PIX 515E Site to Site VPN

Posted on 2006-05-12
Last Modified: 2013-11-16
Hi Experts, I have two sites running PIX 515. The sites will be referred to as A and B. Site A runs ver 6.1(4) while site B runs ver 7.0(1).


Site A --------------------------- Internet --------------------------- Site B

Site A                                      Site B
------                                      ------
Router        1.2.3.4   255.255.255.248     Router        1.2.4.1   255.255.255.248
PIX A 6.1(4)  1.2.3.6   (outside)           PIX B 7.0(1)  1.2.4.2   (outside)
              192.1.1.251 (inside)                        172.16.11.254 (inside)
LAN           172.16.0.1  255.255.240.0     LAN           172.16.11.0  255.255.240.0
              (excluding IPs at site B)

The PIX at site A currently allows VPN via VPN Client software. What should be achieved is a Site to Site VPN between the two PIX and VPN access via client software at Site B. Site B's network is a /20. The VPN configuration details below are running at both sites. What is wrong with the config? Note: the public IP addresses are arbitrary but their subnet masks are real.

Site A config
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password aYiGONOGTxE2368q encrypted
passwd t7oLYycQGA49Yo2i encrypted
hostname BGLKEEPER
domain-name gsrgh.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list acl_inbound permit icmp any any
access-list acl_inbound permit udp host 1.2.3.6 host 1.2.4.2 eq isakmp
access-list acl_inbound permit ah host 1.2.3.6 host 1.2.4.2
access-list acl_inbound permit esp host 1.2.3.6 host 1.2.4.2
access-list acl_inbound permit tcp any host 1.2.3.7 eq 3389
access-list 101 permit ip 172.16.0.0 255.255.240.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 172.16.0.0 255.255.240.0 172.16.11.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging trap debugging
logging host inside 172.16.0.1
no logging message 106015
no logging message 305004
no logging message 305001
no logging message 302003
no logging message 302002
no logging message 304001
no logging message 302001
no logging message 302006
no logging message 302005
no logging message 609002
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 1.2.3.6 255.255.255.248
ip address inside 192.1.1.251 255.255.255.0
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool bglpool 192.168.1.1-192.168.1.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location 192.1.1.251 255.255.255.255 inside
pdm location 172.16.0.9 255.255.255.255 inside
pdm location 172.16.0.20 255.255.255.255 inside
pdm location 172.16.0.99 255.255.255.255 inside
pdm location 172.16.10.9 255.255.255.255 inside
pdm location 172.16.1.200 255.255.255.255 inside
pdm logging critical 100
pdm history enable
arp timeout 14400
global (outside) 1 1.2.3.2
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 1.2.3.5 172.16.0.20 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.7 172.16.1.200 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.8 172.16.0.9 netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.3.1 1
route inside 10.170.0.0 255.255.255.0 192.1.1.30 1
route inside 172.16.0.0 255.255.240.0 192.1.1.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol tacacs+
http server enable
no snmp-server location
snmp-server contact support@net.net
snmp-server community XXXXXXXXXX
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set BASEPIX esp-des esp-sha-hmac
crypto ipsec transform-set bgn_mines esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map outside_map 20 ipsec-isakmp
crypto map bgn_map 1 ipsec-isakmp
crypto map bgn_map 1 match address 101
crypto map bgn_map 1 set peer 1.2.4.2
crypto map bgn_map 1 set transform-set bgn_mines
crypto map bgn_map interface outside
isakmp enable outside
isakmp key ******** address 1.2.4.2 netmask 255.255.255.248
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup TT_roam idle-time 1800
vpngroup test-vpn address-pool bglpool
vpngroup test-vpn dns-server 172.16.0.1
vpngroup test-vpn wins-server 172.16.0.3
vpngroup test-vpn default-domain password
vpngroup test-vpn idle-time 1800
vpngroup test-vpn password ********
telnet 192.1.1.220 255.255.255.255 inside
telnet timeout 5
ssh 172.16.2.55 255.255.255.255 inside
ssh timeout 5
vpdn username test password test1
vpdn username test1 password test1
terminal width 80
Cryptochecksum:8c87c9adc9f461d3d113ec1f6c51ae0e
Site B Config

show config
: Saved
: Written by enable_15 at 10:24:13.433 UTC Fri May 12 2006

PIX Version 7.0(1)
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 1.2.4.2 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.16.11.254 255.255.240.0
!
enable password aYiGONOGTxE2368q encrypted
passwd aYiGONOGTxE2368q encrypted
hostname tdikeeper
domain-name gsrgh.com
ftp mode passive
access-list acl_inbound extended permit icmp any any
access-list acl_inbound extended permit tcp any host 1.2.4.5 eq 3389
access-list acl_inbound extended permit tcp any host 1.2.4.6 eq 3389
access-list acl_inbound extended permit udp host 1.2.4.2 host 1.2.3.6 eq isakmp
access-list acl_inbound extended permit ah host 1.2.4.2 host 1.2.3.6
access-list acl_inbound extended permit esp host 1.2.4.2 host 1.2.3.6
access-list 101 extended permit ip 172.16.0.0 255.255.240.0 192.168.2.0 255.255.255.0
access-list 101 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list 101 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.240.0
access-list outside_cryptomap_20 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list L2LVPN extended permit ip 172.16.16.0 255.255.240.0 192.1.1.0 255.255.255.0
access-list L2LVPN extended permit ip 172.16.16.0 255.255.240.0 172.16.0.0 255.255.240.0
access-list inside_outbound_nat0 extended permit ip 172.16.16.0 255.255.240.0 172.16.0.0 255.255.240.0
pager lines 24
logging enable
logging timestamp
logging trap debugging
logging host inside 172.16.11.1
no logging message 106015
no logging message 302003
no logging message 304001
no logging message 609002
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface inside
ip local pool bglpool 192.168.2.1-192.168.2.254
no failover
monitor-interface outside
monitor-interface inside
asdm image flash:/asdm
asdm location 1.2.4.5 255.255.255.255 outside
asdm location 1.2.4.6 255.255.255.255 outside
no asdm history enable
arp timeout 14400
global (outside) 1 1.2.4.3
nat (inside) 0 access-list inside_outbound_nat0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 1.2.4.5 172.16.11.1 netmask 255.255.255.255
static (inside,outside) 1.2.4.6 172.16.11.2 netmask 255.255.255.255
access-group acl_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.4.7 1
route inside 172.16.11.0 255.255.255.255 172.16.11.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 172.16.11.5 255.255.255.255 inside
http 172.16.11.46 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community XXXX
snmp-server enable traps snmp
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-none
crypto ipsec transform-set tdi_mines esp-des esp-md5-hmac
crypto map tdi_map 1 match address L2LVPN
crypto map tdi_map 1 set peer 1.2.3.6
crypto map tdi_map 1 set transform-set tdi_mines
crypto map tdi_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 1.2.3.6 255.255.255.255 outside
telnet 172.16.11.5 255.255.255.255 inside
telnet 172.16.1.200 255.255.255.255 inside
telnet 172.16.11.46 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group 1.2.3.6 type ipsec-l2l
tunnel-group 1.2.3.6 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
!
service-policy global_policy global
Cryptochecksum:7ff64c2d67e1aa86fa299ac79710df90
tdikeeper(config)#
Question by:it_gsr
LVL 25

Expert Comment

by:Cyclops3590
ID: 16666647
First off, I highly recommend upgrading site A to 6.3(5).
Second, why is this line on site A using a 255.255.255.248 mask?
isakmp key ******** address 1.2.4.2 netmask 255.255.255.248
Try changing that to 255.255.255.255.

On site B, remove
route inside 172.16.11.0 255.255.255.255 172.16.11.254 1
On site B, where does the 172.16.16.0/20 come from? By the inside address you use, you only have 172.16.0.0-172.16.15.255 for IPs.

Also, your ACLs on both sites don't seem right to me.
On site A, the ACL you match with the L2L tunnel is from the inside network of 172.16.0.0/20 to your VPN pool and to a partial portion of the inside network of site B.
On site B, the ACL you match is from an inside network of site A (from what I can tell from your config) to the LAN of site A, as well as from the inside network of site A to the LAN of site B.

Please tell me what you want to accomplish, because those ACLs just don't seem right to me. I believe you want this, but let me know:
site A
access-list 101 permit ip 172.16.16.0 255.255.240.0 172.16.0.0 255.255.240.0
access-list 101 permit ip 192.1.1.0 255.255.255.0 172.16.0.0 255.255.240.0
site B
access-list L2LVPN permit ip 172.16.0.0 255.255.240.0 172.16.16.0 255.255.240.0
access-list L2LVPN permit ip 172.16.0.0 255.255.240.0 192.1.1.0 255.255.255.0

0
 

Author Comment

by:it_gsr
ID: 16666965
Hi Cyclops3590,
Thanks for your response. The two networks overlap:

Site A           Site B
172.16.0.0/20    172.16.11.0/20

I don't really need the 172.16.16.0/20 bit. The concentration is to get the 172.16.0.0/20 traffic from A and the 172.16.11.0/20 traffic from B flowing to each other.

The purpose of this is to enable the update of our Active Directory details from both sites. We currently have the Domain Controller at Site A and the ADC at site B.


0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16667886
Unless someone else can tell you something I don't know, you can't do what you want to accomplish then. It's a routing issue. If a host at site A wants to get to a host on Site B, it can't.

For example, if 172.16.0.1 wants to talk to 172.16.11.1, 172.16.0.1 thinks that 172.16.11.1 is on the same segment, thus never routing to the firewall to go through the tunnel. And the same the other way around.

Basically, can you change each site to a /24 mask, or does it have to be a /20 mask? If you change to a /24 then we can get things working, but I don't know what else that would affect.
0
 
LVL 9

Expert Comment

by:stressedout2004
ID: 16668668
There is a way around your situation. Implement policy NAT on both ends of the firewall. I need to run some errands today. If you can wait, I'll give you the commands that you need to implement on both sides when I get back.
0
 
LVL 9

Expert Comment

by:stressedout2004
ID: 16684268
The following commands apply NAT on both sides so they appear to be coming from a different network when communicating over the VPN, to avoid the overlapping subnets.

When site A talks to site B, it appears to be coming from the 172.100.0.0 network.
e.g. host 172.16.0.20 will appear as 172.100.0.20

Likewise, when site B talks to site A, it appears to be coming from 172.200.0.0.
e.g. host 172.16.11.1 will appear as 172.200.11.1


Configuration changes require:

Site A:

access-list 102 permit ip 172.100.0.0 255.255.240.0 172.200.0.0 255.255.240.0
access-list vpn_nat permit ip 172.16.0.0 255.255.240.0 172.200.0.0 255.255.240.0
static (inside,outside) 172.100.0.0 access-list vpn_nat
crypto map bgn_map 1 match address 102
 
Then remove the NAT 0 ACL entry:

no access-list 101 permit ip 172.16.0.0 255.255.240.0 172.16.11.0 255.255.255.0



Site B:

access-list L2LVPN permit ip 172.200.0.0 255.255.240.0 172.100.0.0 255.255.240.0
access-list vpn_nat permit ip 172.16.11.0 255.255.240.0 172.100.0.0 255.255.240.0
static (inside,outside) 172.200.0.0 access-list vpn_nat
 
Then remove the NAT 0 ACL entry and the NAT 0 command:

no access-list inside_outbound_nat0 extended permit ip 172.16.16.0 255.255.240.0 172.16.0.0 255.255.240.0
no nat (inside) 0 access-list inside_outbound_nat0

Also remove the following ACL:

no access-list L2LVPN extended permit ip 172.16.16.0 255.255.240.0 172.16.0.0 255.255.240.0

0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16684404
Nice trickery stressed, didn't think of that.

However, that is essentially like changing the IPs on one side or the other (without really having to, yes I know). I'm just curious whether it_gsr can do that or not; whether it might mess something up or not, you know.

Also, I'm still curious whether the segments could be switched to /24 networks. If so, it makes the config much easier. I guess I'm just confused why you'd ever have two separate sites with overlapping subnets.
0
 
LVL 9

Expert Comment

by:stressedout2004
ID: 16686219
It wouldn't mess anything up; it would not affect any existing static statements that are already in place. If it_gsr is not willing to make any changes in his subnetting, then policy NAT is his best bet, even if he opens a TAC case ; ) I have implemented it several times.

>>>I guess I'm just confused why you'd ever have two separate sites with overlapping subnets.

Maybe it_gsr can answer that for us. Overlapping is a bad design in my opinion, but it is unavoidable in some situations, such as merging companies where an IP scheme change is just not feasible, especially with hundreds or even thousands of hosts.



0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16686247
Stressed, I was just saying that the config change could possibly mess something up, but that wholly depends on how it_gsr has their network set up.

Like you said, it_gsr just needs to give us more details.
0
 

Author Comment

by:it_gsr
ID: 16738507
Hi Stressedout2004,
Thanks for your contribution. Below is the error I received when I tried the modification below on site B:

access-list vpn_nat permit ip 172.16.11.0 255.255.240.0 172.100.0.0 255.255.240.0


access-list vpn_nat permit ip 172.16.11.0 255.255.240.0 172$
ERROR: IP address,mask <172.16.11.0,255.255.240.0> doesn't pair
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16738528
Try:
access-list vpn_nat permit ip 172.16.0.0 255.255.240.0 172.100.0.0 255.255.240.0
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16738532
Sorry, forgot to explain.
It doesn't pair because the command wants the network address of that subnet, and since 172.16.11.0 is in the middle of that subnet and is not the network address, it refuses to accept it.
0
 

Author Comment

by:it_gsr
ID: 16738626
Hi Stressedout,

Site A could not execute the static command below:

static (inside,outside) 172.100.0.0 access-list vpn_nat

invalid local IP address access-list
Type help or '?' for a list of available commands

While Site B could not remove inside_outbound_nat0:

no access-list inside_outbound_nat0 extended permit ip 172.$
ERROR: access-list <inside_outbound_nat0> does not exist
0
 
LVL 9

Expert Comment

by:stressedout2004
ID: 16743874
My bad, I forgot to mention that you would need to upgrade Site A to at least version 6.3(5). The version you are running, 6.1(4), does not support Policy NAT.

On Site B, it seems that access-list inside_outbound_nat0 no longer exists, which is why you got that error.
You can't delete something that is no longer there, so that has already been taken care of.
0
 

Author Comment

by:it_gsr
ID: 16762114
Hi Stressedout2004,
Thanks for your support. I am considering changing the IP structure at Site B to 172.17.0.1 255.255.240 to prevent the overlapping IPs and also simplify the configuration. What should the configuration at both ends be to achieve the Site-to-Site flow?

With regard to upgrading the IOS, I am in the process of acquiring a new PIX 515 which will have an updated version of the IOS and also act as a backup to my current PIXs. Once that is onsite, I can replace site A's PIX with the new one and upgrade the IOS.



Thanks
0
 

Author Comment

by:it_gsr
ID: 16786062
Hi Stressedout2004,

I am still awaiting your response to my last comment and would be pleased if it comes in soonest. Thanks.
0
 
LVL 9

Expert Comment

by:stressedout2004
ID: 16786954
I apologize for the delay in reply. Here are the commands that you need. Take note that these changes are based on the configuration you initially posted.


Site A

access-list 101 permit ip 172.16.0.0 255.255.240.0 172.17.0.0 255.255.240.0
no access-list 101 permit ip 172.16.0.0 255.255.240.0 172.16.11.0 255.255.255.0
access-list 120 permit ip 172.16.0.0 255.255.240.0 172.17.0.0 255.255.240.0
no crypto map bgn_map interface outside
no crypto map bgn_map 1 match address 101
crypto map bgn_map 1 match address 120
crypto map bgn_map interface outside

Site B

access-list inside_outbound_nat0 extended permit ip 172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0
no access-list inside_outbound_nat0 extended permit ip 172.16.16.0 255.255.240.0 172.16.0.0 255.255.240.0
no crypto map tdi_map interface outside
access-list L2LVPN extended permit ip 172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0
no access-list L2LVPN extended permit ip 172.16.16.0 255.255.240.0 192.1.1.0 255.255.255.0
no access-list L2LVPN extended permit ip 172.16.16.0 255.255.240.0 172.16.0.0 255.255.240.0

0
 

Author Comment

by:it_gsr
ID: 16820207
Hi Stressedout2004,
The above configs were applied, but I still cannot establish the Site-to-Site connectivity.


0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16820278
Can you post your updated configs so stress and I can look them over?
0
 

Author Comment

by:it_gsr
ID: 16828182

Hi Stress and Cyclops

I've pasted the current config at both sites for your review. The internal IP at site B is currently 172.17.11.0/20.


Site A config
===========
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password aYiGONOGTxE2368q encrypted
passwd t7oLYycQGA49Yo2i encrypted
hostname BGLKEEPER
domain-name gsrgh.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list acl_inbound permit icmp any any
access-list acl_inbound permit udp host 1.2.3.6 host 1.2.4.2 eq isakmp
access-list acl_inbound permit ah host 1.2.3.6 host 1.2.4.2
access-list acl_inbound permit esp host 1.2.3.6 host 1.2.4.2
access-list acl_inbound permit tcp any host 1.2.3.7 eq 3389
access-list 101 permit ip 172.16.0.0 255.255.240.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 172.16.0.0 255.255.240.0 172.17.0.0 255.255.240.0
access-list 120 permit ip 172.16.0.0 255.255.240.0 172.17.0.0 255.255.240.0
pager lines 24
logging on
logging timestamp
logging trap debugging
logging host inside 172.16.0.1
no logging message 106015
no logging message 305004
no logging message 305001
no logging message 302003
no logging message 302002
no logging message 304001
no logging message 302001
no logging message 302006
no logging message 302005
no logging message 609002
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 1.2.3.6 255.255.255.240
ip address inside 192.1.1.251 255.255.255.0
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool bglpool 192.168.1.1-192.168.1.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location 192.1.1.251 255.255.255.255 inside
pdm location 172.16.0.9 255.255.255.255 inside
pdm location 172.16.0.20 255.255.255.255 inside
pdm location 172.16.0.99 255.255.255.255 inside
pdm location 172.16.10.9 255.255.255.255 inside
pdm location 172.16.1.200 255.255.255.255 inside
pdm logging critical 100
pdm history enable
arp timeout 14400
global (outside) 1 1.2.3.2
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 1.2.3.5 172.16.0.20 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.7 172.16.1.200 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.8 172.16.0.9 netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.3.1 1
route inside 10.170.0.0 255.255.255.0 192.1.1.30 1
route inside 172.16.0.0 255.255.240.0 192.1.1.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol tacacs+
http server enable
no snmp-server location
snmp-server community XXXXXXXXXX
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set BASEPIX esp-des esp-sha-hmac
crypto ipsec transform-set bgn_mines esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map outside_map 20 ipsec-isakmp
crypto map bgn_map 1 ipsec-isakmp
crypto map bgn_map 1 match address 101
crypto map bgn_map 1 set peer 1.2.4.2
crypto map bgn_map 1 set transform-set bgn_mines
crypto map bgn_map interface outside
isakmp enable outside
isakmp key ******** address 1.2.4.2 netmask 255.255.255.248
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup TT_roam idle-time 1800
vpngroup test-vpn address-pool bglpool
vpngroup test-vpn dns-server 172.16.0.1
vpngroup test-vpn wins-server 172.16.0.3
vpngroup test-vpn default-domain password
vpngroup test-vpn idle-time 1800
vpngroup test-vpn password ********
telnet 192.1.1.220 255.255.255.255 inside
telnet timeout 5
ssh 172.16.2.55 255.255.255.255 inside
ssh timeout 5
vpdn username test password test1
vpdn username test1 password test1
terminal width 80
Cryptochecksum:8c87c9adc9f461d3d113ec1f6c51ae0e
Site B
=====
PIX Version 7.0(1)
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 1.2.4.2 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.17.11.254 255.255.240.0
!
enable password aYiGONOGTxE2368q encrypted
passwd aYiGONOGTxE2368q encrypted
hostname tdikeeper
domain-name gsrgh.com
ftp mode passive
access-list acl_inbound extended permit icmp any any
access-list acl_inbound extended permit tcp any host 1.2.4.5 eq 3389
access-list acl_inbound extended permit tcp any host 1.2.4.6 eq 3389
access-list acl_inbound extended permit udp host 1.2.4.2 host 1.2.3.6 eq isakmp
access-list acl_inbound extended permit ah host 1.2.4.2 host 1.2.3.6
access-list acl_inbound extended permit esp host 1.2.4.2 host 1.2.3.6
access-list 101 extended permit ip 172.16.0.0 255.255.240.0 192.168.2.0 255.255.255.0
access-list 101 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list 101 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.240.0
access-list outside_cryptomap_20 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list L2LVPN extended permit ip 172.200.0.0 255.255.240.0 172.100.0.0 255.255.240.0
access-list L2LVPN extended permit ip 172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0
access-list inside_outbound_nat0 extended permit ip 172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0
access-list vpn_nat extended permit ip 172.16.0.0 255.255.240.0 172.100.0.0 255.255.240.0
pager lines 24
logging enable
logging timestamp
logging trap debugging
logging host inside 172.17.11.1
no logging message 106015
no logging message 302003
no logging message 304001
no logging message 609002
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface inside
ip local pool bglpool 192.168.2.1-192.168.2.254
no failover
monitor-interface outside
monitor-interface inside
asdm image flash:/asdm
asdm location 1.2.4.5 255.255.255.255 outside
asdm location 1.2.4.6 255.255.255.255 outside
no asdm history enable
arp timeout 14400
global (outside) 1 1.2.4.3
nat (inside) 0 access-list inside_outbound_nat0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 1.2.4.5 172.16.11.1 netmask 255.255.255.255
static (inside,outside) 1.2.4.6 172.16.11.2 netmask 255.255.255.255
access-group acl_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.4.7 1
route inside 172.17.11.0 255.255.255.255 172.17.11.254 1
route inside 172.16.11.0 255.255.255.255 172.16.11.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 172.16.11.5 255.255.255.255 inside
http 172.16.11.46 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community XXXX
snmp-server enable traps snmp
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-none
crypto ipsec transform-set tdi_mines esp-des esp-md5-hmac
crypto map tdi_map 1 match address L2LVPN
crypto map tdi_map 1 set peer 1.2.3.6
crypto map tdi_map 1 set transform-set tdi_mines
crypto map tdi_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 1.2.3.6 255.255.255.255 outside
telnet 172.16.11.5 255.255.255.255 inside
telnet 172.16.1.200 255.255.255.255 inside
telnet 172.16.11.46 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group 1.2.3.6 type ipsec-l2l
tunnel-group 1.2.3.6 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
!
service-policy global_policy global
Cryptochecksum:7ff64c2d67e1aa86fa299ac79710df90
tdikeeper(config)#
0
 
LVL 9

Expert Comment

by:stressedout2004
ID: 16844907
Make the following changes on the PIX in the order that they appear:

Site A

no crypto map bgn_map interface outside
no crypto map bgn_map 1 match address 101
crypto map bgn_map 1 match address 120
crypto map bgn_map interface outside

Site B

no route inside 172.17.11.0 255.255.255.255 172.17.11.254
no route inside 172.16.11.0 255.255.255.255 172.16.11.254
no access-list L2LVPN extended permit ip 172.200.0.0 255.255.240.0 172.100.0.0 255.255.240.0
sysopt connection permit-ipsec

Initiate the tunnel by sending some traffic like icmp. Double check the output of *sh crypto isa sa* on site A and make sure the status is QM_idle or MM_ACTIVE on site B.
0
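The checks the experts walk through in this thread can be expressed in a few lines of Python: Cyclops3590's point that overlapping LANs never route to the firewall, stressedout2004's policy NAT mapping (172.16.0.20 appearing as 172.100.0.20, 172.16.11.1 as 172.200.11.1), the "doesn't pair" error from an ACL whose address is not the network address of its mask, and the mirrored crypto ACLs that the final fix relies on. This is an added example, not code from the thread or from Cisco; the network values are taken from the posted configs and the function names are the author's own.

```python
"""Sanity checks for an overlapping-subnet site-to-site VPN (added example)."""
import ipaddress
from typing import List, Tuple

# A crypto ACL entry as (source network, destination network) in CIDR form.
Acl = Tuple[str, str]


def pairs(addr: str, mask: str) -> bool:
    """True when addr is the network address for mask.

    This is the check behind the PIX error
    'IP address,mask <172.16.11.0,255.255.240.0> doesn't pair':
    172.16.11.0 lies inside 172.16.0.0/20 but is not its network address.
    """
    try:
        ipaddress.ip_network(f"{addr}/{mask}", strict=True)
        return True
    except ValueError:
        return False


def overlapping(net_a: str, net_b: str) -> bool:
    """True when the two LANs share addresses, so a host at one site treats the
    other site's hosts as local and never sends the packet to the firewall."""
    return ipaddress.ip_network(net_a).overlaps(ipaddress.ip_network(net_b))


def policy_nat(host: str, real_net: str, mapped_net: str) -> str:
    """Translate host from real_net to the same offset inside mapped_net.

    Mirrors what 'static (inside,outside) <mapped> access-list vpn_nat' does:
    the host part is kept and only the network part is replaced.
    """
    real = ipaddress.ip_network(real_net)
    mapped = ipaddress.ip_network(mapped_net)
    if real.prefixlen != mapped.prefixlen:
        raise ValueError("real and mapped networks must use the same mask")
    h = ipaddress.ip_address(host)
    if h not in real:
        raise ValueError(f"{host} is not inside {real_net}")
    offset = int(h) - int(real.network_address)
    return str(ipaddress.ip_address(int(mapped.network_address) + offset))


def mirror_problems(site_a: List[Acl], site_b: List[Acl]) -> List[str]:
    """Report crypto ACL entries that the other peer does not mirror.

    A site-to-site tunnel only negotiates (QM_IDLE / MM_ACTIVE in
    'sh crypto isa sa') when every (src, dst) pair on one peer appears as
    (dst, src) on the other; a stale entry on either side is reported here.
    """
    a = {(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in site_a}
    b = {(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in site_b}
    problems = []
    for s, d in sorted(a, key=str):
        if (d, s) not in b:
            problems.append(f"site A entry {s} -> {d} has no mirror on site B")
    for s, d in sorted(b, key=str):
        if (d, s) not in a:
            problems.append(f"site B entry {s} -> {d} has no mirror on site A")
    return problems


# Values taken from the configs posted in the thread (constructed test data).
SITE_A_CRYPTO: List[Acl] = [("172.16.0.0/20", "172.17.0.0/20")]          # ACL 120
SITE_B_CRYPTO_POSTED: List[Acl] = [                                       # L2LVPN as posted
    ("172.200.0.0/20", "172.100.0.0/20"),                                 # stale policy-NAT entry
    ("172.17.0.0/20", "172.16.0.0/20"),
]
SITE_B_CRYPTO_FIXED: List[Acl] = [("172.17.0.0/20", "172.16.0.0/20")]    # after the 'no access-list'


if __name__ == "__main__":
    print("172.16.11.0/255.255.240.0 pairs:", pairs("172.16.11.0", "255.255.240.0"))
    print("original LANs overlap:", overlapping("172.16.0.0/20", "172.16.11.0/24"))
    print("172.16.0.20 seen from B as", policy_nat("172.16.0.20", "172.16.0.0/20", "172.100.0.0/20"))
    print("172.16.11.1 seen from A as", policy_nat("172.16.11.1", "172.16.0.0/20", "172.200.0.0/20"))
    for line in mirror_problems(SITE_A_CRYPTO, SITE_B_CRYPTO_POSTED):
        print(line)
    print("after fix:", mirror_problems(SITE_A_CRYPTO, SITE_B_CRYPTO_FIXED))
```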
 

Author Comment

by:it_gsr
ID: 16947178

Hi Stressedout2004,

Below are the details after applying the config above:

Site A

sh crypto isa
isakmp enable outside
isakmp key ******** address 1.2.4.2 netmask 255.255.255.248
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400



sh crypto isa sa
Total     : 0
Embryonic : 0
        dst            src         state     pending    created



0
 
LVL 9

Expert Comment

by:stressedout2004
ID: 16952510
The tunnel is not getting established. Can you post the recent configuration from both PIXs so we can double-check it?
0
 

Author Comment

by:it_gsr
ID: 17024645
Hi stressedout,
I pasted the current config weeks ago, but it looks like it never found its way onto the site. Here it is again:



Site A
=====
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password aYiGONOGTxE2368q encrypted
passwd t7oLYycQGA49Yo2i encrypted
hostname BGLKEEPER
domain-name mmmm.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list acl_inbound permit icmp any any
access-list acl_inbound permit udp host 1.2.3.6 host 1.2.4.2 eq isakmp
access-list acl_inbound permit ah host 1.2.3.6 host 1.2.4.2
access-list acl_inbound permit esp host 1.2.3.6 host 1.2.4.2
access-list acl_inbound permit tcp any host 1.2.3.7 eq 3389
access-list 101 permit ip 172.16.0.0 255.255.240.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 172.16.0.0 255.255.240.0 172.16.11.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging trap debugging
logging host inside 172.16.0.1
no logging message 106015
no logging message 305004
no logging message 305001
no logging message 302003
no logging message 302002
no logging message 304001
no logging message 302001
no logging message 302006
no logging message 302005
no logging message 609002
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 1.2.3.6 255.255.255.240
ip address inside 192.1.1.251 255.255.255.0
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool bglpool 192.168.1.1-192.168.1.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location 192.1.1.251 255.255.255.255 inside
pdm location 172.16.0.9 255.255.255.255 inside
pdm location 172.16.0.20 255.255.255.255 inside
pdm location 172.16.0.99 255.255.255.255 inside
pdm location 172.16.10.9 255.255.255.255 inside
pdm location 172.16.1.200 255.255.255.255 inside
pdm logging critical 100
pdm history enable
arp timeout 14400
global (outside) 1 1.2.3.2
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 1.2.3.5 172.16.0.20 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.7 172.16.1.200 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.8 172.16.0.9 netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.3.1 1
route inside 10.170.0.0 255.255.255.0 192.1.1.30 1
route inside 172.16.0.0 255.255.240.0 192.1.1.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol tacacs+
http server enable
no snmp-server location
snmp-server community xxxxxx
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set BASEPIX esp-des esp-sha-hmac
crypto ipsec transform-set bgn_mines esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map outside_map 20 ipsec-isakmp
crypto map bgn_map 1 ipsec-isakmp
crypto map bgn_map 1 match address 101
crypto map bgn_map 1 set peer 1.2.4.2
crypto map bgn_map 1 set transform-set bgn_mines
crypto map bgn_map interface outside
isakmp enable outside
isakmp key ******** address 1.2.4.2 netmask 255.255.255.248
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup BGL_roam idle-time 1800
vpngroup gsrgh-vpn address-pool bglpool
vpngroup gsrgh-vpn dns-server 172.16.0.1
vpngroup gsrgh-vpn wins-server 172.16.0.3
vpngroup gsrgh-vpn default-domain password
vpngroup gsrgh-vpn idle-time 1800
vpngroup gsrgh-vpn password ********
telnet 192.1.1.220 255.255.255.255 inside
telnet timeout 5
ssh 172.16.2.55 255.255.255.255 inside
ssh timeout 5
vpdn username xxx password xxx
vpdn username xxx password xxx
terminal width 80
Cryptochecksum:e41785d365372f5d64523d7dff608d46

Site B
=========
PIX Version 7.0(1)
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 1.2.4.2 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.17.11.254 255.255.240.0
!
enable password aYiGONOGTxE2368q encrypted
passwd aYiGONOGTxE2368q encrypted
hostname tdikeeper
domain-name mmmm.com
ftp mode passive
access-list acl_inbound extended permit icmp any any
access-list acl_inbound extended permit tcp any host 1.2.4.5 eq 3389
access-list acl_inbound extended permit tcp any host 1.2.4.6 eq 3389
access-list acl_inbound extended permit udp host 1.2.4.2 host 1.2.3.6 eq isakmp
access-list acl_inbound extended permit ah host 1.2.4.2 host 1.2.3.6
access-list acl_inbound extended permit esp host 1.2.4.2 host 1.2.3.6
access-list 101 extended permit ip 172.16.0.0 255.255.240.0 192.168.2.0 255.255.255.0
access-list 101 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list 101 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.240.0
access-list outside_cryptomap_20 extended permit ip 172.16.11.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list L2LVPN extended permit ip 172.200.0.0 255.255.240.0 172.100.0.0 255.255.240.0
access-list L2LVPN extended permit ip 172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0
access-list inside_outbound_nat0 extended permit ip 172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0
access-list vpn_nat extended permit ip 172.16.0.0 255.255.240.0 172.100.0.0 255.255.240.0
pager lines 24
logging enable
logging timestamp
logging trap debugging
logging host inside 172.16.11.1
no logging message 106015
no logging message 302003
no logging message 304001
no logging message 609002
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface inside
ip local pool bglpool 192.168.2.1-192.168.2.254
no failover
monitor-interface outside
monitor-interface inside
asdm image flash:/asdm
asdm location 1.2.4.5 255.255.255.255 outside
asdm location 1.2.4.6 255.255.255.255 outside
no asdm history enable
arp timeout 1440
global (outside) 1 1.2.4.3
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 172.200.0.0  access-list vpn_nat
static (inside,outside) 1.2.4.5 172.16.17.1 netmask 255.255.255.255
static (inside,outside) 1.2.4.6 172.16.17.2 netmask 255.255.255.255
access-group acl_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.4.7 1
route inside 172.17.11.0 255.255.255.255 172.17.11.254 1
route inside 172.16.11.0 255.255.255.255 172.16.11.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 172.16.11.5 255.255.255.255 inside
http 172.16.11.46 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community XXXXX
snmp-server enable traps snmp
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-none
crypto ipsec transform-set tdi_mines esp-des esp-md5-hmac
crypto map tdi_map 1 match address L2LVPN
crypto map tdi_map 1 set peer 1.2.3.6
crypto map tdi_map 1 set transform-set tdi_mines
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 1.2.3.6 255.255.255.255 outside
telnet 172.16.11.5 255.255.255.255 inside
telnet 172.16.1.200 255.255.255.255 inside
telnet 172.16.11.46 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group 1.2.3.6 type ipsec-l2l
tunnel-group 1.2.3.6 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
!
service-policy global_policy global
Cryptochecksum:80e5f432be5b2a0fa2a3aa26b6264f82

Accepted Solution

by: stressedout2004 earned 2000 total points
ID: 17145829
Please make the following changes:

Site A

access-list 101 permit ip 172.16.0.0 255.255.240.0 172.17.0.0 255.255.240.0
no access-list 101 permit ip 172.16.0.0 255.255.240.0 192.168.1.0 255.255.255.0
no access-list 101 permit ip 172.16.0.0 255.255.240.0 172.16.11.0 255.255.255.0


Site B
no access-list L2LVPN extended permit ip 172.200.0.0 255.255.240.0 172.100.0.0 255.255.240.0
no static (inside,outside) 172.200.0.0  access-list vpn_nat
no access-list vpn_nat extended permit ip 172.16.0.0 255.255.240.0 172.100.0.0 255.255.240.0
access-list nonat extended permit ip 172.17.0.0 255.255.240.0  172.16.0.0 255.255.240.0
nat (inside) 0 access-list nonat
crypto map tdi_map interface outside
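The fix above comes down to making the two crypto ACLs exact mirror images of each other and exempting the same traffic from NAT on each side. As an added example (not from the thread, not Cisco tooling), here is a small Python check that pulls the crypto-map `match address` ACL and the `nat (inside) 0` ACL out of each PIX config and reports a proxy-ID mismatch or a missing NAT exemption; the sample configs are constructed, trimmed versions of Site A, Site B after the fix, and Site B before it.

```python
import re

# Constructed configs (not pasted from the thread): Site A as posted, Site B after
# the accepted fix, and Site B as it stood before it (stale L2LVPN entry, no nat 0).
SITE_A = """
access-list 101 permit ip 172.16.0.0 255.255.240.0 172.17.0.0 255.255.240.0
nat (inside) 0 access-list 101
crypto map bgn_map 1 match address 101
"""
SITE_B_FIXED = """
access-list L2LVPN extended permit ip 172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0
access-list nonat extended permit ip 172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0
nat (inside) 0 access-list nonat
crypto map tdi_map 1 match address L2LVPN
"""
SITE_B_BROKEN = """
access-list L2LVPN extended permit ip 172.200.0.0 255.255.240.0 172.100.0.0 255.255.240.0
access-list L2LVPN extended permit ip 172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0
crypto map tdi_map 1 match address L2LVPN
"""
ACL_RE = re.compile(r"access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)")
CRYPTO_RE = re.compile(r"crypto map \S+ \d+ match address (\S+)")
NONAT_RE = re.compile(r"nat \(inside\) 0 access-list (\S+)")

def parse_pix(cfg):
    """Collect 'permit ip' entries per ACL as (src, smask, dst, dmask), plus the ACL
    the crypto map matches on and the ACL that nat 0 exempts (PIX 6.x and 7.x syntax)."""
    acls, crypto_acl, nonat_acl = {}, None, None
    for line in cfg.splitlines():
        if m := ACL_RE.match(line.strip()):
            acls.setdefault(m[1], []).append((m[2], m[3], m[4], m[5]))
        elif m := CRYPTO_RE.match(line.strip()):
            crypto_acl = m[1]
        elif m := NONAT_RE.match(line.strip()):
            nonat_acl = m[1]
    return acls, crypto_acl, nonat_acl

def mirror(entries):
    """Swap source and destination: what the peer's crypto ACL must contain."""
    return {(d, dm, s, sm) for (s, sm, d, dm) in entries}

def check_pair(cfg_a, cfg_b):
    """Return a list of problems; empty means proxy IDs agree and NAT is exempted."""
    problems = []
    sides = {"A": parse_pix(cfg_a), "B": parse_pix(cfg_b)}
    crypto = {s: set(acls.get(c, [])) for s, (acls, c, _) in sides.items()}
    if crypto["A"] != mirror(crypto["B"]):
        problems.append("crypto ACLs are not mirror images; Phase 2 proxy IDs will not match")
    for side, (acls, _, nonat) in sides.items():
        missing = crypto[side] - set(acls.get(nonat, []))
        if missing:
            problems.append(f"site {side}: nat 0 does not exempt {sorted(missing)}")
    return problems
```

Run `check_pair(SITE_A, SITE_B_BROKEN)` to see both findings from the thread (the stale 172.200.0.0/172.100.0.0 entry and the missing NAT exemption); `check_pair(SITE_A, SITE_B_FIXED)` returns an empty list.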

Author Comment

by:it_gsr
ID: 17401230
Hi Keith_Alabaster,
I still do not have a solution to my problem. Please leave the question open.

Question has a verified solution.