arnetguru

asked on

Cisco IPSEC VPN works for one endpoint, but not another

I have 2 IPSEC VPNs established.  I can communicate with devices on the other side of one endpoint without issues.  I cannot communicate with any devices beyond the 2nd endpoint.  I can ping the inside interface of endpoint #2, though.  This was working fine until this morning, and I'm not sure what could have changed (I certainly didn't knowingly change anything).

Here's the setup & cleaned configs:

2600XM -------->(IPSEC)------->PIX 506E (#1)
             -------->(IPSEC)------->PIX 506E (#2)

2600 Internal IP: 172.16.0.0/16
PIX #1 Internal IP: 192.168.11.1/24
PIX #2 Internal IP: 192.168.7.1/24

I've replaced PIX #1's public IP with A.B.C.D.  I've replaced PIX #2's public IP with E.F.G.H.

Here are the current configs for the 2600 and PIX #2:

Current configuration : 10516 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2

crypto isakmp key ******* address A.B.C.D
crypto isakmp key ******* address E.F.G.H
!
!
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
!
crypto map BWI-Branch 10 ipsec-isakmp
 set peer A.B.C.D
 set transform-set vpnset
 match address 140
crypto map BWI-Branch 20 ipsec-isakmp
 set peer E.F.G.H
 set transform-set vpnset
 match address 150
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 description Connection to Internet
 ip address <public ip#1> 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 keepalive 5
!
interface FastEthernet0/1
 description Inside ethernet connection
 ip address 172.16.0.1 255.255.0.0
 ip nat inside
 ip policy route-map nonat
 duplex auto
 speed auto
!
interface Ethernet1/0
 description Branch Access
 ip address <public IP#2> 255.255.255.248
 ip nat outside
 no ip route-cache
 half-duplex
 no keepalive
 crypto map BWI-Branch
!
ip nat pool pool1 <public ip#1> <public ip#1> netmask 255.255.255.0
ip nat pool pool2 <public IP#2> <public IP#2> netmask 255.255.255.248
ip nat inside source route-map BranchNAT-map pool pool2 overload
ip nat inside source route-map InternetNAT-map pool pool1 overload
ip nat inside source static 172.16.0.3 <public ip> extendable
ip nat inside source static 172.16.0.4 <public ip> extendable
ip classless
ip route 0.0.0.0 0.0.0.0 <public IP#1 Gateway>
ip route A.B.C.D 255.255.255.255 <public IP#2 Gateway>
ip route E.F.G.H 255.255.255.255 <public IP#2 Gateway>
!
no ip http server
ip http authentication local
ip http secure-server
!
ip access-list extended BranchNAT
 deny   ip 172.16.0.0 0.0.255.255 192.168.11.0 0.0.0.255
 deny   ip 172.16.0.0 0.0.255.255 192.168.7.0 0.0.0.255
 permit ip host A.B.C.D
 permit ip host E.F.G.H
ip access-list extended InternetNAT
 deny   ip 172.16.0.0 0.0.255.255 192.168.11.0 0.0.0.255
 deny   ip 172.16.0.0 0.0.255.255 192.168.7.0 0.0.0.255
 deny      ip host A.B.C.D
 deny      ip host E.F.G.H
 permit ip 172.16.0.0 0.0.255.255 any

!
access-list 123 permit ip 172.16.0.0 0.0.255.255 192.168.7.0 0.0.0.255
access-list 123 permit ip 172.16.0.0 0.0.255.255 192.168.11.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 192.168.11.0 0.0.0.255
access-list 150 permit ip 172.16.0.0 0.0.255.255 192.168.7.0 0.0.0.255
!
route-map InternetNAT-map permit 10
 match ip address InternetNAT
!
route-map BranchNAT-map permit 10
 match ip address BranchNAT
!
route-map nonat permit 10
 match ip address 123
 set ip next-hop 1.1.1.2
!
!

PIX #2:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname APIX506
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit icmp any any echo-reply
access-list IPSEC permit ip 192.168.7.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list nonat permit ip 192.168.7.0 255.255.255.0 172.16.0.0 255.255.0.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside E.F.G.H 255.255.255.248
ip address inside 192.168.7.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 access-list nonat 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 <E.G.F.G Gateway> 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community BWI
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set BWI esp-3des esp-md5-hmac
crypto map BranchVPN 10 ipsec-isakmp
crypto map BranchVPN 10 match address IPSEC
crypto map BranchVPN 10 set peer <2600 Public IP #2>
crypto map BranchVPN 10 set transform-set BWI
crypto map BranchVPN interface outside
isakmp enable outside
isakmp key ******** address <2600 Public IP #2> netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.7.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 192.168.7.3-192.168.7.254 inside
dhcpd dns 64.7.11.2 66.80.130.23
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:1eb07720b1d2072496bb94c291b2a560
: end
PIX2#


RESULTS:

2600#ping
Protocol [ip]:
Target IP address: 192.168.7.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.0.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.7.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 144/165/180 ms
2600#ping
Protocol [ip]:
Target IP address: 192.168.7.8
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.0.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.7.8, timeout is 2 seconds:
Packet sent with a source address of 172.16.0.1
.....
Success rate is 0 percent (0/5)


Thanks for any direction you can provide.
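A consistency check a practitioner would run over the two configs above, added here as an example; it is not part of the original post and not a Cisco tool. The excerpts it parses are constructed from the 2600 and PIX #2 configs in the question (placeholders kept). It flags the two classic reasons a tunnel comes up (QM_IDLE) while hosts behind one side stay unreachable: on the IOS side, interesting traffic from a crypto-map `match address` ACL that one of the NAT route-map ACLs does not `deny`, so it would be translated before encryption; on the PIX side, an access-list-based `nat` statement whose NAT ID is not 0. On PIX 6.x only `nat (inside) 0 access-list …` is NAT exemption; any other ID is policy NAT into the matching `global` pool, so replies from inside hosts are translated before the crypto map sees them and no longer match the peer's crypto ACL. Run against the posted lines, the IOS check finds no gaps and the PIX check reports `nat (inside) 1 access-list nonat`.

```python
import re

# Constructed excerpts of the two configs posted in the question (placeholders kept).
IOS_CONFIG = """
crypto map BWI-Branch 10 ipsec-isakmp
 set peer A.B.C.D
 match address 140
crypto map BWI-Branch 20 ipsec-isakmp
 set peer E.F.G.H
 match address 150
ip nat inside source route-map BranchNAT-map pool pool2 overload
ip nat inside source route-map InternetNAT-map pool pool1 overload
ip access-list extended BranchNAT
 deny ip 172.16.0.0 0.0.255.255 192.168.11.0 0.0.0.255
 deny ip 172.16.0.0 0.0.255.255 192.168.7.0 0.0.0.255
ip access-list extended InternetNAT
 deny ip 172.16.0.0 0.0.255.255 192.168.11.0 0.0.0.255
 deny ip 172.16.0.0 0.0.255.255 192.168.7.0 0.0.0.255
 permit ip 172.16.0.0 0.0.255.255 any
access-list 140 permit ip 172.16.0.0 0.0.255.255 192.168.11.0 0.0.0.255
access-list 150 permit ip 172.16.0.0 0.0.255.255 192.168.7.0 0.0.0.255
route-map InternetNAT-map permit 10
 match ip address InternetNAT
route-map BranchNAT-map permit 10
 match ip address BranchNAT
"""

PIX_CONFIG = """
access-list IPSEC permit ip 192.168.7.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list nonat permit ip 192.168.7.0 255.255.255.0 172.16.0.0 255.255.0.0
global (outside) 1 interface
nat (inside) 1 access-list nonat 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map BranchVPN 10 match address IPSEC
"""


def parse_ios(config):
    """Pull the pieces of an IOS config that decide whether VPN traffic gets NATed.

    Returns crypto-map entry -> crypto ACL number, numbered ACLs, named extended
    ACLs, the route-maps used by 'ip nat inside source', and route-map -> ACL.
    """
    cmap_acl, numbered, named, nat_rms, rm_acl = {}, {}, {}, [], {}
    section = None  # (kind, name) of the indented block being read
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if not line.startswith(" "):  # top-level statement
            section = None
            if t[:2] == ["crypto", "map"] and t[-1] == "ipsec-isakmp":
                section = ("cmap", f"{t[2]} {t[3]}")
            elif t[:3] == ["ip", "access-list", "extended"]:
                section = ("nacl", t[3])
                named[t[3]] = []
            elif t[0] == "route-map":
                section = ("rmap", t[1])
            elif t[:5] == ["ip", "nat", "inside", "source", "route-map"]:
                nat_rms.append(t[5])
            elif t[0] == "access-list" and len(t) >= 8 and t[2:4] == ["permit", "ip"]:
                numbered.setdefault(t[1], []).append(("permit", " ".join(t[4:6]), " ".join(t[6:8])))
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "cmap" and t[:2] == ["match", "address"]:
            cmap_acl[name] = t[2]
        elif kind == "nacl" and len(t) >= 2 and t[1] == "ip":
            named[name].append((t[0], " ".join(t[2:4]), " ".join(t[4:6])))
        elif kind == "rmap" and t[:3] == ["match", "ip", "address"]:
            rm_acl[name] = t[3]
    return cmap_acl, numbered, named, nat_rms, rm_acl


def ios_nat_exemption_gaps(config):
    """List (crypto-map entry, route-map, src, dst) where a NAT route-map's ACL
    lacks a 'deny' for traffic the crypto ACL selects, i.e. VPN traffic that
    would be translated before encryption."""
    cmap_acl, numbered, named, nat_rms, rm_acl = parse_ios(config)
    gaps = []
    for entry, acl_no in cmap_acl.items():
        for _, src, dst in numbered.get(acl_no, []):
            for rm in nat_rms:
                denies = {(s, d) for a, s, d in named.get(rm_acl.get(rm), []) if a == "deny"}
                if (src, dst) not in denies:
                    gaps.append((entry, rm, src, dst))
    return gaps


def pix_nat_issues(config):
    """Flag 'nat (<if>) <id> access-list <acl>' lines whose NAT ID is not 0.

    On PIX 6.x only ID 0 with an access-list is NAT exemption; any other ID is
    policy NAT into the matching 'global' pool, so traffic matching the ACL is
    translated before the crypto map sees it.
    """
    issues = []
    for line in config.splitlines():
        m = re.match(r"nat \((\S+)\) (\d+) access-list (\S+)", line.strip())
        if m and m.group(2) != "0":
            ifc, nat_id, acl = m.groups()
            issues.append(f"nat ({ifc}) {nat_id} access-list {acl}: ID {nat_id} is policy NAT, "
                          f"not exemption; expected 'nat ({ifc}) 0 access-list {acl}'")
    return issues


if __name__ == "__main__":
    print("IOS NAT exemption gaps:", ios_nat_exemption_gaps(IOS_CONFIG) or "none")
    for issue in pix_nat_issues(PIX_CONFIG):
        print("PIX:", issue)
```

The IOS check is deliberately strict: it wants an explicit `deny` of each crypto-ACL source/destination pair in every NAT route-map ACL, because a broader `permit ... any` later in that ACL would otherwise catch the VPN traffic. `show ip nat translations` on the router and `show xlate` on the PIX are the live counterparts of these two static checks.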

Les Moore

Can you post result of
2600#sho cry is sa

arnetguru

ASKER

Both tunnels are in QM_IDLE state.  I can see the inside interface of PIX #2 from the 2600, but nothing beyond it.  I can also see all the 172.16.0.0 network behind the 2600 from the inside interface of PIX #2.

ASKER CERTIFIED SOLUTION
Les Moore
This solution is only available to members.