PIX 501 to PIX 501 VPN Has Tunnel but no access to network
I have a pair of PIX 501's that are creating a tunnel but I can't get anything from the HQ network servers through. I can't ping the servers or even the inside interface on the HQ 501 from the remote site. The HQ side is a fixed IP and the remote is a dynamic IP. I have read with interest some of the other questions (including my own) and have tried a number of ideas I read from lrmoore, skpruett and others. I am needing a programmer to be able to hook up to some mapped drives on a server as well as hook into a MSSql database. Before you ask, yes the tunnel is up and I can ping the outside interface of the HQ router and when I do show cry is sa on the remote end I get the following:
Embryonic : 0
dst src state pending created
123.123.123.23 213.213.213.215 QM_IDLE 0 1
Of course the IPs are changed but .23 id the HQ PIX and .215 is the remote. The servers are Win2k3 servers with SQL2k. Thanks in advance.
mwhatley
Embryonic : 0
dst src state pending created
123.123.123.23 213.213.213.215 QM_IDLE 0 1
Of course the IPs are changed but .23 id the HQ PIX and .215 is the remote. The servers are Win2k3 servers with SQL2k. Thanks in advance.
mwhatley
Did you create any ACLs that restrict anything on both side for your tunnel? or is it wide open? "access-list aclname permit ip any any"??
Hi mwhatley,
Any chance we can see the config's from each side?
The hard part is over, your tunnel is coming up. :)
The easy part is getting the NAT rules and matching traffic for the tunnel working.
Other questions:
1) Do you have a router in either network that might not be pointing to the PIX for these connections? I.E. You have an internet rotuter and the PIX is on a separate connection or IP. Do you have a route in the router to point traffic for the remote subnet back to the PIX?
2) Can you copy the output of a "show crypto ipsec sa" command for me from each side? Lets see if we are dropping on one side or the other.
-skpruett
Any chance we can see the config's from each side?
The hard part is over, your tunnel is coming up. :)
The easy part is getting the NAT rules and matching traffic for the tunnel working.
Other questions:
1) Do you have a router in either network that might not be pointing to the PIX for these connections? I.E. You have an internet rotuter and the PIX is on a separate connection or IP. Do you have a route in the router to point traffic for the remote subnet back to the PIX?
2) Can you copy the output of a "show crypto ipsec sa" command for me from each side? Lets see if we are dropping on one side or the other.
-skpruett
ASKER
I can show you the show crypto ipsec sa for the side I am currently at (which happens to be the HQ side right now) and here is the result:
Result of firewall command: "show cry ip sa"
interface: outside
Crypto map tag: dyn-map, local addr. 123.123.123.23
local ident (addr/mask/prot/port): (HQOffice/255.255.255.0/0/
remote ident (addr/mask/prot/port): (RemoteOffice/255.255.255.
current_peer: 213.213.213.215:500
dynamic allocated peer ip: 0.0.0.0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 123.123.123.23, remote crypto endpt.: 213.213.213.215
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 5d31130b
inbound esp sas:
spi: 0x7c8fa369(2089788265)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: dyn-map
sa timing: remaining key lifetime (k/sec): (4608000/24881)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x5d31130b(1563497227)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: dyn-map
sa timing: remaining key lifetime (k/sec): (4607999/24881)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
The only router is the internet router and it is doing it's job. At the remote end there is a dsl modem set to bridge.
I can give you the config from the HQ PIX and here ya go:
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 12345678900 encrypted
passwd 121345678900 encrypted
hostname HQ
domain-name mycompany.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.1 server
name 192.168.1.0 HQOffice
name 192.168.2.0 RemoteOffice
access-list 100 permit ip RemoteOffice 255.255.255.0 HQOffice 255.255.255.0
access-list 100 permit ip HQOffice 255.255.255.0 RemoteOffice 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 123.123.123.23 255.255.255.128
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location HQOffice 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
conduit permit tcp any any
conduit permit tcp any RemoteOffice 255.255.255.0
conduit permit ip any TemoteOffice 255.255.255.0
route outside 0.0.0.0 0.0.0.0 123.123.123.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host server 1234567890 timeout 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
ntp server 132.163.4.101 source outside prefer
ntp server 132.163.4.102 source outside
ntp server 131.107.1.10 source outside
ntp server 129.6.15.28 source outside
http server enable
http HQOffice 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.1.42 /
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set ESP-3DES-MD5
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh HQOffice 255.255.255.0 inside
ssh timeout 10
console timeout 0
dhcpd dns 198.6.1.4 198.6.1.5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain corp.mycompany.com
dhcpd auto_config outside
username support password XXXXXXXXXXX encrypted privilege 15
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
Cryptochecksum:68eb1390c79
: end
[OK]
There ya go. The tunnel seems to be stable and looks good on the PDM monitor. I can try to run back out to the remote and get the info you might need soon. Let me know ASAP if there is any bad errors on the HQ side.
Thanks
Result of firewall command: "show cry ip sa"
interface: outside
Crypto map tag: dyn-map, local addr. 123.123.123.23
local ident (addr/mask/prot/port): (HQOffice/255.255.255.0/0/
remote ident (addr/mask/prot/port): (RemoteOffice/255.255.255.
current_peer: 213.213.213.215:500
dynamic allocated peer ip: 0.0.0.0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 123.123.123.23, remote crypto endpt.: 213.213.213.215
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 5d31130b
inbound esp sas:
spi: 0x7c8fa369(2089788265)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: dyn-map
sa timing: remaining key lifetime (k/sec): (4608000/24881)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x5d31130b(1563497227)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: dyn-map
sa timing: remaining key lifetime (k/sec): (4607999/24881)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
The only router is the internet router and it is doing it's job. At the remote end there is a dsl modem set to bridge.
I can give you the config from the HQ PIX and here ya go:
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 12345678900 encrypted
passwd 121345678900 encrypted
hostname HQ
domain-name mycompany.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.1 server
name 192.168.1.0 HQOffice
name 192.168.2.0 RemoteOffice
access-list 100 permit ip RemoteOffice 255.255.255.0 HQOffice 255.255.255.0
access-list 100 permit ip HQOffice 255.255.255.0 RemoteOffice 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 123.123.123.23 255.255.255.128
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location HQOffice 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
conduit permit tcp any any
conduit permit tcp any RemoteOffice 255.255.255.0
conduit permit ip any TemoteOffice 255.255.255.0
route outside 0.0.0.0 0.0.0.0 123.123.123.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host server 1234567890 timeout 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
ntp server 132.163.4.101 source outside prefer
ntp server 132.163.4.102 source outside
ntp server 131.107.1.10 source outside
ntp server 129.6.15.28 source outside
http server enable
http HQOffice 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.1.42 /
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set ESP-3DES-MD5
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh HQOffice 255.255.255.0 inside
ssh timeout 10
console timeout 0
dhcpd dns 198.6.1.4 198.6.1.5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain corp.mycompany.com
dhcpd auto_config outside
username support password XXXXXXXXXXX encrypted privilege 15
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
Cryptochecksum:68eb1390c79
: end
[OK]
There ya go. The tunnel seems to be stable and looks good on the PDM monitor. I can try to run back out to the remote and get the info you might need soon. Let me know ASAP if there is any bad errors on the HQ side.
Thanks
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi skpruett,
I should just say duh huh because at you prodding I looked at the remote end last night and found the nonat messed up. I will be accepting your answer but I need to ask you or the other gurus what I can do to make the tunnel move data faster. The remote end has a 512/128k DSL and the HQ has 3072/1024k DSL. When I was moving some files or just browsing the HQ network it was painfully slow most of the time. Is there some setting I can tweek or something/ A bigger pipe will be very problematic because of the location (barely got broadband as it is). Any help would be appreciated
I should just say duh huh because at you prodding I looked at the remote end last night and found the nonat messed up. I will be accepting your answer but I need to ask you or the other gurus what I can do to make the tunnel move data faster. The remote end has a 512/128k DSL and the HQ has 3072/1024k DSL. When I was moving some files or just browsing the HQ network it was painfully slow most of the time. Is there some setting I can tweek or something/ A bigger pipe will be very problematic because of the location (barely got broadband as it is). Any help would be appreciated