• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 302

Site to Site VPN

I have two sites running PIX 515. The sites will be referred to as A and B. Site A runs version 6.1(4) while site B runs version 7.0(1).


        Site A ------------------- Internet ------------------- Site B

 Router   1.2.3.4  255.255.255.248           1.2.4.1  255.255.255.248   Router
            |                                  |
 PIX A    1.2.3.6 (outside)                  1.2.4.2 (outside)          PIX B
 6.1(4)   192.1.1.251 (inside)               172.16.11.254 (inside)     7.0(1)
            |                                  |
 LAN      172.16.0.1 255.255.240.0           172.16.11.0 255.255.240.0  LAN
          (excluding IPs at site B)

The PIX at site A currently allows VPN via VPN Client software. What should be achieved is a site-to-site VPN between the two PIXes. The VPN configuration details below are running at both sites. What is wrong with the config? Note: the public IP addresses are arbitrary but their subnet masks are real.

Config at Site A (runs PIX ver 6.1(4))
access-list acl_inbound permit udp host 1.2.3.6 host 1.2.4.2 eq isakmp
access-list acl_inbound permit ah host 1.2.3.6 host 1.2.4.2
access-list acl_inbound permit esp host 1.2.3.6 host 1.2.4.2
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set BASEPIX esp-des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address 101
crypto map outside_map 20 set peer 1.2.4.2
crypto map outside_map 20 set transform-set BASEPIX
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 1.2.4.2 netmask 255.255.255.248
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup BGL_roam idle-time 1800
vpngroup test-vpn address-pool bglpool
vpngroup test-vpn dns-server 172.16.0.1
vpngroup test-vpn wins-server 172.16.0.3
vpngroup test-vpn default-domain password
vpngroup test-vpn idle-time 1800
vpngroup test-vpn password ***


Config at Site B (runs PIX ver 7.0)
access-list acl_inbound extended permit udp host 1.2.4.2 host 1.2.3.6 eq isakmp
access-list acl_inbound extended permit ah host 1.2.4.2 host 1.2.3.6
access-list acl_inbound extended permit esp host 1.2.4.2 host 1.2.3.6
access-list 101 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list 101 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.240.0
access-list outside_cryptomap_20 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-none
crypto ipsec transform-set BASEPIX esp-des esp-sha-hmac
crypto map outside_map 20 set peer 1.2.3.6
crypto map outside_map 20 set transform-set BASEPIX
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 1.2.3.6 type ipsec-l2l
tunnel-group 1.2.3.6 ipsec-attributes
 pre-shared-key *


Asked by it_gsr
1 Solution
 
lrmoore Commented:
>runs PIX ver 6.1 (4)
Ouch. This is very old. It should not affect the configuration, but I highly suggest upgrading to 6.3(5).

>PIX B ver 7.0(1)
Also very short-lived version with lots of bugs. Latest is 7.0(5) or 7.12

That said, here are some recommendations:

Site A (you didn't post the complete config, so these are just examples)
These two networks overlap with each other:
 Site A           Site B
 172.16.0.0/20    172.16.11.0/20
                  172.16.16.0/20  <== OK

If you are using 172.16.11.0/24 on Site B, then some adjustments can be made.

 add:
  sysopt connection permit-ipsec
  isakmp identity address
  access-list inside_outbound_nat0 permit ip 192.1.1.0 255.255.255.0 172.16.16.0 255.255.240.0
  access-list inside_outbound_nat0 permit ip 172.16.0.0 255.255.240.0 172.16.16.0 255.255.240.0
  access-list L2LVPN permit ip 192.1.1.0 255.255.255.0 172.16.11.0 255.255.240.0
  access-list L2LVPN permit ip 172.16.0.0 255.255.240.0 172.16.11.0 255.255.240.0
 nat (inside) 0 access-list inside_outbound_nat0
 crypto map outside_map 20 match address L2LVPN


Policies need to match the transform sets, and each other
Site A:
 isakmp policy 10 encryption des
 isakmp policy 10 hash sha
 isakmp policy 10 group 1  <==

Site B:
 isakmp policy 10 encryption des
 isakmp policy 10 hash md5
 isakmp policy 10 group 2  <== both ends need to have the same DH group. Suggest 2 on both ends

Site B changes required:
  isakmp identity address
  access-list L2LVPN permit ip 172.16.16.0 255.255.240.0 192.1.1.0 255.255.255.0
  access-list L2LVPN permit ip 172.16.16.0 255.255.240.0 172.16.0.0 255.255.240.0
  crypto map outside_map 20 match address L2LVPN
  access-list inside_outbound_nat0 permit ip 172.16.16.0 255.255.240.0 172.16.0.0 255.255.240.0
  nat (inside) 0 access-list inside_outbound_nat0
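The four points raised in the answer above (overlapping LANs, phase-1 policies that must agree on both ends including the DH group, crypto ACLs that must mirror each other, and the nat 0 exemption) can be checked mechanically from the two configs before anyone drives to the remote site. The Python script below is an added example, not code from this thread or from Cisco; it parses only the handful of PIX statements involved (`isakmp policy`, `access-list ... permit ip`, `crypto map ... match address`, `nat (inside) 0 access-list`). The sample configs are constructed here, loosely patterned on the ones posted above: the `_BROKEN` pair reproduces the mismatches pointed out, the `_FIXED` pair applies the suggested changes.

```python
# Consistency checks for a pair of PIX site-to-site IPsec peers: only the
# statements that must agree between the two ends are parsed.
import ipaddress

PHASE1_ATTRS = ("authentication", "encryption", "hash", "group")


def parse_config(text):
    """Pull the VPN-relevant statements out of a PIX 6.x or 7.x config."""
    cfg = {"policies": {}, "acls": {}, "crypto_acl": None, "nat0_acl": None}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["isakmp", "policy"] and len(t) == 5:
            cfg["policies"].setdefault(t[2], {})[t[3]] = t[4]
        elif t[0] == "access-list" and len(t) > 2:
            body = t[3:] if t[2] == "extended" else t[2:]  # 7.x inserts "extended"
            if len(body) == 6 and body[:2] == ["permit", "ip"]:  # net-to-net entries only
                src = ipaddress.ip_network(f"{body[2]}/{body[3]}", strict=False)
                dst = ipaddress.ip_network(f"{body[4]}/{body[5]}", strict=False)
                cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[:2] == ["crypto", "map"] and "match" in t:
            cfg["crypto_acl"] = t[t.index("address") + 1]
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["nat0_acl"] = t[4]
    return cfg


def acl_entries(cfg, name):
    return set(cfg["acls"].get(name, []))  # empty if the ACL is never defined


def check_pair(a, b):
    """Return the mismatches between peer configs a and b (empty list = consistent)."""
    findings = []
    crypto_a = acl_entries(a, a["crypto_acl"])
    crypto_b = acl_entries(b, b["crypto_acl"])
    # 1. Each side's local networks are the sources of its crypto ACL; if the two
    #    sets overlap, return traffic has no unambiguous route.
    for na in {s for s, _ in crypto_a}:
        for nb in {s for s, _ in crypto_b}:
            if na.overlaps(nb):
                findings.append(f"local networks overlap: {na} (A) and {nb} (B)")
    # 2. Phase 1 needs a policy on A and a policy on B that agree on all four
    #    attributes, DH group included.
    agree = any(all(pa.get(k) == pb.get(k) for k in PHASE1_ATTRS)
                for pa in a["policies"].values() for pb in b["policies"].values())
    if not agree:
        findings.append("no isakmp policy pair agrees on " + "/".join(PHASE1_ATTRS))
    # 3. Phase 2 proxy identities: B's crypto ACL must be A's with src/dst swapped.
    if not crypto_a or crypto_a != {(d, s) for s, d in crypto_b}:
        findings.append("crypto map match ACLs are not mirror images of each other")
    # 4. Tunnelled traffic must be exempt from NAT on each side (nat 0 ACL).
    for label, side, crypto in (("A", a, crypto_a), ("B", b, crypto_b)):
        if crypto - acl_entries(side, side["nat0_acl"]):
            findings.append(f"site {label}: crypto ACL traffic is not exempt from NAT")
    return findings


def audit(text_a, text_b):
    return check_pair(parse_config(text_a), parse_config(text_b))


# Constructed samples, not the thread's real configs: the BROKEN pair reproduces
# the mismatches pointed out above, the FIXED pair applies the suggested changes.
PRESHARE_DES_MD5_G2 = """
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
"""
SITE_A_BROKEN = """
access-list 101 permit ip 172.16.0.0 255.255.240.0 172.16.11.0 255.255.240.0
nat (inside) 0 access-list 101
crypto map outside_map 20 match address 101
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
"""
SITE_B_BROKEN = """
access-list L2LVPN extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.255.0
crypto map outside_map 20 match address L2LVPN
""" + PRESHARE_DES_MD5_G2
SITE_A_FIXED = """
access-list L2LVPN permit ip 172.16.0.0 255.255.240.0 172.17.0.0 255.255.240.0
nat (inside) 0 access-list L2LVPN
crypto map bgn_map 1 match address L2LVPN
""" + PRESHARE_DES_MD5_G2
SITE_B_FIXED = """
access-list L2LVPN extended permit ip 172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0
access-list no_nat extended permit ip 172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0
nat (inside) 0 access-list no_nat
crypto map tdi_map 1 match address L2LVPN
""" + PRESHARE_DES_MD5_G2
```

`audit(SITE_A_BROKEN, SITE_B_BROKEN)` returns four findings (overlapping /20s, no agreeing phase-1 policy, non-mirrored crypto ACLs, and no nat 0 exemption on site B); the fixed pair returns an empty list. The checker only compares attribute values between the peers and says nothing about their strength: des, md5 and DH group 1, which appear throughout this thread, are all deprecated today.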
 
it_gsr (Author) Commented:
Hi Lrmoore
The networks overlap and the ip range at site B is 172.16.16.0/20 . The DH group is 2 on both systems. sorry for the typo.

Site B is miles away and I had remote desktop ports opened on a machine to allow remote administration during the setup stage. The config is as below. It worked for a while but has refused to work after an IP change in the PIX from one machine to the other. I can RDP to the current machine internally but not externally as before. I cannot apply the suggested changes on site B now due to this problem, so I need to drive to the place tomorrow for this purpose.


Config at Site B
access-list acl_inbound extended permit tcp any host 1.2.4.3 eq 3389
asdm image flash:/asdm
asdm location 1.2.4.3 255.255.255.255 outside
static (inside,outside) 1.2.4.3  172.16.11.1 netmask 255.255.255.255


What should the final config be, taking into consideration all the suggestions above?
 
it_gsr (Author) Commented:
Hi Lrmoore,
As stated above, with the exception of the public IP addresses, all the other IPs specified are real.

lrmoore Commented:
> It worked for a while but has refused to work after an ip change in the pix from one machine to the other
I don't understand what changed on the PIX?

I'm confused now:
>static (inside,outside) 1.2.4.3  172.16.11.1 netmask 255.255.255.255
> the ip range at site B is 172.16.16.0/20
But, it appears that you are actually using 172.16.11.0/20 ?
Is 172.16.11.1 the IP address of the RDP system that you are trying to access? What is that system's default gateway pointing to?

Any time you make a change to the access-list you need to re-apply it to the interface.
Any time you make a change to nat or statics, run "clear xlate" both right before and right after the config change.

 
it_gsr (Author) Commented:
> It worked for a while but has refused to work after an ip change in the pix from one machine to the other
> I don't understand what changed on the PIX?

The only change on the PIX was the IP address. I saved the config and applied clear xlate but it still doesn't want to work.


> I'm confused now:
> static (inside,outside) 1.2.4.3  172.16.11.1 netmask 255.255.255.255
> the ip range at site B is 172.16.16.0/20
> But, it appears that you are actually using 172.16.11.0/20 ?
> Is 172.16.11.1 the IP address of the RDP system that you are trying to access? What is that system's default gateway pointing to?


Yes, 172.16.11.1 is the IP address that I'm trying to RDP to, and the gateway is 172.16.11.254, which is the PIX's internal Ethernet IP.
 
it_gsr (Author) Commented:
Hi Lrmoore,
I would also like to add the functionality of VPN access via VPN client software to the PIX at Site B. What additional commands should be added to make it work?
 
it_gsr (Author) Commented:
Hi Lrmoore,
I am still awaiting comments on my earlier posting.
 
it_gsr (Author) Commented:
Hi Experts, my problem still persists and I would really appreciate a response from you all.
 
Keith Alabaster Commented:
If you put the IP address back to what it was when lrmoore gave you the solution, does it work again?
 
it_gsr (Author) Commented:
I've pasted the current config at both sites for your review. The internal IP at site B is currently 172.17.11.0/20  


Site A config
===========
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password aYiGONOGTxE2368q encrypted
passwd t7oLYycQGA49Yo2i encrypted
hostname BGLKEEPER
domain-name gsrgh.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list acl_inbound permit icmp any any
access-list acl_inbound permit udp host 1.2.3.6 host 1.2.4.2 eq isakmp
access-list acl_inbound permit ah host 1.2.3.6 host 1.2.4.2
access-list acl_inbound permit esp host 1.2.3.6 host 1.2.4.2
access-list acl_inbound permit tcp any host 1.2.3.7 eq 3389
access-list 101 permit ip 172.16.0.0 255.255.240.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 172.16.0.0 255.255.240.0 172.17.0.0 255.255.240.0
access-list 120 permit ip 172.16.0.0 255.255.240.0 172.17.0.0 255.255.240.0
pager lines 24
logging on
logging timestamp
logging trap debugging
logging host inside 172.16.0.1
no logging message 106015
no logging message 305004
no logging message 305001
no logging message 302003
no logging message 302002
no logging message 304001
no logging message 302001
no logging message 302006
no logging message 302005
no logging message 609002
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 1.2.3.6 255.255.255.240
ip address inside 192.1.1.251 255.255.255.0
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool bglpool 192.168.1.1-192.168.1.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location 192.1.1.251 255.255.255.255 inside
pdm location 172.16.0.9 255.255.255.255 inside
pdm location 172.16.0.20 255.255.255.255 inside
pdm location 172.16.0.99 255.255.255.255 inside
pdm location 172.16.10.9 255.255.255.255 inside
pdm location 172.16.1.200 255.255.255.255 inside
pdm logging critical 100
pdm history enable
arp timeout 14400
global (outside) 1 1.2.3.2
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 1.2.3.5 172.16.0.20 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.7 172.16.1.200 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.8 172.16.0.9 netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.3.1 1
route inside 10.170.0.0 255.255.255.0 192.1.1.30 1
route inside 172.16.0.0 255.255.240.0 192.1.1.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol tacacs+
http server enable
no snmp-server location
snmp-server community XXXXXXXXXX
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set BASEPIX esp-des esp-sha-hmac
crypto ipsec transform-set bgn_mines esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map outside_map 20 ipsec-isakmp
crypto map bgn_map 1 ipsec-isakmp
crypto map bgn_map 1 match address 101
crypto map bgn_map 1 set peer 1.2.4.2
crypto map bgn_map 1 set transform-set bgn_mines
crypto map bgn_map interface outside
isakmp enable outside
isakmp key ******** address 1.2.4.2 netmask 255.255.255.248
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup TT_roam idle-time 1800
vpngroup test-vpn address-pool bglpool
vpngroup test-vpn dns-server 172.16.0.1
vpngroup test-vpn wins-server 172.16.0.3
vpngroup test-vpn default-domain password
vpngroup test-vpn idle-time 1800
vpngroup test-vpn password ********
telnet 192.1.1.220 255.255.255.255 inside
telnet timeout 5
ssh 172.16.2.55 255.255.255.255 inside
ssh timeout 5
vpdn username test password test1
vpdn username test1 password test1
terminal width 80
Cryptochecksum:8c87c9adc9f461d3d113ec1f6c51ae0e

Site B
=====
PIX Version 7.0(1)
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 1.2.4.2 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.17.11.254 255.255.240.0
!
enable password aYiGONOGTxE2368q encrypted
passwd aYiGONOGTxE2368q encrypted
hostname tdikeeper
domain-name gsrgh.com
ftp mode passive
access-list acl_inbound extended permit icmp any any
access-list acl_inbound extended permit tcp any host 1.2.4.5 eq 3389
access-list acl_inbound extended permit tcp any host 1.2.4.6 eq 3389
access-list acl_inbound extended permit udp host 1.2.4.2 host 1.2.3.6 eq isakmp
access-list acl_inbound extended permit ah host 1.2.4.2 host 1.2.3.6
access-list acl_inbound extended permit esp host 1.2.4.2 host 1.2.3.6
access-list 101 extended permit ip 172.16.0.0 255.255.240.0 192.168.2.0 255.255.255.0
access-list 101 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list 101 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.240.0
access-list outside_cryptomap_20 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list L2LVPN extended permit ip 172.200.0.0 255.255.240.0 172.100.0.0 255.255.240.0
access-list L2LVPN extended permit ip 172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0
access-list inside_outbound_nat0 extended permit ip 172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0
access-list vpn_nat extended permit ip 172.16.0.0 255.255.240.0 172.100.0.0 255.255.240.0
pager lines 24
logging enable
logging timestamp
logging trap debugging
logging host inside 172.17.11.1
no logging message 106015
no logging message 302003
no logging message 304001
no logging message 609002
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface inside
ip local pool bglpool 192.168.2.1-192.168.2.254
no failover
monitor-interface outside
monitor-interface inside
asdm image flash:/asdm
asdm location 1.2.4.5 255.255.255.255 outside
asdm location 1.2.4.6 255.255.255.255 outside
no asdm history enable
arp timeout 14400
global (outside) 1 1.2.4.3
nat (inside) 0 access-list inside_outbound_nat0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 1.2.4.5 172.16.11.1 netmask 255.255.255.255
static (inside,outside) 1.2.4.6 172.16.11.2 netmask 255.255.255.255
access-group acl_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.4.7 1
route inside 172.17.11.0 255.255.255.255 172.17.11.254 1
route inside 172.16.11.0 255.255.255.255 172.16.11.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 172.16.11.5 255.255.255.255 inside
http 172.16.11.46 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community XXXX
snmp-server enable traps snmp
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-none
crypto ipsec transform-set tdi_mines esp-des esp-md5-hmac
crypto map tdi_map 1 match address L2LVPN
crypto map tdi_map 1 set peer 1.2.3.6
crypto map tdi_map 1 set transform-set tdi_mines
crypto map tdi_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 1.2.3.6 255.255.255.255 outside
telnet 172.16.11.5 255.255.255.255 inside
telnet 172.16.1.200 255.255.255.255 inside
telnet 172.16.11.46 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group 1.2.3.6 type ipsec-l2l
tunnel-group 1.2.3.6 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
!
service-policy global_policy global
Cryptochecksum:7ff64c2d67e1aa86fa299ac79710df90
tdikeeper(config)#
 
Keith Alabaster Commented:
Thanks but can you answer the question?
 
it_gsr (Author) Commented:
I cannot change the config at site B now. It's about a 3 hour drive away, so I would appreciate a complete review of all the commands, then travel over there and make the changes in one go.
 
it_gsr (Author) Commented:
Hi Lrmoore and keith_alabaster,

Below is my current config at the various locations for your review. Can you please help?

Site A
=====
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password aYiGONOGTxE2368q encrypted
passwd t7oLYycQGA49Yo2i encrypted
hostname BGLKEEPER
domain-name mmmm.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list acl_inbound permit icmp any any
access-list acl_inbound permit udp host 1.2.3.6 host 1.2.4.2 eq isakmp
access-list acl_inbound permit ah host 1.2.3.6 host 1.2.4.2
access-list acl_inbound permit esp host 1.2.3.6 host 1.2.4.2
access-list acl_inbound permit tcp any host 1.2.3.7 eq 3389
access-list 101 permit ip 172.16.0.0 255.255.240.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 172.16.0.0 255.255.240.0 172.16.11.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging trap debugging
logging host inside 172.16.0.1
no logging message 106015
no logging message 305004
no logging message 305001
no logging message 302003
no logging message 302002
no logging message 304001
no logging message 302001
no logging message 302006
no logging message 302005
no logging message 609002
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 1.2.3.6 255.255.255.240
ip address inside 192.1.1.251 255.255.255.0
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool bglpool 192.168.1.1-192.168.1.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location 192.1.1.251 255.255.255.255 inside
pdm location 172.16.0.9 255.255.255.255 inside
pdm location 172.16.0.20 255.255.255.255 inside
pdm location 172.16.0.99 255.255.255.255 inside
pdm location 172.16.10.9 255.255.255.255 inside
pdm location 172.16.1.200 255.255.255.255 inside
pdm logging critical 100
pdm history enable
arp timeout 14400
global (outside) 1 1.2.3.2
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 1.2.3.5 172.16.0.20 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.7 172.16.1.200 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.8 172.16.0.9 netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.3.1 1
route inside 10.170.0.0 255.255.255.0 192.1.1.30 1
route inside 172.16.0.0 255.255.240.0 192.1.1.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol tacacs+
http server enable
no snmp-server location
snmp-server community xxxxxx
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set BASEPIX esp-des esp-sha-hmac
crypto ipsec transform-set bgn_mines esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map outside_map 20 ipsec-isakmp
crypto map bgn_map 1 ipsec-isakmp
crypto map bgn_map 1 match address 101
crypto map bgn_map 1 set peer 1.2.4.2
crypto map bgn_map 1 set transform-set bgn_mines
crypto map bgn_map interface outside
isakmp enable outside
isakmp key ******** address 1.2.4.2 netmask 255.255.255.248
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup BGL_roam idle-time 1800
vpngroup gsrgh-vpn address-pool bglpool
vpngroup gsrgh-vpn dns-server 172.16.0.1
vpngroup gsrgh-vpn wins-server 172.16.0.3
vpngroup gsrgh-vpn default-domain password
vpngroup gsrgh-vpn idle-time 1800
vpngroup gsrgh-vpn password ********
telnet 192.1.1.220 255.255.255.255 inside
telnet timeout 5
ssh 172.16.2.55 255.255.255.255 inside
ssh timeout 5
vpdn username xxx password xxx
vpdn username xxx password xxx
terminal width 80
Cryptochecksum:e41785d365372f5d64523d7dff608d46

Site B
=========
PIX Version 7.0(1)
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 1.2.4.2 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.17.11.254 255.255.240.0
!
enable password aYiGONOGTxE2368q encrypted
passwd aYiGONOGTxE2368q encrypted
hostname tdikeeper
domain-name mmmm.com
ftp mode passive
access-list acl_inbound extended permit icmp any any
access-list acl_inbound extended permit tcp any host 1.2.4.5 eq 3389
access-list acl_inbound extended permit tcp any host 1.2.4.6 eq 3389
access-list acl_inbound extended permit udp host 1.2.4.2 host 1.2.3.6 eq isakmp
access-list acl_inbound extended permit ah host 1.2.4.2 host 1.2.3.6
access-list acl_inbound extended permit esp host 1.2.4.2 host 1.2.3.6
access-list 101 extended permit ip 172.16.0.0 255.255.240.0 192.168.2.0 255.255.255.0
access-list 101 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list 101 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.240.0
access-list outside_cryptomap_20 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list L2LVPN extended permit ip 172.200.0.0 255.255.240.0 172.100.0.0 255.255.240.0
access-list L2LVPN extended permit ip 172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0
access-list inside_outbound_nat0 extended permit ip 172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0
access-list vpn_nat extended permit ip 172.16.0.0 255.255.240.0 172.100.0.0 255.255.240.0
pager lines 24
logging enable
logging timestamp
logging trap debugging
logging host inside 172.16.11.1
no logging message 106015
no logging message 302003
no logging message 304001
no logging message 609002
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface inside
ip local pool bglpool 192.168.2.1-192.168.2.254
no failover
monitor-interface outside
monitor-interface inside
asdm image flash:/asdm
asdm location 1.2.4.5 255.255.255.255 outside
asdm location 1.2.4.6 255.255.255.255 outside
no asdm history enable
arp timeout 1440
global (outside) 1 1.2.4.3
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 172.200.0.0  access-list vpn_nat
static (inside,outside) 1.2.4.5 172.16.17.1 netmask 255.255.255.255
static (inside,outside) 1.2.4.6 172.16.17.2 netmask 255.255.255.255
access-group acl_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.4.7 1
route inside 172.17.11.0 255.255.255.255 172.17.11.254 1
route inside 172.16.11.0 255.255.255.255 172.16.11.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 172.16.11.5 255.255.255.255 inside
http 172.16.11.46 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community XXXXX
snmp-server enable traps snmp
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-none
crypto ipsec transform-set tdi_mines esp-des esp-md5-hmac
crypto map tdi_map 1 match address L2LVPN
crypto map tdi_map 1 set peer 1.2.3.6
crypto map tdi_map 1 set transform-set tdi_mines
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 1.2.3.6 255.255.255.255 outside
telnet 172.16.11.5 255.255.255.255 inside
telnet 172.16.1.200 255.255.255.255 inside
telnet 172.16.11.46 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group 1.2.3.6 type ipsec-l2l
tunnel-group 1.2.3.6 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
!
service-policy global_policy global
Cryptochecksum:80e5f432be5b2a0fa2a3aa26b6264f82
 
lrmoore Commented:
Site A:
>PIX Version 6.1(4)
Very old, you might want to consider updating to 6.3(5) and the PDM GUI

no access-list 101 permit ip 172.16.0.0 255.255.240.0 172.16.11.0
access-list 102 permit ip 172.16.0.0 255.255.240.0 172.17.0.0 255.255.240.0
no crypto map bgn_map 1 match address 101
crypto map bgn_map 1 match address 102
isakmp nat-traversal 20

Site B:
 no static (inside,outside) 172.200.0.0  access-list vpn_nat
 access-list no_nat permit ip 172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0
 nat (inside) 0 access-list no_nat
 access-list l2l_vpn permit ip 172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0

Make those changes, then post the result of "sho cry is sa". "QM_IDLE" is a very good thing to see there.

Using the ASDM GUI VPN Wizard is absolutely the best way to set up the Site B side, and the PDM VPN Wizard (after you upgrade the OS and the PDM) on Site A.
 
it_gsr (Author) Commented:
Hi Lrmoore,
Below is the updated config at the various sites.

On running "sho cry is sa" at site B, the resulting message was 'There are no isakmp sas',

and 'QM_IDLE' did not show up at Site A.

I've not been able to upgrade Site A to version 6.3 because I do not have the spare PIX on site yet. Once it's at hand I will replace the current one with the new and then perform the upgrade. Can you please send me a site where I can download the 6.3 IOS?

Site A:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password aYiGONOGTxE2368q encrypted
passwd t7oLYycQGA49Yo2i encrypted
hostname BGLKEEPER
domain-name mmmm.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list acl_inbound permit icmp any any
access-list acl_inbound permit udp host 1.2.3.6 host 1.2.4.2 eq isakmp
access-list acl_inbound permit ah host 1.2.3.6 host 1.2.4.2
access-list acl_inbound permit esp host 1.2.3.6 host 1.2.4.2
access-list acl_inbound permit tcp any host 1.2.3.7 eq 3389
access-list 101 permit ip 172.16.0.0 255.255.240.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 172.16.0.0 255.255.240.0 172.16.11.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging trap debugging
logging host inside 172.16.0.1
no logging message 106015
no logging message 305004
no logging message 305001
no logging message 302003
no logging message 302002
no logging message 304001
no logging message 302001
no logging message 302006
no logging message 302005
no logging message 609002
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 1.2.3.6 255.255.255.240
ip address inside 192.1.1.251 255.255.255.0
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool bglpool 192.168.1.1-192.168.1.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location 192.1.1.251 255.255.255.255 inside
pdm location 172.16.0.9 255.255.255.255 inside
pdm location 172.16.0.20 255.255.255.255 inside
pdm location 172.16.0.99 255.255.255.255 inside
pdm location 172.16.10.9 255.255.255.255 inside
pdm location 172.16.1.200 255.255.255.255 inside
pdm logging critical 100
pdm history enable
arp timeout 14400
global (outside) 1 1.2.3.2
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 1.2.3.5 172.16.0.20 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.7 172.16.1.200 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.8 172.16.0.9 netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.3.1 1
route inside 10.170.0.0 255.255.255.0 192.1.1.30 1
route inside 172.16.0.0 255.255.240.0 192.1.1.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol tacacs+
http server enable
no snmp-server location
snmp-server community xxxxxx
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set BASEPIX esp-des esp-sha-hmac
crypto ipsec transform-set bgn_mines esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map outside_map 20 ipsec-isakmp
crypto map bgn_map 1 ipsec-isakmp
crypto map bgn_map 1 match address 101
crypto map bgn_map 1 set peer 1.2.4.2
crypto map bgn_map 1 set transform-set bgn_mines
crypto map bgn_map interface outside
isakmp enable outside
isakmp key ******** address 1.2.4.2 netmask 255.255.255.248
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup BGL_roam idle-time 1800
vpngroup gsrgh-vpn address-pool bglpool
vpngroup gsrgh-vpn dns-server 172.16.0.1
vpngroup gsrgh-vpn wins-server 172.16.0.3
vpngroup gsrgh-vpn default-domain password
vpngroup gsrgh-vpn idle-time 1800
vpngroup gsrgh-vpn password ********
telnet 192.1.1.220 255.255.255.255 inside
telnet timeout 5
ssh 172.16.2.55 255.255.255.255 inside
ssh timeout 5
vpdn username xxx password xxx
vpdn username xxx password xxx
terminal width 80
Cryptochecksum:e41785d365372f5d64523d7dff608d46

Site B
=========
PIX Version 7.0(1)
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 1.2.4.2 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.17.11.254 255.255.240.0
!
enable password aYiGONOGTxE2368q encrypted
passwd aYiGONOGTxE2368q encrypted
hostname tdikeeper
domain-name mmmm.com
ftp mode passive
access-list acl_inbound extended permit icmp any any
access-list acl_inbound extended permit tcp any host 1.2.4.5 eq 3389
access-list acl_inbound extended permit tcp any host 1.2.4.6 eq 3389
access-list acl_inbound extended permit udp host 1.2.4.2 host 1.2.3.6 eq isakmp
access-list acl_inbound extended permit ah host 1.2.4.2 host 1.2.3.6
access-list acl_inbound extended permit esp host 1.2.4.2 host 1.2.3.6
access-list 101 extended permit ip 172.16.0.0 255.255.240.0 192.168.2.0 255.255.255.0
access-list 101 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list 101 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.240.0
access-list outside_cryptomap_20 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list L2LVPN extended permit ip 172.200.0.0 255.255.240.0 172.100.0.0 255.255.240.0
access-list L2LVPN extended permit ip 172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0
access-list inside_outbound_nat0 extended permit ip 172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0
access-list vpn_nat extended permit ip 172.16.0.0 255.255.240.0 172.100.0.0 255.255.240.0
pager lines 24
logging enable
logging timestamp
logging trap debugging
logging host inside 172.16.11.1
no logging message 106015
no logging message 302003
no logging message 304001
no logging message 609002
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface inside
ip local pool bglpool 192.168.2.1-192.168.2.254
no failover
monitor-interface outside
monitor-interface inside
asdm image flash:/asdm
asdm location 1.2.4.5 255.255.255.255 outside
asdm location 1.2.4.6 255.255.255.255 outside
no asdm history enable
arp timeout 1440
global (outside) 1 1.2.4.3
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 172.200.0.0  access-list vpn_nat
static (inside,outside) 1.2.4.5 172.16.17.1 netmask 255.255.255.255
static (inside,outside) 1.2.4.6 172.16.17.2 netmask 255.255.255.255
access-group acl_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.4.7 1
route inside 172.17.11.0 255.255.255.255 172.17.11.254 1
route inside 172.16.11.0 255.255.255.255 172.16.11.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 172.16.11.5 255.255.255.255 inside
http 172.16.11.46 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community XXXXX
snmp-server enable traps snmp
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-none
crypto ipsec transform-set tdi_mines esp-des esp-md5-hmac
crypto map tdi_map 1 match address L2LVPN
crypto map tdi_map 1 set peer 1.2.3.6
crypto map tdi_map 1 set transform-set tdi_mines
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 1.2.3.6 255.255.255.255 outside
telnet 172.16.11.5 255.255.255.255 inside
telnet 172.16.1.200 255.255.255.255 inside
telnet 172.16.11.46 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group 1.2.3.6 type ipsec-l2l
tunnel-group 1.2.3.6 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
!
service-policy global_policy global
Cryptochecksum:80e5f432be5b2a0fa2a3aa26b6264f82
it_gsrAuthor Commented:
Hi Lrmoore,
Any updates on my request
lrmooreCommented:
Sorry about the delay..
>Can you please send me a site where I can download the 6.3 IOS
http://www.cisco.com
You must have a CCO login and a valid Smartnet maintenance to download the IOS.

These entries need to be changed. You need to separate the nat-zero acl from the site-site vpn acl, and your acls are backwards:

Given:
>access-list 101 permit ip 172.16.0.0 255.255.240.0 192.168.1.0 255.255.255.0
>access-list 101 permit ip 172.16.0.0 255.255.240.0 172.16.11.0 255.255.255.0
>ip local pool bglpool 192.168.1.1-192.168.1.254
>nat (inside) 0 access-list 101
>crypto map bgn_map 1 match address 101
>ip address inside 192.1.1.251 255.255.255.0

And Remote config:
>interface Ethernet1
> nameif inside
> ip address 172.17.11.254 255.255.240.0

on BGLKEEPER, make the following changes:
\\-- delete acl 101
no access-list 101
\\-- recreate acl 101 for nat_zero
\\-- <local subnet> mask <remote subnet>
access-list 101 permit ip 192.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.1.1.0 255.255.255.0 172.17.0.0 255.255.240.0
access-list 101 permit ip 172.16.0.0 255.255.240.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 172.16.0.0 255.255.240.0 172.17.0.0 255.255.240.0
\\-- create new acl for site-site vpn traffic only
access-list 102 permit ip 192.1.1.0 255.255.255.0 172.17.0.0 255.255.240.0
access-list 102 permit ip 172.16.0.0 255.255.240.0 172.17.0.0 255.255.240.0
\\-- re-apply nat_zero acl
nat (inside) 0 access-list 101
\\-- apply new acl 102 to the crypto map
crypto map bgn_map 1 match address 102
\\-- re-apply crypto map to the interface
crypto map bgn_map interface outside
 
Now, on "tdikeeper"
\\--add an acl match for nat_zero for the 192.1.1.0 subnet
access-list inside_outbound_nat0 extended permit ip 172.17.0.0 255.255.240.0 192.1.1.0 255.255.255.0
\\-- apply this acl to nat_zero (missing from your config)
nat (inside) 0 access-list inside_outbound_nat0
\\-- add acl entry for the remote 192.1.1.0 subnet
access-list L2LVPN extended permit ip 172.17.0.0 255.255.240.0 192.1.1.0 255.255.255.0

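A small checker for the point lrmoore makes above (the nat 0 ACL and the crypto ACL must be separate, and the crypto ACLs on the two peers must be exact mirrors of each other), as an added example that is not part of the original thread. It parses PIX 6.x and 7.x access-list lines with Python's standard ipaddress module and reports three things: crypto entries with no (dst, src) twin on the peer, crypto entries the local nat 0 ACL does not cover, and entries whose source is not a local subnet (the "backwards" case). The ACL text is constructed from the thread: site A's original acl 101, site B's original acl 101 plus the L2LVPN and inside_outbound_nat0 entries that refer to site A (the 172.200/172.100 policy-NAT entry is left out), and the ACLs proposed in the fix. The local-network lists (192.1.1.0/24 and 172.16.0.0/20 at A, 172.17.0.0/20 at B) are an assumption read from the two configs.

```python
"""Audit a PIX site-to-site pair: crypto ACLs must mirror each other, the
nat 0 ACL on each side must cover its crypto ACL, and every crypto ACL
source must be a local network.  Added example for this thread, not code
from the original posts; all ACL text below is constructed from the thread."""
import ipaddress
import re

# Matches PIX 6.x "permit ip" and PIX 7.x "extended permit ip" lines.
ACL_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)$"
)


def net(addr, mask):
    """Build a network from the PIX 'address mask' form."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acl(config_text, name):
    """(src_net, dst_net) tuples for the named ACL, in config order."""
    entries = []
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group("name") == name:
            entries.append((net(m["src"], m["smask"]), net(m["dst"], m["dmask"])))
    return entries


def unmirrored(local, remote):
    """Local crypto entries with no (dst, src) twin on the peer.  Phase 2
    proxy IDs must match exactly, so these SAs never negotiate."""
    twins = set(remote)
    return [(s, d) for s, d in local if (d, s) not in twins]


def not_in_nat0(crypto, nat0):
    """Crypto entries not wholly covered by some nat 0 entry: that traffic is
    PAT'd to the global address first and never matches the crypto map."""
    return [(s, d) for s, d in crypto
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nat0)]


def backwards(crypto, local_nets):
    """Crypto entries whose source is not one of this site's networks."""
    return [(s, d) for s, d in crypto
            if not any(s.subnet_of(n) for n in local_nets)]


def audit(a_crypto, a_nat0, a_local, b_crypto, b_nat0, b_local):
    """Run all three checks in both directions; every list should be empty."""
    return {
        "a_unmirrored": unmirrored(a_crypto, b_crypto),
        "b_unmirrored": unmirrored(b_crypto, a_crypto),
        "a_not_in_nat0": not_in_nat0(a_crypto, a_nat0),
        "b_not_in_nat0": not_in_nat0(b_crypto, b_nat0),
        "a_backwards": backwards(a_crypto, a_local),
        "b_backwards": backwards(b_crypto, b_local),
    }


# Constructed sample input.  Site A originally used acl 101 for both nat 0
# and the crypto map; the proposed fix splits it into 101 (nat 0) and 102.
SITE_A_ORIG = """
access-list 101 permit ip 172.16.0.0 255.255.240.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 172.16.0.0 255.255.240.0 172.16.11.0 255.255.255.0
"""
SITE_A_FIXED = """
access-list 101 permit ip 192.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.1.1.0 255.255.255.0 172.17.0.0 255.255.240.0
access-list 101 permit ip 172.16.0.0 255.255.240.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 172.16.0.0 255.255.240.0 172.17.0.0 255.255.240.0
access-list 102 permit ip 192.1.1.0 255.255.255.0 172.17.0.0 255.255.240.0
access-list 102 permit ip 172.16.0.0 255.255.240.0 172.17.0.0 255.255.240.0
"""
SITE_B_ORIG = """
access-list 101 extended permit ip 172.16.0.0 255.255.240.0 192.168.2.0 255.255.255.0
access-list 101 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list L2LVPN extended permit ip 172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0
access-list inside_outbound_nat0 extended permit ip 172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0
"""
SITE_B_FIXED = SITE_B_ORIG + """
access-list L2LVPN extended permit ip 172.17.0.0 255.255.240.0 192.1.1.0 255.255.255.0
access-list inside_outbound_nat0 extended permit ip 172.17.0.0 255.255.240.0 192.1.1.0 255.255.255.0
"""
# Assumed local networks, read from the two configs (inside interface + routes).
A_LOCAL = [net("192.1.1.0", "255.255.255.0"), net("172.16.0.0", "255.255.240.0")]
B_LOCAL = [net("172.17.0.0", "255.255.240.0")]


def audit_original():
    a = parse_acl(SITE_A_ORIG, "101")          # same ACL for nat 0 and crypto
    return audit(a, a, A_LOCAL, parse_acl(SITE_B_ORIG, "L2LVPN"),
                 parse_acl(SITE_B_ORIG, "inside_outbound_nat0"), B_LOCAL)


def audit_fixed():
    return audit(parse_acl(SITE_A_FIXED, "102"), parse_acl(SITE_A_FIXED, "101"),
                 A_LOCAL, parse_acl(SITE_B_FIXED, "L2LVPN"),
                 parse_acl(SITE_B_FIXED, "inside_outbound_nat0"), B_LOCAL)


if __name__ == "__main__":
    for label, findings in (("original", audit_original()), ("fixed", audit_fixed())):
        for check, entries in findings.items():
            if entries:
                print(f"{label}: {check}: " + ", ".join(f"{s} -> {d}" for s, d in entries))
```

Run as-is it lists the original site A entries that have no mirror at site B (neither 192.168.1.0/24 nor 172.16.11.0/24 appears as a source in L2LVPN) and the site B entry that has no mirror at A, and is silent for the proposed fix. Feeding it the original site B acl 101 through `backwards()` flags both entries, since their sources are site A's 172.16.x networks rather than anything local to B. Note the check is on ACL text only: it does not detect that site B's config never applies its nat 0 ACL with `nat (inside) 0 access-list ...`, which lrmoore also points out.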
it_gsrAuthor Commented:
Hi Lrmoore,
The 192.168.1.1-192.168.1.254
 IP's were only meant for VPN access using VPN software on site A. Do I still go ahead with the recommended changes
lrmooreCommented:
Yes, please make all the required changes
it_gsrAuthor Commented:
Hi Lrmoore,
Thanks for your response. Are there any tests that you would like me to perform after applying the given changes?
lrmooreCommented:
yes:
Post output from the PIX:
 sho cry ip sa
 sho cry is sa
 sho access-list
it_gsrAuthor Commented:
Hi Keith_Alabaster
I still do not have a solution to my problem. Please leave it open
