
Cisco 2600 config problem, both with PPPoE and without.  :)

Posted on 2005-04-19
Last Modified: 2008-01-09
I'm currently in a DSL dilemma.  I have a Cisco 2621 (IOS 12.3) connecting to a DSL line that ultimately connects by PPPoE, which is used to connect to the home office by a site-to-site VPN tunnel.  I initially tried configuring the Cisco with its PPPoE client, with the DSL modem in bridge mode.  Nothing.  So then I took the DSL modem out of bridge mode, enabled port forwarding on the DSL modem, and gave the 2600 an internal address.  With this I was able to ping the outside world, and ping the inside network connected to the Cisco, but NAT is screwed up, so the 2600 isn't routing.  Plus, I'm sure that my VPN tunnel isn't functioning in this layout either.  Also, I'm pretty sure neither setup is currently using any of my access lists.  I've been working at this for a few hours, I can't look at it any more...and I know the mistakes are idiotic one-line misses, but I can't think.  Anyway, my apologies for the long post, but I'm going to drop in both configs.  If anyone has an idea on either config, or both, it would be appreciated (I put it at 500 pts, not because this should be very hard, but it's quite time sensitive).

PPPoE Client Config:


show conf
Using 3670 out of 29688 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ****
!
boot-start-marker
boot-end-marker
!
logging count
logging buffered 4096 debugging
no logging console
no logging monitor
enable secret 5 **********************
enable password 7 *****************
!
memory-size iomem 15
no aaa new-model
ip subnet-zero
ip cef
!
no ip domain lookup
ip dhcp excluded-address 172.200.200.1 172.200.200.50
ip dhcp excluded-address 172.200.200.200 172.200.200.254
ip dhcp excluded-address 172.200.200.75
!
ip dhcp pool jf
   network 172.200.200.0 255.255.255.0
   dns-server 10.1.254.23 4.2.2.2
   netbios-name-server 10.1.254.23 10.1.254.22
   netbios-node-type p-node
   domain-name virginmega.com
   default-router 172.200.200.10
!
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ******** address ************
!
!
crypto ipsec transform-set to_vpn esp-3des esp-md5-hmac
!
crypto map to_vpn 10 ipsec-isakmp
 set peer **********
 set transform-set to_vpn
 match address 101
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
 ip address 172.200.200.10 255.255.255.0
 ip nat inside
 no ip mroute-cache
 duplex auto
 speed auto
 crypto map to_vpn
!
interface Async1
 no ip address
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 ppp authentication pap
 ppp pap sent-username **************** password 7 **************
!
ip nat inside source list 1 interface Dialer1 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
logging history debugging
no logging trap
access-list 1 permit 172.200.200.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.252.0 0.0.3.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.190.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.0.0 0.0.31.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.32.0 0.0.15.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.99.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 172.17.2.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 86.85.50.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 86.85.2.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.16.0 0.0.0.255
access-list 110 deny   ip 172.200.200.0 0.0.0.255 10.1.252.0 0.0.3.255
access-list 110 deny   ip 172.200.200.0 0.0.0.255 10.1.0.0 0.0.31.255
access-list 110 deny   ip 172.200.200.0 0.0.0.255 10.1.32.0 0.0.15.255
access-list 110 deny   ip 172.200.200.0 0.0.0.255 10.1.99.0 0.0.0.255
access-list 110 deny   ip 172.200.200.0 0.0.0.255 10.1.190.0 0.0.0.255
access-list 110 deny   ip 172.200.200.0 0.0.0.255 172.17.2.0 0.0.0.255
access-list 110 deny   ip 172.200.200.0 0.0.0.255 86.85.2.0 0.0.0.255
access-list 110 deny   ip 172.200.200.0 0.0.0.255 86.85.50.0 0.0.0.255
access-list 110 permit ip 172.200.200.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
 match ip address 110
!
!
line con 0
 timeout login response 1
 password 7 *****************
line 1
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 exec-timeout 5 0
 password 7 *****************
 modem InOut
 transport input all
 speed 38400
 flowcontrol hardware
line vty 0 4
 password 7 *****************
 login
!
!
end

---------------------------------------------------------

Non-PPPoE Config:

show conf
Using 3275 out of 29688 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ****
!
boot-start-marker
boot-end-marker
!
logging count
logging buffered 4096 debugging
no logging console
no logging monitor
enable secret 5 ******************
enable password 7 ******************
!
memory-size iomem 15
no aaa new-model
ip subnet-zero
ip cef
!
no ip domain lookup
ip dhcp excluded-address 172.200.200.1 172.200.200.50
ip dhcp excluded-address 172.200.200.200 172.200.200.254
ip dhcp excluded-address 172.200.200.75
!
ip dhcp pool jf
   network 172.200.200.0 255.255.255.0
   dns-server 10.1.254.23 4.2.2.2
   netbios-name-server 10.1.254.23 10.1.254.22
   netbios-node-type p-node
   domain-name virginmega.com
   default-router 172.200.200.10
!
ip audit po max-events 100
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ******** address ************
!
!
crypto ipsec transform-set to_vpn esp-3des esp-md5-hmac
!
crypto map to_vpn 10 ipsec-isakmp
 set peer **************
 set transform-set to_vpn
 match address 101
!
!
interface FastEthernet0/0
 ip address 192.168.1.10 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.200.200.10 255.255.255.0
 ip nat inside
 no ip mroute-cache
 duplex auto
 speed auto
 crypto map to_vpn
!
interface Async1
 no ip address
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
!
logging history debugging
no logging trap
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.252.0 0.0.3.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.190.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.0.0 0.0.31.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.32.0 0.0.15.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.99.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 172.17.2.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 86.85.50.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 86.85.2.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.16.0 0.0.0.255
access-list 110 deny   ip 172.200.200.0 0.0.0.255 10.1.252.0 0.0.3.255
access-list 110 deny   ip 172.200.200.0 0.0.0.255 10.1.0.0 0.0.31.255
access-list 110 deny   ip 172.200.200.0 0.0.0.255 10.1.32.0 0.0.15.255
access-list 110 deny   ip 172.200.200.0 0.0.0.255 10.1.99.0 0.0.0.255
access-list 110 deny   ip 172.200.200.0 0.0.0.255 10.1.190.0 0.0.0.255
access-list 110 deny   ip 172.200.200.0 0.0.0.255 172.17.2.0 0.0.0.255
access-list 110 deny   ip 172.200.200.0 0.0.0.255 86.85.2.0 0.0.0.255
access-list 110 deny   ip 172.200.200.0 0.0.0.255 86.85.50.0 0.0.0.255
access-list 110 permit ip 172.200.200.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 110
!
!
line con 0
 timeout login response 1
 password 7 ****************
line 1
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 exec-timeout 5 0
 password 7 ****************
 modem InOut
 transport input all
 speed 38400
 flowcontrol hardware
line vty 0 4
 password 7 ****************
 login
!
!
end
Question by:RyanMielke

Expert Comment

by:minmei
ID: 13823350
pppoe

ip nat inside source list 1 interface Dialer1 overload

should be

ip nat inside source list 110 interface Dialer1 overload

so as not to nat the vpn traffic.

crypto map to_vpn needs to be on the dialer1 interface.


-----------------------------------------------

non pppoe

The inside config has NAT rules on the interfaces, but no ip nat inside .... rules. The DSL modem probably expects everything to come from its 192.168.1.x address range, and has no way of knowing how to get packets to 172.200.
(172.200 is a valid public ip address, just so you know. The RFC1918 range is 172.16 to 172.31)

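Both of the points above can be checked mechanically before a config goes onto the router. The Python below is an added example written for this page, not code from the thread or from Cisco: it parses the numbered ACLs and interface stanzas of an IOS config, confirms that every permit in the crypto ACL hits a deny in the NAT ACL first (IOS translates inside-to-outside traffic before it evaluates the crypto map, so a translated flow never matches ACL 101 and leaves the Dialer in cleartext), and flags a crypto map applied to an interface that is not the NAT-outside one. It assumes the `ip nat inside source list` form, plain `ip` ACL entries and contiguous wildcard masks, which is all the posted config uses. The BROKEN sample is constructed to mirror the first posted config with its details omitted; FIXED applies the two suggested changes to it.

```python
"""Lint an IOS PPPoE/IPsec config for the two faults minmei raised: VPN traffic that
NAT rewrites before the crypto map sees it, and a crypto map sitting on the LAN
interface instead of the NAT-outside Dialer. Added example, not Cisco code."""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")
ACL_RE = re.compile(r"^\s*access-list\s+(\d+)\s+(permit|deny)\s+(.*)$")

def wildcard_to_network(addr, wildcard):
    """IOS wildcard masks are inverted netmasks: 0.0.3.255 means /22."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # only contiguous low-order ones are supported here
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network((addr, 32 - wc.bit_length()), strict=False)

def _parse_addr(tokens, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at tokens[i]; return (net, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2

def parse_acls(config):
    """ACL number -> [(action, src, dst)]; standard lists get dst=any, extended must be 'ip'."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if not m:
            continue
        name, action, rest = m.groups()
        tokens = rest.split()
        if 100 <= int(name) <= 199:
            if tokens[0] != "ip":  # port-qualified tcp/udp entries are not modelled
                raise ValueError(f"unsupported ACL entry: {line.strip()}")
            src, i = _parse_addr(tokens, 1)
            dst, _ = _parse_addr(tokens, i)
        else:
            src, dst = _parse_addr(tokens, 0)[0], ANY
        acls.setdefault(name, []).append((action, src, dst))
    return acls

def nat_leaks(crypto_acl, nat_acl):
    """IOS translates inside->outside traffic before it evaluates the crypto map, so
    every crypto-ACL permit must hit a NAT-ACL deny first or it leaves the Dialer
    translated and in cleartext. As on the router, the first overlapping NAT entry decides."""
    findings = []
    for action, csrc, cdst in crypto_acl:
        if action != "permit":
            continue
        for naction, nsrc, ndst in nat_acl:
            if not (csrc.overlaps(nsrc) and cdst.overlaps(ndst)):
                continue
            if naction == "permit":
                findings.append(f"VPN flow {csrc}->{cdst} is translated by NAT ({nsrc}->{ndst})")
            elif not (csrc.subnet_of(nsrc) and cdst.subnet_of(ndst)):
                findings.append(f"VPN flow {csrc}->{cdst} is only partly exempted from NAT")
            break
    return findings

def crypto_map_placement(config):
    """The map is evaluated on egress, so it belongs on the 'ip nat outside' interface."""
    findings = []
    for name, body in re.findall(r"^interface (\S+)\n((?: .*\n?)*)", config, re.M):
        lines = [l.strip() for l in body.splitlines()]
        if any(l.startswith("crypto map ") for l in lines) and "ip nat outside" not in lines:
            findings.append(f"crypto map on {name}, which is not the NAT outside interface")
    return findings

def audit(config):
    """All findings for one config text ('ip nat inside source list' form only)."""
    acls = parse_acls(config)
    nat = re.search(r"^ip nat inside source list (\S+) ", config, re.M)
    nat_acl = acls.get(nat.group(1), []) if nat else []
    findings = [f for m in re.finditer(r"^\s*match address (\S+)", config, re.M)
                for f in nat_leaks(acls.get(m.group(1), []), nat_acl)]
    return findings + crypto_map_placement(config)

# Constructed to mirror the first posted config (crypto map on the LAN interface,
# NAT driven by standard ACL 1); the addresses are the ones the poster used.
BROKEN = """\
crypto map to_vpn 10 ipsec-isakmp
 match address 101
interface FastEthernet0/1
 ip nat inside
 crypto map to_vpn
interface Dialer1
 ip nat outside
ip nat inside source list 1 interface Dialer1 overload
access-list 1 permit 172.200.200.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.252.0 0.0.3.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.16.0 0.0.0.255
access-list 110 deny   ip 172.200.200.0 0.0.0.255 10.1.252.0 0.0.3.255
access-list 110 deny   ip 172.200.200.0 0.0.0.255 10.1.0.0 0.0.31.255
access-list 110 permit ip 172.200.200.0 0.0.0.255 any
"""
# The two changes suggested in the thread: NAT by list 110, crypto map on Dialer1.
FIXED = (BROKEN.replace(" ip nat inside\n crypto map to_vpn\n", " ip nat inside\n")
               .replace(" ip nat outside\n", " ip nat outside\n crypto map to_vpn\n")
               .replace("source list 1 interface", "source list 110 interface"))
```

Run `audit()` over a saved `show running-config`. Against the posted lists, the 10.1.16.0/24 permit in 101 is covered by the broader `10.1.0.0 0.0.31.255` deny in 110, so every flow 101 protects is exempted from NAT and the corrected config audits clean; the original produces one NAT finding per crypto-ACL entry plus the placement finding for FastEthernet0/1.
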

Author Comment

by:RyanMielke
ID: 13824021
minmei,

I made the changes to the pppoe config, since this would be my preference to use.  I'm still not getting a connection...  I'm going to post the changed config, just so you can have a look at it.  What commands can I run to check the connection?  I ran "show int dialer1" and "show vpdn" (which I'll post as well), but I'm not really sure what I'm looking at.  Thanks for your help.

Ryan

----------------------------------
show conf
Using 3627 out of 29688 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ****
!
boot-start-marker
boot-end-marker
!
logging count
logging buffered 4096 debugging
no logging console
no logging monitor
enable secret 5 **************
enable password 7 **************
!
memory-size iomem 15
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip domain lookup
ip dhcp excluded-address 172.200.200.1 172.200.200.50
ip dhcp excluded-address 172.200.200.200 172.200.200.254
ip dhcp excluded-address 172.200.200.75
!
ip dhcp pool jf
   network 172.200.200.0 255.255.255.0
   dns-server 10.1.254.23 4.2.2.2
   netbios-name-server 10.1.254.23 10.1.254.22
   netbios-node-type p-node
   domain-name ***********
   default-router 172.200.200.10
!
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ******* address **********
!
!
crypto ipsec transform-set to_vpn esp-3des esp-md5-hmac
!
crypto map to_vpn 10 ipsec-isakmp
 set peer *************
 set transform-set to_vpn
 match address 101
!
!
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
 ip address 172.200.200.10 255.255.255.0
 ip nat inside
 no ip mroute-cache
 duplex auto
 speed auto
!
interface Async1
 no ip address
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 ppp authentication pap
 ppp pap sent-username ***************** password 7 **************
 crypto map to_vpn
!
ip nat inside source list 110 interface Dialer1 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
logging history debugging
no logging trap
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.252.0 0.0.3.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.190.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.0.0 0.0.31.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.32.0 0.0.15.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.99.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 172.17.2.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 86.85.50.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 86.85.2.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.16.0 0.0.0.255
access-list 110 deny   ip 172.200.200.0 0.0.0.255 10.1.252.0 0.0.3.255
access-list 110 deny   ip 172.200.200.0 0.0.0.255 10.1.0.0 0.0.31.255
access-list 110 deny   ip 172.200.200.0 0.0.0.255 10.1.32.0 0.0.15.255
access-list 110 deny   ip 172.200.200.0 0.0.0.255 10.1.99.0 0.0.0.255
access-list 110 deny   ip 172.200.200.0 0.0.0.255 10.1.190.0 0.0.0.255
access-list 110 deny   ip 172.200.200.0 0.0.0.255 172.17.2.0 0.0.0.255
access-list 110 deny   ip 172.200.200.0 0.0.0.255 86.85.2.0 0.0.0.255
access-list 110 deny   ip 172.200.200.0 0.0.0.255 86.85.50.0 0.0.0.255
access-list 110 permit ip 172.200.200.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
 match ip address 110
!
!
!
!
!
!
line con 0
 timeout login response 1
 password 7 ******************
line 1
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 exec-timeout 5 0
 password 7 ******************
 modem InOut
 transport input all
 speed 38400
 flowcontrol hardware
line vty 0 4
 password 7 ******************
 login
!
!
end




****#show int dialer1
Dialer1 is up, line protocol is up (spoofing)
  Hardware is Unknown
  Internet address will be negotiated using IPCP
  MTU 1500 bytes, BW 56 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set
  DTR is pulsed for 1 seconds on reset
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 00:12:44
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/0/16 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 42 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes
     0 packets output, 0 bytes




****#show vpdn

%No active L2TP tunnels

%No active L2F tunnels

%No active PPTP tunnels

PPPoE Tunnel and Session Information Total tunnels 1 sessions 1

PPPoE Session Information
UID    SID    RemMAC         OIntf          Intf      Session
              LocMAC                        VASt      state  
0      395    000e.4040.e002 Fa0/0          N/A       N/A
              000b.be99.8c20                        
NoJf#

Expert Comment

by:minmei
ID: 13824208
RyanMielke,

> ppp authentication pap

change to "ppp authentication pap callin"

the route-map doesn't do anything - you can get rid of it.

Everything else looks great to me, will continue to check.

Author Comment

by:RyanMielke
ID: 13824421
minmei,

I changed the ppp auth, and took out the route-map...still nothing.  Is there any logging I can turn on to see if it's actually initiating the pppoe call?  Or maybe somewhere where it will show at which point it's erroring out?  I'm at a loss...

Thanks,

Ryan

Expert Comment

by:minmei
ID: 13824878
terminal monitor

debug ppp authentication


Author Comment

by:RyanMielke
ID: 13824976
This is what I get.  :)

*Mar  1 00:47:26.455: %DIALER-6-BIND: Interface Vi1 bound to profile Di1
*Mar  1 00:47:26.455: Vi1 PPP: Using dialer call direction
*Mar  1 00:47:26.455: Vi1 PPP: Treating connection as a callout
*Mar  1 00:47:26.459: Vi1 PPP: Authorization required
*Mar  1 00:47:26.459: Vi1 PPP: No remote authentication for call-out
*Mar  1 00:47:26.459: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state t
o up
*Mar  1 00:47:26.471: Vi1 PPP: No authorization without authentication
*Mar  1 00:47:26.483: Vi1 CHAP: I CHALLENGE id 1 len 32 from "nworlama76w"
*Mar  1 00:47:26.483: Vi1 CHAP: Unable to authenticate for peer
*Mar  1 00:47:26.503: %DIALER-6-UNBIND: Interface Vi1 unbound from profile Di1
*Mar  1 00:47:26.511: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state t
o down

Bad username/password?  My username is an email address, and the password is a number sequence...

Expert Comment

by:minmei
ID: 13825015
Change authentication to CHAP

ppp authentication pap callin

becomes

ppp authentication chap


Author Comment

by:RyanMielke
ID: 13825132
Do I need to make changes on this line as well?

ppp pap sent-username ***************** password 7 **************

Expert Comment

by:minmei
ID: 13825177
yes- chap uses a different command - sorry, missed it.

ppp chap hostname xxxxxxx
ppp chap password yyyyyyy

Author Comment

by:RyanMielke
ID: 13825278
Looks like the same thing.  Should I repost the config so you can take a look at it?

*Mar  1 01:06:49.415: %DIALER-6-BIND: Interface Vi1 bound to profile Di1
*Mar  1 01:06:49.415: Vi1 PPP: Using dialer call direction
*Mar  1 01:06:49.415: Vi1 PPP: Treating connection as a callout
*Mar  1 01:06:49.415: Vi1 PPP: Authorization required
*Mar  1 01:06:49.419: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state t
o up
*Mar  1 01:06:49.567: %DIALER-6-UNBIND: Interface Vi1 unbound from profile Di1
*Mar  1 01:06:49.575: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state t
o down

Accepted Solution

by:minmei (earned 2000 total points)
ID: 13825393
add the callin at the end of the ppp chap string again.
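For the record, this is what the 2600 had to do once the link was switched to CHAP, as an added example that is not from the thread or from IOS: a one-way CHAP exchange (RFC 1994) in Python, with the ISP's access concentrator as the authenticator and the router as the peer that only answers challenges, which is what `callin` amounts to on an outbound PPPoE call. The response is MD5 over the identifier, the secret and the challenge, so the secret never crosses the link, unlike PAP's Authenticate-Request. The user name, secret and challenge bytes are constructed; `nworlama76w` is the concentrator name from the debug output above.

```python
"""One-way PPP CHAP (RFC 1994) as the ISP's access concentrator ran it against the
2600: the concentrator challenges, the client answers with MD5(id || secret ||
challenge) plus its hostname, and the secret itself never crosses the PPPoE link.
Added example, not IOS code; credentials and challenge bytes are constructed."""
import hashlib
import hmac
import os
import struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4

def build_packet(code, ident, value, name=b""):
    """Challenge/Response: Code(1) Id(1) Length(2) Value-Size(1) Value Name.
    Success/Failure: Code(1) Id(1) Length(2) Message, with no Value-Size byte."""
    body = value if code in (SUCCESS, FAILURE) else bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_packet(pkt):
    """Return (code, ident, value, name); reject a Length that disagrees with the bytes."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("CHAP Length field does not match packet")
    if code in (SUCCESS, FAILURE):
        return code, ident, pkt[4:], b""
    vsize = pkt[4]
    if 5 + vsize > len(pkt):
        raise ValueError("CHAP Value-Size overruns packet")
    return code, ident, pkt[5:5 + vsize], pkt[5 + vsize:]

def chap_response_value(ident, secret, challenge):
    """RFC 1994 s.4.1: MD5 over the one-octet Identifier, the secret and the challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Authenticator:
    """The concentrator side: 'ppp authentication chap' backed by a user database."""

    def __init__(self, name, secrets):
        self.name, self.secrets, self.pending = name, secrets, {}

    def challenge(self, ident):
        value = os.urandom(16)  # fresh per challenge, so a captured response cannot be replayed
        self.pending[ident] = value
        return build_packet(CHALLENGE, ident, value, self.name)

    def verify(self, pkt):
        code, ident, value, peer = parse_packet(pkt)
        challenge = self.pending.pop(ident, None)
        secret = self.secrets.get(peer)
        ok = (code == RESPONSE and challenge is not None and secret is not None
              and hmac.compare_digest(value, chap_response_value(ident, secret, challenge)))
        return build_packet(SUCCESS if ok else FAILURE, ident,
                            b"Welcome" if ok else b"Authentication failed")

class Client:
    """The 2600 side: 'ppp chap hostname' / 'ppp chap password'. With 'callin' it
    answers challenges on the call it placed and never challenges the ISP back."""

    def __init__(self, hostname, password):
        self.hostname, self.password = hostname, password

    def respond(self, pkt):
        code, ident, challenge, _concentrator_name = parse_packet(pkt)
        if code != CHALLENGE:
            raise ValueError("expected a CHAP Challenge")
        value = chap_response_value(ident, self.password, challenge)
        return build_packet(RESPONSE, ident, value, self.hostname)

def run_exchange(client, authenticator, ident=1):
    """Drive one Challenge / Response / Success-or-Failure round; True on Success."""
    response = client.respond(authenticator.challenge(ident))
    code, _, _, _ = parse_packet(authenticator.verify(response))
    return code == SUCCESS

# Constructed credentials; the concentrator name is the one seen in the debug above.
ISP = Authenticator(b"nworlama76w", {b"user@example.net": b"12345678"})
```

Read against the two debugs above: a router configured for PAP has no CHAP secret to hash the incoming challenge with, so it can only give up on the challenge, and a router configured for plain `chap` also expects the concentrator to answer a challenge of its own, which the ISP side does not do; `callin` drops that second requirement and leaves just the exchange shown here.
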

Author Comment

by:RyanMielke
ID: 13825621
Awesome awesome awesome!  We're up with internet from the router, and from a client, so the NAT's working great.  What makes me mad about this is that I called BellSouth, and the tech told me it was pap, not chap.  Oh well, that's what I get for not asking for second or third level (not that all first level techs are poor).  

The only problem left is the VPN tunnel.

When I do a "show crypto isakmp sa" on the 2600 I get:

oJf#show crypto isakmp sa
dst           src           state                    conn-id slot
Home IP   Client IP    MM_KEY_EXCH          3    0
Home IP   Client IP    MM_NO_STATE          2    0 (deleted)

But on the Home Pix (525)

crypto_isakmp_process_block: src Client IP, dest Home IP
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload

I also get this:

ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src Client IP, dest Home IP
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

return status is IKMP_NO_ERROR

Expert Comment

by:minmei
ID: 13825650
Looks like isakmp (phase 1) is ok, but ipsec (phase 2) isn't matching.

Post the crypto commands for both sides so we can see what doesn't match

Author Comment

by:RyanMielke
ID: 13825774
On the 525:

crypto map vpn-map 26 set peer Client IP
isakmp key ******** address Client IP netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

On the 2600:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ******* address Home IP
crypto ipsec transform-set to_vpn esp-3des esp-md5-hmac
crypto map to_vpn 10 ipsec-isakmp
 set peer Home IP
 set transform-set to_vpn
 match address 101

interface Dialer1
 crypto map to_vpn

Expert Comment

by:minmei
ID: 13825818
The 525 has a lifetime on the isakmp policy 10

Do you have the same on the 2600 policy 1?

Author Comment

by:RyanMielke
ID: 13826001
Yep.  I remember when I set this up in the lab that if I changed the IP address of the client (2600), it took some time for it to change on the PIX.  Example:

When I do a "show crypto ipsec sa" it shows this:

 local  ident (addr/mask/prot/port): (10.1.252.0/255.255.252.0/0/0)
 remote ident (addr/mask/prot/port): (172.200.200.0/255.255.255.0/0/0)
 current_peer: Old Lab IP address
   PERMIT, flags={origin_is_acl,}
  #pkts encaps: 3955, #pkts encrypt: 3955, #pkts digest 3955
  #pkts decaps: 3708, #pkts decrypt: 3708, #pkts verify 3708
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
  #send errors 15, #recv errors 0

   local crypto endpt.: 209.223.113.2, remote crypto endpt.: Old Lab IP address
   path mtu 1500, ipsec overhead 56, media mtu 1500
   current outbound spi: 0

   inbound esp sas:

   inbound ah sas:

   inbound pcp sas:

   outbound esp sas:

   outbound ah sas:

   outbound pcp sas:

Beyond that, I haven't changed any crypto configs since this was working under a static IP (non-PPPoE) in the lab last week.

Expert Comment

by:minmei
ID: 13826552
Can you give me a better straight paste out of the configs? Please keep the IP addresses obfuscated.

Author Comment

by:RyanMielke
ID: 13826599
Certainly.  It'll take about 20 minutes for me to get the config for the HQ to you, it's several pages long and will take a while to edit.

Thanks again for your help.

Ryan

Author Comment

by:RyanMielke
ID: 13826936
Well, here's 440 lines' worth.  The crypto for the 2600 client is at lines 413 and 422.  If I marked out too much, just let me know.  Good luck!

    1     !
    2     ! Telconi Terminal v0.94a
    3     ! direct TELNET to ********254.9 [********254.9] from ********253.51
    4     ! PIX device detected.
    5     :
    6     PIX Version 6.2(3)
    7     nameif ethernet0 outside security0
    8     nameif ethernet1 inside security100
    9     nameif ethernet2 intf2 security10
   10     nameif ethernet3 intf3 security15
   11     nameif ethernet4 intf4 security20
   12     nameif ethernet5 state security20
   13     enable password ************* encrypted
   14     passwd ************ encrypted
   15     hostname pixfirewall
   16     domain-name **************
   17     clock timezone pacific 0
   18     fixup protocol ftp 21
   19     fixup protocol http 80
   20     fixup protocol h323 h225 1720
   21     fixup protocol h323 ras 1718-1719
   22     fixup protocol ils 389
   23     fixup protocol rsh 514
   24     fixup protocol rtsp 554
   25     fixup protocol sqlnet 1521
   26     fixup protocol sip 5060
   27     fixup protocol skinny 2000
   28     fixup protocol smtp 25
   29     fixup protocol sip udp 5060
   30     names
   31     access-list zm permit ip host *********** *********** 255.255.255.0
   32     access-list internelnet permit tcp host ************** any eq 6882
   33     access-list 1721 permit ip host ********************* host ********254.27
   34     access-list 1721 permit ip host ********************* host ********254.23
   35     access-list 1721 permit ip host ********************* host ********254.22
   36     access-list 1721 permit ip host ********************* host ********254.42
   37     access-list 1721 permit ip host ********************* host ********254.45
   38     access-list 1721 permit ip host ********************* host ********254.30
   39     access-list 1721 permit ip host ********************* host ********254.20
   40     access-list 1721 permit ip host ********************* host ********254.168
   41     access-list 1721 permit ip host ********************* host ********253.100
   42     access-list 1721 permit ip host ********************* host ********254.142
   43     access-list 1721 permit ip host ********************* host ********254.41
   44     access-list 1721 permit ip host ********.1.18 host ********252.142
   45     access-list 1721 permit tcp host ********************* any eq www
   46     access-list 1721 permit udp host ********************* any eq www
   47     access-list 1721 permit tcp host ********************* host ********252.3 eq 1984
   48     access-list 1721 permit tcp host ********.1.71 host ********252.3 eq 1984
   49     access-list 1721 permit tcp host ********.1.73 host ********252.3 eq 1984
   50     access-list 1721 permit tcp host ********.1.18 host ********252.3 eq 1984
   51     access-list 1721 permit icmp host ********************* host ********252.3
   52     access-list 1721 permit icmp host ********.1.71 host ********252.3
   53     access-list 1721 permit icmp host ********.1.73 host ********252.3
   54     access-list 1721 permit icmp host ********.1.18 host ********252.3
   55     access-list 1721 permit icmp ********.1.0 255.255.255.0 ********252.0 255.255.252.0 echo-reply
   56     access-list 1721 deny ip any any
   57     access-list any permit ip any any
   58     access-list nonat permit ip ********252.0 255.255.252.0 172.200.200.0 255.255.255.0
   59     access-list nonat permit ip ********32.0 255.255.240.0 172.200.200.0 255.255.255.0
   60     access-list nonat permit ip ********99.0 255.255.255.0 172.200.200.0 255.255.255.0
   61     access-list nonat permit ip 86.85.2.0 255.255.255.0 172.200.200.0 255.255.255.0
   62     access-list nonat permit ip 86.85.50.0 255.255.255.0 172.200.200.0 255.255.255.0
   63     access-list nonat permit ip ********190.0 255.255.255.0 172.200.200.0 255.255.255.0
   64     access-list nonat permit ip any ********.0.0 255.255.0.0
   65     access-list nonat permit ip any ********.0.0 255.255.0.0
   66     access-list nonat permit ip any ********0.0 255.255.0.0
   67     access-list nonat permit ip any 85.85.0.0 255.255.0.0
   68     access-list nonat permit ip ********.2.0 255.255.255.0 172.200.200.0 255.255.255.0
   69     access-list nonat permit ip ********16.0 255.255.255.0 172.200.200.0 255.255.255.0
   70     access-list hv permit ip host ********** host 10.********
   71     access-list VM permit ip host *********** host **********
   72     access-list Im permit ip host ********** 192.168.8.0 255.255.252.0
   73     access-list internalnet permit ip any ********.1.0 255.255.255.0
   74     access-list internalnet permit ip any ********.2.0 255.255.255.0
   75     access-list internalnet permit tcp any any eq domain
   76     access-list internalnet permit udp any any eq domain
   77     access-list internalnet permit tcp any any eq ftp
   78     access-list internalnet permit tcp any any eq ssh
   79     access-list internalnet permit tcp any any eq telnet
   80     access-list internalnet permit tcp any any eq whois
   81     access-list internalnet permit tcp any any eq www
   82     access-list internalnet permit tcp any any eq pop3
   83     access-list internalnet permit tcp any any eq imap4
   84     access-list internalnet permit tcp any any eq https
   85     access-list internalnet permit tcp any any eq ldaps
   86     access-list internalnet permit udp any any eq isakmp
   87     access-list internalnet permit udp any any eq ntp
   88     access-list internalnet permit tcp any any eq ldap
   89     access-list internalnet permit tcp any any eq 1474
   90     access-list internalnet permit tcp any any eq h323
   91     access-list internalnet permit tcp any any eq 3389
   92     access-list internalnet permit tcp any any eq 8080
   93     access-list internalnet permit tcp any any eq 8081
   94     access-list internalnet permit tcp any any eq 1755
   95     access-list internalnet permit tcp any any eq 7000
   96     access-list internalnet permit tcp any any eq 14579
   97     access-list internalnet permit tcp any any eq 15217
   98     access-list internalnet permit tcp any any eq 16660
   99     access-list internalnet permit tcp any any eq 16662
  100     access-list internalnet permit udp host ********252.3 any eq snmp
  101     access-list internalnet permit tcp any any eq 2703
  102     access-list internalnet permit tcp any any eq sqlnet
  103     access-list internalnet permit tcp any any eq 1433
  104     access-list internalnet permit tcp host ********252.3 any eq smtp
  105     access-list internalnet permit tcp host ********190.254 any eq smtp
  106     access-list internalnet permit tcp any any eq 20000
  107     access-list internalnet permit tcp any any eq 8000
  108     access-list internalnet permit tcp any any eq 889
  109     access-list internalnet deny udp any any eq tftp
  110     access-list internalnet deny udp any any eq 4444
  111     access-list internalnet permit tcp any any eq 5556
  112     access-list internalnet permit udp any any eq 5556
  113     access-list internalnet permit tcp any any eq 1863
  114     access-list internalnet permit tcp any any eq 2082
  115     access-list internalnet permit tcp any any eq 2083
  116     access-list internalnet permit tcp any any eq 2086
  117     access-list internalnet permit tcp any any eq 2095
  118     access-list internalnet permit udp host ********253.86 any eq 10000
  119     access-list internalnet permit udp host ********253.113 any eq 10000
  120     access-list internalnet deny ip 66.151.158.0 255.255.255.0 any
  121     access-list internalnet deny ip any 66.151.158.0 255.255.255.0
  122     access-list internalnet deny udp any any eq 1214
  123     access-list internalnet deny tcp any any eq 1214
access-list internalnet deny tcp any any eq 6660
access-list internalnet deny tcp any any eq 6661
access-list internalnet deny tcp any any eq 6662
access-list internalnet deny tcp any any eq 6663
access-list internalnet deny tcp any any eq 6664
access-list internalnet deny tcp any any eq 6665
access-list internalnet deny tcp any any eq 6666
access-list internalnet deny tcp any any eq 6667
access-list internalnet deny tcp any any eq 6668
access-list internalnet deny tcp any any eq 6669
access-list internalnet deny tcp any any eq 6670
access-list internalnet deny tcp any any eq 2018
access-list internalnet deny tcp any any eq 2019
access-list internalnet deny tcp any any eq 2020
access-list internalnet deny tcp any any eq 2021
access-list internalnet permit tcp host ********253.22 any eq smtp
access-list internalnet permit ip any host *********
access-list internalnet permit ip 172.200.200.0 255.255.255.0 any
access-list internalnet permit icmp any any
access-list internalnet permit tcp host ********253.13 any eq smtp
access-list internalnet deny tcp any any eq 5559
access-list internalnet deny udp any any eq 5559
access-list internalnet permit tcp host ********253.7 any eq smtp
access-list internalnet permit tcp host ********253.17 any eq smtp
access-list internalnet permit udp host ********253.95 any eq isakmp
access-list internalnet deny tcp any any eq 5050
access-list internalnet deny tcp any any eq aol
access-list internalnet permit tcp host ********253.15 any eq smtp
access-list internalnet permit tcp host ********254.41 any eq smtp
access-list internalnet permit tcp host ********252.90 any eq smtp
access-list internalnet permit tcp host ********252.91 any eq smtp
access-list internalnet permit ip host ********252.3 ********.2.0 255.255.255.0
access-list internalnet permit tcp host ********254.47 any eq smtp
access-list internalnet permit tcp host ********254.168 any eq smtp
access-list internalnet permit tcp host ********253.59 any eq smtp
access-list internalnet permit tcp host ********253.51 any eq smtp
access-list internalnet permit tcp host ********253.30 any eq smtp
access-list internalnet permit ip host ********253.81 any
access-list internalnet permit tcp any host 66.113.93.26 eq 8100
access-list internalnet permit tcp host ********252.89 any eq smtp
access-list internalnet permit tcp host ********252.100 any
access-list internalnet permit tcp host ********252.98 any
access-list internalnet permit tcp host ********252.99 any
access-list internalnet permit tcp any any eq 9100
access-list VMT permit ip host ************.113.21 host 63.251.99.220
access-list VMT permit ip host ************.113.21 host 63.251.99.216
access-list VMT permit ip host ************.113.21 host 205.239.223.74
access-list internet permit tcp host 209.209.9.127 host ************.113.42 eq pop3
access-list internet permit tcp any host ************.113.195 eq www
access-list internet permit tcp any host ************.113.196 eq www
access-list internet permit tcp any host ************.113.197 eq www
access-list internet permit tcp any host ************.113.201 eq www
access-list internet permit tcp any host ************.113.201 eq ftp
access-list internet permit tcp any host ************.113.71 eq ftp
access-list internet permit tcp host 12.8.2.2 host ************.113.73 eq ssh
access-list internet permit tcp host 209.142.244.66 host ************.113.73 eq ssh
access-list internet permit tcp host 12.42.142.180 host ************.113.73 eq ssh
access-list internet permit tcp host 207.208.157.29 host ************.113.73 eq ssh
access-list internet permit tcp host 207.208.157.27 host ************.113.73 eq ssh
access-list internet permit tcp host 64.1.90.29 host ************.113.73 eq ssh
access-list internet permit tcp host 12.1.237.131 host ************.113.73 eq ssh
access-list internet permit tcp host 12.1.237.135 host ************.113.73 eq ssh
access-list internet permit tcp host 64.236.243.31 host ************.113.73 eq ssh
access-list internet permit tcp host 12.46.139.162 host ************.113.73 eq ssh
access-list internet permit tcp host 65.197.209.2 host ************.113.21 eq ssh
access-list internet permit tcp host 65.219.52.22 host ************.113.38 eq ftp
access-list internet permit tcp host 65.223.39.25 host ************.113.73 eq ssh
access-list internet permit tcp host 64.173.92.11 host ************.113.73 eq ssh
access-list internet permit tcp host 65.119.0.68 host ************.113.73 eq ssh
access-list internet deny udp any any eq tftp
access-list internet deny udp any any eq 4444
access-list internet permit tcp any host ************.113.18 eq ftp
access-list internet permit tcp host 210.175.246.65 host ************.113.73 eq ssh
access-list internet deny ip host ************.113.220 any
access-list internet deny icmp host ************.113.220 any
access-list internet permit tcp host 64.165.135.130 host ************.113.73 eq ftp
access-list internet permit tcp host 64.165.135.132 host ************.113.73 eq ftp
access-list internet permit tcp host 167.229.23.12 host ************.113.73 eq ftp
access-list internet permit tcp host 167.229.23.76 host ************.113.73 eq ftp
access-list internet permit tcp host 65.223.39.2 host ************.113.73 eq ftp
access-list internet permit tcp host 65.223.39.25 host ************.113.73 eq ftp
access-list internet permit tcp host 208.253.155.193 host ************.113.73 eq ftp
access-list internet permit tcp any host ************.113.19 eq ftp
access-list internet permit tcp any host ************.113.20 eq ftp
access-list internet permit tcp host 199.201.1.18 host ************.113.73 eq ftp
access-list internet permit tcp host 63.80.59.249 host ************.113.73 eq ftp
access-list internet permit tcp host 66.91.145.147 host ************.113.73 eq ftp
access-list internet permit tcp host 203.63.39.9 host ************.113.73 eq ssh
access-list internet deny udp any any eq 1214
access-list internet deny tcp any any eq 1214
access-list internet deny tcp any any eq 6660
access-list internet deny tcp any any eq 6661
access-list internet deny tcp any any eq 6662
access-list internet deny tcp any any eq 6663
access-list internet deny tcp any any eq 6664
access-list internet deny tcp any any eq 6665
access-list internet deny tcp any any eq 6666
access-list internet deny tcp any any eq 6667
access-list internet deny tcp any any eq 6668
access-list internet deny tcp any any eq 6669
access-list internet deny tcp any any eq 6670
access-list internet deny tcp any any eq 2018
access-list internet deny tcp any any eq 2019
access-list internet deny tcp any any eq 2020
access-list internet deny tcp any any eq 2021
access-list internet deny ip host 66.151.158.183 any
access-list internet permit ip host 64.164.227.198 any
access-list internet permit tcp host 207.207.170.150 host ************.113.73 eq ftp
access-list internet permit tcp host 203.63.39.10 host ************.113.73 eq ssh
access-list internet permit icmp host 64.164.227.197 any
access-list internet permit icmp host 64.164.227.199 any
access-list internet permit icmp host 64.164.227.198 any
access-list internet permit icmp host 64.164.227.200 any
access-list internet permit ip any host ************.113.132
access-list internet permit ip any host ************.113.190
access-list internet permit tcp host 155.44.84.163 host ************.113.73 eq ftp
access-list internet permit tcp host 155.44.83.137 host ************.113.73 eq ftp
access-list internet permit tcp host 151.198.243.82 host ************.113.73 eq ftp
access-list internet permit tcp host 205.166.37.100 host ************.113.73 eq ftp
access-list internet permit tcp host 203.63.39.10 host ************.113.73 eq ftp
access-list internet permit tcp host 203.63.39.9 host ************.113.73 eq ftp
access-list internet permit tcp host 63.93.126.54 host ************.113.73 eq ftp
access-list internet permit tcp host 12.46.139.166 host ************.113.73 eq ssh
access-list internet permit tcp host 12.174.92.2 host ************.113.73 eq ftp
access-list internet permit tcp host 66.88.100.147 host ************.113.73 eq ftp
access-list internet deny tcp any any eq 5050
access-list internet permit tcp any host ************.113.68 eq smtp
access-list internet permit tcp any host ************.113.68 eq www
access-list internet permit tcp any host ************.113.247 eq www
access-list internet permit tcp 64.164.227.192 255.255.255.248 host ************.113.251 eq www
access-list internet permit icmp any host ************.113.4 echo-reply
access-list internet permit tcp host 64.236.233.243 host ************.113.73 eq ssh
access-list internet permit tcp host 64.236.233.180 host ************.113.73 eq ssh
access-list internet permit tcp host 64.236.233.207 host ************.113.73 eq ssh
access-list internet permit tcp host 205.158.63.38 host ************.113.42 eq pop3
access-list internet permit tcp host 81.144.246.194 host ************.113.73 eq ftp
access-list internet permit tcp host 63.82.98.2 host ************.113.73 eq ssh
access-list internet permit tcp host 63.82.98.2 host ************.113.73 eq ftp
access-list internet permit tcp host 146.145.128.26 host ************.113.73 eq ftp
access-list internet permit tcp host 65.244.245.5 host ************.113.73 eq ssh
access-list internet permit tcp host 63.116.153.5 host ************.113.73 eq ssh
access-list 1722 permit ip host ********.2.205 host ********252.3
access-list 1722 permit ip host ********.2.201 host ********252.3
access-list 1722 permit ip host ********.2.21 ********.0.0 255.255.0.0
access-list 1722 permit ip host ********.2.21 host ********254.121
access-list 1722 permit ip host ********.2.21 host ********253.21
access-list 1722 permit icmp ********.2.0 255.255.255.0 ********.0.0 255.255.0.0
access-list 1722 permit tcp ********.2.0 255.255.255.0 host ********252.3 eq 1984
access-list 1722 permit icmp ********.2.0 255.255.255.0 ********253.0 255.255.255.0
access-list 1722 permit ip ********.2.0 255.255.255.0 host ********254.27
access-list 1722 permit tcp ********.2.0 255.255.255.0 any eq domain
access-list 1722 permit udp ********.2.0 255.255.255.0 any eq domain
access-list 1722 permit icmp ********.2.0 255.255.255.0 ********252.0 255.255.255.0 echo-reply
access-list 1722 deny ip ********.2.0 255.255.255.0 ********252.0 255.255.252.0
access-list 1722 permit ip ********.2.0 255.255.255.0 any
access-list 1722 deny ip any any
access-list 1722 permit udp ********.2.0 255.255.255.0 host ********254.27 eq 2967
access-list 1722 permit udp ********.2.0 255.255.255.0 host ********254.27 eq 38037
access-list VM permit ip host ************.113.21 host 205.239.227.105
access-list JF permit ip ********252.0 255.255.252.0 172.200.200.0 255.255.255.0
access-list JF permit ip ********0.0 255.255.224.0 172.200.200.0 255.255.255.0
access-list JF permit ip ********32.0 255.255.240.0 172.200.200.0 255.255.255.0
access-list JF permit ip ********99.0 255.255.255.0 172.200.200.0 255.255.255.0
access-list JF permit ip ********190.0 255.255.255.0 172.200.200.0 255.255.255.0
access-list JF permit ip 86.85.2.0 255.255.255.0 172.200.200.0 255.255.255.0
access-list JF permit ip 86.85.50.0 255.255.255.0 172.200.200.0 255.255.255.0
access-list JF permit ip ********.2.0 255.255.255.0 172.200.200.0 255.255.255.0
no pager
logging on
logging buffered debugging
logging facility 23
logging queue 1024
logging host inside ********254.149
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 100full
interface ethernet5 100full
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu state 1500
ip address outside ************.113.2 255.255.255.0
ip address inside ********254.9 255.255.252.0
ip address intf2 ********.1.10 255.255.255.0
ip address intf3 ********.2.10 255.255.255.0
ip address intf4 ********99.11 255.255.255.0
ip address state 192.168.2.1 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside ************.113.253
failover ip address inside ********254.8
failover ip address intf2 ********.1.11
failover ip address intf3 ********.2.11
failover ip address intf4 ********99.12
failover ip address state 192.168.2.2
failover link intf4
pdm history enable
arp timeout 14400
global (outside) 1 ************.113.4 netmask 255.255.255.255
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (intf2) 0 access-list nonat
nat (intf2) 1 0.0.0.0 0.0.0.0 0 0
nat (intf3) 0 access-list nonat
nat (intf3) 1 0.0.0.0 0.0.0.0 0 0
nat (intf4) 0 access-list nonat
nat (intf4) 1 0.0.0.0 0.0.0.0 0 0
static (intf2,outside) ************.113.70 ********.1.70 netmask 255.255.255.255 0 0
static (intf2,outside) ************.113.72 ********.1.72 netmask 255.255.255.255 0 0
static (intf2,outside) ************.113.73 ********.1.73 netmask 255.255.255.255 0 0
static (intf3,outside) ************.113.195 ********.2.195 netmask 255.255.255.255 0 0
static (intf3,outside) ************.113.196 ********.2.196 netmask 255.255.255.255 0 0
static (intf3,outside) ************.113.201 ********.2.201 netmask 255.255.255.255 0 0
static (intf3,outside) ************.113.203 ********.2.203 netmask 255.255.255.255 0 0
static (intf3,outside) ************.113.204 ********.2.204 netmask 255.255.255.255 0 0
static (intf3,outside) ************.113.205 ********.2.205 netmask 255.255.255.255 0 0
static (intf3,outside) ************.113.207 ********.2.207 netmask 255.255.255.255 0 0
static (intf3,outside) ************.113.198 ********.2.198 netmask 255.255.255.255 0 0
static (intf3,outside) ************.113.202 ********.2.202 netmask 255.255.255.255 0 0
static (intf3,outside) ************.113.197 ********.1.197 netmask 255.255.255.255 0 0
static (inside,outside) ************.113.21 ********252.3 netmask 255.255.255.255 0 0
static (intf2,outside) ************.113.71 ********.1.71 netmask 255.255.255.255 0 0
static (intf2,outside) ************.113.68 ********************* netmask 255.255.255.255 0 0
static (intf2,outside) ************.113.18 ********.1.18 netmask 255.255.255.255 0 0
static (intf2,outside) ************.113.19 ********.1.19 netmask 255.255.255.255 0 0
static (intf2,outside) ************.113.20 ********.1.20 netmask 255.255.255.255 0 0
static (inside,outside) ************.113.69 ********254.41 netmask 255.255.255.255 0 0
static (intf3,outside) ************.113.190 ********.2.190 netmask 255.255.255.255 0 0
static (inside,outside) ************.113.42 ********254.42 netmask 255.255.255.255 0 0
static (intf3,outside) ************.113.169 ********.2.169 netmask 255.255.255.255 0 0
static (inside,outside) ************.113.247 ********253.47 netmask 255.255.255.255 0 0
static (inside,outside) ************.113.251 ********253.51 netmask 255.255.255.255 0 0
access-group internet in interface outside
access-group internalnet in interface inside
access-group 1721 in interface intf2
access-group 1722 in interface intf3
access-group any in interface intf4
route outside 0.0.0.0 0.0.0.0 ************.113.1 1
route inside ********0.0 255.255.0.0 ********254.10 1
route inside ********190.0 255.255.255.0 ********254.10 1
route inside 86.85.2.0 255.255.255.0 ********254.10 1
route inside 86.85.50.0 255.255.255.0 ********254.10 1
route inside ********.0.0 255.255.0.0 ********254.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
snmp-server host inside ********252.35 poll
snmp-server host inside ********253.21 poll
snmp-server host inside ********253.2 poll
snmp-server host inside ********253.51 poll
snmp-server host inside ********254.149 poll
snmp-server host inside ********254.7 poll
snmp-server location HQ
snmp-server contact MDJ
snmp-server community access
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set md5-3des esp-3des esp-md5-hmac
crypto ipsec transform-set sha-3des esp-3des esp-sha-hmac
crypto map vpn-map 21 ipsec-isakmp
crypto map vpn-map 21 match address VM
crypto map vpn-map 21 set peer *************
crypto map vpn-map 21 set transform-set md5-3des
crypto map vpn-map 22 ipsec-isakmp
crypto map vpn-map 22 match address Im
crypto map vpn-map 22 set peer ************
crypto map vpn-map 22 set transform-set sha-3des
crypto map vpn-map 24 ipsec-isakmp
crypto map vpn-map 24 match address ZM
crypto map vpn-map 24 set peer ************
crypto map vpn-map 24 set transform-set md5-3des
crypto map vpn-map 25 ipsec-isakmp
crypto map vpn-map 25 match address VMT
crypto map vpn-map 25 set peer *************
crypto map vpn-map 25 set transform-set sha-3des
crypto map vpn-map 26 ipsec-isakmp
crypto map vpn-map 26 match address JF
crypto map vpn-map 26 set peer Client IP (2600)
crypto map vpn-map 26 set transform-set md5-3des
crypto map vpn-map interface outside
isakmp enable outside
isakmp key ******** address ********* netmask 255.255.255.255
isakmp key ******** address ********** netmask 255.255.255.255
isakmp key ******** address ********** netmask 255.255.255.255
isakmp key ******** address ********** netmask 255.255.255.255
isakmp key ******** address ********** netmask 255.255.255.255
isakmp key ******** address Client IP (2600) netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet ******** ********* inside
telnet timeout 15
ssh ******** ********** inside
ssh timeout 60
terminal width 511
Cryptochecksum:3c7873533081e8cf8c1d48ed8c4b13a0
: end
0
 

Author Comment

by:RyanMielke
ID: 13827026
Also, here's a debug of ISAKMP and IPSEC, if this helps....  (172.200.200.0 is the 2600's internal IP range, 113.2 is the outside of the HQ Pix)


*Mar  1 02:26:45.439: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= *********.3.220, remote= *********.113.2,
    local_proxy= 172.200.200.0/255.255.255.0/0/0 (type=4),
    remote_proxy= *********.252.0/255.255.252.0/0/0 (type=4)
*Mar  1 02:26:45.439: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= *********.3.220, remote= *********.113.2,
    local_proxy= 172.200.200.0/255.255.255.0/0/0 (type=4),
    remote_proxy= *********.252.0/255.255.252.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xC03F9BA2(3225394082), conn_id= 0, keysize= 0, flags= 0x400A
*Mar  1 02:26:45.443: ISAKMP: received ke message (1/1)
*Mar  1 02:26:45.443: ISAKMP: set new node 0 to QM_IDLE      
*Mar  1 02:26:45.443: ISAKMP (0:18): SA is still budding. Attached new ipsec request to it. (local *********.3.220, remote *********.113.2)
*Mar  1 02:26:46.571: ISAKMP (0:18): retransmitting phase 1 MM_KEY_EXCH...
*Mar  1 02:26:46.571: ISAKMP (0:18): incrementing error counter on sa: retransmit phase 1
*Mar  1 02:26:46.571: ISAKMP (0:18): retransmitting phase 1 MM_KEY_EXCH
*Mar  1 02:26:46.571: ISAKMP (0:18): sending packet to *********.113.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar  1 02:26:56.571: ISAKMP (0:18): retransmitting phase 1 MM_KEY_EXCH...
*Mar  1 02:26:56.571: ISAKMP (0:18): incrementing error counter on sa: retransmit phase 1
*Mar  1 02:26:56.571: ISAKMP (0:18): retransmitting phase 1 MM_KEY_EXCH
*Mar  1 02:26:56.571: ISAKMP (0:18): sending packet to *********.113.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar  1 02:27:04.603: ISAKMP (0:17): purging node -1294753914
*Mar  1 02:27:04.603: ISAKMP (0:17): purging node -982990144
*Mar  1 02:27:06.571: ISAKMP (0:18): retransmitting phase 1 MM_KEY_EXCH...
*Mar  1 02:27:06.571: ISAKMP (0:18): incrementing error counter on sa: retransmit phase 1
*Mar  1 02:27:06.571: ISAKMP (0:18): retransmitting phase 1 MM_KEY_EXCH
*Mar  1 02:27:06.571: ISAKMP (0:18): sending packet to *********.113.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar  1 02:27:14.603: ISAKMP (0:17): purging SA., sa=82F64A58, delme=82F64A58
*Mar  1 02:27:15.439: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= *********.3.220, remote= *********.113.2,
    local_proxy= 172.200.200.0/255.255.255.0/0/0 (type=4),
    remote_proxy= *********.252.0/255.255.252.0/0/0 (type=4)
*Mar  1 02:27:15.439: ISAKMP: received ke message (3/1)
*Mar  1 02:27:15.439: ISAKMP (0:18): peer does not do paranoid keepalives.

*Mar  1 02:27:15.443: ISAKMP (0:18): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_KEY_EXCH (peer *********.113.2) input queue 0
*Mar  1 02:27:15.443: ISAKMP (0:18): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_KEY_EXCH (peer *********.113.2) input queue 0
*Mar  1 02:27:15.443: ISAKMP (0:18): deleting node 1115628476 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar  1 02:27:15.447: ISAKMP (0:18): deleting node 1462972016 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar  1 02:27:15.447: ISAKMP (0:18): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  1 02:27:15.447: ISAKMP (0:18): Old State = IKE_I_MM5  New State = IKE_DEST_SA

*Mar  1 02:27:16.275: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= *********.3.220, remote= *********.113.2,
    local_proxy= 172.200.200.0/255.255.255.0/0/0 (type=4),
    remote_proxy= *********.252.0/255.255.252.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xEBA67DAC(3953556908), conn_id= 0, keysize= 0, flags= 0x400A
*Mar  1 02:27:16.279: ISAKMP: received ke message (1/1)
*Mar  1 02:27:16.279: ISAKMP (0:0): SA request profile is (NULL)
*Mar  1 02:27:16.279: ISAKMP: local port 500, remote port 500
*Mar  1 02:27:16.283: ISAKMP: set new node 0 to QM_IDLE      
*Mar  1 02:27:16.283: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 82F638E0
*Mar  1 02:27:16.283: ISAKMP (0:19): Can not start Aggressive mode, trying Main mode.
*Mar  1 02:27:16.283: ISAKMP: Looking for a matching key for *********.113.2 in default : success
*Mar  1 02:27:16.283: ISAKMP (0:19): found peer pre-shared key matching *********.113.2
*Mar  1 02:27:16.287: ISAKMP (0:19): constructed NAT-T vendor-03 ID
*Mar  1 02:27:16.287: ISAKMP (0:19): constructed NAT-T vendor-02 ID
*Mar  1 02:27:16.287: ISAKMP (0:19): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar  1 02:27:16.287: ISAKMP (0:19): Old State = IKE_READY  New State = IKE_I_MM1

*Mar  1 02:27:16.287: ISAKMP (0:19): beginning Main Mode exchange
*Mar  1 02:27:16.287: ISAKMP (0:19): sending packet to *********.113.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 02:27:16.515: ISAKMP (0:19): received packet from *********.113.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar  1 02:27:16.515: ISAKMP (0:19): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 02:27:16.519: ISAKMP (0:19): Old State = IKE_I_MM1  New State = IKE_I_MM2

*Mar  1 02:27:16.519: ISAKMP (0:19): processing SA payload. message ID = 0
*Mar  1 02:27:16.519: ISAKMP: Looking for a matching key for *********.113.2 in default : success
*Mar  1 02:27:16.519: ISAKMP (0:19): found peer pre-shared key matching *********.113.2
*Mar  1 02:27:16.519: ISAKMP (0:19) local preshared key found
*Mar  1 02:27:16.523: ISAKMP : Scanning profiles for xauth ...
*Mar  1 02:27:16.523: ISAKMP (0:19): Checking ISAKMP transform 1 against priority 1 policy
*Mar  1 02:27:16.523: ISAKMP:      encryption 3DES-CBC
*Mar  1 02:27:16.523: ISAKMP:      hash MD5
*Mar  1 02:27:16.523: ISAKMP:      default group 2
*Mar  1 02:27:16.523: ISAKMP:      auth pre-share
*Mar  1 02:27:16.523: ISAKMP:      life type in seconds
*Mar  1 02:27:16.523: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  1 02:27:16.523: ISAKMP (0:19): atts are acceptable. Next payload is 0
*Mar  1 02:27:16.771: ISAKMP (0:19): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 02:27:16.771: ISAKMP (0:19): Old State = IKE_I_MM2  New State = IKE_I_MM2

*Mar  1 02:27:16.779: ISAKMP (0:19): sending packet to *********.113.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar  1 02:27:16.779: ISAKMP (0:19): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 02:27:16.779: ISAKMP (0:19): Old State = IKE_I_MM2  New State = IKE_I_MM3

*Mar  1 02:27:17.027: ISAKMP (0:19): received packet from *********.113.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar  1 02:27:17.031: ISAKMP (0:19): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 02:27:17.031: ISAKMP (0:19): Old State = IKE_I_MM3  New State = IKE_I_MM4

*Mar  1 02:27:17.031: ISAKMP (0:19): processing KE payload. message ID = 0
*Mar  1 02:27:17.335: ISAKMP (0:19): processing NONCE payload. message ID = 0
*Mar  1 02:27:17.335: ISAKMP: Looking for a matching key for *********.113.2 in default : success
*Mar  1 02:27:17.335: ISAKMP (0:19): found peer pre-shared key matching *********.113.2
*Mar  1 02:27:17.339: ISAKMP (0:19): SKEYID state generated
*Mar  1 02:27:17.339: ISAKMP (0:19): processing vendor id payload
*Mar  1 02:27:17.339: ISAKMP (0:19): vendor ID seems Unity/DPD but major 242 mismatch
*Mar  1 02:27:17.343: ISAKMP (0:19): vendor ID is XAUTH
*Mar  1 02:27:17.343: ISAKMP (0:19): processing vendor id payload
*Mar  1 02:27:17.343: ISAKMP (0:19): vendor ID is Unity
*Mar  1 02:27:17.343: ISAKMP (0:19): processing vendor id payload
*Mar  1 02:27:17.343: ISAKMP (0:19): vendor ID is DPD
*Mar  1 02:27:17.343: ISAKMP (0:19): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 02:27:17.347: ISAKMP (0:19): Old State = IKE_I_MM4  New State = IKE_I_MM4

*Mar  1 02:27:17.351: ISAKMP (0:19): Send initial contact
*Mar  1 02:27:17.351: ISAKMP (0:19): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar  1 02:27:17.351: ISAKMP (0:19): ID payload
      next-payload : 8
      type         : 1
      address      : *********.3.220
      protocol     : 17
      port         : 500
      length       : 12
*Mar  1 02:27:17.351: ISAKMP (19): Total payload length: 12
*Mar  1 02:27:17.355: ISAKMP (0:19): sending packet to *********.113.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar  1 02:27:17.355: ISAKMP (0:19): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 02:27:17.355: ISAKMP (0:19): Old State = IKE_I_MM4  New State = IKE_I_MM5
0
 
LVL 7

Expert Comment

by:minmei
ID: 13830271
Had to actually get work done - will look at it later tonight - sorry for the delay
0
 
LVL 7

Expert Comment

by:minmei
ID: 13832614
The access list 101 on the 2600 needs to match (backwards) the JF access list here. Could you check it?
0
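The mirror check minmei describes, as an added example that is not part of the thread: it parses PIX-style entries (subnet masks) for the JF list and IOS-style entries (wildcard masks) for access-list 101, normalises both to prefixes, and reports every pair on one side whose reverse is absent on the other. The addresses are constructed stand-ins, since the page masks the real prefixes and never shows the 2600's access-list 101.

```python
import ipaddress
import re

# Constructed sample of the PIX side (hypothetical prefixes; the real JF
# list on the page has its leading octets masked out).
PIX_JF = """\
access-list JF permit ip 10.1.252.0 255.255.252.0 172.200.200.0 255.255.255.0
access-list JF permit ip 10.2.0.0 255.255.224.0 172.200.200.0 255.255.255.0
access-list JF permit ip 86.85.2.0 255.255.255.0 172.200.200.0 255.255.255.0
"""

# Constructed IOS side (access-list 101 is not shown on the page).
# The third entry deliberately names the wrong remote subnet.
IOS_101 = """\
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.252.0 0.0.3.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.2.0.0 0.0.31.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 86.85.50.0 0.0.0.255
"""

_PERMIT_IP = re.compile(r"^access-list\s+\S+\s+permit\s+ip\s+(.+)$")


def _operand(tokens, wildcard):
    """Consume one address operand ('any', 'host A', or 'A MASK') and
    return it as an ip_network together with the unconsumed tokens."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, mask = tokens[0], tokens[1]
    if wildcard:
        # IOS crypto ACLs use wildcard masks; invert to a subnet mask so
        # both sides normalise to the same prefix notation.
        mask = ".".join(str(255 - int(octet)) for octet in mask.split("."))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_crypto_acl(text, wildcard):
    """Return the set of (src, dst) prefixes permitted by an ip-only ACL.
    wildcard=True parses IOS syntax, False parses PIX subnet-mask syntax."""
    pairs = set()
    for line in text.splitlines():
        m = _PERMIT_IP.match(line.strip())
        if not m:
            continue  # blank lines, deny entries and non-ip entries are skipped
        src, rest = _operand(m.group(1).split(), wildcard)
        dst, _ = _operand(rest, wildcard)
        pairs.add((src, dst))
    return pairs


def _fmt(pair):
    return f"{pair[0]} -> {pair[1]}"


def compare_mirror(pix_text, ios_text):
    """Report where the IOS crypto ACL fails to be the exact reverse of the
    PIX crypto ACL. Both lists are empty when the two sides mirror."""
    pix = parse_crypto_acl(pix_text, wildcard=False)
    ios = parse_crypto_acl(ios_text, wildcard=True)
    expected = {(dst, src) for src, dst in pix}  # mirror image of the PIX side
    return {
        "missing_on_ios": sorted(_fmt(p) for p in expected - ios),
        "extra_on_ios": sorted(_fmt(p) for p in ios - expected),
    }


if __name__ == "__main__":
    for key, entries in compare_mirror(PIX_JF, IOS_101).items():
        print(key, entries or "none")
```

A non-empty list on either side means the proxy identities the two peers propose in phase 2 will not match, so the tunnel never comes up even when phase 1 succeeds.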
