Solved

Configuration PIX VPN with Checkpoint no IKE traffic

Posted on 2006-07-19
Last Modified: 2012-05-05
Hello,

I've got a problem with my PIX506e. I have the following configuration:

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 10full
interface ethernet1 100full
interface ethernet1 vlan100 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan100 production security90
enable password J/Q.5.TOPu/CUUOY encrypted
passwd Wj.QrINRZQYbaHLA encrypted
hostname CXFW01
domain-name apollo
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name <<>> TMmeterpool
name <<>> TMGGSN
name <<>> ProdRadius
name <<>> ProdAIMDB
name <<>> EssentEMG122
name <<>> EssentEMG124
name <<>> EssentEMG129
name <<>> ProdWebserv
name <<>> EMGFTP
name <<>> EssentEMGTerminal
name <<>> ProductieLAN
name <<>> NijkerkWeb
name <<>> NijkerkDIGI_ETH
name <<>> ENL_AIM_T
name <<>> ProdGenDB01
name <<IPterminal>> ProdTerminal
name <<IPNAT>> NATTestEssent
name <<IPDNS1>> DNSEssentW2
name <<IPDNS2>> DNSEssentW
object-group service EssentWarmte tcp
description Group for Essent Warmte
port-object eq echo
port-object range domain domain
port-object range 3389 3389
port-object eq ftp
access-list production_outbound_nat0_acl permit ip host ProdAIMDB host TMGGSN
access-list production_outbound_nat0_acl permit ip host ProdAIMDB TMmeterpool 255.255.252.0
access-list production_outbound_nat0_acl permit ip host ProdRadius host TMGGSN
access-list production_outbound_nat0_acl permit ip host ProdRadius TMmeterpool 255.255.252.0
access-list production_outbound_nat0_acl permit ip ProductieLAN 255.255.255.0 176.16.11.128 255.255.255.192
access-list production_outbound_nat0_acl permit ip host ProdWebserv EssentEMG122 255.255.254.0
access-list production_outbound_nat0_acl permit ip ProductieLAN 255.255.255.0 host NijkerkWeb
access-list production_outbound_nat0_acl permit ip host ProdAIMDB host NijkerkDIGI_ETH
access-list production_outbound_nat0_acl permit ip ProductieLAN 255.255.255.0 host ENL_AIM_T
access-list production_outbound_nat0_acl permit ip host ProdTerminal 172.16.11.160 255.255.255.248
access-list production_outbound_nat0_acl permit ip host NATTestEssent DNSEssentW 255.255.255.0
access-list production_outbound_nat0_acl permit ip host NATTestEssent DNSEssentW2 255.255.255.252
access-list outside_cryptomap_20 permit ip host ProdAIMDB host TMGGSN
access-list outside_cryptomap_20 permit ip host ProdAIMDB TMmeterpool 255.255.252.0
access-list outside_cryptomap_20 permit ip host ProdRadius host TMGGSN
access-list outside_cryptomap_20 permit ip host ProdRadius TMmeterpool 255.255.252.0
access-list outside_cryptomap_dyn_20 permit ip any ProductieLAN 255.255.255.192
access-list production_access_in permit ip ProductieLAN 255.255.255.0 any
access-list inside_access_in permit ip ManagementLan 255.255.255.0 any
access-list inside_access_in permit ip ManagementLan 255.255.255.0 ProductieLAN 255.255.255.0
access-list 101 permit tcp any host <<IPwebserver>> eq www
access-list 101 permit tcp any host <<IPwebserver>> eq ftp
access-list 101 permit tcp any host <<IPwebserver>> eq https
access-list inside_outbound_nat0_acl permit ip ManagementLan 255.255.255.0 ProductieLAN 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any ProductieLAN 255.255.255.192


<<deleted part>>

access-list outside_cryptomap_60 permit ip ProductieLAN 255.255.255.0 host NijkerkWeb
access-list outside_cryptomap_60 permit ip host ProdAIMDB host NijkerkDIGI_ETH
access-list outside_cryptomap_60 permit ip ProductieLAN 255.255.255.0 host ENL_AIM_T
access-list outside_cryptomap_80 permit tcp host NATTestEssent object-group EssentWarmte DNSEssentW 255.255.255.0

object-group EssentWarmte
access-list outside_cryptomap_80 permit tcp host NATTestEssent object-group EssentWarmte DNSEssentW2 255.255.255.252

object-group EssentWarmte
access-list outside_cryptomap_dyn_40 permit ip any ProductieLAN 255.255.255.248
pager lines 24
logging buffered alerts
mtu outside 1500
mtu inside 1500
ip address outside <<ousideIP>> 255.255.255.248
ip address inside <<managementIP>> 255.255.255.0
ip address production <<productionIP>> 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNproduction 176.16.11.150-176.16.11.160
ip local pool EssentIpPool 172.16.11.160-172.16.11.166
pdm location ProdAIMDB 255.255.255.255 production
pdm location ProdRadius 255.255.255.255 production
pdm location TMmeterpool 255.255.252.0 outside
pdm location TMGGSN 255.255.255.255 outside
pdm location EssentEMG122 255.255.254.0 outside
pdm location EssentEMG124 255.255.254.0 outside
pdm location EssentEMG129 255.255.255.0 outside
pdm location ProdWebserv 255.255.255.255 production
pdm location EMGFTP 255.255.255.255 outside
pdm location EssentEMGTerminal 255.255.255.255 outside
pdm location NijkerkWeb 255.255.255.255 outside
pdm location NijkerkDIGI_ETH 255.255.255.255 outside
pdm location ENL_AIM_T 255.255.255.255 outside
pdm location ProdGenDB01 255.255.255.255 production
pdm location ProdTerminal 255.255.255.255 production
pdm location NATTestEssent 255.255.255.255 outside
pdm location DNSEssentW2 255.255.255.252 outside
pdm location NATTestEssent 255.255.255.255 production
pdm location DNSEssentW 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 <<IPwebserver>>
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 ManagementLan 255.255.255.0 0 0
nat (production) 0 access-list production_outbound_nat0_acl
nat (production) 1 ProductieLAN 255.255.255.0 0 0
static (production,outside) <<IPwebserver>> ProdWebserv netmask 255.255.255.255 0 0
static (inside,production) ManagementLan ManagementLan netmask 255.255.255.0 0 0
access-group 101 in interface outside
access-group inside_access_in in interface inside
access-group production_access_in in interface production
route outside 0.0.0.0 0.0.0.0 <<GatewayIP>> 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http ManagementLan 255.255.255.0 inside
http ProductieLAN 255.255.255.0 production
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5

<<deleted part>>

crypto map outside_map 80 ipsec-isakmp
crypto map outside_map 80 match address outside_cryptomap_80
crypto map outside_map 80 set peer <<IPA>>
crypto map outside_map 80 set transform-set ESP-3DES-MD5
crypto map outside_map 80 set security-association lifetime seconds 3600 kilobytes 460800
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside

<<deleted part>>

isakmp key ******** address <<IPA>> netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 3600 60
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800


<<deleted part>>

telnet timeout 5
ssh timeout 5
console timeout 0
vpdn username <<user>> password *********
vpdn enable outside
vpdn enable inside
vpdn enable production
dhcpd domain apollo
dhcpd auto_config outside
terminal width 80
Cryptochecksum:2503615dc6533e9d699c16513628a46b
: end
[OK]

But I do not get any IKE traffic on the new VPN I'm adding:
www.vrachos.nl/vpn.jpg

What could be the problem?
Question by:blaadje
8 Comments
 
LVL 10

Accepted Solution

by:
Sorenson earned 500 total points
ID: 17137472
Try changing the match list for the VPN to be IP rather than TCP:
access-list outside_cryptomap_80 permit ip host NATTestEssent DNSEssentW2 255.255.255.252

Then if you want to limit traffic to that VPN, adjust inside_access_in to have those restrictions, rather than the VPN tunnel itself. Are there any errors in the Checkpoint log on the remote side? What type of logging do you see when the VPN is established on your side?

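Added example (not from the thread or from either poster): a small audit script that applies the accepted answer's rule to a PIX 6.3-style config excerpt, flagging crypto-map ACL entries that match tcp/udp instead of ip and entries that have no matching nat 0 exemption. The CONFIG text is a constructed excerpt modelled on the posted config; the symbolic names are the ones used there.

```python
"""Audit PIX 6.3 crypto-map ACLs per the accepted answer: proxy-ID entries should be 'permit ip'
(ports belong in the interface ACL) and mirror a 'nat 0' exemption. Added example; CONFIG is constructed."""
import re
CONFIG = """
access-list production_outbound_nat0_acl permit ip host ProdAIMDB host TMGGSN
access-list production_outbound_nat0_acl permit ip host NATTestEssent DNSEssentW 255.255.255.0
access-list production_outbound_nat0_acl permit ip host NATTestEssent DNSEssentW2 255.255.255.252
access-list outside_cryptomap_20 permit ip host ProdAIMDB host TMGGSN
access-list outside_cryptomap_80 permit tcp host NATTestEssent object-group EssentWarmte DNSEssentW 255.255.255.0
access-list outside_cryptomap_80 permit tcp host NATTestEssent object-group EssentWarmte DNSEssentW2 255.255.255.252
nat (production) 0 access-list production_outbound_nat0_acl
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 80 match address outside_cryptomap_80
"""
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) (.+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto (?:map|dynamic-map) (\S+) (\d+) match address (\S+)$")

def parse_endpoints(tokens):
    """Return ((src, mask), (dst, mask)); a service object-group reference is skipped."""
    eps, i = [], 0
    while i < len(tokens) and len(eps) < 2:
        if tokens[i] == "object-group":
            i += 2  # port group: not part of the proxy identity
        elif tokens[i] == "host":
            eps.append((tokens[i + 1], "255.255.255.255")); i += 2
        elif tokens[i] == "any":
            eps.append(("0.0.0.0", "0.0.0.0")); i += 1
        else:
            eps.append((tokens[i], tokens[i + 1])); i += 2  # NAME MASK
    return tuple(eps)

def audit(config):
    """Return one finding string per problem in the ACLs referenced by crypto maps."""
    acls, nat0, crypto, findings = {}, set(), {}, []
    for line in (l.strip() for l in config.splitlines()):
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((m[2], parse_endpoints(m[3].split())))
        elif m := NAT0_RE.match(line):
            nat0.add(m[1])
        elif m := CRYPTO_RE.match(line):
            crypto[(m[1], int(m[2]))] = m[3]
    exempt = {ep for n in nat0 for proto, ep in acls.get(n, []) if proto == "ip"}  # NAT-exempt proxy IDs
    for (cmap, seq), acl in sorted(crypto.items()):
        for proto, ep in acls.get(acl, []):
            if proto != "ip":
                findings.append(f"{cmap} {seq}: {acl} matches '{proto}'; use 'permit ip' and filter ports in the interface ACL")
            if ep not in exempt:
                findings.append(f"{cmap} {seq}: {acl} entry {ep} has no 'permit ip' nat 0 exemption")
    return findings
```

Running audit(CONFIG) reports the two tcp entries of outside_cryptomap_80 and nothing for map 20, whose entry is already ip and mirrored in the nat 0 ACL.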
 
LVL 1

Author Comment

by:blaadje
ID: 17137490
Not even phase 1 of the VPN comes to life. There is no IKE traffic that I can see.
 
LVL 10

Expert Comment

by:Sorenson
ID: 17137835
Phase 1 would fail if the attributes do not match. Change to ip instead of tcp on the ACL. Check the logs and post what happens when it attempts to connect. Post "show cry isa sa" and "show cry ipsec sa". Also, what do the logs show on the Checkpoint side?
 
LVL 1

Author Comment

by:blaadje
ID: 17137873
Logs on the Checkpoint side don't show anything because no traffic is sent. Attributes are correct (look at the image and config), I think.

LVL 1

Author Comment

by:blaadje
ID: 17137894
Total     : 3
Embryonic : 0
        dst               src        state     pending     created
   212.203.22.67  213.201.221.146    QM_IDLE         0           1
 213.201.221.146     83.162.0.174    QM_IDLE         0          11
          TMGGSN  213.201.221.146    QM_IDLE         0           4
 
LVL 1

Author Comment

by:blaadje
ID: 17137944
It is missing the new VPN.
 
LVL 1

Author Comment

by:blaadje
ID: 17137964
Result of firewall command: "show cry ipsec sa"
 
interface: outside
    Crypto map tag: outside_map, local addr. 213.201.221.146
   local  ident (addr/mask/prot/port): (NATTestEssent/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (DNSEssentW/255.255.252.0/0/0)
   current_peer: <<IPA>>:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 213.201.221.146, remote crypto endpt.: <<IPA>>
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
   local  ident (addr/mask/prot/port): (NATTestEssent/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (DNSEssentW2/255.255.255.192/0/0)
   current_peer: <<IPA>>:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 213.201.221.146, remote crypto endpt.: <<IPA>>
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
 
LVL 1

Author Comment

by:blaadje
ID: 17138104
Could the problem be that I use a pre-shared key and aggressive mode should be NO?
