip access-group 102 out
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 encapsulation ppp
 no ip route-cache
 no logging event subif-link-status
 no fair-queue
 no cdp enable
ppp multilink

access-list 101 permit udp any host 219.93.229.166 eq domain
access-list 102 permit udp host 219.93.229.166 any eq domain


0
 
JFrederick29Commented:
You also need to permit TCP 53 inbound on the router in access-list 101:

access-list 101 permit tcp any host 219.93.229.166 eq domain

For access-list 102, add the following:

access-list 102 permit tcp host 219.93.229.166 eq domain any
access-list 102 permit udp host 219.93.229.166 eq domain any

I'd suggest removing the outbound access-list altogether unless you have a specific need to restrict internal hosts.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

  • 4
  • 3
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now