Configuring Site-Site VPN Pix 515 Cisco 837 ADSL Router- Desperate for Help!

Hi All,

I posted this question a while back, but the problem is still ongoing.
I am desperately trying to set up a site-to-site VPN between our main HQ PIX 515 and a remote site with ADSL and a Cisco 837 router. We currently accept remote access VPN connections through the PIX, and I want to set this connection up without disrupting this service. Unfortunately, I did not configure the PIX initially, and do not have much Cisco firewall experience.

The details are:

Main site is on 10.3.x.x/16 network.
Remote site is on 10.8.x.x/16 Network.

Remote site has 2 PCs that require access to our network for e-mail, documents etc. I would still like them to go straight out for internet access though.

Both have static IPs for the outside.

The PIX only has a license for DES encryption. (?)

I am quite happy to attach the configs for both boxes so you can see where I am going wrong. I am really in need of some help here, otherwise my boss is gonna start getting quite annoyed!

If anyone feels that they could help, please post back and I will upload the configs etc.

Thanks in advance...

Jonathan
grblades Commented:
Please post your configs and I will have a look.
hairy51 (Author) Commented:
Here is the PIX config as it stands. I have removed a few bits to make it a bit shorter, but let me know if you need any more info.

A16-PIX-FW1# sho run
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto
interface ethernet5 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 pix/intf3 security15
nameif ethernet4 pix/intf4 security20
nameif ethernet5 pix/intf5 security25
enable password m5lf2m393rgslhXN encrypted
passwd j/BezwIrzRqSU/u. encrypted
hostname A16-PIX-FW1
domain-name somerset.ac.uk
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sqlnet 1526
names
access-list inside_outbound_nat0_acl permit ip any 192.168.254.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 10.8.0.0 255.255.0.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.254.0 255.255.255.0
access-list canonsgrove permit ip any 10.8.0.0 255.255.0.0
**** All Inside_out and Outside_in Access lists removed****
pager lines 24
logging on
logging timestamp
logging buffered debugging
logging trap debugging
logging host inside 10.3.254.45
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu pix/intf3 1500
mtu pix/intf4 1500
mtu pix/intf5 1500
ip address outside x.x.x.x 255.255.255.224
ip address inside 10.3.254.254 255.255.0.0
ip address dmz 192.168.1.1 255.255.255.0
no ip address pix/intf3
no ip address pix/intf4
no ip address pix/intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool support 192.168.254.1-192.168.254.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no failover ip address pix/intf3
no failover ip address pix/intf4
no failover ip address pix/intf5

**** PDM Location Commands removed****

pdm logging alerts 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 2 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 10.0.0.0 255.0.0.0 0 0

****Static Route’s Removed****

access-group outside_in in interface outside
access-group inside_out in interface inside
access-group dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.0.0.0 255.0.0.0 10.3.1.1 1
route inside 10.8.0.0 255.255.0.0 x.x.x.x  1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65534 ipsec-isakmp
crypto map outside_map 65534 match address canonsgrove
crypto map outside_map 65534 set peer x.x.x.x
crypto map outside_map 65534 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 15 lifetime 86400
vpngroup support address-pool support
vpngroup support dns-server 10.3.254.9 10.3.254.10
vpngroup support wins-server 10.3.254.36
vpngroup support default-domain scat.somerset.ac.uk
vpngroup support idle-time 1800
vpngroup support password ********
vpngroup user address-pool support
vpngroup user dns-server 10.3.254.10
vpngroup user wins-server 10.3.254.36
vpngroup user default-domain scat.somerset.ac.uk
vpngroup user idle-time 1800
vpngroup user password ********
vpngroup canonsgrove address-pool support
vpngroup canonsgrove dns-server 10.3.254.10
vpngroup canonsgrove wins-server 10.3.254.36
vpngroup canonsgrove default-domain scat.somerset.ac.uk
vpngroup canonsgrove idle-time 1800
vpngroup canonsgrove password ********
vpngroup address-pool idle-time 1800
telnet 10.0.0.0 255.0.0.0 inside
telnet 10.0.0.0 255.0.0.0 dmz
telnet 10.0.0.0 255.0.0.0 pix/intf3
telnet 10.0.0.0 255.0.0.0 pix/intf4
telnet 10.0.0.0 255.0.0.0 pix/intf5
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:3796bcf482184d244705b4858a6f2637

Here is the 837. Currently it is in its default state; I have tried configuring it for the VPN, but ended up resetting the factory defaults.

Current configuration : 1998 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
no logging buffered
!
username CRWS_Santhosh privilege 15 password 7 125D5453255A0A256E247527001032125E475B55020F0F0A
no aaa new-model
ip subnet-zero
ip name-server 213.1.119.101
ip name-server 213.1.119.102
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool CLIENT
   import all
    network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   lease 0 2
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
interface ATM0
 no ip address
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer remote-name redback
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname A497446@hg7.btclick.com
 ppp chap password 7 111A1608120018091079
 ppp pap sent-username A497446@hg7.btclick.com password 7 083243430C0B16120658
 ppp ipcp dns request
 ppp ipcp wins request
!
ip nat inside source list 102 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http secure server
!
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
!
end

Hope it makes more sense to you than it does to me!

Cheers

Jonathan


Tim Holman Commented:
Your 837 is devoid of any VPN configuration (as you quite rightly point out!)...

Cisco's guides are here:

http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html


Give it a go. If you get stuck, turn on PIX debugging:

debug cry isa
debug cry ipsec
term mon

Then try and initiate the tunnel (ie ping the remote network), and turn off debugging afterwards:

term no mon
no debug all


Also change all of your passwords! The encrypted hashes you've posted up are reversible...!
hairy51 (Author) Commented:
Have managed to get the VPN working now; ended up buying a Cisco support pack. Only problem is, I can ping from the inside interface of the PIX to the remote network, and from the remote network back to the inside interface of the PIX, but cannot ping into the networks at each end!

Tim Holman Commented:
If you can't reach the networks at either end, this suggests routing issues whereby internal routers don't realise they need to go via your PIX to reach the remote network.
hairy51 (Author) Commented:
I thought it would be something to do with that. We use OSPF routing inside the LAN, and there is a static route on the router that the PIX is joined to as follows:

ip route 0.0.0.0 0.0.0.0 10.3.254.254

10.3.254.254 is the IP address of the inside interface of the PIX, so any traffic not destined for the internal network gets thrown at the PIX, but it doesn't appear to work for the VPN traffic.

Is this the right way of doing it? As far as I can tell, the PIX should then look at the packet destined for the remote network and forward it through the VPN tunnel.

The remote site only has the ADSL router. There are only 2 clients and they both connect straight into it, so as far as routing at that end goes, there is not much to set up. Any traffic for 10.3.x.x gets encrypted and sent through the tunnel; anything else goes out to the internet.
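A static check over the route, nat 0 and crypto-map lines of the PIX config posted earlier in this thread, added here as an example and not part of the thread or of any Cisco tool: it works out which interface each crypto-map destination would actually leave through and whether the nat 0 ACL exempts it from translation. The config excerpt is constructed from the posted PIX config, with the masked x.x.x.x next hops replaced by the placeholder 203.0.113.1.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.3 config posted in this thread; the masked
# x.x.x.x next hops are replaced with the documentation address 203.0.113.1.
PIX_CONFIG = """
access-list inside_outbound_nat0_acl permit ip any 10.8.0.0 255.255.0.0
access-list canonsgrove permit ip any 10.8.0.0 255.255.0.0
nat (inside) 0 access-list inside_outbound_nat0_acl
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.0.0.0 255.0.0.0 10.3.1.1 1
route inside 10.8.0.0 255.255.0.0 203.0.113.1 1
crypto map outside_map 65534 ipsec-isakmp
crypto map outside_map 65534 match address canonsgrove
crypto map outside_map interface outside
"""

def acl_destinations(config, name):
    """Destination networks of 'permit ip ... <net> <mask>' entries in a PIX named ACL."""
    pat = rf"^access-list {re.escape(name)} permit ip (?:any|host \S+|\S+ \S+) (\S+) (\S+)$"
    return [ipaddress.ip_network(f"{net}/{mask}")
            for net, mask in re.findall(pat, config, re.M)]

def static_routes(config):
    """(interface, network) for every 'route <if> <net> <mask> <gw>' line."""
    return [(intf, ipaddress.ip_network(f"{net}/{mask}"))
            for intf, net, mask in re.findall(r"^route (\S+) (\S+) (\S+) \S+", config, re.M)]

def check_pix_vpn(config):
    """Findings where crypto-map traffic would exit the wrong interface or be NATed."""
    findings = []
    nat0 = re.search(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M)
    exempt = acl_destinations(config, nat0.group(1)) if nat0 else []
    routes = static_routes(config)
    for cmap, acl in re.findall(r"^crypto map (\S+) \d+ match address (\S+)", config, re.M):
        bound = re.search(rf"^crypto map {re.escape(cmap)} interface (\S+)", config, re.M)
        if not bound:
            findings.append(f"crypto map {cmap} is not bound to any interface")
            continue
        for dest in acl_destinations(config, acl):
            # Longest-prefix match decides the egress interface for this destination.
            best = max((r for r in routes if r[1].supernet_of(dest)),
                       key=lambda r: r[1].prefixlen, default=None)
            if best and best[0] != bound.group(1):
                findings.append(f"{dest} is routed via {best[0]} ({best[1]}) but crypto map "
                                f"{cmap} is bound to {bound.group(1)}")
            if not any(e.supernet_of(dest) for e in exempt):
                findings.append(f"{dest} is not covered by the nat 0 ACL and would be translated")
    return findings
```

On a PIX the crypto map only sees traffic that egresses the interface it is bound to, so a route for the remote network via any other interface keeps that traffic out of the tunnel even when the ISAKMP and IPsec parameters are correct.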
Tim Holman Commented:
Yes - this is the correct way of doing things, however, something's not quite right, so I would suggest running a traceroute from an internal machine destined for the remote VPN network to make sure traffic is hitting the PIX.
If so, we would then need to do some debugs on the PIX to work out what's going on:

To turn on:

term mon
debug cry isakmp
debug cry ipsec

To turn off:

term no mon
no debug all
Tim Holman Commented:
Is this fixed now?