Solved

Site-to-Site VPN Tunnel between PIX-to-PIX and router

Posted on 2006-07-02
Last Modified: 2013-11-16
hi,

I have a site-to-site VPN tunnel between my head office and branch office-1; at both ends we are using PIX 506E firewalls.

We have another branch office-2, where we are using a Cisco 1721 router. I want to establish a VPN tunnel between my PIX (head office) and the router (branch office-2).
I configured it, but there is no active IPsec tunnel between the head office PIX and the router.
Any suggestions would be highly appreciated.
Kindly check the network layout below and the (head office PIX) & router configs.



               ( headoffice )                                                                                         ( Branch office-1 )
                                                      Site-to-Site Tunnel working perfectly.
 (eth1: 192.168.0.1)  PIX1 =====================================  PIX2 (eth1: 192.168.1.1)
                                   \\
                                     \\=====================\\
                                                                                         \\
                                                                                           \\
                                                                                Cisco1712- ( Branch office-2 )
                                                                                     (eth1: 192.168.1.1)
                                                           

( Headoffice - PIX Site-to-Site config.)
-----------------------------------------------


access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list 102
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set cisco2 esp-des esp-md5-hmac
crypto map example_map 10 ipsec-isakmp
crypto map example_map 10 match address 101
crypto map example_map 10 set peer 225.45.156.122
crypto map example_map 10 set transform-set cisco2
crypto map example_map 20 ipsec-isakmp
crypto map example_map 20 match address nonat
crypto map example_map 20 set peer 86.34.144.113
crypto map example_map 20 set transform-set cisco2
crypto map example_map interface outside
isakmp enable outside
isakmp key pixcisco address 225.45.156.122 netmask 255.255.255.255
isakmp key pixcisco address 86.34.144.113 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside


--------------------------------------------------

 # sh crypto ipsec sa

interface: outside
    Crypto map tag: example_map, local addr. 64.164.38.117

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 225.45.156.122:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 391017, #pkts encrypt: 391017, #pkts digest 391017
    #pkts decaps: 306703, #pkts decrypt: 306703, #pkts verify 306703
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 10

     local crypto endpt.: 64.164.38.117, remote crypto endpt.: 225.45.156.122
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 33ce5d07

     inbound esp sas:
      spi: 0x82c1641(137107009)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: example_map
        sa timing: remaining key lifetime (k/sec): (4431430/891)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x33ce5d07(869162247)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: example_map
        sa timing: remaining key lifetime (k/sec): (4248766/890)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:


     local crypto endpt.: 64.164.38.117, remote crypto endpt.: 86.34.144.113
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

HDpix#   sh crypto isakmp sa
Total     : 1
Embryonic : 0
        dst                      src                state      pending     created
   225.45.156.122   64.164.38.117    QM_IDLE         0           1
HDpix#

-----------------------------------------------------------------------------------------
Router config : cisco 1721:
----------

dashnt#sh run
Building configuration...

Current configuration : 1647 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname dashnt#
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxx
!
no aaa new-model
!
resource policy
!
ip cef
!
ip name-server 224.xxx.xxx.34
ip name-server 224.xxx.xxx.35
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key pixcisco address 64.164.38.117
!
crypto ipsec transform-set ESP-3DES-SHA esp-des esp-md5-hmac
!
crypto map outside_map 20 ipsec-isakmp
 set peer 64.164.38.117
 set transform-set ESP-3DES-SHA
 match address encrypt-imti
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed auto
 crypto map outside_map
!
interface Serial0
 no ip address
 encapsulation frame-relay IETF
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
 ip address 112.xxx.xxx.130 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 frame-relay interface-dlci 20
!
ip route 0.0.0.0 0.0.0.0 112.xxx.xxx.129
!
no ip http server
no ip http secure-server
ip nat pool dash 86.34.144.113 86.34.144.118 netmask 255.255.255.248
ip nat source static 192.168.1.1 86.34.144.114
ip nat inside source list 1 pool dash overload
ip nat inside source static 192.168.1.1 86.34.144.113
!
ip access-list extended encrypt-imti
 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
control-plane
!!
line con 0
line aux 0
line vty 0 4
 password dkXXXXX&(*
 login
!
end

dashnt#

dashnt#sh crypto ipsec sa

interface: FastEthernet0
    Crypto map tag: outside_map, local addr 192.168.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 64.164.38.117 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.1.1, remote crypto endpt.: 64.164.38.117
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
--------------------------------------------------------------
dashnt# sh crypto isakmp sa
dst             src             state          conn-id slot status

dashnt#

Any suggestions would be highly appreciated.

Thanks
Mike..
Question by:imtiazsh
21 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 17026986
>PIX2 (eth1: 192.168.1.1)
> ( Branch office-2 ) (eth1: 192.168.1.1)

There's the problem. You simply cannot have the same IP subnet in both remote locations.
0
 

Author Comment

by:imtiazsh
ID: 17029114
Hi,

Thanks for the reply.

According to your posting, I modified my branch office-2 Cisco router (eth1: 192.168.2.1) and also updated the head office PIX ACL, but I am still facing the same problem: no active tunnel between the router and the head office PIX.

mike..

Router IPsec SA:

dashnt#sh crypto ipsec sa

interface: FastEthernet0
    Crypto map tag: outside_map, local addr 192.168.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 64.164.38.117 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.2.1, remote crypto endpt.: 64.164.38.117
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17031360
>as well as i updated head office pix ACL....,
I need to see your new PIX config.

With all the counters at zero on the remote, did you also change the IPs of the PCs, and are the PCs pointing to the router 192.168.2.1 as their default gateway?

Did you change the NAT access-lists on the remote too, for the route-map?

This is what I would expect to see on the Router:

Router side:
>
>crypto ipsec transform-set ESP-3DES-SHA esp-des esp-md5-hmac
>set transform-set ESP-3DES-SHA
>crypto isakmp policy 10
>  encr 3des <== this should be des to match the transform-set


Remove the crypto map from the interface:

interface FastEthernet0
 no crypto map outside_map
crypto isakmp policy 10
   encr des
   hash md5
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
ip nat inside source route-map nonat pool dash overload
route-map nonat permit 10
 match ip-address 102
ip access-list extended encrypt-imti
 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255

Then re-apply the crypto map:
interface FastEthernet0
 crypto map outside_map

On the PIX side:
 access-list no_nat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
 access-list no_nat permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
 access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
 access-list 102 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
 nat (inside) 0 access-list no_nat
 crypto map example_map 10 match address 101 <==
 crypto map example_map 10 set peer 225.45.156.122

 crypto map example_map 20 match address 102 <==
 crypto map example_map 20 set peer 86.34.144.113

Re-apply the crypto map to the interface:
 crypto map example_map interface outside

BTW, I can re-open this Q so that you can close it out after you get going. I'd like to earn an "A" grade. Thanks!
0
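The fix above comes down to three things that must agree across the two boxes: mirrored crypto ACLs (PIX subnet masks versus IOS wildcard masks), a NAT exemption that covers the crypto ACL, and matching transform-set and ISAKMP attributes, including the IOS defaults for anything left unconfigured. The Python check below is an added example, not part of this thread or of any Cisco tool; it parses constructed samples of the configs posted above, taking the crypto ACL names from the `match address` lines and the PIX NAT-exempt ACL from the `nat (inside) 0` line.

```python
"""Consistency check for a PIX <-> IOS site-to-site IPsec pair (added example).

IOS ISAKMP policy attributes that are not configured take defaults (des, sha,
group 1); that is where the router config posted above silently disagreed
with the PIX policy (des / md5 / group 2).
"""
import ipaddress
import re

# Constructed sample: the PIX entries relevant to the router peer (subnet masks).
PIX_CONFIG = """\
access-list no_nat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no_nat permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list no_nat
crypto ipsec transform-set cisco2 esp-des esp-md5-hmac
crypto map example_map 20 match address 102
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
"""

# Constructed sample: the router as originally posted (encr 3des, no hash/group).
IOS_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto ipsec transform-set ESP-3DES-SHA esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
 set transform-set ESP-3DES-SHA
 match address encrypt-imti
ip access-list extended encrypt-imti
 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
"""

IOS_ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1"}


def ios_net(addr, wildcard):
    """IOS ACLs use wildcard (inverse) masks: 0.0.0.255 means /24."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}")


def pix_acl(config, name):
    """Set of (src, dst) networks in a PIX access-list (subnet masks)."""
    pat = re.compile(rf"^access-list {re.escape(name)} permit ip (\S+) (\S+) (\S+) (\S+)", re.M)
    return {(ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}"))
            for s, sm, d, dm in pat.findall(config)}


def ios_acl(config, name):
    """Set of (src, dst) networks in an IOS named extended access-list."""
    entries, inside = set(), False
    for line in config.splitlines():
        if line == f"ip access-list extended {name}":
            inside = True
        elif inside and line.startswith(" "):
            p = line.split()
            if p[:2] == ["permit", "ip"]:
                entries.add((ios_net(p[2], p[3]), ios_net(p[4], p[5])))
        else:
            inside = False
    return entries


def transforms(config):
    """Transforms of the first transform-set, as a set (esp-des, esp-md5-hmac, ...)."""
    m = re.search(r"^crypto ipsec transform-set \S+ (.+)$", config, re.M)
    return frozenset(m.group(1).split()) if m else frozenset()


def pix_isakmp_policy(config):
    pol = {}
    for key, val in re.findall(r"^isakmp policy \d+ (encryption|hash|group) (\S+)", config, re.M):
        pol["encr" if key == "encryption" else key] = val
    return pol


def ios_isakmp_policy(config):
    """Attributes of the first IOS ISAKMP policy, unset ones at their defaults."""
    pol, inside = dict(IOS_ISAKMP_DEFAULTS), False
    for line in config.splitlines():
        if line.startswith("crypto isakmp policy"):
            inside = True
        elif inside and line.startswith(" "):
            key, _, val = line.strip().partition(" ")
            if key in pol:
                pol[key] = val
        else:
            inside = False
    return pol


def check_pair(pix_cfg, ios_cfg):
    """Compare the PIX crypto map entry for this peer with the router's crypto map."""
    pix_crypto = pix_acl(pix_cfg, re.search(r"match address (\S+)", pix_cfg).group(1))
    ios_crypto = ios_acl(ios_cfg, re.search(r"match address (\S+)", ios_cfg).group(1))
    nonat = pix_acl(pix_cfg, re.search(r"nat \(inside\) 0 access-list (\S+)", pix_cfg).group(1))
    pix_pol, ios_pol = pix_isakmp_policy(pix_cfg), ios_isakmp_policy(ios_cfg)
    return {
        # The router's crypto ACL must be the exact mirror of the PIX entry.
        "crypto_acls_mirrored": {(d, s) for s, d in pix_crypto} == ios_crypto,
        # Whatever is selected for encryption must also be exempt from NAT.
        "nat_exempt_covers_crypto": pix_crypto <= nonat,
        "transform_sets_match": transforms(pix_cfg) == transforms(ios_cfg),
        # ISAKMP attributes the two sides disagree on, IOS defaults included.
        "isakmp_mismatches": sorted(k for k in pix_pol if pix_pol[k] != ios_pol[k]),
    }
```

Run against the samples it reports mirrored ACLs, covered NAT exemption and matching transforms, but `isakmp_mismatches` of encr, group and hash; adding `hash md5` and `group 2` to the router policy (and dropping `encr 3des`) clears the list, which is what the corrected router config later in the thread does.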
 

Author Comment

by:imtiazsh
ID: 17037682

Hello lrmoore ,

Thanks a lot for your help.

I modified it exactly according to the syntax above. It works: the tunnel is active between the head office PIX and the branch office-2 router.

Thank you so much.

mike..
0
 

Author Comment

by:imtiazsh
ID: 17037694

Hello lrmoore ,

Thanks a lot for your help.

I modified it exactly according to the syntax above. It works: the tunnel is active between the head office PIX and the branch office-2 router.

Thank you so much.

mike..
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 17037818
Glad to help!
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17037821
Can we get the grade changed from B to A? I can simply re-open this Q and you can re-close it if that is OK with you.
0
 

Author Comment

by:imtiazsh
ID: 17037998


YES, OF COURSE, SURE. Grade B to A.

Thanks

Mike...
0
 

Author Comment

by:imtiazsh
ID: 17064683


Hi lrmoore,

Actually I am facing another problem: it says the tunnel is active between the head office PIX and the branch office-2 router, but there are no packet transactions. Kindly find below the head office PIX and branch office router outputs.
Please help me.

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 456, #pkts decrypt: 456, #pkts verify: 456

( Headoffice - PIX Site-to-Site config.)
-----------------------------------------------
HDpix#
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no_nat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no_nat permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list no_nat
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set cisco2 esp-des esp-md5-hmac
crypto map example_map 10 ipsec-isakmp
crypto map example_map 10 match address 101
crypto map example_map 10 set peer 225.45.156.122
crypto map example_map 10 set transform-set cisco2
crypto map example_map 20 ipsec-isakmp
crypto map example_map 20 match address 102
crypto map example_map 20 set peer 86.34.144.113
crypto map example_map 20 set transform-set cisco2
crypto map example_map interface outside
isakmp enable outside
isakmp key pixcisco address 225.45.156.122 netmask 255.255.255.255
isakmp key pixcisco address 86.34.144.113 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup cisco2ghanitest idle-time 1800
vpngroup example_group idle-time 1800
telnet 192.168.0.0 255.255.255.0 inside

HDpix# sh crypto ipsec sa


interface: outside
    Crypto map tag: example_map, local addr. 64.164.38.117

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 225.45.156.122:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 27259, #pkts encrypt: 27259, #pkts digest 27259
    #pkts decaps: 26865, #pkts decrypt: 26865, #pkts verify 26865
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: 64.164.38.117, remote crypto endpt.: 225.45.156.122
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: afff3351

     inbound esp sas:
      spi: 0xf644098a(4131654026)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: example_map
        sa timing: remaining key lifetime (k/sec): (4592701/22892)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xafff3351(2952737617)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: example_map
        sa timing: remaining key lifetime (k/sec): (4605328/22892)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:
     outbound pcp sas:

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 86.34.144.113:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1014, #pkts encrypt: 1014, #pkts digest 1014
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 59, #recv errors 0

     local crypto endpt.: 64.164.38.117, remote crypto endpt.: 86.34.144.113
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 15a3cf30

     inbound esp sas:
      spi: 0xd011b179(3490820473)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: example_map
        sa timing: remaining key lifetime (k/sec): (4608000/1862)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x15a3cf30(363056944)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: example_map
        sa timing: remaining key lifetime (k/sec): (4607981/1860)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

HDpix#
HDpix# sh crypto isakmp sa
Total     : 2
Embryonic : 0
              dst               src                  state     pending     created
    86.34.144.113   64.164.38.117    QM_IDLE         0           1
   225.45.156.122   64.164.38.117    QM_IDLE         0           1

HDpix# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
            alert-interval 300
access-list outside_access_in; 4 elements
access-list outside_access_in line 1 permit tcp any host 64.164.38.114 eq www (hitcnt=105)
access-list outside_access_in line 2 permit tcp any host 64.164.38.118 eq www (hitcnt=0)
access-list 101; 1 elements
access-list 101 line 1 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=6384)
access-list 102; 1 elements
access-list 102 line 1 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0 (hitcnt=1094)
access-list no_nat; 2 elements
access-list no_nat line 1 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=12305)
access-list no_nat line 2 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0 (hitcnt=1088)


-------------------------------------------------------------------------------------------------------
Router config : Branchoffice-2
----------

dashnt#sh run
Building configuration...

Current configuration : 1828 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname dashnt
!
boot-start-marker
boot-end-marker
!
enable secret 5 dfdssgxxxxxxxxxxxxxxx
!
no aaa new-model
!
resource policy
!
ip cef
!
ip name-server 224.xxx.xxx.34
ip name-server 224.xxx.xxx.35
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key pixcisco address 64.164.38.117
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-des esp-md5-hmac
!
crypto map outside_map 20 ipsec-isakmp
 set peer 64.164.38.117
 set transform-set ESP-3DES-SHA
 match address encrypt-imti
!
!
interface FastEthernet0
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed auto
 crypto map outside_map
!
interface Serial0
 no ip address
 encapsulation frame-relay IETF
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
 ip address 112.xxx.xxx.130 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 frame-relay interface-dlci 20
!
ip route 0.0.0.0 0.0.0.0 112.xxx.xxx.129
!
no ip http server
no ip http secure-server
ip nat pool dash 86.34.144.113 86.34.144.118 netmask 255.255.255.248
ip nat source static 192.168.1.1 86.34.144.114
ip nat inside source list 1 pool dash overload
ip nat inside source route-map nonat pool dash overload
ip nat inside source static 192.168.1.1 86.34.144.113
!
ip access-list extended encrypt-imti
 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 102
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password xxxvffgvd
 login
!
end

dashnt#


dashnt#    sh crypto ipsec sa

interface: FastEthernet0
    Crypto map tag: outside_map, local addr 192.168.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 64.164.38.117 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 456, #pkts decrypt: 456, #pkts verify: 456
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.2.1, remote crypto endpt.: 64.164.38.117
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 0xD011B179(3490820473)

     inbound esp sas:
      spi: 0x15A3CF30(363056944)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: 2, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4543004/1088)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD011B179(3490820473)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: 1, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4543054/1088)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

dashnt#sh crypto isakmp sa
         dst             src               state            conn-id slot    status
192.168.2.1     64.164.38.117  QM_IDLE              1    0      ACTIVE

dashnt#
dashnt#sh access-list
Standard IP access list 1
    10 permit 192.168.2.0, wildcard bits 0.0.0.255 (260 matches)
Extended IP access list 102
    10 deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
    20 permit ip 192.168.2.0 0.0.0.255 any
Extended IP access list encrypt-imti
    10 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255 (513 matches)
dashnt#
dashnt# sh crypto engine connections active

  ID Interface            IP-Address         State  Algorithm             Encrypt  Decrypt
   1 Se0.1                112.xxx.xxx.130     set    HMAC_MD5+DES_56_CB        0        0
2001 Se0.1                192.168.2.1         set    DES+MD5                   0       97
2002 Se0.1                192.168.2.1         set    DES+MD5                   0        0


PLEASE HELP

Thanks

Mike......
0
 

Author Comment

by:imtiazsh
ID: 17065313


Hello Mr.lrmoore

Please advise what the possible reasons are and how to fix it. I tried everything; I suspect a problem with the ACLs.

Thanks

Mike....
0

 
LVL 79

Expert Comment

by:lrmoore
ID: 17065548
Remove this line
>ip nat inside source list 1 pool dash overload

Just keep this one:
>ip nat inside source route-map nonat pool dash overload
0
 

Author Comment

by:imtiazsh
ID: 17065667


Hello Mr.lrmoore,

Thanks for the reply.

I updated my router; it's still the same, no packets.
Find the output below.


----------------------
router config(branchoffice-2)
-------------------------------------

dashnt#sh run
Building configuration...

Current configuration : 1828 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname dashnt
!
boot-start-marker
boot-end-marker
!
enable secret 5 dfdssgxxxxxxxxxxxxxxx
!
no aaa new-model
!
resource policy
!
ip cef
!
ip name-server 224.xxx.xxx.34
ip name-server 224.xxx.xxx.35
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key pixcisco address 64.164.38.117
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-des esp-md5-hmac
!
crypto map outside_map 20 ipsec-isakmp
 set peer 64.164.38.117
 set transform-set ESP-3DES-SHA
 match address encrypt-imti
!
!
interface FastEthernet0
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed auto
 crypto map outside_map
!
interface Serial0
 no ip address
 encapsulation frame-relay IETF
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
 ip address 112.xxx.xxx.130 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 frame-relay interface-dlci 20
!
ip route 0.0.0.0 0.0.0.0 112.xxx.xxx.129
!
no ip http server
no ip http secure-server
ip nat pool dash 86.34.144.113 86.34.144.118 netmask 255.255.255.248
ip nat source static 192.168.1.1 86.34.144.114
ip nat inside source route-map nonat pool dash overload
ip nat inside source static 192.168.1.1 86.34.144.113
!
ip access-list extended encrypt-imti
 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 102
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password xxxvffgvd
 login

dashnt#    sh crypto ipsec sa

interface: FastEthernet0
    Crypto map tag: outside_map, local addr 192.168.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 64.164.38.117 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 27, #pkts decrypt: 27, #pkts verify: 27
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.2.1, remote crypto endpt.: 64.164.38.117
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 0xD011B179(3490820473)

     inbound esp sas:
      spi: 0x15A3CF30(363056944)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: 2, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4543004/1088)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD011B179(3490820473)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: 1, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4543054/1088)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

dashnt#sh access-list
Standard IP access list 1
    10 permit 192.168.2.0, wildcard bits 0.0.0.255
Extended IP access list 102
    10 deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255 (74 matches)
    20 permit ip 192.168.2.0 0.0.0.255 any (680 matches)
Extended IP access list encrypt-imti
    10 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255 (74 matches)

dashnt#sh crypto isakmp sa
dst             src             state          conn-id slot status
192.168.2.1     64.164.38.117  QM_IDLE              1    0 ACTIVE

dashnt#sh crypto engine connections active

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
   1 Se0.1                112.xxx.xxx.130    set    HMAC_MD5+DES_56_CB        0        0
2001 Se0.1                192.168.2.1     set    DES+MD5                   0       86
2002 Se0.1                192.168.2.1     set    DES+MD5                   0        0

----------------------------------------------------------------------------------
( Headoffice - PIX Site-to-Site config.)

HDpix# sh crypto ipsec sa


interface: outside
    Crypto map tag: example_map, local addr. 64.164.38.117

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 225.45.156.122:500
     PERMIT, flags={origin_is_acl,}
     #pkts encaps: 2516, #pkts encrypt: 2516, #pkts digest 2516
    #pkts decaps: 3106, #pkts decrypt: 3106, #pkts verify 3106
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: 64.164.38.117, remote crypto endpt.: 225.45.156.122
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: afff3351

     inbound esp sas:
      spi: 0xf644098a(4131654026)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: example_map
        sa timing: remaining key lifetime (k/sec): (4592701/22892)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xafff3351(2952737617)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: example_map
        sa timing: remaining key lifetime (k/sec): (4605328/22892)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:
     outbound pcp sas:

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 86.34.144.113:500
     PERMIT, flags={origin_is_acl,}
     #pkts encaps: 18, #pkts encrypt: 18, #pkts digest 18
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 59, #recv errors 0

     local crypto endpt.: 64.164.38.117, remote crypto endpt.: 86.34.144.113
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 15a3cf30

     inbound esp sas:
      spi: 0xd011b179(3490820473)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: example_map
        sa timing: remaining key lifetime (k/sec): (4608000/1862)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x15a3cf30(363056944)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: example_map
        sa timing: remaining key lifetime (k/sec): (4607981/1860)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

HDpix#
HDpix# sh crypto isakmp sa
Total     : 2
Embryonic : 0
              dst               src   state                   pending     created
    86.34.144.113   64.164.38.117    QM_IDLE         0           1
   225.45.156.122   64.164.38.117    QM_IDLE         0           1

HDpix# sh access-list
access-list 101; 1 elements
access-list 101 line 1 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=107)
access-list 102; 1 elements
access-list 102 line 1 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0 (hitcnt=35)
access-list no_nat; 2 elements
access-list no_nat line 1 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=107)
access-list no_nat line 2 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0 (hitcnt=33)
 
thanks

mike....
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17065823
On the router, apply the crypto map to the serial interface, not the ethernet:

interface FastEthernet0
 no crypto map outside_map
!
interface Serial0.1 point-to-point
 crypto map outside_map
!

Author Comment

by:imtiazsh
ID: 17066980

Hello Mr.lrmoore,

I modified it... still the same.

thanks

mike......

dashnt#sh cry isakmp sa
dst             src             state          conn-id slot status
192.168.2.1     64.164.38.117   QM_IDLE              1    0 ACTIVE

dashnt#sh cry ipsec sa

interface: Serial0.1
    Crypto map tag: outside_map, local addr 112.xxx.xxx.130

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 64.164.38.117  port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 112.xxx.xxx.130, remote crypto endpt.: 64.164.38.117
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0.1
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
dashnt# sh access-list
Standard IP access list 1
    10 permit 192.168.2.0, wildcard bits 0.0.0.255
Extended IP access list 102
    10 deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
    20 permit ip 192.168.2.0 0.0.0.255 any (41 matches)
Extended IP access list encrypt-imti
    10 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
dashnt#

dashnt#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 112.xxx.xxx.129 to network 0.0.0.0

     10.0.0.0/30 is subnetted, 1 subnets
C       112.xxx.xxx.128 is directly connected, Serial0.1
C    192.168.2.0/24 is directly connected, FastEthernet0
S*   0.0.0.0/0 [1/0] via 112.xxx.xxx.129
dashnt#

Author Comment

by:imtiazsh
ID: 17067018

Hi,

The testing scenario is from HDpix to the branch office-2 router.

(Headoffice PIX)                       (branch office-2 router)

Ping, telnet, http, ftp from   ==>     192.168.2.2 : http, ping
192.168.0.1/24                 ==>     192.168.2.3 (linux machine) : telnet, ping
                               ==>     192.168.2.4 : ftp, ping
                               ==>     192.168.2.28 : ping

Expert Comment

by:lrmoore
ID: 17068931
>ip nat inside source static 192.168.1.1 86.34.144.113
How are you routing to 192.168.1.1 when your internal network is 192.168.2.1 and you don't have any static routes?

What is the local default gateway of those systems on the 192.168.2.x network?

192.168.0.1 /24            ==>          192.168.2.3 (linux machine) : telnet, ping
What is host 192.168.0.1 ? Is this the PIX?
You cannot test from the PIX console; you absolutely must be on a host inside the PIX, trying to talk to a host inside the router.

Author Comment

by:imtiazsh
ID: 17070762


Hello Mr. lrmoore,

Thanks for the reply.

I am so sorry, it's my mistake... it's like this:
! ip nat inside source static 192.168.2.1 86.34.144.113

'YES', the default gateway is 192.168.2.1 on all machines and they can access the net.

>>>What is host 192.168.0.1 ? Is this the PIX?

192.168.0.1 is the head office PIX internal IP address. Yes, I am on 192.168.0.5 inside the PIX and trying to talk to a host inside the router.

192.168.0.5    ==>   192.168.2.3 (linux machine) : telnet, ping
                      ==>   192.168.2.4 : http, ping

thanks

Mike.......

Router config : Branchoffice-2
----------
dashnt#sh run
Building configuration...

Current configuration : 1828 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname dashnt
!
boot-start-marker
boot-end-marker
!
enable secret 5 dfdssgxxxxxxxxxxxxxxx
!
no aaa new-model
!
resource policy
!
ip cef
!
ip name-server 224.xxx.xxx.34
ip name-server 224.xxx.xxx.35
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key pixcisco address 64.164.38.117
!
crypto ipsec transform-set ESP-3DES-SHA esp-des esp-md5-hmac
!
crypto map outside_map 20 ipsec-isakmp
 set peer 64.164.38.117
 set transform-set ESP-3DES-SHA
 match address encrypt-imti
!
interface FastEthernet0
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed auto
 crypto map outside_map
!
interface Serial0
 no ip address
 encapsulation frame-relay IETF
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
 ip address 112.xxx.xxx.130 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 frame-relay interface-dlci 20
!
ip route 0.0.0.0 0.0.0.0 112.xxx.xxx.129
!
no ip http server
no ip http secure-server
ip nat pool dash 86.34.144.113 86.34.144.118 netmask 255.255.255.248
ip nat source static 192.168.2.1 86.34.144.114
ip nat inside source list 1 pool dash overload
ip nat inside source route-map nonat pool dash overload
ip nat inside source static 192.168.2.1 86.34.144.113
!
ip access-list extended encrypt-imti
 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 102
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password xxxvffgvd
 login
!
end


Author Comment

by:imtiazsh
ID: 17071131

hi,

Sorry, this is already removed...

ip nat inside source list 1 pool dash overload

thanks

Author Comment

by:imtiazsh
ID: 17081896

Hi

Thanks a lot for your valuable time.

I solved the problem.

Actually, I created interface loopback0 with IP 86.34.144.116 on the router and it worked...

dashnt#  sh cry ipsec sa

interface: Serial0.1
    Crypto map tag: outside_map, local addr 86.34.144.116

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 64.164.38.117  port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4842, #pkts encrypt: 4842, #pkts digest: 4842
    #pkts decaps: 5272, #pkts decrypt: 5272, #pkts verify: 5272
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 86.34.144.116, remote crypto endpt.: 64.164.38.117
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0.1
     current outbound spi: 0xBF5BAF09(3210456841)

     inbound esp sas:
      spi: 0x49562B90(1230384016)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: 3, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4548721/2120)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xBF5BAF09(3210456841)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: 4, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4548721/2120)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

dashnt#sh cry isakmp sa
dst             src             state          conn-id slot status
86.34.144.116  64.164.38.117  QM_IDLE              1    0 ACTIVE


Expert Comment

by:lrmoore
ID: 17082132
Good solution!