Solved

501 to 501 VPN connection

Posted on 2005-02-26
Last Modified: 2013-11-16
I am trying to set up a 501 to 501 always-on connection between 2 offices using DSL connections on both sides. I followed the article from Cisco. However, I cannot get it to run correctly.

Here are my configs for the 2 sites. Both have internet access. What I am not sure of and was depending on Cisco heavily for was the access-list, transform-set and the crypto map settings.

Thanks in advance
Cepolly


interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******* encrypted
passwd ******* encrypted
hostname doamin-NEW
domain-name doamin
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names        
name 10.0.1.50 TEST
object-group service pcANY tcp
  description pcANYwhere
  port-object range 65301 65301
  port-object eq pcanywhere-data
  port-object range pcanywhere-data 5632
object-group service TermServ tcp
  description RDP
  port-object range 3389 3399
access-list inside_access_in remark outbound
access-list inside_access_in permit tcp any any
access-list inside_access_in remark outbound
access-list letmein remark inbound traffic
access-list letmein permit icmp any any
access-list 90 permit ip x.x.241.56 255.255.255.248 x.x.44.120 255.255.255.248
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 90
nat (inside) 1 10.0.1.0 255.255.255.0 0 0
access-group letmein in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set nellie esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 90
crypto map transam 1 set peer x.x.44.122
crypto map transam 1 set transform-set nellie
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address x.x.44.122 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
dhcpd address 10.0.1.2-10.0.1.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:e3d22e57bfa3aa7d0cd3214cfcf4b335
: end        

And here is the 2nd PIX:

PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******* encrypted
passwd ******** encrypted
hostname doamin-NEW
domain-name domain
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names        
name 10.0.2.50 TEST
object-group service pcANY tcp
  description pcANYwhere
  port-object range 65301 65301
  port-object eq pcanywhere-data
  port-object range pcanywhere-data 5632
object-group service TermServ tcp
  description RDP
  port-object range 3389 3399
access-list inside_access_in remark outbound
access-list inside_access_in permit tcp any any
access-list inside_access_in remark outbound
access-list letmein remark inbound traffic
access-list letmein permit icmp any any
access-list 91 permit ip x.x.44.120 255.255.255.248 x.x.241.56 255.255.255.248
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 91
nat (inside) 1 10.0.2.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set nellie esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 91
crypto map transam 1 set peer x.x.241.59
crypto map transam 1 set transform-set nellie
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address x.x.241.59 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
dhcpd address 10.0.2.2-10.0.2.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:********************
: end  

Question by: cepolly
29 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 13412186
Try this:
On Side 1:
  access-list 90 permit 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0

On Side 2:
  access-list 91 permit 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0

Change this to group 2 on both sides:
  no isakmp policy 1 group 1
  isakmp policy 1 group 2

To confirm, show the result of "show cry is sa" - look for the remote IP and "QM_IDLE" = Good

0
 
LVL 1

Author Comment

by:cepolly
ID: 13412328
I was only able to SSH into one, so I will do the other on Monday.

I did do the "show cry is sa" and it came up with a pending, so at least that's half.

Thanks, and I'll post back with the result on Monday.
0
 
LVL 5

Expert Comment

by:pazmanpro
ID: 13414706
I also see that you are using the same access-list for your NAT exemption as well as your IPSEC traffic. It is not recommended to do this. Instead, create a separate access-list for the NAT exemption. So in addition to lrmoore's suggestion, also do the following:

! PIX1
access-list no-nat permit 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
no nat (inside) 0 access-list 90
nat (inside) 0 access-list no-nat

! PIX2
access-list no-nat permit 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
no nat (inside) 0 access-list 91
nat (inside) 0 access-list no-nat

0
 
LVL 5

Expert Comment

by:pazmanpro
ID: 13414716
You should also consider using 3DES or better yet AES rather than the weak DES encryption. Cisco offers a free upgrade to the higher encryption standards.
0
 
LVL 1

Author Comment

by:cepolly
ID: 13419553
OK, tried the above and still no go.

I keep getting an error saying:
WARNING: This crypto map is incomplete.
        To remedy the situation add a peer and a valid access-list to this crypto map.

I also changed the host names because I saw they were the same, which caused the keys to fail.

I think I need to start again. How do I reset this process?
0
 
LVL 1

Author Comment

by:cepolly
ID: 13419560
While I'm waiting,
here's what I have done on both sides to reset. Probably wrong.

no sysopt connection permit-ipsec
no crypto ipsec transform-set nellie esp-des esp-md5-hmac
no crypto map transam 1 ipsec-isakmp
no crypto map transam 1 set peer x.x.241.59
no crypto map transam 1 set transform-set nellie
no crypto map transam interface outside
no isakmp enable outside
no isakmp key xxxxx address x.x.241.59 netmask 255.255.255.255
no isakmp policy 1 authentication pre-share
no isakmp policy 1 encryption des
no isakmp policy 1 hash md5
no isakmp policy 1 group 2
no isakmp policy 1 lifetime 1000

0
 
LVL 1

Author Comment

by:cepolly
ID: 13419901
OK, I figured out the error was due to the crypto map not having the right access list defined.

Continuing on...
0
 
LVL 1

Author Comment

by:cepolly
ID: 13420184
Here are the latest configs.

I am not receiving any errors but still no connection.

I am not sure if I have the access lists correct for each side.
Also, should the peer address be the net or the address of the other PIX?
And should the address have a 255.255.255.255 mask or the mask of 255.255.255.248 as provided by the ISP?

PIX 1 - OLD

interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******* encrypted
passwd ********* encrypted
hostname NEL-OLD
domain-name nel
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names        
name 192.168.1.50 TEST
object-group service pcANY tcp
  description pcANYwhere
  port-object range 65301 65301
  port-object eq pcanywhere-data
  port-object range pcanywhere-data 5632
object-group service TermServ tcp
  description RDP
  port-object range 3389 3399
access-list inside_access_in remark outbound
access-list inside_access_in permit tcp any any
access-list inside_access_in remark outbound
access-list letmein remark inbound traffic
access-list letmein permit icmp any any
access-list letmein permit tcp any host X.X.44.125 eq https
access-list letmein permit tcp any host X.X.44.125 eq pop3
access-list letmein permit tcp any host X.X.44.125 eq imap4
access-list letmein permit tcp any host X.X.44.125 eq pcanywhere-data
access-list letmein permit udp any host X.X.44.125 eq 65301
access-list letmein permit tcp any host X.X.44.125 eq 65301
access-list letmein permit udp any host X.X.44.125 eq 143
access-list letmein permit udp any host X.X.44.125 eq 220
access-list letmein permit tcp any host X.X.44.125 eq 220
access-list letmein permit tcp any host X.X.44.125 eq 585
access-list letmein permit udp any host X.X.44.125 eq 585
access-list letmein permit udp any host X.X.44.125 eq 993
access-list letmein permit tcp any host X.X.44.125 eq 993
access-list letmein permit tcp any host X.X.44.125 eq smtp
access-list letmein permit udp any host X.X.44.125 eq 3389
access-list letmein permit tcp any host X.X.44.125 eq 3389
access-list letmein permit tcp any host X.X.44.125 eq www
access-list letmein permit tcp any host X.X.44.125 eq ssh
access-list 91 permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list no-nat permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 91
nat (inside) 1 10.0.2.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 91
crypto map transam 1 set peer X.X.241.59
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address X.X.241.59 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
dhcpd address 10.0.2.2-10.0.2.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
end  

PIX 2 - NEW
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ****** encrypted
passwd ****** encrypted
hostname NELL-NEW
domain-name nell
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names        
name 192.168.1.50 TEST
object-group service pcANY tcp
  description pcANYwhere
  port-object range 65301 65301
  port-object eq pcanywhere-data
  port-object range pcanywhere-data 5632
object-group service TermServ tcp
  description RDP
  port-object range 3389 3399
access-list inside_access_in remark outbound
access-list inside_access_in permit tcp any any
access-list inside_access_in remark outbound
access-list letmein remark inbound traffic
access-list letmein permit icmp any any
access-list letmein permit tcp any host x.x.241.59 eq ssh
access-list letmein permit tcp any host x.x.241.59 eq https
access-list letmein permit tcp any host x.x.241.59 eq pop3
access-list letmein permit tcp any host x.x.241.59 eq imap4
access-list letmein permit tcp any host x.x.241.59 eq pcanywhere-data
access-list letmein permit udp any host x.x.241.59 eq 65301
access-list letmein permit tcp any host x.x.241.59 eq 65301
access-list letmein permit udp any host x.x.241.59 eq 143
access-list letmein permit udp any host x.x.241.59 eq 220
access-list letmein permit tcp any host x.x.241.59 eq 220
access-list letmein permit tcp any host x.x.241.59 eq 585
access-list letmein permit udp any host x.x.241.59 eq 585
access-list letmein permit udp any host x.x.241.59 eq 993
access-list letmein permit tcp any host x.x.241.59 eq 993
access-list letmein permit tcp any host x.x.241.59 eq smtp
access-list letmein permit udp any host x.x.241.59 eq 3389
access-list letmein permit tcp any host x.x.241.59 eq 3389
access-list letmein permit tcp any host x.x.241.59 eq www
access-list 90 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list no-nat permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 90
nat (inside) 1 10.0.1.0 255.255.255.0 0 0
access-group letmein in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 90
crypto map transam 1 set peer x.x.44.125
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address x.x.44.125 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
dhcpd address 10.0.1.2-10.0.1.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13420253
>should the peer address be the net or the address of the other PIX?
Peer = remote PIX public IP

>nat (inside) 0 access-list 90
>nat (inside) 0 access-list 91

It doesn't really matter much in your situation, but since you created a no-nat acl, go ahead and use it.

nat (inside) 0 access-list no-nat

Can you post result of "show cry is sa"


0
 
LVL 1

Author Comment

by:cepolly
ID: 13420358
Gotcha on the peer. Thanks.

Did I have these reversed?
>nat (inside) 0 access-list 90
>nat (inside) 0 access-list 91

Should >'nat (inside) 0 access-list 90' go to PIX 2?
Should >'nat (inside) 0 access-list 91' go to PIX 1?

Here is the show cry:

pix 1 - old -

show cry isa sa
Total     : 0
Embryonic : 0
        dst               src        state     pending     created

pix 2 - new -

show cry isa sa
Total     : 0
Embryonic : 0
        dst               src        state     pending     created


0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13420496
PIX 1:
  no nat (inside) 0 access-list 91
  nat (inside) 0 access-list no-nat

PIX2:
  no nat (inside) 0 access-list 90
  nat (inside) 0 access-list no-nat

Add to both:
  isakmp identity address

Add this to PIX2 (it is already on PIX1):
sysopt connection permit-ipsec

Verify on both:
"peer" and key both point to remote PIX public IP:

PIX 2:
crypto map transam 1 set peer x.x.x.x
isakmp key ******** address x.x.x.x netmask 255.255.255.255



0
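As an added example (not from the thread or from Cisco), a small Python cross-check that applies lrmoore's checklist above and pazmanpro's separate no-nat ACL advice to a pair of PIX 6.3 configs: mirror-image crypto ACLs, a single `set peer` backed by a host-mask `isakmp key`, equal transform set and ISAKMP policy, a nat 0 ACL distinct from the crypto ACL, and the `sysopt`/`isakmp identity` lines. The two configs are constructed from the thread's layout with RFC 5737 placeholder public addresses; the line syntax it matches is the PIX 6.3 syntax shown in the posted configs.

```python
"""Cross-check two PIX 6.3 site-to-site IPsec configs for the consistency
points raised in the thread. Both configs below are constructed from the
thread's layout with RFC 5737 placeholder public IPs (203.0.113.x and
198.51.100.x); the inside networks are the thread's 10.0.1.0 and 10.0.2.0."""
import re

PIX1 = """\
access-list 91 permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list no-nat permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
nat (inside) 0 access-list no-nat
sysopt connection permit-ipsec
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map transam 1 match address 91
crypto map transam 1 set peer 198.51.100.59
crypto map transam 1 set transform-set chevelle
isakmp key ******** address 198.51.100.59 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
"""
# Constructed PIX2 with the three faults seen in the thread: no sysopt line,
# no 'isakmp identity address', and a stray second 'set peer 255.255.255.255'.
PIX2 = """\
access-list 90 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list no-nat permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
nat (inside) 0 access-list no-nat
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map transam 1 match address 90
crypto map transam 1 set peer 203.0.113.125
crypto map transam 1 set peer 255.255.255.255
crypto map transam 1 set transform-set chevelle
isakmp key ******** address 203.0.113.125 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
"""
# The same PIX2 after the fixes the thread arrives at.
PIX2_FIXED = (PIX2.replace("crypto map transam 1 set peer 255.255.255.255\n", "")
              + "sysopt connection permit-ipsec\nisakmp identity address\n")
FLAGS = ("sysopt connection permit-ipsec", "isakmp identity address")

def parse(cfg):
    """Pull the VPN-relevant lines out of a PIX 6.3 running-config."""
    d = {"acls": {}, "peers": [], "keys": {}, "ts": {}, "policy": {},
         "flags": set(), "match": None, "ts_name": None, "nat0": None}
    rules = [  # (regex, what to record when the line matches)
        (r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$",
         lambda m: d["acls"].setdefault(m[1], []).append(m.groups()[1:])),
        (r"nat \(inside\) 0 access-list (\S+)$", lambda m: d.update(nat0=m[1])),
        (r"crypto map \S+ \d+ match address (\S+)$", lambda m: d.update(match=m[1])),
        (r"crypto map \S+ \d+ set peer (\S+)$", lambda m: d["peers"].append(m[1])),
        (r"crypto map \S+ \d+ set transform-set (\S+)$", lambda m: d.update(ts_name=m[1])),
        (r"crypto ipsec transform-set (\S+) (.+)$", lambda m: d["ts"].update({m[1]: m[2]})),
        (r"isakmp key \S+ address (\S+) netmask (\S+)$", lambda m: d["keys"].update({m[1]: m[2]})),
        (r"isakmp policy \d+ (\S+) (\S+)$", lambda m: d["policy"].update({m[1]: m[2]})),
    ]
    for line in cfg.splitlines():
        line = line.strip()
        if line in FLAGS:
            d["flags"].add(line)
        for pattern, action in rules:
            m = re.match(pattern, line)
            if m:
                action(m)
                break
    return d

def check_pair(a, b):
    """Return a list of findings for two parsed configs; empty means consistent."""
    findings = []
    for name, side in (("PIX1", a), ("PIX2", b)):
        findings += [f"{name}: missing '{f}'" for f in FLAGS if f not in side["flags"]]
        if len(side["peers"]) != 1:
            findings.append(f"{name}: expected one 'set peer', found {side['peers']}")
        # Every peer needs a pre-shared key bound to exactly that host (/32 mask).
        findings += [f"{name}: no host-mask isakmp key for peer {p}" for p in side["peers"]
                     if side["keys"].get(p) != "255.255.255.255"]
        if side["match"] not in side["acls"]:
            findings.append(f"{name}: crypto map ACL '{side['match']}' is undefined")
        if side["nat0"] == side["match"]:
            findings.append(f"{name}: nat 0 and crypto map share ACL '{side['match']}'")
    # Cross-side checks: crypto ACLs must mirror (src/dst swapped), proposals must agree.
    acl_a = a["acls"].get(a["match"], [])
    acl_b = [(dst, dm, src, sm) for src, sm, dst, dm in b["acls"].get(b["match"], [])]
    if sorted(acl_a) != sorted(acl_b):
        findings.append("crypto map ACLs are not mirror images of each other")
    if a["ts"].get(a["ts_name"]) != b["ts"].get(b["ts_name"]):
        findings.append("transform sets differ between the two sides")
    if a["policy"] != b["policy"]:
        findings.append("isakmp policy parameters differ between the two sides")
    return findings
```

Running `check_pair(parse(PIX1), parse(PIX2))` reports the two missing lines, the duplicate peer and the keyless 255.255.255.255 peer; against `PIX2_FIXED` it returns an empty list.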
 
LVL 1

Author Comment

by:cepolly
ID: 13420657
I ran and verified all of the above.

Do I now need to define the no-nat access-list in the crypto map?

Like this?
>crypto map transam 1 match address no-nat

Also, after I ran the
crypto map transam 1 set peer x.x.x.x
isakmp key ******** address x.x.x.x netmask 255.255.255.255

I received the following error.
A pre-shared key for address x.x.44.125 netmask 255.255.255.255 already exists!
Error: Key insert failed.

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13420724
>Do I now need to define the no-nat access-list in the crypto map?
No.
What you have done is to create two distinct (although identical) access-lists.
Acl no-nat applies to nat 0 process, acl 90|91 applies to the crypto map.

>A pre-shared key for address x.x.44.125 netmask 255.255.255.255 already exists!
The error message is expected. I just wanted you to verify that the IP's were pointing to the remote site. You don't have to input it again.
If you want to change the key just to make sure they are the same:

  no isakmp key <youroldkey> address x.x.x.x netmask 255.255.255.255
  isakmp key <newsecretkey> address x.x.x.x netmask 255.255.255.255

Any change in status with "sho cry is sa"?
0
 
LVL 1

Author Comment

by:cepolly
ID: 13420727
I changed the crypto map to

>crypto map transam 1 match address no-nat

on both.

Still no go.

If it works, should I be able to ping the inside interface of the remote PIX?
0
 
LVL 1

Author Comment

by:cepolly
ID: 13420812
OK, sorry about that. I changed them back to the appropriate ACLs.

No change on show cry.

Here are the latest configs just to be sure (partial).

pix 1 - old

access-list 91 permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list no-nat permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 10.0.2.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 91
crypto map transam 1 set peer x.x.241.59
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address x.x.241.59 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5

pix 2 - new

access-list 90 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list no-nat permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 10.0.1.0 255.255.255.0 0 0
access-group letmein in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 90
crypto map transam 1 set peer x.x.44.125
crypto map transam 1 set peer 255.255.255.255
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address x.x.44.125 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000


0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13420848
>if it works should i be able to ping the inside interface of the remote pix?
Absolutely not. You must test this from a PC on one side pinging a PC on the other.

Can you post result of "sho cry is sa" again?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13420868
Can you re-apply the crypto map to the interface on both sides?
Just re-enter it exactly as it is...
>crypto map transam interface outside

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13420876
Since both PIX's get a dynamic outside IP, are you sure you have the right IP address?
>ip address outside dhcp setroute
0
 
LVL 5

Expert Comment

by:pazmanpro
ID: 13420901
Just my observation, but your outside interface is DHCP defined. Are you given the same address every time? Are you sure that the addresses you are using for your IKE peers are correct? Do a show interface to verify the IP addresses.

If the addresses are correct, start debugging. Start with

debug crypto isakmp
0
 
LVL 5

Expert Comment

by:pazmanpro
ID: 13420919
Looks like lrmoore's got you covered! :-)
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13420991
Just to let you know, I'm going to be off-line for the next couple of hours...
I'll get back as quick as I can..
0
 
LVL 1

Author Comment

by:cepolly
ID: 13421387
I reapplied the crypto map to the outside interface.

I verified that the DHCP address is the same.

The show cry isa sa gives the following on both:

 sho cry isa sa
Total     : 0
Embryonic : 0
        dst               src        state     pending     created

No prob on the time. I appreciate your help as always.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13421433
Nothing there is not a good sign.
How about result of "sho cry ip sa"  <== "ip" vs "is" will show us a whole lot more information

0
 
LVL 1

Author Comment

by:cepolly
ID: 13421657
Here it is on PIX 1 - OLD

show cry ip sa

interface: outside
    Crypto map tag: transam, local addr. x.x.44.125

   local  ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
   current_peer: x.x.241.59:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: x.x.44.125, remote crypto endpt.: x.x.241.59
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:
             
     inbound pcp sas:
 
     outbound esp sas:
             
     outbound ah sas:
       
     outbound pcp sas:


Here is the same on PIX 2 - NEW

show cry ip sa


interface: outside
    Crypto map tag: transam, local addr. x.x.241.59

   local  ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
   current_peer: x.x.44.125:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.241.59, remote crypto endpt.: 70.147.44.125
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:

             
     inbound pcp sas:
             
             
     outbound esp sas:
             
             
     outbound ah sas:
             
             
     outbound pcp sas:
             
             
     local crypto endpt.: x.x.241.59, remote crypto endpt.: 255.255.255.255
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0
             
     inbound esp sas:
             
             
     inbound ah sas:
             
             
     inbound pcp sas:
             
             
     outbound esp sas:
             
             
     outbound ah sas:
             
             
     outbound pcp sas:
             
Seems as though PIX 2 - new is getting more data than PIX 1 - old.
0
 
LVL 1

Author Comment

by:cepolly
ID: 13421906
OK, I realized I must have inadvertently put in the line:

>crypto map transam 1 set peer 255.255.255.255

I removed it.
0
 
LVL 1

Author Comment

by:cepolly
ID: 13421964
Do I need to have PCs on both sides to establish the connection, or should it occur PIX to PIX alone?
0
 
LVL 79

Accepted Solution

by: lrmoore (earned 2000 total points)
ID: 13421986
You MUST have something on each side that can send/receive packets. The VPN tunnel is dynamic and will only be established if and when there is traffic.
0
 
LVL 1

Author Comment

by:cepolly
ID: 13422296
That did it. Sorry for not setting up the PCs on both sides. As soon as that was done it came right up.

Here is the show cry again:

sho cry isa sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
   x.x..44.125     x.x.241.59    QM_IDLE         0           1

Hmm, just a little better.

Thanks again lrmoore. You da man.

cepolly
 
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13424096
Wooo hooo!!
Nice working with you!
0
