jhawley24
asked on
How to configure PIX 515 7.1(1) dynamic VPN?
Greetings,
I have a PIX 515E running 7.1(1) and need to establish a VPN with a PIX 501 using dynamic addressing. I can make it work using static on both ends but configuring the 515 to accept a dynamic (from 501) VPN does not work. The solutions I have found refer to using wildcard address for the key, but the 7.1 software does not handle this the same way. Using the ASDM to configure a dynamic tunnel does not work either. The IKE portion connects but IPSEC will not. Is it still possible with v 7.1?
Yes it is possible. Post the sanitized configuration of both PIX and we will see what modifications we need to make.
ASKER
The PIX 515E
PIX Version 7.1(1)
!
interface Ethernet0
nameif Outside
security-level 0
ip address x.x.x.82 255.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.16.1 255.255.255.0
!
access-list inside_nat0_outbound extended permit ip 192.168.16.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list Outside_access_in extended permit tcp any host x.x.x.83 eq smtp
access-list Outside_access_in extended permit tcp any host x.x.x.83 eq pop3
access-list Outside_cryptomap_dyn_10 extended permit ip 192.168.16.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_access_in extended permit tcp host 192.168.16.2 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
global (Outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,Outside) tcp x.x.x.83 smtp 192.168.16.2 smtp netmask 255.255.255.255
static (inside,Outside) tcp x.x.x.83 pop3 192.168.16.2 pop3 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group inside_access_in in interface inside
route Outside 0.0.0.0 0.0.0.0 x.x.x.81 1
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem enable
backup-servers keep-client-config
client-firewall none
client-access-rule none
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 10 match address Outside_cryptomap_dyn_10
crypto dynamic-map Outside_dyn_map 10 set transform-set ESP-DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
tunnel-group-map enable rules
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
no vpn-addr-assign local
and the PIX 501
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list inside_outbound_nat0_acl permit ip 192.168.24.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.24.0 255.255.255.0 192.168.16.0 255.255.255.0
ip address outside dhcp setroute
ip address inside 192.168.24.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer x.x.x.82
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.82 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
ASKER
Sorry-
Please revise the PIX 501 to
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list inside_outbound_nat0_acl permit ip 192.168.20.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.20.0 255.255.255.0 192.168.16.0 255.255.255.0
ip address outside dhcp setroute
ip address inside 192.168.20.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer x.x.x.82
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.82 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
Thanks
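Cross-checking the two configs in code, as an added example that is not part of this thread and not Cisco software: the script below parses the crypto-relevant lines of the PIX 515E config and of the PIX 501 config (excerpts constructed from the posts above, with both the first 192.168.24.0 version and the revised 192.168.20.0 version of the 501's crypto ACL) and checks the things the two peers must agree on before phase 2 can complete: mirror-image crypto ACLs, a shared transform set and a common ISAKMP proposal. It also flags DES and DH group 1, which both sides use. The function names and the `Crypto` structure are the example's own.

```python
"""Cross-check the IPsec/ISAKMP settings of a PIX 7.x hub and a PIX 6.3 spoke.
Added example for this thread, not Cisco code; configs are constructed excerpts."""
import re
from dataclasses import dataclass, field

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
POLICY_RE = re.compile(r"^isakmp policy (\d+) (\S+) (\S+)$")
# ACL and transform-set references from both static crypto maps and dynamic maps
MATCH_RE = re.compile(r"^crypto (?:dynamic-)?map \S+ \d+ match address (\S+)$")
SET_TS_RE = re.compile(r"^crypto (?:dynamic-)?map \S+ \d+ set transform-set (\S+)$")

HUB = """\
access-list inside_nat0_outbound extended permit ip 192.168.16.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list Outside_cryptomap_dyn_10 extended permit ip 192.168.16.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 10 match address Outside_cryptomap_dyn_10
crypto dynamic-map Outside_dyn_map 10 set transform-set ESP-DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
"""
SPOKE_TEMPLATE = """\
access-list outside_cryptomap_20 permit ip {lan} 255.255.255.0 192.168.16.0 255.255.255.0
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer x.x.x.82
crypto map outside_map 20 set transform-set ESP-DES-SHA
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
"""
SPOKE_FIRST = SPOKE_TEMPLATE.format(lan="192.168.24.0")    # 501 config as first posted
SPOKE_REVISED = SPOKE_TEMPLATE.format(lan="192.168.20.0")  # 501 config as revised


@dataclass
class Crypto:
    acls: dict = field(default_factory=dict)            # name -> [(src, smask, dst, dmask)]
    transform_sets: dict = field(default_factory=dict)  # name -> frozenset of transforms
    policies: dict = field(default_factory=dict)        # number -> {attribute: value}
    acl_refs: list = field(default_factory=list)        # ACLs used as traffic selectors
    ts_refs: list = field(default_factory=list)         # transform sets used by maps


def parse_pix(text):
    cfg = Crypto()
    for line in (l.strip() for l in text.splitlines()):
        if m := ACL_RE.match(line):
            cfg.acls.setdefault(m.group(1), []).append(m.groups()[1:])
        elif m := TS_RE.match(line):
            cfg.transform_sets[m.group(1)] = frozenset(m.group(2).split())
        elif m := POLICY_RE.match(line):
            cfg.policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
        elif m := MATCH_RE.match(line):
            cfg.acl_refs.append(m.group(1))
        elif m := SET_TS_RE.match(line):
            cfg.ts_refs.append(m.group(1))
    return cfg


def selectors(cfg):
    """Traffic selectors from every ACL a crypto map or dynamic map references."""
    return {sel for name in cfg.acl_refs for sel in cfg.acls.get(name, [])}


def mirrored(hub, spoke):
    """Each spoke selector must be the exact reverse of a hub selector."""
    hub_sel = selectors(hub)
    return bool(selectors(spoke)) and all(
        (d, dm, s, sm) in hub_sel for s, sm, d, dm in selectors(spoke))


def common_transforms(hub, spoke):
    def used(c):
        return {c.transform_sets[n] for n in c.ts_refs if n in c.transform_sets}
    return used(hub) & used(spoke)


def common_policies(hub, spoke):
    """Phase 1 proposals must agree on these four attributes; lifetime is negotiated."""
    keys = ("authentication", "encryption", "hash", "group")
    def props(c):
        return {tuple(p.get(k) for k in keys) for p in c.policies.values()}
    return props(hub) & props(spoke)


def weak_choices(cfg):
    """Algorithm choices a reviewer should flag: 56-bit DES and 768-bit DH group 1."""
    out = []
    for num, p in sorted(cfg.policies.items()):
        if p.get("encryption") == "des":
            out.append(f"isakmp policy {num}: single DES")
        if p.get("group") == "1":
            out.append(f"isakmp policy {num}: DH group 1 (768-bit MODP)")
    for name, ts in cfg.transform_sets.items():
        if "esp-des" in ts:
            out.append(f"transform-set {name}: esp-des")
    return out


if __name__ == "__main__":
    hub = parse_pix(HUB)
    for label, text in (("first", SPOKE_FIRST), ("revised", SPOKE_REVISED)):
        spoke = parse_pix(text)
        print(f"{label}: mirrored={mirrored(hub, spoke)} "
              f"transform={bool(common_transforms(hub, spoke))} "
              f"phase1={bool(common_policies(hub, spoke))}")
    print("weak:", weak_choices(hub))
```

The first 501 config fails the mirror check because its crypto ACL names 192.168.24.0/24 while the 515E's dynamic-map ACL expects 192.168.20.0/24; the revised config passes. A selector mismatch is a classic way to get IKE phase 1 up while IPsec phase 2 fails, which is the symptom in the question. Two caveats with the posted configs: a dynamic peer cannot be authenticated by address, so the only thing standing between an attacker and the tunnel is the pre-shared key under the default tunnel-group, which every dynamic peer shares; and single DES with DH group 1 offers no real protection against a capable adversary.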
Add the following on the PIX 7.1.x
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
authentication-server-group none
exit
Then try the connection again. If it still doesn't work, enable the debugs on the PIX 7.1 and try initiating traffic from the PIX 501 so we can see exactly where in the IPSEC negotiation it is failing.
debug crypto ipsec
debug crypto isa
ASKER
I was unable to use either of the commands.
# tunnel-group DefaultL2LGroup type ipsec-l2l
^
ERROR: % Invalid input detected at '^' marker.
# authentication-server-group none
^
ERROR: % Invalid input detected at '^' marker.
ASKER
That didn't copy very well, sorry.
The first command balked at the word "type"
and the second didn't like "authentication"
ASKER
I ran the debug anyway and here is the result.
# debug crypto ipsec
# debug crypto isa
Jun 27 12:53:01 [IKEv1]: Group = DefaultRAGroup, IP = x.x.x.201,
Removing peer from peer table failed, no match!
Jun 27 12:53:01 [IKEv1]: Group = DefaultRAGroup, IP = x.x.x.201,
Error: Unable to remove PeerTblEntry
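A small parser for that debug output, added here as an example and not part of the thread or of any Cisco tooling. The PIX wraps a long `debug crypto isakmp` message onto the next line, as in the paste above, so the script first re-joins continuation lines, then extracts the tunnel-group and peer address from each record and reports any peer that negotiated under a group other than the one a site-to-site spoke should land in. The sample lines are constructed from the two messages posted above; the function names and the `DefaultL2LGroup` expectation are the example's own assumptions.

```python
"""Summarise PIX 7.x 'debug crypto isakmp' output per peer.
Added example for this thread, not Cisco tooling; SAMPLE is constructed from the post."""
import re
from collections import defaultdict

# Timestamp, [IKEv1] or [IKEv1 DEBUG], then an optional "Group = X, IP = Y," prefix
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \[(?P<src>IKEv1[^\]]*)\]: "
    r"(?:Group = (?P<group>\S+), )?(?:IP = (?P<ip>\S+), )?(?P<msg>.*)$")

SAMPLE = """\
Jun 27 12:53:01 [IKEv1]: Group = DefaultRAGroup, IP = x.x.x.201,
Removing peer from peer table failed, no match!
Jun 27 12:53:01 [IKEv1]: Group = DefaultRAGroup, IP = x.x.x.201,
Error: Unable to remove PeerTblEntry
"""


def join_wrapped(text):
    """Glue lines that do not start with a timestamp onto the previous record."""
    records = []
    for line in text.splitlines():
        if LINE_RE.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] = records[-1] + " " + line.strip()
    return records


def parse(text):
    """One dict per record with ts, src, group, ip and msg (None where absent)."""
    events = []
    for rec in join_wrapped(text):
        m = LINE_RE.match(rec)
        if m:
            events.append(m.groupdict())
    return events


def by_peer(events):
    """Tunnel-groups and messages seen for each peer address."""
    peers = defaultdict(lambda: {"groups": set(), "messages": []})
    for e in events:
        if e["ip"]:
            peers[e["ip"]]["groups"].add(e["group"])
            peers[e["ip"]]["messages"].append(e["msg"])
    return dict(peers)


def misplaced_l2l_peers(events, expected="DefaultL2LGroup"):
    """Peers that negotiated under some tunnel-group other than the expected L2L one."""
    return sorted(ip for ip, info in by_peer(events).items()
                  if info["groups"] - {expected})


if __name__ == "__main__":
    evts = parse(SAMPLE)
    for ip, info in by_peer(evts).items():
        print(ip, sorted(info["groups"]), *info["messages"], sep="\n  ")
    print("not in DefaultL2LGroup:", misplaced_l2l_peers(evts))
```

Run against the posted lines it reports x.x.x.201 as a peer that negotiated under DefaultRAGroup, the remote-access default group, rather than DefaultL2LGroup; that matches the later remark in the thread that the tunnel came up "only using the RA group". With a dynamic peer there is no address to key a named tunnel-group on, so which default group the hub picks is exactly the thing to read off the debug before touching the tunnel-group configuration.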
It's weird the PIX did not take those commands. We need to have the authentication disabled.
Try the following commands one at a time under configuration mode; pixfirewall(config)#:
tunnel-group DefaultL2LGroup general-attributes
Once you enter the above command, the configuration mode will change to:
hostname(config-tunnel-general)#
Once it is under tunnel-general sub config mode as shown above, enter the following:
authentication-server-group none
e.g.
hostname(config)# tunnel-group DefaultL2LGroup general-attributes
hostname(config-tunnel-general)# authentication-server-group none
hostname(config-tunnel-general)#
ASKER
It still balks at the word authentication.
Here is what I did -
(config-tunnel-general)# authentication-server-group none
^
ERROR: % Invalid input detected at '^' marker.
(config-tunnel-general)# ?
group_policy configuration commands:
accounting-server-group Enter name of the accounting server group
default-group-policy Enter name of the default group policy
exit Exit from tunnel-group general attribute
configuration mode
help Help for tunnel group configuration commands
no Remove an attribute value pair
(config-tunnel-general)# accounting-server-group none
ERROR: aaa-server group none does not exist
ASKER CERTIFIED SOLUTION
ASKER
Stressedout,
It works now after going to step two: it is connecting, but, as you stated, only using the RA group? IP is working just great, but we cannot browse the network from the remote site. Is this due to RA instead of L2L?
I am accepting your previous as the solution and will award the points. Thank you for that, but if you have any further insight into what seems a DNS issue, or if you see a problem with RA over L2L that we need to go after, please fire away.
ASKER
Got it working. Just a simple DNS setting in DHCP.
Thanks for your help. I am still curious about why it wouldn't work with L2L? Is it due to it being dynamic?