501 to 501 VPN connection

cepolly asked:

I am trying to set up a 501 to 501 always-on connection between 2 offices using DSL connections on both sides. I followed the article from Cisco. However, I cannot get it to run correctly.

Here are my configs for the 2 sites. Both have internet access. What I am not sure of, and was depending on Cisco heavily for, was the access-list, transform-set and crypto map settings.

Thanks in advance
Cepolly


interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******* encrypted
passwd ******* encrypted
hostname doamin-NEW
domain-name doamin
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names        
name 10.0.1.50 TEST
object-group service pcANY tcp
  description pcANYwhere
  port-object range 65301 65301
  port-object eq pcanywhere-data
  port-object range pcanywhere-data 5632
object-group service TermServ tcp
  description RDP
  port-object range 3389 3399
access-list inside_access_in remark outbound
access-list inside_access_in permit tcp any any
access-list inside_access_in remark outbound
access-list letmein remark inbound traffic
access-list letmein permit icmp any any
access-list 90 permit ip x.x.241.56 255.255.255.248 x.x.44.120 255.255.255.248
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 90
nat (inside) 1 10.0.1.0 255.255.255.0 0 0
access-group letmein in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set nellie esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 90
crypto map transam 1 set peer x.x.44.122
crypto map transam 1 set transform-set nellie
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address x.x.44.122 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
dhcpd address 10.0.1.2-10.0.1.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:e3d22e57bfa3aa7d0cd3214cfcf4b335
: end        

And here is the 2nd PIX:

PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******* encrypted
passwd ******** encrypted
hostname doamin-NEW
domain-name domain
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names        
name 10.0.2.50 TEST
object-group service pcANY tcp
  description pcANYwhere
  port-object range 65301 65301
  port-object eq pcanywhere-data
  port-object range pcanywhere-data 5632
object-group service TermServ tcp
  description RDP
  port-object range 3389 3399
access-list inside_access_in remark outbound
access-list inside_access_in permit tcp any any
access-list inside_access_in remark outbound
access-list letmein remark inbound traffic
access-list letmein permit icmp any any
access-list 91 permit ip x.x.44.120 255.255.255.248 x.x.241.56 255.255.255.248
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 91
nat (inside) 1 10.0.2.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set nellie esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 91
crypto map transam 1 set peer x.x.241.59
crypto map transam 1 set transform-set nellie
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address x.x.241.59 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
dhcpd address 10.0.2.2-10.0.2.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:********************
: end  

Les Moore:

Try this:
On Side 1:
  access-list 90 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0

On Side 2:
  access-list 91 permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0

Change this to group 2 on both sides:
  no isakmp policy 1 group 1
  isakmp policy 1 group 2

To confirm, show the result of "show cry is sa" - look for the remote IP and "QM_IDLE" = good.

cepolly (asker):

I was only able to SSH into one, so I will do the other on Monday.

I did do the show cry is sa and came up with a pending, so at least that's half.

Thanks, and I'll post back with the result on Monday.
pazmanpro:
I also see that you are using the same access-list for your NAT exemption as well as your IPsec traffic. It is not recommended to do this. Instead, create a separate access-list for the NAT exemption. So in addition to lrmoore's suggestion, also do the following:

! PIX1
access-list no-nat permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
no nat (inside) 0 access-list 90
nat (inside) 0 access-list no-nat

! PIX2
access-list no-nat permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
no nat (inside) 0 access-list 91
nat (inside) 0 access-list no-nat

You should also consider using 3DES or, better yet, AES rather than the weak DES encryption. Cisco offers a free upgrade to the higher encryption standards.
cepolly (asker):

OK, tried the above and still no go.

I keep getting an error saying:
WARNING: This crypto map is incomplete.
        To remedy the situation add a peer and a valid access-list to this crypto map.

I also changed the hostnames because I saw they were the same, which caused the keys to fail.

I think I need to start again. How do I reset this process?
cepolly (asker):

While I'm waiting, here's what I have done on both sides to reset. Probably wrong.

no sysopt connection permit-ipsec
no crypto ipsec transform-set nellie esp-des esp-md5-hmac
no crypto map transam 1 ipsec-isakmp
no crypto map transam 1 set peer x.x.241.59
no crypto map transam 1 set transform-set nellie
no crypto map transam interface outside
no isakmp enable outside
no isakmp key xxxxx address x.x.241.59 netmask 255.255.255.255
no isakmp policy 1 authentication pre-share
no isakmp policy 1 encryption des
no isakmp policy 1 hash md5
no isakmp policy 1 group 2
no isakmp policy 1 lifetime 1000

cepolly (asker):

OK, I figured out the error was due to the crypto map not having the right access-list defined.

Continuing on...
cepolly (asker):

Here are the latest configs.

I am not receiving any errors but still no connection.

I am not sure if I have the access-lists correct for each side.
Also, should the peer address be the net or the address of the other PIX?
And should the address have a 255.255.255.255 or the mask of 255.255.255.248 as provided by the ISP?

PIX 1 - OLD

interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******* encrypted
passwd ********* encrypted
hostname NEL-OLD
domain-name nel
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names        
name 192.168.1.50 TEST
object-group service pcANY tcp
  description pcANYwhere
  port-object range 65301 65301
  port-object eq pcanywhere-data
  port-object range pcanywhere-data 5632
object-group service TermServ tcp
  description RDP
  port-object range 3389 3399
access-list inside_access_in remark outbound
access-list inside_access_in permit tcp any any
access-list inside_access_in remark outbound
access-list letmein remark inbound traffic
access-list letmein permit icmp any any
access-list letmein permit tcp any host X.X.44.125 eq https
access-list letmein permit tcp any host X.X.44.125 eq pop3
access-list letmein permit tcp any host X.X.44.125 eq imap4
access-list letmein permit tcp any host X.X.44.125 eq pcanywhere-data
access-list letmein permit udp any host X.X.44.125 eq 65301
access-list letmein permit tcp any host X.X.44.125 eq 65301
access-list letmein permit udp any host X.X.44.125 eq 143
access-list letmein permit udp any host X.X.44.125 eq 220
access-list letmein permit tcp any host X.X.44.125 eq 220
access-list letmein permit tcp any host X.X.44.125 eq 585
access-list letmein permit udp any host X.X.44.125 eq 585
access-list letmein permit udp any host X.X.44.125 eq 993
access-list letmein permit tcp any host X.X.44.125 eq 993
access-list letmein permit tcp any host X.X.44.125 eq smtp
access-list letmein permit udp any host X.X.44.125 eq 3389
access-list letmein permit tcp any host X.X.44.125 eq 3389
access-list letmein permit tcp any host X.X.44.125 eq www
access-list letmein permit tcp any host X.X.44.125 eq ssh
access-list 91 permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list no-nat permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 91
nat (inside) 1 10.0.2.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 91
crypto map transam 1 set peer X.X.241.59
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address X.X.241.59 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
dhcpd address 10.0.2.2-10.0.2.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
end  

PIX 2 - NEW
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ****** encrypted
passwd ****** encrypted
hostname NELL-NEW
domain-name nell
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names        
name 192.168.1.50 TEST
object-group service pcANY tcp
  description pcANYwhere
  port-object range 65301 65301
  port-object eq pcanywhere-data
  port-object range pcanywhere-data 5632
object-group service TermServ tcp
  description RDP
  port-object range 3389 3399
access-list inside_access_in remark outbound
access-list inside_access_in permit tcp any any
access-list inside_access_in remark outbound
access-list letmein remark inbound traffic
access-list letmein permit icmp any any
access-list letmein permit tcp any host x.x.241.59 eq ssh
access-list letmein permit tcp any host x.x.241.59 eq https
access-list letmein permit tcp any host x.x.241.59 eq pop3
access-list letmein permit tcp any host x.x.241.59 eq imap4
access-list letmein permit tcp any host x.x.241.59 eq pcanywhere-data
access-list letmein permit udp any host x.x.241.59 eq 65301
access-list letmein permit tcp any host x.x.241.59 eq 65301
access-list letmein permit udp any host x.x.241.59 eq 143
access-list letmein permit udp any host x.x.241.59 eq 220
access-list letmein permit tcp any host x.x.241.59 eq 220
access-list letmein permit tcp any host x.x.241.59 eq 585
access-list letmein permit udp any host x.x.241.59 eq 585
access-list letmein permit udp any host x.x.241.59 eq 993
access-list letmein permit tcp any host x.x.241.59 eq 993
access-list letmein permit tcp any host x.x.241.59 eq smtp
access-list letmein permit udp any host x.x.241.59 eq 3389
access-list letmein permit tcp any host x.x.241.59 eq 3389
access-list letmein permit tcp any host x.x.241.59 eq www
access-list 90 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list no-nat permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 90
nat (inside) 1 10.0.1.0 255.255.255.0 0 0
access-group letmein in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 90
crypto map transam 1 set peer x.x.44.125
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address x.x.44.125 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
dhcpd address 10.0.1.2-10.0.1.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
>should the peer address be the net or the address of the other PIX?
Peer = remote PIX public IP

>nat (inside) 0 access-list 90
>nat (inside) 0 access-list 91

It doesn't really matter much in your situation, but since you created a no-nat ACL, go ahead and use it.

nat (inside) 0 access-list no-nat

Can you post result of "show cry is sa"


cepolly (asker):

Gotcha on the peer. Thx.

Did I have these reversed?
>nat (inside) 0 access-list 90
>nat (inside) 0 access-list 91

Should 'nat (inside) 0 access-list 90' go to PIX 2?
Should 'nat (inside) 0 access-list 91' go to PIX 1?

Here is the show cry:

PIX 1 - old:

show cry isa sa
Total     : 0
Embryonic : 0
        dst               src        state     pending     created

PIX 2 - new:

show cry isa sa
Total     : 0
Embryonic : 0
        dst               src        state     pending     created


PIX 1:
  no nat (inside) 0 access-list 91
  nat (inside) 0 access-list no-nat

PIX2:
  no nat (inside) 0 access-list 90
  nat (inside) 0 access-list no-nat

Add to both:
  isakmp identity address

Add this to PIX2 (it is already on PIX1):
sysopt connection permit-ipsec

Verify on both:
"peer" and key both point to remote PIX public IP:

PIX 2:
crypto map transam 1 set peer x.x.x.x
isakmp key ******** address x.x.x.x netmask 255.255.255.255
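
The checks lrmoore and pazmanpro walk through above (crypto ACLs that are mirror images of each other, a separate nat 0 exemption ACL covering the same networks, a single set peer and an isakmp key that both point at the remote PIX public IP, the crypto map applied to the interface, sysopt connection permit-ipsec, and 3DES/AES instead of DES) are worth scripting before pasting a second config. The following Python script is an added example, not code from the thread or from Cisco: it pulls the VPN-relevant lines out of two PIX 6.3 configs and reports what does not line up, in both directions. The sample configs and public IPs it runs against are constructed (RFC 5737 documentation addresses, not the thread's real ones), it only recognises the command forms used in this thread, and it assumes a single crypto map entry per PIX.

```python
"""Added example (not from the thread): checks a pair of PIX 6.3 site-to-site
IPsec configs for the mistakes discussed above.  Sample configs are constructed;
public IPs are RFC 5737 documentation addresses, not the thread's real ones."""
import re


def site_cfg(local_net, remote_net, acl, peer, extra=""):
    """Constructed PIX 6.3 VPN fragment shaped like the ones in the thread."""
    nets = f"{local_net} 255.255.255.0 {remote_net} 255.255.255.0"
    return f"""
access-list {acl} permit ip {nets}
access-list no-nat permit ip {nets}
nat (inside) 0 access-list no-nat
sysopt connection permit-ipsec
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map transam 1 match address {acl}
crypto map transam 1 set peer {peer}
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp key s3cret address {peer} netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
{extra}"""


PATS = {  # VPN-relevant PIX 6.3 lines (only the forms used in the thread)
    "acl": r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$",
    "nat0": r"nat \(inside\) 0 access-list (\S+)$",
    "sysopt": r"sysopt connection (permit-ipsec)$",
    "xform": r"crypto ipsec transform-set (\S+) (.+)$",
    "map": r"crypto map \S+ \d+ (match address|set peer|set transform-set) (\S+)$",
    "map_if": r"crypto map \S+ interface (\S+)$",
    "keys": r"isakmp key \S+ address (\S+) netmask",
    "policy": r"isakmp policy (\d+) (\S+) (\S+)$",
}


def parse_pix(text):
    """Reduce a PIX config to the fields check_pair() needs; other lines are ignored."""
    c = {"acl": {}, "map": {}, "xform": {}, "keys": set(), "policy": {},
         "nat0": None, "map_if": None, "sysopt": None}
    for line in text.splitlines():
        for key, pat in PATS.items():
            m = re.match(pat, line.strip())
            if not m:
                continue
            if key == "acl":          # name -> set of (src, smask, dst, dmask)
                c["acl"].setdefault(m[1], set()).add(m.group(2, 3, 4, 5))
            elif key == "xform":      # name -> set of ESP transforms
                c["xform"][m[1]] = frozenset(m[2].split())
            elif key == "map":        # 'set peer' -> [peers], etc.
                c["map"].setdefault(m[1], []).append(m[2])
            elif key == "keys":
                c["keys"].add(m[1])
            elif key == "policy":     # (policy number, attribute) -> value
                c["policy"][(m[1], m[2])] = m[3]
            else:                     # nat0, map_if, sysopt: single value
                c[key] = m[1]
            break
    return c


def check_pair(local, remote, remote_ip):
    """Problems on the local PIX, given the remote config and its public IP.
    Run it once per direction with the arguments swapped."""
    out, mp = [], local["map"]
    acl = mp.get("match address", [None])[0]
    peers = mp.get("set peer", [])
    if acl not in local["acl"] or not peers:     # the WARNING the thread hit
        out.append("crypto map incomplete: needs an existing ACL and a peer")
    if peers != [remote_ip]:                      # catches a stray second peer too
        out.append(f"set peer must be exactly {remote_ip}, got {peers}")
    if remote_ip not in local["keys"]:
        out.append(f"no isakmp key for {remote_ip}")
    for f, msg in (("map_if", "crypto map not applied to an interface"),
                   ("sysopt", "sysopt connection permit-ipsec missing")):
        if not local[f]:
            out.append(msg)
    mine = local["acl"].get(acl, set())
    racl = remote["map"].get("match address", [None])[0]
    mirror = {(d, dm, s, sm) for s, sm, d, dm in remote["acl"].get(racl, set())}
    if mine != mirror:
        out.append("crypto ACL is not the mirror image of the remote crypto ACL")
    if local["acl"].get(local["nat0"], set()) != mine:
        out.append("nat (inside) 0 ACL does not exempt the crypto ACL networks")
    weak = {("encryption", "des"): "3des or aes", ("hash", "md5"): "sha",
            ("group", "1"): "group 2"}
    for (num, attr), val in local["policy"].items():
        if (attr, val) in weak:
            out.append(f"weak isakmp policy {num} {attr} {val}; use {weak[attr, val]}")
    xf = local["xform"].get(mp.get("set transform-set", [None])[0], ())
    if "esp-des" in xf:
        out.append("weak transform esp-des; use esp-3des or esp-aes")
    return out


OLD_IP, NEW_IP = "198.51.100.125", "203.0.113.59"        # constructed public IPs
STRAY = "crypto map transam 1 set peer 255.255.255.255"  # the mistake from the thread
old = parse_pix(site_cfg("10.0.2.0", "10.0.1.0", "91", NEW_IP))
new = parse_pix(site_cfg("10.0.1.0", "10.0.2.0", "90", OLD_IP, extra=STRAY))

if __name__ == "__main__":
    print("PIX 1 old:", check_pair(old, new, NEW_IP) or "OK")
    print("PIX 2 new:", check_pair(new, old, OLD_IP) or "OK")
```

Run against the constructed pair, the old side reports only the weak DES/MD5/group 1 settings, while the new side additionally reports that set peer is not exactly the remote public IP because of the stray 255.255.255.255 entry. The mirror check is the one that catches the original x.x.241.56/x.x.44.120 ACLs: they named the ISP's public /29s rather than the two inside networks, so neither side's ACL was the reverse of the other's inside traffic.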



cepolly (asker):

I ran and verified all of the above.

Do I now need to define the no-nat access-list in the crypto map?

Like this?
>crypto map transam 1 match address no-nat

Also, after I ran the
crypto map transam 1 set peer x.x.x.x
isakmp key ******** address x.x.x.x netmask 255.255.255.255

I received the following error:
A pre-shared key for address x.x.44.125 netmask 255.255.255.255 already exists!
Error: Key insert failed.

>do i now need to define the no-nat access-list in nthe crypto map?
No.
What you have done is to create two distinct (although identical) access-lists.
Acl no-nat applies to nat 0 process, acl 90|91 applies to the crypto map.

>A pre-shared key for address x.x.44.125 netmask 255.255.255.255 already exists!
The error message is expected. I just wanted you to verify that the IPs were pointing to the remote site. You don't have to input it again.
If you want to change the key just to make sure they are the same:

  no isakmp key <youroldkey> address x.x.x.x netmask 255.255.255.255
  isakmp key <newsecretkey> address x.x.x.x netmask 255.255.255.255

Any change in status with "sho cry is sa" ?
cepolly (asker):

I changed the crypto map to

>crypto map transam 1 match address no-nat

on both.

Still no go.

If it works, should I be able to ping the inside interface of the remote PIX?
cepolly (asker):

OK, sorry about that. I changed them back to the appropriate ACLs.

No change on show cry.

Here are the latest configs just to be sure (partial).

PIX 1 - old

access-list 91 permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list no-nat permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 10.0.2.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 91
crypto map transam 1 set peer x.x.241.59
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address x.x.241.59 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5

PIX 2 - new

access-list 90 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list no-nat permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 10.0.1.0 255.255.255.0 0 0
access-group letmein in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 90
crypto map transam 1 set peer x.x.44.125
crypto map transam 1 set peer 255.255.255.255
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address x.x.44.125 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000


>if it works should i be able to ping the inside interface of the remote pix?
Absolutely not. You must test this from a PC on one side pinging a PC on the other.

Can you post result of "sho cry is sa" again?
Can you re-apply the crypto map to the interface on both sides
Just re-enter it exactly as it is...
>crypto map transam interface outside

Since both PIXes get a dynamic outside IP, are you sure you have the right IP address?
>ip address outside dhcp setroute
Just my observation, but your outside interface is DHCP defined. Are you given the same address every time? Are you sure that the addresses you are using for your IKE peers are correct? Do a show interface to verify the IP addresses.

If the addresses are correct, start debugging. Start with

debug crypto isakmp
Looks like lrmoore's got you covered! :-)
Just to let you know, I'm going to be off-line for the next couple of hours...
I'll get back as quick as I can..
cepolly (asker):

I reapplied the crypto map to the outside interface.

I verified that the DHCP address is the same.

The show cry isa sa gives the following on both:

sho cry isa sa
Total     : 0
Embryonic : 0
        dst               src        state     pending     created

No prob on the time. I appreciate your help as always.
Nothing there is not a good sign.
How about result of "sho cry ip sa"  <== "ip" vs "is" will show us a whole lot more information

cepolly (asker):

Here it is on PIX 1 - OLD:

show cry ip sa

interface: outside
    Crypto map tag: transam, local addr. x.x.44.125

   local  ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
   current_peer: x.x.241.59:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: x.x.44.125, remote crypto endpt.: x.x.241.59
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:
             
     inbound pcp sas:
 
     outbound esp sas:
             
     outbound ah sas:
       
     outbound pcp sas:


Here is the same on PIX 2 - new:

show cry ip sa


interface: outside
    Crypto map tag: transam, local addr. x.x.241.59

   local  ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
   current_peer: x.x.44.125:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.241.59, remote crypto endpt.: x.x.44.125
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:

             
     inbound pcp sas:
             
             
     outbound esp sas:
             
             
     outbound ah sas:
             
             
     outbound pcp sas:
             
             
     local crypto endpt.: x.x.241.59, remote crypto endpt.: 255.255.255.255
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0
             
     inbound esp sas:
             
             
     inbound ah sas:
             
             
     inbound pcp sas:
             
             
     outbound esp sas:
             
             
     outbound ah sas:
             
             
     outbound pcp sas:
             
Seems as though PIX 2 - new is getting more data than PIX 1 - old.
cepolly (asker):

OK, I realized I must have inadvertently put in the line:

>crypto map transam 1 set peer 255.255.255.255

I removed it.
cepolly (asker):

Do I need to have PCs on both sides to establish the connection, or should it occur PIX to PIX alone?
ASKER CERTIFIED SOLUTION
Les Moore:
cepolly (asker):

That did it. Sorry for not setting up the PCs on both sides. As soon as that was done, it came right up.

Here is the show cry again:

sho cry isa sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
   x.x.44.125     x.x.241.59    QM_IDLE         0           1

Hmm, just a little better.

Thanks again lrmoore. You da man.

cepolly
 
Wooo hooo!!
Nice working with you!