[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 451
  • Last Modified:

Cisco IPSEC VPN works for one endpoint, but not another

I have 2 IPSEC VPNs established.  I can communicate with devices on the other side of one endpoint without issues.  I cannot communicate with any devices beyond the 2nd endpoint.  I can ping the inside interface of endpoint #2, though.  This was working fine until this morning, and I'm sure what could have changed (I certainly didn't knowingly change anything).

Here's the setup & cleaned configs:

2600XM -------->(IPSEC)------->PIX 506E (#1)
             -------->(IPSEC)------->PIX 506E (#2)

2600 Internal IP: 172.16.0.0/16
PIX #1 Internal IP: 192.168.11.1/24
PIX #2 Internal IP: 192.168.7.1/24

I've replaced PIX #1's public IP with A.B.C.D.  I've replaced PIX #2's public IP with E.F.G.H.

Here are the current configs for the 2600 and PIX #2:

Current configuration : 10516 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2

crypto isakmp key ******* address A.B.C.D
crypto isakmp key ******* address E.F.G.H
!
!
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
!
crypto map BWI-Branch 10 ipsec-isakmp
 set peer A.B.C.D
 set transform-set vpnset
 match address 140
crypto map BWI-Branch 20 ipsec-isakmp
 set peer E.F.G.H
 set transform-set vpnset
 match address 150
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 description Connection to Internet
 ip address <public ip#1> 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 keepalive 5
!
interface FastEthernet0/1
 description Inside ethernet connection
 ip address 172.16.0.1 255.255.0.0
 ip nat inside
 ip policy route-map nonat
 duplex auto
 speed auto
!
interface Ethernet1/0
 description Branch Access
 ip address <public IP#2> 255.255.255.248
 ip nat outside
 no ip route-cache
 half-duplex
 no keepalive
 crypto map BWI-Branch
!
ip nat pool pool1 <public ip#1> <public ip#1> netmask 255.255.255.0
ip nat pool pool2 <public IP#2> <public IP#2> netmask 255.255.255.248
ip nat inside source route-map BranchNAT-map pool pool2 overload
ip nat inside source route-map InternetNAT-map pool pool1 overload
ip nat inside source static 172.16.0.3 <public ip> extendable
ip nat inside source static 172.16.0.4 <public ip> extendable
ip classless
ip route 0.0.0.0 0.0.0.0 <public IP#1 Gateway>
ip route A.B.C.D 255.255.255.255 <public IP#2 Gateway>
ip route E.F.G.H 255.255.255.255 <public IP#2 Gateway>
!
no ip http server
ip http authentication local
ip http secure-server
!
ip access-list extended BranchNAT
 deny   ip 172.16.0.0 0.0.255.255 192.168.11.0 0.0.0.255
 deny   ip 172.16.0.0 0.0.255.255 192.168.7.0 0.0.0.255
 permit ip host A.B.C.D
 permit ip host E.F.G.H
ip access-list extended InternetNAT
 deny   ip 172.16.0.0 0.0.255.255 192.168.11.0 0.0.0.255
 deny   ip 172.16.0.0 0.0.255.255 192.168.7.0 0.0.0.255
 deny      ip host A.B.C.D
 deny      ip host E.F.G.H
 permit ip 172.16.0.0 0.0.255.255 any

!
access-list 123 permit ip 172.16.0.0 0.0.255.255 192.168.7.0 0.0.0.255
access-list 123 permit ip 172.16.0.0 0.0.255.255 192.168.11.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 192.168.11.0 0.0.0.255
access-list 150 permit ip 172.16.0.0 0.0.255.255 192.168.7.0 0.0.0.255
!
route-map InternetNAT-map permit 10
 match ip address InternetNAT
!
route-map BranchNAT-map permit 10
 match ip address BranchNAT
!
route-map nonat permit 10
 match ip address 123
 set ip next-hop 1.1.1.2
!
!

PIX #2:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname APIX506
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit icmp any any echo-reply
access-list IPSEC permit ip 192.168.7.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list nonat permit ip 192.168.7.0 255.255.255.0 172.16.0.0 255.255.0.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside E.F.G.H 255.255.255.248
ip address inside 192.168.7.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 access-list nonat 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 <E.G.F.G Gateway> 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community BWI
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set BWI esp-3des esp-md5-hmac
crypto map BranchVPN 10 ipsec-isakmp
crypto map BranchVPN 10 match address IPSEC
crypto map BranchVPN 10 set peer <2600 Public IP #2>
crypto map BranchVPN 10 set transform-set BWI
crypto map BranchVPN interface outside
isakmp enable outside
isakmp key ******** address <2600 Public IP #2> netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.7.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 192.168.7.3-192.168.7.254 inside
dhcpd dns 64.7.11.2 66.80.130.23
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:1eb07720b1d2072496bb94c291b2a560
: end
PIX2#


RESULTS:

2600#ping
Protocol [ip]:
Target IP address: 192.168.7.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.0.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.7.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 144/165/180 ms
2600#ping
Protocol [ip]:
Target IP address: 192.168.7.8
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.0.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.7.8, timeout is 2 seconds:
Packet sent with a source address of 172.16.0.1
.....
Success rate is 0 percent (0/5)


Thanks for any direction you can provide.

0
arnetguru
Asked:
arnetguru
  • 2
1 Solution
 
lrmooreCommented:
Can you post result of
2600#sho cry is sa

0
 
arnetguruAuthor Commented:
Both tunnels are in QM_IDLE state.  I can see the inside interface of PIX #2 from the 2600, but nothing beyond it.  I can also see all the 172.16.0.0 network behind the 2600 from the inside interface of PIX #2.

0
 
lrmooreCommented:
In your testing
   >Target IP address: 192.168.7.8
What is this IP? Is it a PC or server? Is it's default gateway set correctly?

Appears to be one-way visibility?
>I can also see all the 172.16.0.0 network behind the 2600 from the inside interface of PIX #2.
How are you determining this?

It appears to be pointing to a routing issue behind PIX2....
0

Featured Post

Prep for the ITIL® Foundation Certification Exam

December’s Course of the Month is now available! Enroll to learn ITIL® Foundation best practices for delivering IT services effectively and efficiently.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now