Solved

Cisco Pix-to-Pix VPN via 1721 Routers

Posted on 2006-07-20
6
563 Views
Last Modified: 2013-11-16
OK, so here it is.

I have a site-to-site solution I am trying to figure out.
I wanted to get the most thorough answer so I am using a ficitious public range below for accuracy.

Site 1:
Verizon DSL => ISP Modem => 1721 Router Eth0 w/Public IP Subnet (71.109.92.114-118/255.255.255.0/71.109.92.1 Gateway) =>1721 Router FA0 w/Private 172.16.100.1 Address =>Pix 506E Outside 172.16.100.2 Address=>Pix 506E Inside 192.168.100.1 Address=>2950 Internal LAN

Site 2:
Verizon DSL => ISP Modem => 1721 Router Eth0 w/Public IP Subnet (152.196.200.26-30/255.255.255.0/152.196.200.1 Gateway) =>1721 Router FA0 w/Private 172.16.101.1 Address =>Pix 506E Outside 172.16.100.2 Address=>Pix 506E Inside 192.168.101.1 Address=>2950 Internal LAN

I've created a NAT rule on both 1721's to point a public 152.196.200.27 and 71.109.92.115 respectively. These are static and point to the Pix outside ip's 172.16.100.2 and 172.16.101.2.

Now I create a VPN tunnel following Cisco's docs:
Configuring a Simple PIX-to-PIX VPN Tunnel Using IPSec
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

The tunnels never terminate. There are no errors, nothing.

Now this is currently in a lab with a Cross-Over between the 1721's. and I've got an 'ip route 0.0.0.0 0.0.0.0 Ethernet 0' rule. This allows me to bypass the production non-existent gateway addresses above, and makes the entire infrastructure able to communicate.

Is there something I am missing as far as NAT is concerned? Can I not establish a tunnel between two pix's that aren't on the border? Shouldn't I be able to create a persistent site-to-site tunnel that allows devices with the following ip's 192.168.100.0 255.255.255.0 and 192.168.101.0 255.255.255.0 to communicate seamlessly in this manner.

Given the above infrastructure, how would you config it?
0
Comment
Question by:jpugsley
6 Comments
 
LVL 9

Expert Comment

by:Pentrix2
ID: 17150557
post both sides config.  also, post the output on these too:

show crypto isakmp ca
show crypto ipsec sa

David
0
 

Author Comment

by:jpugsley
ID: 17150822
Here it is. There is alot to look at. Remember lab environment so its not fully locked down yet.
Lemme know what you think. I'll be traveling for the next few hours, I'll return to look at the post around 11PM.

Thanks for any insight.

Site 1 Pix Config:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname EMM506E
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit icmp any any echo-reply
access-list 101 permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 172.16.100.2 255.255.255.0
ip address inside 192.168.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 172.16.100.10-172.16.100.253 netmask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.100.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set nfff-tset esp-des esp-md5-hmac
crypto map nfff-map 1 ipsec-isakmp
crypto map nfff-map 1 match address 101
crypto map nfff-map 1 set peer 152.196.200.27
crypto map nfff-map 1 set transform-set nfff-tset
crypto map nfff-map interface outside
isakmp enable outside
isakmp key ******** address 152.196.200.27 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:b91cf359093fd8a840fd704903799f94
: end



Site 1 Shows:

CRF506E# show crypto isakmp ca
isakmp enable outside
isakmp key ******** address 71.109.92.115 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
CRF506E# show crypto ipsec sa


interface: outside
    Crypto map tag: nfff2-map, local addr. 172.16.101.2

   local  ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
   current_peer: 71.109.92.115:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.16.101.2, remote crypto endpt.: 70.109.95.115
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:

             
     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:




Site 1 Router Config:

EMM1721#show run
Building configuration...

Current configuration : 1280 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname EMM1721
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$AzKM$Hu2mnVux1w7JeS5IX7VUp/
!
aaa new-model
!
!
aaa authorization network hw-client-group local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
login delay 5
!
!
!
!
interface Ethernet0
 ip address 71.109.92.114 255.255.255.0
 ip nat outside
 full-duplex
!
interface Ethernet1
 ip address 192.168.200.1 255.255.255.0
 half-duplex
!
interface FastEthernet0
 ip address 172.16.100.1 255.255.255.0
 ip nat inside
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
ip route 192.168.100.0 255.255.255.0 172.16.100.2
!
no ip http server
ip nat inside source static 172.16.100.2 71.109.92.115
!
!
control-plane
!
banner motd ^C
Any unauthorized use or access to this system will be prosecuted to the fullest extent of the law.
^C
!        
line con 0
 exec-timeout 3 0
 password 7 070C7142400F1F034F4B4A
line aux 0
 exec-timeout 3 0
 password 7 045A1E1E01274A48514044
line vty 0 4
 exec-timeout 3 0
 password 7 1313030B050A022C737D69
!
end



Site 2 Pix Config:

:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname CRF506E
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit icmp any any echo-reply
access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 172.16.101.2 255.255.255.0
ip address inside 192.168.101.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 172.16.101.3-172.16.101.253 netmask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.101.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.101.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set nfff2-tset esp-des esp-md5-hmac
crypto map nfff2-map 1 ipsec-isakmp
crypto map nfff2-map 1 match address 101
crypto map nfff2-map 1 set peer 71.109.92.115
crypto map nfff2-map 1 set transform-set nfff2-tset
crypto map nfff2-map interface outside
isakmp enable outside
isakmp key ******** address 71.109.92.115 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 192.168.101.2-192.168.101.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:898cd360fc2dc254438bacb18a935e98
: end



Site 2 Shows:

EMM506E# show crypto isakmp ca
isakmp enable outside
isakmp key ******** address 152.196.200.27 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
EMM506E# show crypto ipsec sa


interface: outside
    Crypto map tag: nfff-map, local addr. 172.16.100.2

   local  ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
   current_peer: 152.196.200.27:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.16.100.2, remote crypto endpt.: 151.196.254.27
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:

             
     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:




Site 2 Router Config:

CRF1721#show run
Building configuration...

Current configuration : 1140 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname CRF1721
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$nZQ3$VgNs/No8vnXlL6UFr3e.e1
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
!
!
!
!
interface Ethernet0
 ip address 152.196.200.26 255.255.255.0
 ip nat outside
 full-duplex
!
interface FastEthernet0
 ip address 172.16.101.1 255.255.255.0
 ip nat inside
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
ip route 192.168.101.0 255.255.255.0 172.16.101.2
!
no ip http server
ip nat inside source static 172.16.101.2 152.196.200.27!
!
control-plane
!
banner motd ^C
Any unauthorized use or access to this system will be prosecuted to the fullest extent of the law.
^C
!
line con 0
 exec-timeout 3 0
 password 7 0205545505000927141748
 login
line aux 0
 exec-timeout 3 0
 password 7 0207114305000927141748
 login
line vty 0 4
 exec-timeout 3 0
 password 7 0210104205000927141748
 login
!
end
0
 
LVL 11

Expert Comment

by:prueconsulting
ID: 17155760
Debug crypto isakmp
debug crypto ipsec
debug crypto engine


Post the results of this .

Also lets ask the obvious question . Are you sending some traffic across which would match the "interesting" rule of access-list 101 ?

Sh access-list  to ensure the Acl is actually taking a hit in order to bring the vpn up
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 79

Expert Comment

by:lrmoore
ID: 17157618
SITE X router:
>interface Ethernet0
 ip address 152.196.200.26 255.255.255.0
 ip nat outside
!
interface FastEthernet0
 ip address 172.16.101.1 255.255.255.0
 ip nat inside

Question for you:
Both 1721 routers appear to have an Ethernet feed as your WAN/ISP link.
What is the purpose of the router if your Internet feed is Ethernet anyway? Why not simply connect the PIX outside to the feed and assign the 152.196.xx.x number directly to the PIX outside interface and be done with it?

>ip route 0.0.0.0 0.0.0.0 Ethernet0
This is part of the problem. You cannot set a broadcast interface as your default gateway. It must be the next hop's IP address...
no ip route 0.0.0.0 0.0.0.0 Ethernet0
ip route 0.0.0.0 0.0.0.0 152.196.xx.xx


0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 17157771
isakmp policy 1 encryption des  <== you know you can get a free 3DES license key, don't you?
isakmp policy 1 hash md5
isakmp policy 1 group 1  <== this should be group 2


>Now this is currently in a lab with a Cross-Over between the 1721's. and I've got an 'ip route 0.0.0.0 0.0.0.0 Ethernet 0' rule. This allows me to bypass the production non-existent gateway addresses above, and makes the entire infrastructure able to communicate.
Ummm .. No....
If you want these two to communicate in your lab with a crossover cable between the 2 x 1721's, then the WAN interface (Ethernet 0 in your case) absolutely MUST be on the same IP subnet, and the default gateway must point to the next guy.
Example:

Site 1
 interface fast 0/0
   ip address 123.45.67.8 255.255.255.0
 ip nat inside source static 123.45.67.9 172.16.100.2
 ip route 0.0.0.0 0.0.0.0 123.45.67.9

Site 2
 interface fast 0/0
   ip add 123.45.67.9 255.255.255.0
  ip nat inside source static 123.45.67.10 172.16.101.2
  ip route 0.0.0.0 0.0.0.0 123.45.67.8

0
 

Author Comment

by:jpugsley
ID: 17163196
OK! So what I went with was the PIX to PIX setup avoiding the router on the edge.
I shelfed the remote site 1721 for now, and put the 1721 in the primary site behind the pix to do internal routing between
the internal lan and the board room DMZ. All is good.

Irmoore - I went with a 3des/sha tunnel (had the 506E) I might had gone the router of AES if we weren't restricted
on the upstream bandwidth.

Thanks for you help guys, I am going to split the points here.
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

How to configure Site to Site VPN on a Cisco ASA.     (version: 1.1 - updated August 6, 2009) Index          [Preface]   1.    [Introduction]   2.    [The situation]   3.    [Getting started]   4.    [Interesting traffic]   5.    [NAT0]   6.…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now