Cisco Pix 501 to 501 vpn

Posted on 2006-06-21
Last Modified: 2010-03-19
I am having trouble getting a pix 501 to 501 vpn running.  Here is a map of my network (in a lab right now).

172.20.1.4 <-> inside <-> pix1 <-> ***.***.***.123 <-> crossover cable <-> ***.***.***.126 <-> pix2 <-> inside <-> 10.20.1.1

Here are the relevant configs:

pix1:

show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.20.1.0 Avon
access-list inside_outbound_nat0_acl permit ip 172.20.1.0 255.255.255.0 Avon 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.20.1.0 255.255.255.0 Avon 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside ***.***.***.123 255.255.255.248
ip address inside 172.20.1.4 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Avon 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.20.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer ***.***.***.126
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address ***.***.***.126 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 172.20.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum:
: end

Pix2:

show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.20.1.0 Meridian
access-list inside_outbound_nat0_acl permit ip 10.20.1.0 255.255.255.0 Meridian 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.20.1.0 255.255.255.0 Meridian 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside ***.***.***.126 255.255.255.248
ip address inside 10.20.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Meridian 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.20.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer ***.***.***.123
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address ***.***.***.123 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 10.20.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum:
: end

The tunnel does not seem to come up at all.

Thanks

Question by: bstasey
7 Comments

LVL 13
Expert Comment
by: prashsax
ID: 16954269
Add this line on both ends.

nat 0 access-list outside_cryptomap_20

LVL 25
Expert Comment
by: Cyclops3590
ID: 16954985
Your configs look good to me. Double-check the isakmp keys again.
If that is good, then do some simple pings to make sure connectivity exists:
on the 172.20.1.x, ping the inside interface of that firewall, then ping the outside interface of the other firewall;
same for 10.20.1.x, except of course to the inside of its firewall and the outside of the other.
Make sure each PIX can ping the other.

If everything seems fine, then log onto both PIXes, get to global config mode and do the following:
logging buffered 7
logging enable (or "on", can't remember which)

Then run
show logging
You should see some log entries.
Then have a host on the 10. network ping a host on the 172. network.
Then run
show logging on both PIXes to see if you can find any entries related to trying to set up the tunnel.
Also run
show crypto ipsec sa (might be just "show crypt sa" in 6.3 version)
and see if the SA exists for making the tunnel.

LVL 79
Accepted Solution
by: lrmoore (earned 500 total points)
ID: 16955113
prashsax,
Not trying to start anything, but that is not good advice and the syntax is not even close to being correct.
Nat zero is already taken care of with the proper acl, no need to change it.

> <-> crossover cable <->
You need default routes. Point each PIX's default route to the other one's outside IP.

Site 1
 route outside 0.0.0.0 0.0.0.0 ***.***.***.126

Site 2
 route outside 0.0.0.0 0.0.0.0 ***.***.***.123

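As an added illustration (not from the thread or from Cisco), a small Python lint that parses the PIX 6.3 statements used in the configs above and reports the conditions the answers turn on: a crypto map not applied to an interface, a peer with no matching isakmp key, interesting traffic not covered by the nat 0 ACL, and, the cause here, no default route out the outside interface. The sample config is constructed from pix1 and the peer address 192.0.2.126 is a placeholder from the documentation range, since the post masks the public IPs.

```python
# Constructed sample modelled on pix1 above (no default route); 192.0.2.126 is a documentation-range placeholder.
PIX1 = """\
name 10.20.1.0 Avon
access-list inside_outbound_nat0_acl permit ip 172.20.1.0 255.255.255.0 Avon 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.20.1.0 255.255.255.0 Avon 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 192.0.2.126
crypto map outside_map interface outside
isakmp key ******** address 192.0.2.126 netmask 255.255.255.255 no-xauth no-config-mode
"""

def lint_pix_l2l(config):
    """Return findings (strings) for a PIX 6.3 site-to-site IPsec config; [] means clean."""
    names, acls, entries = {}, {}, {}   # alias->ip, acl->set(entries), (map,seq)->{peer,acl}
    bound, nat0, keyed, defroute = set(), set(), set(), set()
    for t in (l.split() for l in config.splitlines() if l.strip()):
        if t[0] == "name":                                   # name <ip> <alias>
            names[t[2]] = t[1]
        elif t[0] == "access-list" and t[2:3] == ["permit"] and len(t) >= 8:
            # src, src_mask, dst, dst_mask with name aliases resolved
            acls.setdefault(t[1], set()).add(tuple(names.get(x, x) for x in t[4:8]))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            nat0.add(t[4])
        elif t[:2] == ["crypto", "map"] and t[3:4] == ["interface"]:
            bound.add(t[2])
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            entries.setdefault((t[2], t[3]), {})["acl"] = t[6]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["set", "peer"]:
            entries.setdefault((t[2], t[3]), {})["peer"] = t[6]
        elif t[:2] == ["isakmp", "key"] and t[3:4] == ["address"]:
            keyed.add(t[4])
        elif t[0] == "route" and t[2:4] == ["0.0.0.0", "0.0.0.0"]:
            defroute.add(t[1])                               # interface the default route leaves by
    findings = []
    exempt = set().union(*(acls.get(a, set()) for a in nat0))   # traffic the nat 0 ACL excludes from NAT
    for (cmap, seq), e in sorted(entries.items()):
        if cmap not in bound:
            findings.append(f"crypto map {cmap} is not applied to any interface")
        peer = e.get("peer")
        if peer not in keyed:
            findings.append(f"{cmap} {seq}: no isakmp pre-shared key for peer {peer}")
        crypto_acl = acls.get(e.get("acl", ""), set())
        if not crypto_acl or not crypto_acl <= exempt:
            findings.append(f"{cmap} {seq}: interesting traffic is not exempted by nat 0")
    if "outside" not in defroute:
        findings.append("no default route on outside: the PIX must route before it can encrypt")
    return findings
```

Run it against both ends' show run output; the same nat 0 and crypto ACL pair must also mirror each other across the two boxes, which this check does not compare.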
LVL 13
Expert Comment
by: prashsax
ID: 16955161
OK.

I just looked at the crypto map which uses outside_cryptomap_20.

LVL 25
Expert Comment
by: Cyclops3590
ID: 16955215
God, do I feel like a dumb*ss; can't believe I missed the default route line. Granted, my ping test would have discovered that.

Good catch, lrmoore.


Author Comment
by: bstasey
ID: 16955580
Thank you, I didn't think I needed a default route to talk to another device on the same subnet (I was able to ping the outside interfaces fine between the routers).

LVL 79
Expert Comment
by: lrmoore
ID: 16955646
Yeah, it's sort of counter-intuitive because the PIX "should" forward traffic meeting the acl to the peer IP, but first it must make a routing decision of where to send traffic originating on inside, which is usually the default GW. If there is no default, then there is no route decision, and then there is no traffic going anywhere.