
Site to Site VPN between 3 Cisco PIX 506E

Hi Guys,

Can someone advise me step by step on how to create a Site to Site VPN between 3 Cisco PIX 506E. Basically I want Site B and Site C to connect to Site A. Someone referred me to Cisco's site, where a document for Site to Site VPN is available, but it didn't work for me...

I followed the Wizards in PDM but every time I save changes I lose internet in our office, i.e. the PIX seems to block any outbound traffic. This only happens if I use the Wizards to configure VPN..


Help Plz..
Asked by fais79

1 Solution

naveedb commented:
Can you post your running configs from all three PIXes? Log in and type show running.

We can then try to guide you through it.

You may want to remove IP Addresses and passwords from the configurations
aravinthrk commented:
Waiting for the configs naveedb mentioned, fais. Also, if possible, give us a network diagram of what you want to achieve. It will be useful.
fais79 (Author) commented:

Sorry for the delay mate, had to travel 100 miles up north to get the config because I lost connection with the PIX.

Anyways here it is:



Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password HJGJHGghghgg encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any any
access-list outside_cryptomap_20 permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside XXX.XXX.XXX.XXX 255.255.255.248
ip address inside 90.0.2.10 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 90.0.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer XXX.XXX.XXX.XXX
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address XXX.XXX.XXX.XXX netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:06e28a513d1dfa5c0ab5e42b08152715
: end
[OK]
fais79 (Author) commented:
Sorry forgot about the Network Diagram:

Each Site:

Netgear DG632 Modem/Router -----> PIX 506E ------> Server


The above setup is the same for each site, so the Netgear dynamically gives a local IP to the PIX and hence forwards all traffic to the PIX.

Just to refresh, the problem is every time I try to set up the Site to Site VPN I lose the internet through the PIX!


Cheers
naveedb commented:
What are the subnets at each site? The configuration you listed shows an internal IP address of 90.0.2.10? That is a public IP address.
fais79 (Author) commented:
Hi Naveed,

These are internal subnets i.e.

90.0.2.0 Site C
90.0.1.0 Site B
90.0.0.0 Site A
naveedb commented:
Netgear router: how is it set up? Does it do any NAT translation, or does it just give a public IP address to the PIX outside interface?

We will try to configure Site-A and Site-B first; when that is working we will continue with the rest of the configuration.
fais79 (Author) commented:
Netgear Router does do NAT and throws a local ip to PIX's outside interface. I've set it to forward all inbound traffic from ports 0 - 5000 to PIX. This range of ports should cover all standard ports.
naveedb commented:
Do you need to have the Netgear router? Can we connect the PIX directly to the Internet? I have never configured a PIX with port forwarding for site to site, so I am not sure if it will work. Have a look at the following PAQ:

http://www.experts-exchange.com/Security/Firewalls/Q_21690643.html

fais79 (Author) commented:
OK, I got two of the PIXes at different offices connected directly to an ADSL modem.

The two are still not talking, but this time the IKE tunnel between the two seems to have been established!

Below are configs for two offices:

Site A (Head Office)
----------------------------------------------------------------------------------------------------------------------------------------

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password jFohQxUSh7M4DSoy encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixderby
domain-name jtrecruit.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 90.0.0.3 Server
access-list outside_access_in permit tcp any interface outside eq 3389
access-list outside_access_in permit tcp any interface outside eq pptp
access-list outside_access_in deny tcp any any
access-list inside_outbound_nat0_acl permit ip 90.0.0.0 255.255.255.0 90.0.2.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 90.0.0.0 255.255.255.0 90.0.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 217.12.213.77 255.255.255.248
ip address inside 90.0.0.10 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Server 255.255.255.255 inside
pdm location 90.0.2.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 Server 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp Server pptp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 217.12.213.202 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 90.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 82.56.123.146
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 82.56.123.146 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum:6eec9689da155e205711f15879a57ce5
: end
[OK]
-----------------------------------------------------------------------------------------------------------------

pixhead(config)# show crypto isakmp sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
    82.56.123.146   217.12.213.77     QM_IDLE         0           0

-----------------------------------------------------------------------------------------------------------------

pixderby(config)# show crypto ip sa


interface: outside
    Crypto map tag: outside_map, local addr. 217.12.213.77

   local  ident (addr/mask/prot/port): (90.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (90.0.2.0/255.255.255.0/0/0)
   current_peer: 82.56.123.146:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 589, #recv errors 0

     local crypto endpt.: 217.12.213.77, remote crypto endpt.: 82.56.123.146
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:

-------------------------------------------------------------------------------------------------------------------------------------------




Site B (Branch)
----------------------------------------------------------------------------------------------------------------------------------------

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password jFohQxUSh7M4DSoy encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixmansfield
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 90.0.2.1 Server
access-list outside_access_in permit tcp any interface outside eq 3389
access-list outside_access_in permit tcp any interface outside eq pptp
access-list outside_access_in deny tcp any any
access-list inside_outbound_nat0_acl permit ip 90.0.2.0 255.255.255.0 90.0.0.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 90.0.2.0 255.255.255.0 90.0.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 82.56.123.146 255.255.255.248
ip address inside 90.0.2.10 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Server 255.255.255.255 inside
pdm location 90.0.0.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 Server 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp Server pptp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 82.6.232.145 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 90.0.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 217.12.213.77
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 217.12.213.77 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:8ef066242a5c387fa1553bd00d4ecae1
: end
[OK]

-----------------------------------------------------------------------------------------------------------------

pixmbranch(config)# show crypto isakmp sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
    82.56.123.146   217.12.213.77    QM_IDLE         0           0

-----------------------------------------------------------------------------------------------------------------

pixbranch(config)# show crypto ip sa


interface: outside
    Crypto map tag: outside_map, local addr. 82.56.123.146

   local  ident (addr/mask/prot/port): (90.0.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (90.0.0.0/255.255.255.0/0/0)
   current_peer: 217.12.213.77:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 324, #recv errors 0

     local crypto endpt.: 82.56.123.146, remote crypto endpt.: 217.12.213.77
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:
------------------------------------------------------------------------------------------------------------------------------
naveedb commented:
Your transform sets do not match.

Please do the following
Site A
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
no crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 20 set transform-set ESP-3DES-MD5

Site B
no crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 20 set transform-set ESP-3DES-MD5

Check the running config to make sure they have been applied, then

clear crypto isakmp sa
clear crypto ipsec sa

From inside network of Site A try to ping the inside network of Site B and vice versa and let us know how it goes.
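An added example, my own code and not something from the thread or from Cisco, that checks mechanically what naveedb diagnosed by eye above, and also what the first wizard-generated config posted earlier shows: it parses the VPN-relevant lines of two PIX 6.3 running configs, verifies that the peer addresses, the Phase 1 (isakmp policy) attributes, the transform set bound to each crypto map entry and the crypto ACLs agree between the two sites, and flags a crypto ACL that permits ip any any (the wizard config's `outside_cryptomap_20`), which selects every outbound packet, internet traffic included, for the tunnel. The config excerpts are built from the values posted in this thread; the function and field names are my own.

```python
# Added example (not from the thread): consistency check between two PIX 6.3
# site-to-site peers.  Config excerpts below use the values posted above.
import re
from dataclasses import dataclass, field


@dataclass
class PixVpn:
    hostname: str = ""
    outside_ip: str = ""
    peer: str = ""
    crypto_acl: str = ""                                # ACL named in "match address"
    map_transform: str = ""                             # set bound to the crypto map entry
    transform_sets: dict = field(default_factory=dict)  # name -> (esp cipher, esp auth)
    acls: dict = field(default_factory=dict)            # ACL name -> [(src, dst), ...]
    isakmp: dict = field(default_factory=dict)          # Phase 1 attribute -> value


def parse_pix(config: str) -> PixVpn:
    """Pull the VPN-relevant lines out of a PIX 6.3 running config."""
    v = PixVpn()
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"hostname (\S+)$", line):
            v.hostname = m.group(1)
        elif m := re.match(r"ip address outside (\S+) \S+$", line):
            v.outside_ip = m.group(1)
        elif m := re.match(r"crypto ipsec transform-set (\S+) (\S+) (\S+)$", line):
            v.transform_sets[m.group(1)] = (m.group(2), m.group(3))
        elif m := re.match(r"crypto map \S+ \d+ set transform-set (\S+)$", line):
            v.map_transform = m.group(1)
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)$", line):
            v.peer = m.group(1)
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)$", line):
            v.crypto_acl = m.group(1)
        elif m := re.match(r"access-list (\S+) permit ip (\S+ \S+|any) (\S+ \S+|any)$", line):
            v.acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := re.match(r"isakmp policy \d+ (\w+) (\S+)$", line):
            v.isakmp[m.group(1)] = m.group(2)
    return v


def broad_crypto_acl(v: PixVpn) -> bool:
    """True when the crypto ACL permits ip any any: every outbound packet is then
    classified as interesting traffic, so internet-bound traffic goes to the tunnel."""
    return any(s == "any" and d == "any" for s, d in v.acls.get(v.crypto_acl, []))


def check_pair(a: PixVpn, b: PixVpn) -> list:
    """Return the findings for one tunnel; an empty list means the peers agree."""
    findings = []
    for x, y in ((a, b), (b, a)):
        if x.peer != y.outside_ip:
            findings.append(f"{x.hostname}: peer {x.peer} is not {y.hostname}'s outside {y.outside_ip}")
        if broad_crypto_acl(x):
            findings.append(f"{x.hostname}: crypto ACL {x.crypto_acl} is any/any")
    for attr in ("authentication", "encryption", "hash", "group"):
        if a.isakmp.get(attr) != b.isakmp.get(attr):
            findings.append(f"phase 1 {attr}: {a.isakmp.get(attr)} vs {b.isakmp.get(attr)}")
    ta, tb = a.transform_sets.get(a.map_transform), b.transform_sets.get(b.map_transform)
    if ta != tb:  # the mismatch naveedb spotted: same cipher, different ESP auth
        findings.append(f"phase 2 transform: {a.map_transform}={ta} vs {b.map_transform}={tb}")
    mirrored = {(d, s) for s, d in b.acls.get(b.crypto_acl, [])}
    if set(a.acls.get(a.crypto_acl, [])) != mirrored:  # crypto ACLs must mirror each other
        findings.append("crypto ACLs are not mirror images")
    return findings


def apply_fix(config: str) -> str:
    """Emulate naveedb's fix: define ESP-3DES-MD5 and rebind the map entry to it."""
    keep = [l for l in config.splitlines() if "set transform-set" not in l]
    keep.append("crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac")
    keep.append("crypto map outside_map 20 set transform-set ESP-3DES-MD5")
    return "\n".join(keep)


def site_excerpt(host, outside, peer, local, remote, tset, esp_auth):
    """Relevant lines of a posted config (values copied from the thread)."""
    return (f"hostname {host}\nip address outside {outside} 255.255.255.248\n"
            f"access-list outside_cryptomap_20 permit ip {local} 255.255.255.0 {remote} 255.255.255.0\n"
            f"crypto ipsec transform-set {tset} esp-des {esp_auth}\n"
            f"crypto map outside_map 20 match address outside_cryptomap_20\n"
            f"crypto map outside_map 20 set peer {peer}\n"
            f"crypto map outside_map 20 set transform-set {tset}\n"
            "isakmp policy 20 authentication pre-share\nisakmp policy 20 encryption des\n"
            "isakmp policy 20 hash sha\nisakmp policy 20 group 2\n")


SITE_A = site_excerpt("pixderby", "217.12.213.77", "82.56.123.146",
                      "90.0.0.0", "90.0.2.0", "ESP-DES-MD5", "esp-md5-hmac")
SITE_B = site_excerpt("pixmansfield", "82.56.123.146", "217.12.213.77",
                      "90.0.2.0", "90.0.0.0", "ESP-DES-SHA", "esp-sha-hmac")
# The first (wizard) config in the thread: crypto ACL is "permit ip any any".
WIZARD = ("hostname pix\naccess-list outside_cryptomap_20 permit ip any any\n"
          "crypto map outside_map 20 match address outside_cryptomap_20\n")

if __name__ == "__main__":
    print("as posted:", check_pair(parse_pix(SITE_A), parse_pix(SITE_B)) or "ok")
    print("after fix:", check_pair(parse_pix(apply_fix(SITE_A)), parse_pix(apply_fix(SITE_B))) or "ok")
    print("wizard config any/any crypto ACL:", broad_crypto_acl(parse_pix(WIZARD)))
```

Run as posted, the only finding is the Phase 2 transform mismatch (esp-md5-hmac on one side, esp-sha-hmac on the other), which is exactly why `show crypto isakmp sa` shows QM_IDLE while `show crypto ipsec sa` has no ESP SAs and only send errors; after `apply_fix` the list is empty. The same checker applied to the wizard excerpt reports the any/any crypto ACL, the configuration that makes the PIX push all outbound traffic into a tunnel that cannot carry it.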
fais79 (Author) commented:
That worked - thanks a lot!

Been Stuck on this for agesssss


:)
naveedb commented:
For Site-C you will still need to work on giving the PIX outside interface a public IP address before we can make it work.