[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

HELP!!!! PIX 515e as VPN Server behind Router with static NAT

Posted on 2006-05-26
11
Medium Priority
?
6,648 Views
Last Modified: 2010-05-18
Hi, i have been trying to setup this at office for the past 2 weeks without success. The proposed setup is like this

VPN Client -> Internet -> 2600 Router (with static nat) -> PIX 515 -> Intranet

Currently the 2600 router is configured with static nat for the pix and the vpn client can ping the PIX. I have tried this setup VPN Client -> PIX 515 -> Intranet and it works perfectly. But once i introduce the router with static nat it does not work. To make sure that it is not an ACL problem i permited all traffic to the PIX, i have also permitted all IP any any on the outside of the PIX. The client is a windows xp with SP 2 default vpn client. I have given this question 500 points as i really need to get this up and running urgently. Anyone has any solutions or has done some similar configuration? Please help. Thanks a lot.

The PIX configuration for VPN :-

PIX Version 6.3(1)
.
.

ip address outside 192.168.1.121 255.255.255.248
nat (inside) 0 access-list Nat0Inside
access-list Nat0Inside permit ip 192.168.X.X 255.255.255.0 any
ip local pool vpnpool 192.168.X.X-192.168.X.X
sysopt connection permit-ipsec
sysopt connection permit-l2tp
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto dynamic-map vpn_dyn_map 20 set transform-set TRANS_ESP_DES_MD5
crypto map outside_map 65535 ipsec-isakmp dynamic vpn_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
ca identity mssvr x.x.x.x:/certsrv/mscep/mscep.dll
ca configure mssvr ra 1 20 crloptional
vpdn group vpn-group accept dialin l2tp
vpdn group vpn-group ppp authentication chap
vpdn group vpn-group ppp authentication mschap
vpdn group vpn-group client configuration address local vpnpool
vpdn group vpn-group client configuration dns x.x.x.x
vpdn group vpn-group client authentication aaa RadiusSvr
vpdn enable outside

2600 Router configuration :-

interface FastEthernet0/0
 ip address 192.168.1.122 255.255.255.248
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0
 ip address X.X.X.X X.X.X.X
 ip nat outside
!
interface Serial0/1
 no ip address
 shutdown
!
ip nat pool vpnnatpool x.x.x.x x.x.x.x netmask x.x.x.x
ip nat inside source list 1 pool vpnnatpool
ip nat inside source static 192.168.1.121 x.x.x.x


The debug output :-

crypto_isakmp_process_block:src:x.x.x.x, dest:192.168.1.121 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      unknown DH group 14
ISAKMP:      auth RSA sig
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 20 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth RSA sig
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 20 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth RSA sig
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 20 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 1
ISAKMP:      auth RSA sig
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 20 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 1
ISAKMP:      auth RSA sig
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a MSWIN2K client

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing RSA signature authentication using id type ID_FQDN
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.x.x, dest:192.168.1.121 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match MINE hash
hash received: 2d f 20 56 7f 32 2a 16 f0 f1 6 4a 36 c2 19 c7
my nat hash  : 24 da 2d c8 97 da ab 7 42 55 b1 43 15 5a 7 59
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match HIS hash
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.x.x, dest:192.168.1.121 spt:4500 dpt:4500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing CERT payload. message ID = 0
ISAKMP (0): processing a CT_X509_SIGNATURE cert
ISAKMP (0): cert approved with warning
ISAKMP (0): processing SIG payload. message ID = 0
ISAKMP (0): processing CERT_REQ payload. message ID = 0
ISAKMP (0): peer wants a CT_X509_SIGNATURE cert
ISAKMP (0): SA has been authenticated

ISAKMP: Locking UDP_ENC struct 0x1139a6c from crypto_ikmp_udp_enc_ike_init, count 1
ISAKMP (0): ID payload
        next-payload : 6
        type         : 2
        protocol     : 17
        port         : 0
        length       : 21
ISAKMP (0): Total payload length: 25
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.x.x, dest:192.168.1.121 spt:4500 dpt:4500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2346434647

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xe 0x10
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x3 0xd0 0x90
ISAKMP:      encaps is 61444
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts not acceptable. Next payload is 3
ISAKMP: transform 2, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xe 0x10
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x3 0xd0 0x90
ISAKMP:      encaps is 61444
ISAKMP:      authenticator is HMAC-SHA
ISAKMP (0): atts not acceptable. Next payload is 3
ISAKMP: transform 3, ESP_DES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xe 0x10
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x3 0xd0 0x90
ISAKMP:      encaps is 61444
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP (0): processing NONCE payload. message ID = 2346434647

ISAKMP (0): processing ID payload. message ID = 2346434647
ISAKMP (0): unknown src id_type 2
return status is IKMP_ERR_RETRANS
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:x.x.x.x/4500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:x.x.x.x/4500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:x.x.x.x, dest:192.168.1.121 spt:4500 dpt:4500
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.

---------------------------------------------------------------------------------------------------------------

IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 1) not supported
IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 2) not supported
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 192.168.1.121, src= x.x.x.x,
    dest_proxy= 192.168.1.121/255.255.255.255/0/0 (type=1),
    src_proxy= x.x.x.x/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x800
0
Comment
Question by:viridis_liew
11 Comments
 
LVL 32

Expert Comment

by:harbor235
ID: 16768273
There is a mismatch in your transform set parameters for your phase 2 configuration. Make sure the phase 2 parameters are the same on both sides.


harbor235
0
 
LVL 7

Expert Comment

by:tonyteri
ID: 16768502
Try Nating at the Pix, and not the 2600

/TT
0
 
LVL 13

Accepted Solution

by:
prashsax earned 1500 total points
ID: 16769406
configure your router with public ip only without any nat.

Then connect your pix outside interface to router with public ip.

And define nat on pix instead of router. PIX can do much better & faster natting then router.

this is how your setup should look like.


-------------------------Router-------------------------------------PIX---------------Intranet
Serial IP from ISP                1st Public IP           2nd Public IP    Local IP

Now, default GW for PIX should be routers Public IP.
Default GW for router should be your ISP router IP.



0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
LVL 11

Expert Comment

by:prueconsulting
ID: 16769556
As prash said you would have better luck doing the NAT on the Pix.. but if there are technical reasons for your setup

The static nat is most likely mangaling the packets as they pass through..

0
 

Author Comment

by:viridis_liew
ID: 16777529
prash you mean that there is no way to perform the static nat on the router? i have no control over this as its the company policy that everything has to be behind the router. Any way around it?
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16779613
you are using pptp vpn configuration on pix

Try and configure IPSEC ESP over UDP configuration.

For this you need cisco vpn client. it is very easy to configure and work over nat easily.




0
 
LVL 13

Expert Comment

by:prashsax
ID: 16779732
ok, while searing I found that you can enable NAT traversing on pix.

try and enable it by using:

isakmp nat-traversal 20

20 is default time interval.


0
 

Author Comment

by:viridis_liew
ID: 16781520
prash from my configuration i have already enabled the NAT traversal..my configuration is ipsec with l2tp for vpn..can you provide a url or sample configuration for IPSec ESP over UDP?
0
 
LVL 8

Expert Comment

by:charan_jeetsingh
ID: 16784209
Hi Viridis,

Can you also paste ur router NAT configuration as well. As you say it works pretty fine without router in between, I suggest checking things on Router NAT rules & ACLS.

regards
Charanjeet Singh
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16789835
0
 
LVL 1

Expert Comment

by:_m3Rlin_
ID: 21226171
0

Featured Post

Prepare for an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program curriculum features two internationally recognized certifications from the EC-Council at no additional time or cost.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are like me and like multiple layers of protection, read on!
Securing your business data in current era should be your biggest priority. Numerous people are unaware of the fact that insiders commit more than 60 percent of security breaches. You need to figure out the underlying cause and invoke your potential…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

872 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question