Solved

How to configure PIX 515 7.1(1) dynamic VPN?

Posted on 2006-06-22
Last Modified: 2013-11-16
Greetings,
 I have a PIX 515E running 7.1(1) and need to establish a VPN with a PIX 501 using dynamic addressing. I can make it work using static on both ends, but configuring the 515 to accept a dynamic (from 501) VPN does not work. The solutions I have found refer to using a wildcard address for the key, but the 7.1 software does not handle this the same way. Using the ASDM to configure a dynamic tunnel does not work either. The IKE portion connects but IPSEC will not. Is it still possible with v7.1?
Question by:jhawley24
12 Comments
 
Expert Comment

by:stressedout2004
Yes it is possible. Post the sanitized configuration of both PIX and we will see what modifications we need to make.
Author Comment

by:jhawley24
The PIX 515E
PIX Version 7.1(1)
!
interface Ethernet0
 nameif Outside
 security-level 0
 ip address x.x.x.82 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.16.1 255.255.255.0
!
access-list inside_nat0_outbound extended permit ip 192.168.16.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list Outside_access_in extended permit tcp any host x.x.x.83 eq smtp
access-list Outside_access_in extended permit tcp any host x.x.x.83 eq pop3
access-list Outside_cryptomap_dyn_10 extended permit ip 192.168.16.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_access_in extended permit tcp host 192.168.16.2 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any

global (Outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,Outside) tcp x.x.x.83 smtp 192.168.16.2 smtp netmask 255.255.255.255
static (inside,Outside) tcp x.x.x.83 pop3 192.168.16.2 pop3 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group inside_access_in in interface inside
route Outside 0.0.0.0 0.0.0.0 x.x.x.81 1

group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem enable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 10 match address Outside_cryptomap_dyn_10
crypto dynamic-map Outside_dyn_map 10 set transform-set ESP-DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside

isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp nat-traversal  20

tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
tunnel-group-map enable rules
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
no vpn-addr-assign local


and the PIX 501
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

access-list inside_outbound_nat0_acl permit ip 192.168.24.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.24.0 255.255.255.0 192.168.16.0 255.255.255.0

ip address outside dhcp setroute
ip address inside 192.168.24.1 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer x.x.x.82
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.82 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400



Author Comment

by:jhawley24
Sorry, please revise the PIX 501 to:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

access-list inside_outbound_nat0_acl permit ip 192.168.20.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.20.0 255.255.255.0 192.168.16.0 255.255.255.0

ip address outside dhcp setroute
ip address inside 192.168.20.1 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer x.x.x.82
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.82 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

Thanks
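As an added example (not code from this thread), the Python script below mirror-checks the two configs posted above the way you would before reading IKE debugs: it pulls out the crypto ACL flows each crypto map references, the transform sets the maps apply, and the ISAKMP policies, and reports where the two peers disagree. The embedded config excerpts are constructed from the lines posted in this thread (the first 501 posting with 192.168.24.0/24 and the revised one with 192.168.20.0/24); the function names are my own. It also flags DES and DH group 1, which both posted configs use.

```python
"""Mirror-check the IPsec/IKE parameters of a PIX hub and a PIX spoke config (added example)."""
import re
from ipaddress import IPv4Network

# Constructed excerpts of the configs posted in this thread (crypto lines only).
HUB_515 = """
access-list Outside_cryptomap_dyn_10 extended permit ip 192.168.16.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 10 match address Outside_cryptomap_dyn_10
crypto dynamic-map Outside_dyn_map 10 set transform-set ESP-DES-SHA
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
"""
# The PIX 501 as first posted: its crypto ACL names 192.168.24.0/24, which is not the
# LAN the hub's ACL expects, so the two ACLs are not mirror images of each other.
SPOKE_501_FIRST = """
access-list outside_cryptomap_20 permit ip 192.168.24.0 255.255.255.0 192.168.16.0 255.255.255.0
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set transform-set ESP-DES-SHA
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
"""
# The author's corrected posting, with the real remote LAN.
SPOKE_501_REVISED = SPOKE_501_FIRST.replace("192.168.24.0", "192.168.20.0")

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
MATCH_RE = re.compile(r"^crypto (?:dynamic-)?map\s+\S+\s+\d+\s+match address\s+(\S+)")
SET_TS_RE = re.compile(r"^crypto (?:dynamic-)?map\s+\S+\s+\d+\s+set transform-set\s+(.+)$")
TS_RE = re.compile(r"^crypto ipsec transform-set\s+(\S+)\s+(.+)$")
# lifetime is left out on purpose: peers need not agree on it, the shorter value wins.
POLICY_RE = re.compile(r"^isakmp policy\s+(\d+)\s+(authentication|encryption|hash|group)\s+(\S+)")
WEAK_ENCRYPTION = {"des", "3des", "esp-des", "esp-3des"}
WEAK_DH_GROUPS = {"1", "2"}  # 768- and 1024-bit MODP


def _lines(cfg):
    return [ln.strip() for ln in cfg.splitlines() if ln.strip()]


def crypto_acl_flows(cfg):
    """(src, dst) networks of every ACL a crypto map references.
    PIX ACLs use ordinary netmasks (not IOS wildcards), so they map onto IPv4Network((addr, mask))."""
    referenced = {m.group(1) for m in map(MATCH_RE.match, _lines(cfg)) if m}
    flows = set()
    for m in map(ACL_RE.match, _lines(cfg)):
        if m and m.group(1) in referenced:
            flows.add((IPv4Network((m.group(2), m.group(3))), IPv4Network((m.group(4), m.group(5)))))
    return flows


def transform_sets_in_use(cfg):
    """The transform sets (as frozensets of transforms) that some crypto map applies."""
    defined, used = {}, set()
    for ln in _lines(cfg):
        m = TS_RE.match(ln)
        if m:
            defined[m.group(1)] = frozenset(m.group(2).split())
        m = SET_TS_RE.match(ln)
        if m:
            used.update(m.group(1).split())
    return {defined[name] for name in used if name in defined}


def isakmp_policies(cfg):
    """Each ISAKMP policy as a sorted attribute tuple, so two peers' sets can be intersected.
    Assumes every policy sets all four attributes explicitly, as the posted configs do."""
    policies = {}
    for m in map(POLICY_RE.match, _lines(cfg)):
        if m:
            policies.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return {tuple(sorted(p.items())) for p in policies.values()}


def check_peers(hub_cfg, spoke_cfg):
    """Findings that would keep Phase 1 or Phase 2 from completing between the two configs."""
    findings = []
    hub, spoke = crypto_acl_flows(hub_cfg), crypto_acl_flows(spoke_cfg)
    for src, dst in sorted(spoke, key=str):
        if (dst, src) not in hub:
            findings.append(f"crypto ACL not mirrored: spoke protects {src} -> {dst}, hub has no {dst} -> {src}")
    for src, dst in sorted(hub, key=str):
        if (dst, src) not in spoke:
            findings.append(f"crypto ACL not mirrored: hub protects {src} -> {dst}, spoke has no {dst} -> {src}")
    if not transform_sets_in_use(hub_cfg) & transform_sets_in_use(spoke_cfg):
        findings.append("no IPsec transform-set in common")
    if not isakmp_policies(hub_cfg) & isakmp_policies(spoke_cfg):
        findings.append("no ISAKMP policy in common (authentication/encryption/hash/group)")
    return findings


def weak_crypto(cfg):
    """Obsolete algorithms in a single config: DES/3DES and 768/1024-bit DH groups."""
    findings = []
    for attrs in map(dict, isakmp_policies(cfg)):
        if attrs.get("encryption") in WEAK_ENCRYPTION:
            findings.append(f"ISAKMP encryption {attrs['encryption']} is obsolete")
        if attrs.get("group") in WEAK_DH_GROUPS:
            findings.append(f"ISAKMP DH group {attrs['group']} is too small")
    for ts in transform_sets_in_use(cfg):
        findings.extend(f"IPsec transform {t} is obsolete" for t in sorted(ts & WEAK_ENCRYPTION))
    return findings


if __name__ == "__main__":
    print("first 501 posting:", check_peers(HUB_515, SPOKE_501_FIRST) or "OK")
    print("revised 501 posting:", check_peers(HUB_515, SPOKE_501_REVISED) or "OK")
    print("weak crypto on the 515:", weak_crypto(HUB_515))
```

Run against the first 501 posting it reports the ACL mismatch in both directions; against the revised posting it reports nothing, which matches the thread: once the ACLs mirror, the remaining failure is tunnel-group selection, not a Phase 2 parameter mismatch. The weak-crypto findings apply to both boxes as posted.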

Expert Comment

by:stressedout2004
Add the following on the PIX 7.1.x

tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
   authentication-server-group none
  exit

Then try the connection again. If it still doesn't work, enable the debugs on the PIX 7.1 and try initiating traffic from the PIX 501 so we can see exactly where in the IPSEC negotiation it is failing.

debug crypto ipsec
debug crypto isa
Author Comment

by:jhawley24
I was unable to use either of the commands.

# tunnel-group DefaultL2LGroup type ipsec-l2l
                               ^
ERROR: % Invalid input detected at '^' marker.

# authentication-server-group none
      ^
ERROR: % Invalid input detected at '^' marker.
Author Comment

by:jhawley24
That didn't copy very well sorry.
The first command balked at the word "type"
and the second didn't like "authentication"
Author Comment

by:jhawley24
I ran the debug anyway and here is the result.
# debug crypto ipsec
# debug crypto isa
Jun 27 12:53:01 [IKEv1]: Group = DefaultRAGroup, IP = x.x.x.201,
Removing peer from peer table failed, no match!
Jun 27 12:53:01 [IKEv1]: Group = DefaultRAGroup, IP = x.x.x.201,
Error: Unable to remove PeerTblEntry
Expert Comment

by:stressedout2004
It's weird the PIX did not take those commands. We need to have the authentication disabled.
Try the following commands one at a time in configuration mode (pixfirewall(config)#):

tunnel-group DefaultL2LGroup general-attributes

Once you enter the above command, the configuration mode will change to:

hostname(config-tunnel-general)#

Once it is under tunnel-general sub config mode as shown above, enter the following:

authentication-server-group none

e.g.

hostname(config)# tunnel-group DefaultL2LGroup general-attributes
hostname(config-tunnel-general)# authentication-server-group none
hostname(config-tunnel-general)#




Author Comment

by:jhawley24
It still balks at the word authentication.
Here is what I did -
(config-tunnel-general)# authentication-server-group none
                                          ^
ERROR: % Invalid input detected at '^' marker.
(config-tunnel-general)# ?

group_policy configuration commands:
  accounting-server-group  Enter name of the accounting server group
  default-group-policy     Enter name of the default group policy
  exit                     Exit from tunnel-group general attribute
                           configuration mode
  help                     Help for tunnel group configuration commands
  no                       Remove an attribute value pair

(config-tunnel-general)# accounting-server-group none
ERROR: aaa-server group none does not exist
Accepted Solution

by:stressedout2004 (earned 250 total points)
OK, let's try to reverse it. Based on the debugs, the connection is falling under DefaultRAGroup, which should not be the case. It should fall under DefaultL2LGroup. I don't know what to tell you, could be a bug. But let's try the following one at a time:

1) Remove the pre-shared key under the DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes
 no pre-shared-key <your preshared key>

I am assuming that the pre-shared key you have on DefaultRAGroup and DefaultL2LGroup and the isakmp key on the PIX 501 are the same. By removing the pre-shared key under DefaultRAGroup, let's see if we can force the tunnel to fall under DefaultL2LGroup. Do the debugs and see what happens.

2) If #1 doesn't work, then let's do the following:

tunnel-group DefaultRAGroup general-attributes
 no authentication-server-group
 exit

tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key <your preshared key>
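As an added example, not part of the thread, here is a small Python parser for the `[IKEv1]: Group = ..., IP = ...` lines the PIX debug produced above, the lines the answer's diagnosis rests on. It rejoins the wrapped continuation lines the PIX emits, records which tunnel-group each peer IP was placed in, and reports any peer that landed somewhere other than the group you expected it to match (DefaultL2LGroup for a dynamic LAN-to-LAN peer). The sample debug text is constructed from the two lines posted above with a documentation-range address in place of the sanitized x.x.x.201; the function names are assumptions of mine.

```python
"""Which tunnel-group did the PIX put each IKE peer in? (added example, not from the thread)"""
import re
from collections import defaultdict

# Constructed sample modelled on the two debug lines posted in this thread. The PIX wraps
# long messages, so the text after the IP continues on the next line without a timestamp.
SAMPLE_DEBUG = """\
Jun 27 12:53:01 [IKEv1]: Group = DefaultRAGroup, IP = 203.0.113.201,
Removing peer from peer table failed, no match!
Jun 27 12:53:01 [IKEv1]: Group = DefaultRAGroup, IP = 203.0.113.201,
Error: Unable to remove PeerTblEntry
"""

TIMESTAMP_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")
EVENT_RE = re.compile(r"\[(?P<proto>IKEv[12])\]: Group = (?P<group>\S+?), IP = (?P<ip>\S+?),\s*(?P<msg>.*)$")


def unwrap(debug_text):
    """Join continuation lines (no leading timestamp) back onto the preceding event line."""
    events = []
    for line in debug_text.splitlines():
        if not line.strip():
            continue
        if TIMESTAMP_RE.match(line) or not events:
            events.append(line.rstrip())
        else:
            events[-1] += " " + line.strip()
    return events


def parse_events(debug_text):
    """One (group, ip, message) tuple per IKE event that names a tunnel-group and a peer."""
    out = []
    for line in unwrap(debug_text):
        m = EVENT_RE.search(line)
        if m:
            out.append((m.group("group"), m.group("ip"), m.group("msg").strip()))
    return out


def groups_by_peer(debug_text):
    """Map each peer IP to the set of tunnel-groups the PIX matched it to."""
    peers = defaultdict(set)
    for group, ip, _ in parse_events(debug_text):
        peers[ip].add(group)
    return dict(peers)


def misrouted_peers(debug_text, expected_group="DefaultL2LGroup"):
    """Peers that never matched the tunnel-group you expected, with the groups they did match."""
    return {ip: sorted(groups) for ip, groups in groups_by_peer(debug_text).items()
            if expected_group not in groups}


if __name__ == "__main__":
    for group, ip, msg in parse_events(SAMPLE_DEBUG):
        print(f"{ip:16} {group:16} {msg}")
    print("not in DefaultL2LGroup:", misrouted_peers(SAMPLE_DEBUG))
```

On the sample this reports 203.0.113.201 as matched only to DefaultRAGroup, which is exactly what the accepted answer read off the raw debug and why it moved the pre-shared key and authentication settings to that group.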



Author Comment

by:jhawley24
Stressedout,
 It works now after going to step two; it is connecting, but, as you stated, only using the RA group? IP is working just great, but we cannot browse the network from the remote site. Is this due to RA instead of L2L?
I am accepting your previous comment as the solution and will award the points. Thank you for that, but if you have any further insight into what seems to be a DNS issue, or if you see a problem with RA over L2L that we need to go after, please fire away.
Author Comment

by:jhawley24
Got it working. Just a simple DNS setting in DHCP.
Thanks for your help. I am still curious about why it wouldn't work with L2L? Is it due to it being dynamic?