?
Solved

PIX 501 to PIX 501 VPN Has Tunnel but no access to network

Posted on 2005-03-07
5
Medium Priority
?
388 Views
Last Modified: 2013-11-16
I have a pair of PIX 501's that are creating a tunnel but I can't get anything from the HQ network servers through. I can't ping the servers or even the inside interface on the HQ 501 from the remote site. The HQ side is a fixed IP and the remote is a dynamic IP. I have read with interest some of the other questions (including my own) and have tried a number of ideas I read from lrmoore, skpruett and others. I am needing a programmer to be able to hook up to some mapped drives on a server as well as hook into a MSSql database. Before you ask, yes the tunnel is up and I can ping the outside interface of the HQ router and when I do  show cry is sa on the remote end I get the following:

Embryonic : 0
            dst                         src                 state     pending     created
    123.123.123.23     213.213.213.215    QM_IDLE         0           1

Of course the IPs are changed but .23 id the HQ PIX and .215 is the remote. The servers are Win2k3 servers with SQL2k. Thanks in advance.

mwhatley
0
Comment
Question by:mwhatley
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 15

Expert Comment

by:Yan_west
ID: 13480415
Did you create any ACLs that restrict anything on both side for your tunnel? or is it wide open? "access-list aclname permit ip any any"??
0
 
LVL 3

Expert Comment

by:skpruett
ID: 13480702
Hi mwhatley,
Any chance we can see the config's from each side?

The hard part is over, your tunnel is coming up. :)

The easy part is getting the NAT rules and matching traffic for the tunnel working.

Other questions:
1) Do you have a router in either network that might not be pointing to the PIX for these connections? I.E. You have an internet rotuter and the PIX is on a separate connection or IP. Do you have a route in the router to point traffic for the remote subnet back to the PIX?

2) Can you copy the output of a "show crypto ipsec sa" command for me from each side? Lets see if we are dropping on one side or the other.

-skpruett
0
 
LVL 1

Author Comment

by:mwhatley
ID: 13481235
I can show you the show crypto ipsec sa for the side I am currently at (which happens to be the HQ side right now) and here is the result:

Result of firewall command: "show cry ip sa"
 
interface: outside
    Crypto map tag: dyn-map, local addr. 123.123.123.23
   local  ident (addr/mask/prot/port): (HQOffice/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (RemoteOffice/255.255.255.0/0/0)
   current_peer: 213.213.213.215:500
   dynamic allocated peer ip: 0.0.0.0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 123.123.123.23, remote crypto endpt.: 213.213.213.215
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 5d31130b
     inbound esp sas:
      spi: 0x7c8fa369(2089788265)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: dyn-map
        sa timing: remaining key lifetime (k/sec): (4608000/24881)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x5d31130b(1563497227)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: dyn-map
        sa timing: remaining key lifetime (k/sec): (4607999/24881)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:

The only router is the internet router and it is doing it's job. At the remote end there is a dsl modem set to bridge.

I can give you the config from the HQ PIX and here ya go:

Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 12345678900 encrypted
passwd 121345678900 encrypted
hostname HQ
domain-name mycompany.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.1 server
name 192.168.1.0 HQOffice
name 192.168.2.0 RemoteOffice
access-list 100 permit ip RemoteOffice 255.255.255.0 HQOffice 255.255.255.0
access-list 100 permit ip HQOffice 255.255.255.0 RemoteOffice 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 123.123.123.23 255.255.255.128
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location HQOffice 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
conduit permit tcp any any
conduit permit tcp any RemoteOffice 255.255.255.0
conduit permit ip any TemoteOffice 255.255.255.0
route outside 0.0.0.0 0.0.0.0 123.123.123.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host server 1234567890 timeout 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
ntp server 132.163.4.101 source outside prefer
ntp server 132.163.4.102 source outside
ntp server 131.107.1.10 source outside
ntp server 129.6.15.28 source outside
http server enable
http HQOffice 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.1.42 /
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set ESP-3DES-MD5
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh HQOffice 255.255.255.0 inside
ssh timeout 10
console timeout 0
dhcpd dns 198.6.1.4 198.6.1.5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain corp.mycompany.com
dhcpd auto_config outside
username support password XXXXXXXXXXX encrypted privilege 15
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
Cryptochecksum:68eb1390c7914847d944b9ed3e4814bc
: end
[OK]

There ya go. The tunnel seems to be stable and looks good on the PDM monitor. I can try to run back out to the remote and get the info you might need soon. Let me know ASAP if there is any bad errors on the HQ side.

Thanks
0
 
LVL 3

Accepted Solution

by:
skpruett earned 2000 total points
ID: 13481506
HQ side looks okay, at least nothing is jumping out at me right now. You have one unneeded line on the NONAT but that's okay for now.

Since the tunnel is coming up, you can try a few things.
1) Ping from a workstation on your side to a workstation on the remote site. (this may take a bit if you keep having to bring up the tunnel to try it.)
Directly afterward, do the "show crypto ipsec sa"
You want to look for the following section:
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

If you see pkts encaps and pkts encrypt but nothing on the line below it (decaps and decrypt), then your problem is at the remote. If you don't see any encaps or encrypt, then we need to drill down more on this end.

2) On the remote check your basics. The config will look a little different.
- the nonat ACL should be matching traffic FROM there TO your main office.
- the traffic match ACL should be identical to the nonat ACL but preferably a different number, like 101.
- nat (inside) 0 access-list # should be applied to match that ACL number
- Something similar to the following:
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 101 <<<or replace with your traffic match acl number
crypto map newmap 10 set peer 123.123.123.23  <<<replace with your actual PIX outside IP at the HQ office
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** 123.123.123.23 netmask 255.255.255.255 <<<replace with your actual PIX outside IP at the HQ office
isakmp identity hostname  <<<I'm hesitationg on this one, I think DHCP remtoe peers need it but if it does not work, try isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400


-skpruett
0
 
LVL 1

Author Comment

by:mwhatley
ID: 13485969
Hi skpruett,
I should just say duh huh because at you prodding I looked at the remote end last night and found the nonat messed up. I will be accepting your answer but I need to ask you or the other gurus what I can do to make the tunnel move data faster. The remote end has a 512/128k DSL and the HQ has 3072/1024k DSL. When I was moving some files or just browsing the HQ network it was painfully slow most of the time. Is there some setting I can tweek or something/ A bigger pipe will be very problematic because of the location (barely got broadband as it is). Any help would be appreciated
0

Featured Post

WatchGuard's M Series Appliances - Miecom Approved

WatchGuard's newest M series appliances were put to the test by Miercom.  We had great results and outperformed all of our competitors in both stateless and stateful traffic throghput scenarios! Ready to see how your UTM appliance stacked up? Download the Miercom Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question