Solved

How to setup a second Cisco 515 Pix to Cisco 515 Pix tunnel with one tunnel already in place

Posted on 2006-05-17
Last Modified: 2010-04-12
Hi folks,

Right now, we have a Cisco 515 pix (A) in the office and we have an existing VPN tunnel going to another office with a cisco Pix (B).  What we want is to use the same 515 pix (A) and have another tunnel to another location with a 515 Pix (C)

I will provide the show runs of both Pix (A) and Pix (C) below (toward the end of it)

When I go "debug crypto ipsec" & "debug crypto isakmp" I get flooded with these messages, the most important and obvious is this..

The behavior is that the tunnel for 56.221 and 76.181 works and then it dies when the below message happens for the 46.147 tunnel and 76.181 tunnel, deleting all SAs..

Any help would be greatly appreciated.. I will reply fast if you need more info..

Thanks
Kit

Debug messages
---------------------------------------------------
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a VPN3000 concentrator

ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:46.147.161.162, dest:76.181.123.131 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of -516398444:e1386294IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xd763706f(3613618287) for SA
        from  46.147.161.162 to   76.181.123.131 for prot 3

return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:46.147.161.162/500 Total VPN Peers:2
VPN Peer: ISAKMP: Peer ip:46.147.161.162/500 Ref cnt incremented to:1 Total VPN Peers:2
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1247456964:b5a5513cIPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xf12b38f7(4046141687) for SA
        from  46.147.161.162 to   76.181.123.131 for prot 3

crypto_isakmp_process_block:src:46.147.161.162, dest:76.181.123.131 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3778568852

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      encaps is 1
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 46.147.161.162, src= 76.181.123.131,
    dest_proxy= 10.4.0.0/255.255.0.0/0/0 (type=4),
    src_proxy= 172.16.2.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): peer address 46.147.161.162 not found
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 46.147.161.162, src= 76.181.123.131,
    dest_proxy= 172.16.2.0/255.255.255.0/0/0 (type=4),
    src_proxy= 10.4.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): peer address 76.181.123.131 not found

ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:46.147.161.162, dest:76.181.123.131 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 18 protocol 1
        spi 0, message ID = 2665747079
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): beginning Quick Mode exchange, M-ID of -2104966898:8288c10eIPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xb5e444e5(3051635941) for SA
        from  46.147.161.162 to   76.181.123.131 for prot 3

crypto_isakmp_process_block:src:46.147.161.162, dest:76.181.123.131 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 18 protocol 1
        spi 0, message ID = 1896207551
return status is IKMP_NO_ERR_NO_TRANS
---------------------------------------------------




PIX(A)
---------------------------------------------------
ework-firewall# show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password gwFObxY7Vo5bl2Ie encrypted
passwd gwFObxY7Vo5bl2Ie encrypted
hostname ework-firewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list vpn1 permit ip 172.16.2.0 255.255.255.0 172.16.32.0 255.255.252.0
access-list vpn1 permit ip 172.16.4.0 255.255.255.0 172.16.32.0 255.255.252.0
access-list vpn1 permit ip 172.16.1.0 255.255.255.0 172.16.32.0 255.255.252.0
access-list vpn1 permit ip 172.16.6.0 255.255.255.0 172.16.32.0 255.255.252.0
access-list vpn1 permit ip 10.3.0.0 255.255.0.0 172.16.32.0 255.255.252.0
access-list vpn1 permit ip 172.16.2.0 255.255.255.0 10.4.0.0 255.255.0.0
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit udp any host 76.181.123.134 eq ntp
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit ip 172.16.10.0 255.255.255.0 any
access-list outside_access_in permit udp any host 67.150.248.77 eq ntp
access-list outside_access_in permit tcp any host 76.181.123.148 eq www
access-list outside_access_in permit tcp any host 76.181.123.147 eq www
access-list outside_access_in permit tcp any host 76.181.123.146 eq 995
access-list outside_access_in permit tcp any host 76.181.123.146 eq 993
access-list outside_access_in permit tcp any host 76.181.123.146 eq https
access-list outside_access_in permit tcp any host 76.181.123.146 eq www
access-list outside_access_in permit tcp any host 76.181.123.136 eq www
access-list outside_access_in permit tcp any host 76.181.123.137 eq www
access-list outside_access_in permit tcp any host 76.181.123.138 eq www
access-list outside_access_in permit tcp any host 76.181.123.139 eq www
access-list outside_access_in permit tcp any host 76.181.123.140 eq ssh
access-list outside_access_in permit tcp any host 76.181.123.139 eq https
access-list outside_access_in permit tcp any host 76.181.123.142 eq https
access-list outside_access_in permit tcp any host 76.181.123.143 eq www
access-list outside_access_in permit tcp any host 76.181.123.145 eq www
access-list outside_access_in permit tcp any host 76.181.123.145 eq https
access-list outside_access_in permit tcp any host 76.181.123.155 eq domain
access-list outside_access_in permit tcp any host 76.181.123.156 eq domain
access-list outside_access_in permit udp any host 76.181.123.156 eq domain
access-list outside_access_in permit udp any host 76.181.123.155 eq domain
access-list outside_access_in permit tcp any host 76.181.123.141 eq www
access-list outside_access_in permit tcp any host 76.181.123.141 eq https
access-list user_vpn permit ip 172.16.2.0 255.255.255.0 172.16.32.0 255.255.252.0
access-list user_vpn permit ip 172.16.4.0 255.255.255.0 172.16.32.0 255.255.252.0
access-list user_vpn permit ip 172.16.1.0 255.255.255.0 172.16.32.0 255.255.252.0
access-list user_vpn permit ip host 172.16.2.180 any
access-list user_vpn permit ip 172.16.6.0 255.255.255.0 172.16.32.0 255.255.252.0
access-list user_vpn permit ip 172.16.2.0 255.255.255.0 10.4.0.0 255.255.0.0
access-list vpn2 permit ip 172.16.2.0 255.255.255.0 10.4.0.0 255.255.0.0
pager lines 24
logging on
logging monitor alerts
logging buffered notifications
logging trap warnings
logging history warnings
logging facility 23
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 76.181.123.131 255.255.255.224
ip address inside 172.16.2.4 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 172.16.2.180-172.16.2.189
pdm history enable
arp timeout 600
global (outside) 1 76.181.123.148
nat (inside) 0 access-list vpn1
nat (inside) 1 172.16.2.0 255.255.255.0 0 0
static (inside,outside) 76.181.123.141 172.16.2.87 netmask 255.255.255.255 0 0
static (inside,outside) 76.181.123.147 172.16.2.37 netmask 255.255.255.255 0 0
static (inside,outside) 76.181.123.146 172.16.2.10 netmask 255.255.255.255 0 0
static (inside,outside) 76.181.123.144 172.16.2.33 netmask 255.255.255.255 0 0
static (inside,outside) 76.181.123.145 172.16.2.9 netmask 255.255.255.255 0 0
static (inside,outside) 76.181.123.155 172.16.2.2 netmask 255.255.255.255 0 0
static (inside,outside) 76.181.123.143 172.16.2.28 netmask 255.255.255.255 0 0
static (inside,outside) 76.181.123.142 172.16.2.79 netmask 255.255.255.255 0 0
static (inside,outside) 76.181.123.135 172.16.2.80 netmask 255.255.255.255 0 0
static (inside,outside) 76.181.123.140 172.16.2.32 netmask 255.255.255.255 0 0
static (inside,outside) 76.181.123.139 172.16.2.22 netmask 255.255.255.255 0 0
static (inside,outside) 76.181.123.138 172.16.2.29 netmask 255.255.255.255 0 0
static (inside,outside) 76.181.123.137 172.16.2.20 netmask 255.255.255.255 0 0
static (inside,outside) 76.181.123.136 172.16.2.26 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 76.181.123.130 1
route inside 172.16.1.0 255.255.255.0 172.16.2.3 1
route inside 172.16.4.0 255.255.255.0 172.16.2.3 1
route inside 172.16.6.0 255.255.255.0 172.16.2.3 1
route inside 192.168.10.0 255.255.255.0 172.16.2.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:03:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:30:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.2.0 255.255.255.0 inside
snmp-server host inside 172.16.2.79
snmp-server location Market St.
snmp-server contact hostmaster@ework.com
snmp-server community ework333
snmp-server enable traps
tftp-server inside 172.16.2.204 data\pixfw
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ECCVPN esp-des esp-md5-hmac
crypto ipsec transform-set SFCOLOVPN esp-des esp-md5-hmac
crypto map SACVPN 10 ipsec-isakmp
crypto map SACVPN 10 match address vpn1
crypto map SACVPN 10 set peer 56.221.130.19
crypto map SACVPN 10 set transform-set ECCVPN
crypto map SACVPN 15 ipsec-isakmp
crypto map SACVPN 15 match address vpn1
crypto map SACVPN 15 set peer 46.147.161.162
crypto map SACVPN 15 set transform-set SFCOLOVPN
crypto map SACVPN interface outside
isakmp enable outside
isakmp key ******** address 56.221.130.19 netmask 255.255.255.255
isakmp key ******** address 46.147.161.162 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 28800
telnet 172.16.2.0 255.255.255.0 inside
telnet 172.16.0.0 255.255.0.0 inside
telnet 172.16.2.0 255.255.255.0 intf2
telnet 172.16.0.0 255.255.0.0 intf2
telnet timeout 10
ssh timeout 5
management-access inside
terminal width 80
Cryptochecksum:3ef8a99c9adedc782e51e2a8ccd940e5
: end




PIX(C)
---------------------------------------------------
PIX Version 7.1(1)
!
hostname BL-PIX
domain-name ework.com
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 46.147.161.162 255.255.255.240
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.4.0.101 255.255.0.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name ework.com
access-list outside_access_in extended permit tcp any host 46.147.161.164 eq www
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list vpn1 extended permit ip 10.4.0.0 255.255.0.0 172.16.2.0 255.255.255.0
access-list user_vpn extended permit ip 10.4.0.0 255.255.0.0 172.16.2.0 255.255.255.0
pager lines 24
logging enable
mtu inside 1500
mtu outside 1500
no failover
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list vpn1
static (inside,outside) 46.147.161.164 10.4.100.10 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 10.4.0.0 255.255.128.0 10.4.1.101 1
route inside 172.16.32.0 255.255.255.0 10.4.0.11 1
route inside 10.3.0.0 255.255.0.0 10.4.0.100 1
route outside 0.0.0.0 0.0.0.0 46.147.161.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set COLOSF esp-des esp-md5-hmac
crypto map SFCOLOVPN 15 match address vpn1
crypto map SFCOLOVPN 15 set peer 76.181.123.131
crypto map SFCOLOVPN 15 set transform-set COLOSF
crypto map SFCOLOVPN interface outside
isakmp identity address
isakmp enable outside
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 28800
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group 76.181.123.131 type ipsec-l2l
tunnel-group 76.181.123.131 ipsec-attributes
 pre-shared-key *
telnet 10.3.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
ssl encryption rc4-md5
: end
0
Question by:kitster510
6 Comments
 
LVL 9

Accepted Solution

by:
stressedout2004 earned 1280 total points
ID: 16705217
You have to use a separate access-list for the match address of the VPN connection. You can't be using the same match address, otherwise you will have problems like you are having. The same thing goes for the access-list for NAT 0. If you have VPN connections going to different sites, you don't use the same access-list that you use for match address.

Make the following modification on PIX A:

access-list nonat_acl permit ip 172.16.2.0 255.255.255.0 172.16.32.0 255.255.252.0
access-list nonat_acl permit ip 172.16.4.0 255.255.255.0 172.16.32.0 255.255.252.0
access-list nonat_acl permit ip 172.16.1.0 255.255.255.0 172.16.32.0 255.255.252.0
access-list nonat_acl permit ip 172.16.6.0 255.255.255.0 172.16.32.0 255.255.252.0
access-list nonat_acl permit ip 10.3.0.0 255.255.0.0 172.16.32.0 255.255.252.0
access-list nonat_acl permit ip 172.16.2.0 255.255.255.0 10.4.0.0 255.255.0.0

nat (inside) 0 access-list nonat_acl

no access-list vpn1 permit ip 172.16.2.0 255.255.255.0 10.4.0.0 255.255.0.0

access-list vpn2 permit ip 172.16.2.0 255.255.255.0 10.4.0.0 255.255.0.0

no crypto map SACVPN interface outside

no crypto map SACVPN 15 match address vpn1
crypto map SACVPN 15 match address vpn2

crypto map SACVPN interface outside







0
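The following is an added example and is not code from the thread or from Cisco: a small Python audit that reads the `access-list ... permit ip`, `nat (inside) 0 access-list` and `crypto map ... match address` / `set peer` lines of a PIX 6.x style config and reports exactly the two problems the accepted answer names (one ACL bound as match address to more than one crypto map entry, and the NAT 0 ACL doubling as a crypto match address). It also walks a simplified model of the phase-2 proxy-identity check seen in the question's debug output: the first crypto map entry whose ACL covers the proposed proxy identities is taken, and if that entry names a different peer the proposal is rejected, which is how the `peer address ... not found` lines read. That selection model is an assumption made for illustration, not a description of the PIX code path. The two embedded config excerpts are constructed from the PIX(A) `show run` in the question and from the accepted fix, trimmed to the lines the audit reads.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt of PIX(A) from the question, trimmed to the lines the audit reads.
PIX_A_BEFORE = """\
access-list vpn1 permit ip 172.16.2.0 255.255.255.0 172.16.32.0 255.255.252.0
access-list vpn1 permit ip 172.16.2.0 255.255.255.0 10.4.0.0 255.255.0.0
access-list vpn2 permit ip 172.16.2.0 255.255.255.0 10.4.0.0 255.255.0.0
nat (inside) 0 access-list vpn1
crypto map SACVPN 10 match address vpn1
crypto map SACVPN 10 set peer 56.221.130.19
crypto map SACVPN 15 match address vpn1
crypto map SACVPN 15 set peer 46.147.161.162
"""

# Constructed excerpt of the same box after the accepted answer's changes.
PIX_A_AFTER = """\
access-list nonat_acl permit ip 172.16.2.0 255.255.255.0 172.16.32.0 255.255.252.0
access-list nonat_acl permit ip 172.16.2.0 255.255.255.0 10.4.0.0 255.255.0.0
access-list vpn1 permit ip 172.16.2.0 255.255.255.0 172.16.32.0 255.255.252.0
access-list vpn2 permit ip 172.16.2.0 255.255.255.0 10.4.0.0 255.255.0.0
nat (inside) 0 access-list nonat_acl
crypto map SACVPN 10 match address vpn1
crypto map SACVPN 10 set peer 56.221.130.19
crypto map SACVPN 15 match address vpn2
crypto map SACVPN 15 set peer 46.147.161.162
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
MAP_MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
MAP_PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")


def parse_config(text):
    """Return (acls, entries, nat0_acl). acls: name -> [(src_net, dst_net)];
    entries: (map, seq) -> {"acl": name, "peer": ip}. Other lines are ignored."""
    acls = defaultdict(list)
    entries = {}
    nat0 = None
    for line in text.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls[name].append((ipaddress.ip_network(f"{s}/{sm}"),
                               ipaddress.ip_network(f"{d}/{dm}")))
        elif m := NAT0_RE.match(line):
            nat0 = m.group(1)
        elif m := MAP_MATCH_RE.match(line):
            entries.setdefault((m.group(1), int(m.group(2))), {})["acl"] = m.group(3)
        elif m := MAP_PEER_RE.match(line):
            entries.setdefault((m.group(1), int(m.group(2))), {})["peer"] = m.group(3)
    return acls, entries, nat0


def select_entry(acls, entries, src_proxy, dst_proxy):
    """Simplified model (assumption): entries are tried in ascending sequence and the
    first one whose ACL covers both proxy identities wins."""
    src, dst = ipaddress.ip_network(src_proxy), ipaddress.ip_network(dst_proxy)
    for key in sorted(entries):
        for s, d in acls.get(entries[key].get("acl"), []):
            if src.subnet_of(s) and dst.subnet_of(d):
                return key
    return None


def audit(text):
    """Findings as strings; an empty list means the two checks pass."""
    acls, entries, nat0 = parse_config(text)
    users = defaultdict(list)
    for key, e in entries.items():
        users[e.get("acl")].append(key)
    findings = [f"ACL {acl} is the match address of several crypto map entries: {sorted(keys)}"
                for acl, keys in users.items() if len(keys) > 1]
    if nat0 in users:
        findings.append(f"nat 0 ACL {nat0} is also a crypto map match address")
    return findings


def explain_proposal(text, peer, src_proxy, dst_proxy):
    """Explain whether a phase-2 proposal from `peer` for these proxies would be accepted."""
    acls, entries, _ = parse_config(text)
    key = select_entry(acls, entries, src_proxy, dst_proxy)
    if key is None:
        return "no crypto map entry matches the proxy identities"
    chosen = entries[key]["peer"]
    if chosen == peer:
        return f"ok: entry {key} peer {peer}"
    return f"peer {peer} not found: entry {key} selected by ACL {entries[key]['acl']} names peer {chosen}"


if __name__ == "__main__":
    for label, cfg in (("before", PIX_A_BEFORE), ("after", PIX_A_AFTER)):
        print(label, audit(cfg) or ["clean"])
        print(label, explain_proposal(cfg, "46.147.161.162", "172.16.2.0/24", "10.4.0.0/16"))
```

Run against the "before" excerpt, the audit lists `vpn1` twice (shared by sequences 10 and 15, and reused by `nat 0`) and the proposal from 46.147.161.162 for 172.16.2.0/24 to 10.4.0.0/16 lands on sequence 10, whose peer is 56.221.130.19; after the fix the audit is empty and the same proposal is accepted by sequence 15.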
 

Author Comment

by:kitster510
ID: 16705640
StressedOut2004-

Thanks for the quick reply..

Looking at your response, I am wondering for the current access-list vpn1 on Pix(A), do I leave those entries there?

I'm trying to break things down because I have very little Cisco VPN experience other than putting a single Pix to Pix up. I am going for my CCNA in the next two months, so please bear with me..

What I gather is,
* So the first chunk of access-list nonat_acl is a general access-list that will tell where the VPN tunnels will go when it gets accessed. It would take off what is going to the 10.4.x using the VPN1 tunnel, and put it on for vpn2.
* The "nat (inside) 0 access-list nonat_acl" will replace the current "nat (inside) 0 access-list vpn1" statement?

Would I need to do anything on Pix(C) to make it work?

Thanks in advance
0
 
LVL 9

Expert Comment

by:stressedout2004
ID: 16705750
**** So the first chunk of access-list nonat_acl is a general access-list that will tell where the VPN tunnels will go when it gets accessed. It would take off what is going to the 10.4.x using the VPN1 tunnel, and put it on for vpn2.

The first chunk of access-list called nonat_acl allows the PIX to bypass NAT when the internal network communicates with the remote sites, regardless of which tunnel it would go to. PIX A does PAT, which translates all internal hosts to the PIX outside IP address for internet access. We don't want this translation happening when the traffic is going over the VPN tunnel. So the access-list nonat_acl defines those NAT exception rules.

*** The "nat (inside) 0 access-list nonat_acl" will replace the current "nat (inside) 0 access-list vpn1" statement?

Yes, if you compare the access-list entry of vpn1 and nonat_acl you would notice that they are exactly the same entries, only the access-list name is different. We need to change the access-list name for it because using the same access-list for the NAT 0 and crypto match address in the case of multiple VPN tunnels will cause the tunnel to malfunction.

*** Would I need to do anything on Pix(C) to make it work?

It depends, I need to see how you had the PIX C configured.

Don't hesitate to ask if you need further info.

Good luck with your CCNA.




0
 

Author Comment

by:kitster510
ID: 16710482
StressedOut2004-

Thanks for the rundown of what each chunk of text was.. I will try them out and see what happens..

Oh, the "show run" for PIX(C) is provided in the opening post. It's the last of the chunks of text. (sorry for the huge amount of text)
0
 
LVL 9

Expert Comment

by:stressedout2004
ID: 16711348
Oh yeah right, I'm sorry. Well, right now the config on PIX C is fine for now even though it is using the same access-list (vpn1) for the match address and the NAT 0. But only because you currently have one tunnel on it right now. In the future, if you decide to add more tunnels on PIX C, you will have to make modifications in the access-list. I think it will be wise to modify the configuration on PIX C now while you're making these changes. It's up to you. Whatever you decide, I will give you the configuration changes on PIX C anyway.

Just add the following lines to the PIX C. It will automatically overwrite the existing nat (inside) 0.

access-list nonat extended permit ip 10.4.0.0 255.255.0.0 172.16.2.0 255.255.255.0
nat (inside) 0 access-list nonat
0
 

Author Comment

by:kitster510
ID: 16725141
Great.. thanks for the comment and quick response stressedout2004.. it worked just as planned and we got the VPN up, thank you so much!
0
