Solved

Dynamic Cisco 837 to Static Cisco Pix501 VPN

Posted on 2004-10-19
Last Modified: 2008-03-03
Hi Folks,

I have a Cisco PIX501 Firewall setup on a static VPN - it accepts VPN clients fine using the Cisco VPN Client Software (as well as PPTP clients if I want them to).

The problem I have at the moment is trying to get a Site to Site VPN working from a Cisco ADSL router (837) - it is currently setup on a dynamic IP and the guys are using the client software from behind it, but it would be really nice (and better on the workstation maintenance) if the VPN connection could be made by the 837.

I've tried fiddling with it a bit but get nothing - I'm really after some sample configs for each device.

I'm sure this would be easy doing Static - Static but unfortunately that's not possible :(.

Cheers in advance

David.
Question by: commbdown

13 Comments
LVL 23

Expert Comment

by:Tim Holman
ID: 12369440

Author Comment

by:commbdown
ID: 12374016
I've just tried that - no joy - it appears (from what I can tell) that the 837 isn't initiating the connection... Here are my configs....

Cisco 837 (Dynamic)
Building configuration...

Current configuration : 4837 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging queue-limit 100
enable secret 5 *************************/
!
username Router password 7 **********************
ip subnet-zero
ip name-server 195.10.102.11
ip name-server 195.10.102.12
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.3
ip dhcp excluded-address 10.10.10.150
!
ip dhcp pool CLIENT
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 195.10.102.11 195.10.102.12
   lease 0 2
!
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key 0 cisco123 address 217.23.173.211
!
!
crypto ipsec transform-set pix-set esp-des esp-md5-hmac
!
crypto map pix 10 ipsec-isakmp
 set peer 217.23.173.211
 set transform-set pix-set
 match address 110
!
!
!
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface Dialer1
 ip address negotiated
 ip access-group 111 in
 ip nat outside
 ip inspect myfw out
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname 880713cj@homesurfer
 ppp chap password 7 141E00040200252436
 ppp pap sent-username 880713cj@homesurfer password 7 060F1D2E424A061617
 crypto map pix
 hold-queue 224 in
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source route-map nonat interface Ethernet0 overload
ip nat inside source static udp 10.10.10.150 14567 interface Dialer1 14567
ip nat inside source static udp 10.10.10.150 15567 interface Dialer1 15567
ip nat inside source static udp 10.10.10.150 14690 interface Dialer1 14690
ip nat inside source static udp 10.10.10.150 6112 interface Dialer1 6112
ip nat inside source static tcp 10.10.10.3 80 interface Dialer1 80
ip nat inside source static tcp 10.10.10.3 21 interface Dialer1 21
ip nat inside source static tcp 10.10.10.3 25 interface Dialer1 25
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 110 permit ip 10.10.10.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 110 deny   ip 10.10.10.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
access-list 111 permit tcp any any eq smtp
access-list 111 permit tcp any any eq ftp
access-list 111 permit tcp any any eq www
access-list 111 permit udp any any eq 6112
access-list 111 permit udp any any eq 14690
access-list 111 permit udp any any eq 15567
access-list 111 permit udp any any eq 14567
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny   ip any any
dialer-list 1 protocol ip permit
route-map nonat permit 10
 match ip address 110
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
!
end

______________________________________________________

Cisco PIX501 (Static)

Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ****************** encrypted
passwd ************. encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 10.10.10.0 Larivane
access-list servicetech_splitTunnelAcl permit ip 172.20.0.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 172.20.0.0 255.255.255.0 172.20.0.240 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 172.20.0.240 255.255.255.240
access-list testgroup_splitTunnelAcl permit ip 172.20.0.0 255.255.255.0 any
access-list outside_cryptomap_dyn_40 permit ip any 172.20.0.240 255.255.255.240
access-list richard_splitTunnelAcl permit ip 172.20.0.0 255.255.255.0 any
access-list outside_cryptomap_dyn_60 permit ip any 172.20.0.240 255.255.255.240
access-list 222 permit ip 172.20.0.0 255.255.255.0 Larivane 255.255.255.0
access-list nonat permit ip 172.20.0.0 255.255.255.0 Larivane 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 217.23.173.211 255.255.255.240
ip address inside 172.20.0.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool dhcpvpn 172.20.0.240-172.20.0.250
pdm location 192.168.1.0 255.255.255.0 inside
pdm location Larivane 255.255.255.0 outside
pdm location 217.23.161.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 217.23.173.209 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.20.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set router-set esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto dynamic-map cisco 1 set transform-set router-set
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map dyn-map 10 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 10.0.0.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup testgroup address-pool dhcpvpn
vpngroup testgroup dns-server 172.20.0.10 217.23.160.30
vpngroup testgroup wins-server 172.20.0.10
vpngroup testgroup split-tunnel testgroup_splitTunnelAcl
vpngroup testgroup idle-time 1800
vpngroup testgroup password ********
vpngroup richard address-pool dhcpvpn
vpngroup richard dns-server 172.20.0.10 217.23.160.30
vpngroup richard wins-server 172.20.0.10
vpngroup richard split-tunnel richard_splitTunnelAcl
vpngroup richard idle-time 1800
vpngroup richard password ********
telnet 172.20.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:53ae648bff24a333ac4e4ca7e52b19d7
: end
[OK]

LVL 23

Expert Comment

by:Tim Holman
ID: 12379853
>access-list 110 permit ip 10.10.10.0 0.0.0.255 172.20.0.0 0.0.0.255
>access-list 110 deny   ip 10.10.10.0 0.0.0.255 172.20.0.0 0.0.0.255
>access-list 110 permit ip 10.10.10.0 0.0.0.255 any

Remove the last two lines in this access list....  

You also need to make sure that NAT is disabled with respect to the above access list, and use SEPARATE ACLs :

route-map nonat permit 10
match ip address 120

access-list 120 deny   ip 10.10.10.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 120 permit ip 10.10.10.0 0.0.0.255 any

If things still aren't working out, then debug:

debug cry isa
debug cry ips
term mon

...and post up the output.

Author Comment

by:commbdown
ID: 12385946
Made the changes you suggested (see new config below...) still no joy + no error messages get flagged on the monitor (I left it up for a good 30 mins but nothing :( )

Pings to the 172.20.0.x network don't go through and the result of a tracert is as follows

Tracing route to terminal [172.20.0.14]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  10.10.10.1
  2    16 ms    16 ms    14 ms  195.10.119.95
  3    15 ms    16 ms    14 ms  195.10.107.34
  4    15 ms    15 ms    14 ms  195.10.107.33
  5    19 ms    20 ms    20 ms  213.38.230.189
  6  194.177.169.82  reports: Destination net unreachable.

To me that'd suggest the traffic is being encrypted / sent to the right place.

Cheers again.

Dave.


New Config....
_________________

Building configuration...

Current configuration : 4787 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging queue-limit 100
enable secret 5 ****************/
!
ip subnet-zero
ip name-server 195.10.102.11
ip name-server 195.10.102.12
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.3
ip dhcp excluded-address 10.10.10.150
!
ip dhcp pool CLIENT
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 195.10.102.11 195.10.102.12
   lease 0 2
!
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key 0 ****** address 217.23.173.211
!
!
crypto ipsec transform-set pix-set esp-des esp-md5-hmac
!
crypto map pix 10 ipsec-isakmp
 set peer 217.23.173.211
 set transform-set pix-set
 match address 110
!
!
!
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface Dialer1
 ip address negotiated
 ip access-group 111 in
 ip nat outside
 ip inspect myfw out
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname 880713cj@homesurfer
 ppp chap password 7 141E00040200252436
 ppp pap sent-username 880713cj@homesurfer password 7 060F1D2E424A061617
 crypto map pix
 hold-queue 224 in
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source route-map nonat interface Ethernet0 overload
ip nat inside source static udp 10.10.10.150 14567 interface Dialer1 14567
ip nat inside source static udp 10.10.10.150 15567 interface Dialer1 15567
ip nat inside source static udp 10.10.10.150 14690 interface Dialer1 14690
ip nat inside source static udp 10.10.10.150 6112 interface Dialer1 6112
ip nat inside source static tcp 10.10.10.3 80 interface Dialer1 80
ip nat inside source static tcp 10.10.10.3 21 interface Dialer1 21
ip nat inside source static tcp 10.10.10.3 25 interface Dialer1 25
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 110 permit ip 10.10.10.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 111 permit tcp any any eq smtp
access-list 111 permit tcp any any eq ftp
access-list 111 permit tcp any any eq www
access-list 111 permit udp any any eq 6112
access-list 111 permit udp any any eq 14690
access-list 111 permit udp any any eq 15567
access-list 111 permit udp any any eq 14567
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny   ip any any
access-list 120 deny   ip 10.10.10.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 120 permit ip 10.10.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map nonat permit 10
 match ip address 120
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
!
end
LVL 23

Expert Comment

by:Tim Holman
ID: 12387713
The traceroute is going straight out onto the internet.  Traffic is being NATted and not encrypted.

Try removing this line

>ip nat inside source list 102 interface Dialer1 overload

It might be flagging before the nonat statement below it kicks in.

Also, try removing the firewall - this could be interfering.

I'd still like to see those debugs -

debug cry isa
debug cry ips
term mon

They will tell me more or less straight away what the problem is (but sort the NAT stuff out first).

If all else fails, try some simple configurations, such as those @ http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094a87.shtml instead, and then build on top of them the extra bits you need.  The VPN will be far easier to troubleshoot this way.
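As an added example (not part of the thread, and not Cisco's code), here is a small Python checker for the ordering problem described above: it parses the IOS `ip nat inside source` statements, the ACLs and route-maps they reference, and the crypto map's `match address` ACL, and reports any NAT source whose first matching entry would translate the VPN-interesting traffic before the nonat route-map gets a look at it. The two config snippets are constructed from the 837 lines posted in this thread; the `FIXED` variant adds a deny for the tunnel traffic ahead of the permit in ACL 102, the usual way to stop a single overload statement from catching it. All function names are this example's own.

```python
"""Flag IOS NAT rules that would translate traffic a crypto map is meant to encrypt.

Added example, not from the thread: the config text below is constructed from
the 837 lines posted above; every function name is an assumption of this example.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
PROTOS = {"ip", "tcp", "udp", "icmp", "gre", "esp", "ahp"}
PORT_OPS = {"eq": 2, "gt": 2, "lt": 2, "neq": 2, "range": 3}  # tokens to skip


def wild_to_net(addr, wild):
    """IOS 'address wildcard' -> ip_network (wildcard bits are the host bits)."""
    mask = (~int(ipaddress.IPv4Address(wild))) & 0xFFFFFFFF
    return ipaddress.ip_network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_addr(tok, i):
    """Parse one ACE address spec at tok[i]; return (network, index after it)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return wild_to_net(tok[i], tok[i + 1]), i + 2


def parse_config(text):
    """Collect extended ACLs, NAT sources, route-map matches and crypto-map ACLs."""
    acls, nat_sources, route_maps, crypto_acls = {}, [], {}, []
    route_map = None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and len(t) > 4 and t[3] in PROTOS:
            # extended ACE: access-list N permit|deny proto src [ports] dst [ports]
            # (standard ACLs such as 23 have no protocol keyword and are skipped)
            src, i = parse_addr(t, 4)
            if i < len(t) and t[i] in PORT_OPS:        # skip a source port operator
                i += PORT_OPS[t[i]]
            dst, _ = parse_addr(t, i)
            acls.setdefault(t[1], []).append((t[2], src, dst))
        elif t[:4] == ["ip", "nat", "inside", "source"] and t[4] in ("list", "route-map"):
            nat_sources.append((t[4], t[5]))            # static NATs are not relevant here
        elif t[0] == "route-map":
            route_map = t[1]
        elif t[:3] == ["match", "ip", "address"] and route_map:
            route_maps[route_map] = t[3]
        elif t[:2] == ["match", "address"]:             # inside a crypto map entry
            crypto_acls.append(t[2])
    return acls, nat_sources, route_maps, crypto_acls


def first_match(aces, src, dst):
    """Action of the first ACE that fully covers src->dst; IOS ends with an implicit deny."""
    for action, s, d in aces:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return "deny"


def nat_leaks(text):
    """One finding per NAT source that would translate VPN-interesting traffic."""
    acls, nat_sources, route_maps, crypto_acls = parse_config(text)
    findings = []
    for cacl in crypto_acls:
        for action, src, dst in acls.get(cacl, []):
            if action != "permit":
                continue
            for kind, name in nat_sources:
                acl = name if kind == "list" else route_maps.get(name)
                if first_match(acls.get(acl, []), src, dst) == "permit":
                    findings.append(
                        f"ip nat inside source {kind} {name} (acl {acl}) translates "
                        f"{src} -> {dst}, which crypto acl {cacl} expects to encrypt")
    return findings


# Constructed from the 837 config posted above: ACL 102 NATs everything from the
# LAN, so the nonat route-map (ACL 120) never sees the tunnel traffic.
BROKEN = """\
crypto map pix 10 ipsec-isakmp
 set peer 217.23.173.211
 match address 110
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source route-map nonat interface Ethernet0 overload
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 110 permit ip 10.10.10.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 120 deny   ip 10.10.10.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 120 permit ip 10.10.10.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 120
"""

# Same config with the VPN traffic denied in ACL 102 ahead of the permit (constructed).
FIXED = BROKEN.replace(
    "access-list 102 permit ip",
    "access-list 102 deny   ip 10.10.10.0 0.0.0.255 172.20.0.0 0.0.0.255\n"
    "access-list 102 permit ip")

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, nat_leaks(cfg) or ["no NAT/crypto overlap"])
```

The check deliberately uses first-match semantics with full coverage (the crypto ACE's subnets must sit entirely inside the NAT ACE's), which is exactly the case a NAT overload statement and a crypto ACL written for the same LAN produce; partially overlapping entries are left for a manual read.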

Author Comment

by:commbdown
ID: 12405708
I simplified things somewhat (see configuration below)

I don't seem to get any debug messages from the debug commands except the following:

Router# debug cry isa
Crypto ISAKMP debugging is on
Router#debug cry ips
Crypto IPSEC debugging is on
Router#term mon

I did get this once though:
13w0d: %CRYPTO-4-IKMP_NO_SA: IKE message from 217.23.173.211  has no SA and is not an initialization offer

I removed "ip nat inside source list 102 interface Dialer1 overload" and all it did was kill the internet connection and still no VPN came up. I had to go through http://www.cisco.com/warp/public/556/clear_nat_comments.html to get rid of it though...! (I did remember to put the ip nat inside statement back in)

Cheers

David.

_________________________________
'show crypto ipsec sa' results
_________________________________

Router#show crypto ipsec sa

interface: Dialer1
    Crypto map tag: pix, local addr. 80.65.241.80

   protected vrf:
   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.20.0.0/255.255.255.0/0/0)
   current_peer: 217.23.173.211:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 24, #pkts encrypt: 24, #pkts digest 24
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: 80.65.241.80, remote crypto endpt.: 217.23.173.211
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:


interface: Virtual-Access2
    Crypto map tag: pix, local addr. 80.65.241.80

   protected vrf:
   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.20.0.0/255.255.255.0/0/0)
   current_peer: 217.23.173.211:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 24, #pkts encrypt: 24, #pkts digest 24
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: 80.65.241.80, remote crypto endpt.: 217.23.173.211
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:


interface: Virtual-Access2
    Crypto map tag: pix, local addr. 80.65.241.80

   protected vrf:
   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.20.0.0/255.255.255.0/0/0)
   current_peer: 217.23.173.211:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 24, #pkts encrypt: 24, #pkts digest 24
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: 80.65.241.80, remote crypto endpt.: 217.23.173.211
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:




___________________________

New 837 Config:

Building configuration...

Current configuration : 2875 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging queue-limit 100
no logging buffered
enable secret 5 ****************/
!
ip dhcp pool CLIENT
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 195.10.102.11 195.10.102.12
   lease 0 2
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key 0 ******** address 217.23.173.211
!
!
crypto ipsec transform-set pix-set esp-des esp-md5-hmac
!
crypto map pix 10 ipsec-isakmp
 set peer 217.23.173.211
 set transform-set pix-set
 match address 110
!
!
!
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface Dialer1
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname 880713cj@homesurfer
 ppp chap password 7 ***************
 ppp pap sent-username 880713cj@homesurfer password 7 ****************
 crypto map pix
 hold-queue 224 in
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source route-map nonat interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 110 permit ip 10.10.10.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 120 deny   ip 10.10.10.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 120 permit ip 10.10.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map nonat permit 10
 match ip address 120
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
!
end
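An added example, not from the thread: a parser for the `show crypto ipsec sa` output posted above that classifies each interface block. The Dialer1 block shows encaps counted, no ESP SAs listed and an outbound SPI of 0, which the checker reports as "crypto map catches traffic but no SA was ever negotiated", the case where the ISAKMP debugs are the next place to look. The second block in the sample is constructed (its SPI values are made up) to show what an established tunnel looks like by contrast. Function names are this example's own.

```python
"""Classify each interface block of IOS 'show crypto ipsec sa' output.

Added example, not from the thread. The first sample block is taken from the
Dialer1 output posted above; the second is constructed (its SPIs are made up)
to show an established tunnel. Function names are this example's own.
"""
import re

STATUS_HELP = {
    "no_sa": "crypto map catches traffic but no IPsec SA exists: Phase 1/2 never "
             "completed (check isakmp policy/key match and UDP 500 / ESP reachability)",
    "one_way": "SA up but nothing decrypts back: far side is not sending into the "
               "tunnel (its crypto ACL or NAT exemption)",
    "idle": "no SA and no interesting traffic seen yet",
    "ok": "SA established, traffic flowing both ways",
}


def split_sections(text):
    """Split the output into one string per 'interface: X' block."""
    return [p for p in re.split(r"^(?=interface: )", text, flags=re.M)
            if p.startswith("interface: ")]


def parse_section(sec):
    """Pull the counters this diagnosis needs out of one interface block."""
    def grab(pattern, cast=str, default=None):
        m = re.search(pattern, sec, re.M)
        return cast(m.group(1)) if m else default
    return {
        "interface": grab(r"^interface: (\S+)"),
        "peer": grab(r"current_peer: (\S+)"),
        "encaps": grab(r"#pkts encaps: (\d+)", int, 0),
        "decaps": grab(r"#pkts decaps: (\d+)", int, 0),
        "send_errors": grab(r"#send errors (\d+)", int, 0),
        "outbound_spi": grab(r"current outbound spi: (\S+)"),
        # established SAs are listed as 'spi: 0x...' lines under the esp sas headers
        "esp_sas": len(re.findall(r"^\s*spi: 0x", sec, re.M)),
    }


def classify(sa):
    """Map the counters of one block to a status key of STATUS_HELP."""
    if sa["esp_sas"] == 0:
        return "no_sa" if sa["encaps"] > 0 else "idle"
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        return "one_way"
    return "ok"


def diagnose(text):
    """Return [(interface, peer, status), ...] for every block in the output."""
    out = []
    for sec in split_sections(text):
        sa = parse_section(sec)
        out.append((sa["interface"], sa["peer"], classify(sa)))
    return out


# First block: the Dialer1 output from the thread. Second block: constructed.
SAMPLE = """\
interface: Dialer1
    Crypto map tag: pix, local addr. 80.65.241.80

   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.20.0.0/255.255.255.0/0/0)
   current_peer: 217.23.173.211:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 24, #pkts encrypt: 24, #pkts digest 24
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 2, #recv errors 0

     local crypto endpt.: 80.65.241.80, remote crypto endpt.: 217.23.173.211
     current outbound spi: 0

     inbound esp sas:

     outbound esp sas:


interface: Virtual-Access2
    Crypto map tag: pix, local addr. 80.65.241.80

   current_peer: 217.23.173.211:500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify 118
    #send errors 0, #recv errors 0
     current outbound spi: 6A1F3C02

     inbound esp sas:
      spi: 0x1B2C3D4E(456012110)
        transform: esp-des esp-md5-hmac ,

     outbound esp sas:
      spi: 0x6A1F3C02(1780497410)
        transform: esp-des esp-md5-hmac ,
"""

if __name__ == "__main__":
    for iface, peer, status in diagnose(SAMPLE):
        print(f"{iface} -> {peer}: {status}: {STATUS_HELP[status]}")
```

The distinction the checker draws is the useful one when reading this output: a non-zero encaps counter proves the crypto ACL and crypto map are catching the traffic, so the remaining question is whether an SA ever got negotiated (`no_sa`) or whether the far side simply never sends anything back (`one_way`).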
LVL 23

Expert Comment

by:Tim Holman
ID: 12410485
How about if you run the debugs on the PIX - does this tell you anything ?

The debugs should be FULL of things when the VPN tunnel is (or isn't) established, so something is wrong here - either the feature set doesn't support the encryption algorithms, has no VPN support or the traffic you're sending is being routed instead of passing down the VPN tunnel.

What does a traceroute say from a PC in one encryption network trying to reach a PC in the other ?

Author Comment

by:commbdown
ID: 12415943
There isn't much on the PIX with respect to the logs - just informational stuff regarding the VPN clients (the Windows XP software stuff) from what I can tell (from the originating IP addresses).

From the trace route it looks like the packets are still being natted - however if I take the 'ip nat inside source list 102 interface Dialer1 overload' line out nothing goes anywhere :(

(ps. I'm on holiday for 7 days so I apologise for the delay in my next response!)
__________________________________________________________

Route from 10.10.10.150 to 172.20.0.14

Tracing route to terminal [172.20.0.14]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  10.10.10.1
  2    18 ms    14 ms    14 ms  195.10.119.95
  3    12 ms    16 ms    14 ms  195.10.107.34
  4    14 ms    16 ms    14 ms  195.10.107.33
  5    17 ms    21 ms    21 ms  213.38.230.189
  6  194.177.169.82  reports: Destination net unreachable.

Trace complete.

______________________________________________________________

Results of 'show version' on the 837

Cisco Internetwork Operating System Software
IOS (tm) C837 Software (C837-K9O3Y6-M), Version 12.2(13)ZH2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.2(14.5)T
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 22-Jul-03 09:37 by ealyon
Image text-base: 0x800131E8, data-base: 0x80AA14DC

ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
ROM: C837 Software (C837-K9O3Y6-M), Version 12.2(13)ZH2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

Router uptime is 13 weeks, 2 days, 23 hours, 13 minutes
System returned to ROM by power-on
System image file is "flash:c837-k9o3y6-mz.122-13.ZH2.bin"

CISCO C837 (MPC857DSL) processor (revision 0x400) with 29492K/3276K bytes of memory.
Processor board ID AMB0731002U (323729587), with hardware revision 0000
CPU rev number 7
Bridging software.
1 Ethernet/IEEE 802.3 interface(s)
1 ATM network interface(s)
128K bytes of non-volatile configuration memory.
12288K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

Configuration register is 0x2102
______________________________________________________

LVL 23

Expert Comment

by:Tim Holman
ID: 12436693
Do you have the correct encryption license ?
Usually, if nothing seems to work and appears disabled, it is because the feature itself is disabled, and licensing / feature set is probably the key to this.

Author Comment

by:commbdown
ID: 12492338
How would I find out the installed encryption license? I was under the impression when I purchased the box from my local telecoms company that it should do what I'm trying to do (if not there will be hell to pay :) )
LVL 23

Expert Comment

by:Tim Holman
ID: 12584000
Try it with DES.  DES should be natively licensed and does not require a key.
btw - change your user's passwords ASAP - you've posted them up.  Although they're hashed, they can be quickly reversed using Rainbow tables.

Author Comment

by:commbdown
ID: 12588881
Thanks, although they are only the ISP password - nothing too critical there...

I've changed the line "crypto ipsec transform-set pix-set esp-des esp-md5-hmac" to read

crypto ipsec transform-set pix-set esp-des

It still seems to be natting the 172.20.0.x traffic though? - instead of routing it through any tunnel...
LVL 23

Accepted Solution

by:
Tim Holman earned 500 total points
ID: 12618951
Hmmm... it's as if your router is not VPN-enabled.  Can you verify with your supplier that the IOS version and router itself can support encryption ?  If it does, then get them to send you a new one, as something is broken here...