?
Solved

Cisco Pix 501 VPN issues

Posted on 2005-04-25
10
Medium Priority
?
953 Views
Last Modified: 2013-11-16
Okay,

I have two sites that I need connected by a site to site vpn.  One site we'll call A
has a cisco 1700 series.  Site B has a cisco pix 501 connecting through a dsl
modem.  With the configurations I currently have the vpn is established.  However
I cannot ping from network to network, and in the cisco pix pdm only decrypting
packets come across, no encrypting or error packets come through.

Below are the configurations:


Cisco Pix 501 Site B


PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname stonehedge
domain-name glv
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.16.100.0 GLV
access-list inside_outbound_nat0_acl permit ip any 172.16.101.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.16.101.0 255.255.255.0 GLV 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 172.16.101.0 255.255.255.240
access-list outside_cryptomap_20 permit ip 172.16.101.0 255.255.255.0 GLV 255.255.255.0
access-list 10 permit icmp any any
access-list 10 permit tcp any any
access-list 10 permit udp any any
access-list 10 permit ip any any
pager lines 24
logging on
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.5 255.255.255.0
ip address inside 172.16.101.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool GLV 172.16.101.4-172.16.101.9
pdm location 172.16.101.4 255.255.255.255 inside
pdm location 172.16.101.10 255.255.255.255 inside
pdm location GLV 255.255.255.0 outside
pdm location 172.16.101.0 255.255.255.0 outside
pdm location 172.16.101.0 255.255.255.240 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group 10 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.101.4 255.255.255.255 inside
http 172.16.101.10 255.255.255.255 inside
http 172.16.101.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES-SHA mode transport
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 66.xx.xx.10
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 66.xx.xx.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 180
telnet 172.16.101.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local GLV
vpdn group PPTP-VPDN-GROUP client configuration dns 172.16.101.1
vpdn group PPTP-VPDN-GROUP client configuration wins 172.16.101.1
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username xx password *********
vpdn username xx password *********
vpdn enable outside
terminal width 80
Cryptochecksum:f5c5414af3250a49325b9d8dda498827
: end




Cisco 1700 Config


Current configuration : 3632 bytes
!
! Last configuration change at 21:41:06 UTC Mon Apr 25 2005 by poamann
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname GullLakeView
!
boot system flash:c1700-k9o3sy7-mz.122-15.T14.bin
logging queue-limit 100
logging buffered 51200 debugging
enable secret 5 $1$Kyj5$T2uWkmzM1aNldA3a1PYiM0
!
username xxx privilege 15 secret 5 $1$IOYs$PYkN0Yn209RXQtsprUzDO/
ip subnet-zero
!
!
ip name-server 216.165.xxx.157
ip name-server 134.215.xxx.126
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ******* address 69.xxx.xxx.214
!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to Stonehedge
 set peer 69.xxx.xxx.214
 set transform-set ESP-3DES-SHA1
 match address 101
!
!
!
!
interface Ethernet0
 description $ETH-WAN$
 ip address 66.xx.xx.10 255.255.255.252
 ip access-group internet_input_filter in
 no ip redirects
 no ip unreachables
 ip nat outside
 half-duplex
 crypto map SDM_CMAP_1
!
interface FastEthernet0
 ip address 172.16.100.1 255.255.255.0
 ip access-group generic_input_filter in
 no ip redirects
 no ip unreachables
 ip nat inside
 speed auto
!
interface Virtual-Template1
 no ip address
!
ip nat inside source route-map SDM_RMAP_1 interface Ethernet0 overload

ip classless
ip route 0.0.0.0 0.0.0.0 66.xx.xx.9
no ip http server
ip http authentication local
ip http secure-server
!
!
!
ip access-list extended anti_spoof_out
 permit ip 172.16.100.0 0.0.0.255 any
 deny   ip any any
ip access-list extended generic_input_filter
 deny   udp any eq 0 any eq 0
 deny   255 any any
 permit ip host 0.0.0.0 any
 permit ip host 255.255.255.255 any
 permit ip 172.16.100.0 0.0.0.255 any
 deny   ip any any
ip access-list extended internet_input_filter
 remark SDM_ACL Category=17
 permit udp any host 66.xx.xx.10 eq non500-isakmp
 permit udp any host 66.xx.xx.10 eq isakmp
 permit esp any host 66.xx.xx.10
 permit ahp any host 66.xx.xx.10
 permit gre any host 66.xx.xx.10
 deny   udp any eq 0 any eq 0
 deny   255 any any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 224.0.0.0 0.15.255.255 any
 permit ip any any
!
logging trap debugging
access-list 98 permit any
access-list 99 permit 172.16.100.0 0.0.0.255
access-list 99 permit 172.16.101.0 0.0.0.255
access-list 99 deny   any
access-list 100 remark SDM_ACL Catergory=18
access-list 100 remark IPSec Rule
access-list 100 deny   ip 172.16.100.0 0.0.0.255 172.16.101.0 0.0.0.255
access-list 100 permit ip 172.16.100.0 0.0.0.255 any
access-list 101 remark SDM_ACL Catergory=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 172.16.100.0 0.0.0.255 172.16.101.0 0.0.0.255
access-list 110 remark SDM_ACL Catergory=16
access-list 110 permit ip 172.16.100.0 0.0.0.255 172.16.101.0 0.0.0.255
access-list 111 permit ip 172.16.100.0 0.0.0.255 172.16.101.0 0.0.0.255
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
!
line con 0
 speed 115200
line aux 0
line vty 0 4
 access-class 99 in
 password 7 12140A19160A15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 99 in
 password 7 151F0402002B32
 login local
 transport input telnet ssh
!
ntp clock-period 17179955
ntp peer 192.43.244.18
ntp peer 18.145.0.30
ntp peer 192.5.41.214
end




Thanks for the help!!


Steve
0
Comment
Question by:c230kochi
  • 5
  • 4
10 Comments
 
LVL 5

Accepted Solution

by:
pazmanpro earned 1400 total points
ID: 13863605
I don't see anything wrong with your PIX config. The fact that the VPN is coming up would mean that Phase 1 and 2 completes. The problem lies with your access-list on the 1700 router; you need to add an entry to allow 172.16.101.0/24 to talk to 172.16.100.0/24. Don't ask me why, since the packets come in as ESP, but i guess the decryption takes place at the external interface so you need to add it in there. Therefore:

ip access-list extended internet_input_filter
 remark SDM_ACL Category=17
 permit udp any host 66.xx.xx.10 eq non500-isakmp
 permit udp any host 66.xx.xx.10 eq isakmp
 permit esp any host 66.xx.xx.10
 permit ahp any host 66.xx.xx.10
 permit gre any host 66.xx.xx.10
> permit ip 172.16.101.0 0.0.0.255 172.16.100.0 0.0.0.255
 deny   udp any eq 0 any eq 0
 deny   255 any any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 224.0.0.0 0.15.255.255 any
 permit ip any any

What is strange is that it seems that you used the SDM to configure the 1700 router, and this usually does a pretty good job of adding the proper access-lists.

Hope this helps.
0
 
LVL 5

Expert Comment

by:pazmanpro
ID: 13863617
On another note, what is this all about?

access-list 10 permit icmp any any
access-list 10 permit tcp any any
access-list 10 permit udp any any
access-list 10 permit ip any any
access-group 10 in interface outside

Kind of opening yourself up there aren't you? You should get rid of these.
0
 
LVL 1

Author Comment

by:c230kochi
ID: 13863678
Yeah, I couldn't figure out why it wasn't working so I figured I would open everything up
and then once it was working close down everything one by one.


I tried adding that permit statement without any changes.
0
Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 600 total points
ID: 13865473
Try adding these to the PIX also:
 isakmp identity address
 isakmp nat-traversal 20

Can we assume that the PIX is the default gateway on the remote network?
0
 
LVL 1

Author Comment

by:c230kochi
ID: 13866150
The way I have the pix side setup is that the dsl comes in on a pppoe connection to a modem.  The modem
then using dmz is forwarding everything to 192.168.1.5 the outside interface on the pix.  Also, when I vpn
in using the pptp connection I created, I cannot ping nor connect to any of the 172.16.101.x subnet.


confused...
0
 
LVL 5

Expert Comment

by:pazmanpro
ID: 13866936
Did you try lrmoore's suggestion for nat-t? That may be the problem (don't know how i missed that!).

If that did not work, since you are using PPPoE, could you try to use bridging instead of forwarding on the DSL router and set the outside interface of the PIX to the public IP?
0
 
LVL 1

Author Comment

by:c230kochi
ID: 13868474
uggggg, that didn't work.  I added the two commands and still get nothing.  as for bridging the router I looked through it
and can't find any way to do that.  The router/modem is an Actiontec.
0
 
LVL 5

Assisted Solution

by:pazmanpro
pazmanpro earned 1400 total points
ID: 13875149
After you add it clear the SAs by using

clear crypto sa
clear crypto ipsec sa
clear crypto isakmp sa

This way it will re-negotiate the peers.

If that does not work, do a "sh crypto ipsec sa" and post the results.
0
 
LVL 1

Author Comment

by:c230kochi
ID: 13876779
Wow, you deserve a heck of a lot more than 500 points!!  I would have been sitting here
forever trying to figure it out.  The clear crypto took care of the problem.  I assume it was
due to the isakmp configs.  Question though, I have other pix setup that aren't using the
isakmp nat-t and identity address commands and they are working okay.  What do these
commands do?  Was it the permit statement that solved the problem and then I just needed
to clear the crypto SAs?

Okay thanks for all the help!!
0
 
LVL 5

Expert Comment

by:pazmanpro
ID: 13899295
NAT-T is nat traversal; it allows ipsec to take place across a nat device by encapsulatiing the ESP packet as UDP (port 4500 to be exact). NAT-T is off by default. Because the PIX address is being natted, the "isakmp nat-t" needs to be put it. NAT-T is on by default on all routers.

isakmp identity address is not really neccessary since it is the default setting for the PIX. This tells the pix to send the ip address as its identity during the phase 1 negotiations.

I know for one that the NAT-T needed to be enabled and as well as the access-list entry on the router. The clear crypto sa was just to force the re-negotiation of peers.
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
In this article, the configuration steps in Zabbix to monitor devices via SNMP will be discussed with some real examples on Cisco Router/Switch, Catalyst Switch, NAS Synology device.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses
Course of the Month16 days, 14 hours left to enroll

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question