jpugsley
asked on
Cisco Pix-to-Pix VPN via 1721 Routers
OK, so here it is.
I have a site-to-site solution I am trying to figure out.
I wanted to get the most thorough answer so I am using a fictitious public range below for accuracy.
Site 1:
Verizon DSL => ISP Modem => 1721 Router Eth0 w/Public IP Subnet (71.109.92.114-118/255.255.255.0/71.109.92.1 Gateway) =>1721 Router FA0 w/Private 172.16.100.1 Address =>Pix 506E Outside 172.16.100.2 Address=>Pix 506E Inside 192.168.100.1 Address=>2950 Internal LAN
Site 2:
Verizon DSL => ISP Modem => 1721 Router Eth0 w/Public IP Subnet (152.196.200.26-30/255.255.255.0/152.196.200.1 Gateway) =>1721 Router FA0 w/Private 172.16.101.1 Address =>Pix 506E Outside 172.16.100.2 Address=>Pix 506E Inside 192.168.101.1 Address=>2950 Internal LAN
I've created a NAT rule on both 1721's to point a public 152.196.200.27 and 71.109.92.115 respectively. These are static and point to the Pix outside ip's 172.16.100.2 and 172.16.101.2.
Now I create a VPN tunnel following Cisco's docs:
Configuring a Simple PIX-to-PIX VPN Tunnel Using IPSec
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml
The tunnels never terminate. There are no errors, nothing.
Now this is currently in a lab with a Cross-Over between the 1721's, and I've got an 'ip route 0.0.0.0 0.0.0.0 Ethernet 0' rule. This allows me to bypass the production non-existent gateway addresses above, and makes the entire infrastructure able to communicate.
Is there something I am missing as far as NAT is concerned? Can I not establish a tunnel between two pix's that aren't on the border? Shouldn't I be able to create a persistent site-to-site tunnel that allows devices with the following ip's 192.168.100.0 255.255.255.0 and 192.168.101.0 255.255.255.0 to communicate seamlessly in this manner?
Given the above infrastructure, how would you config it?
ASKER
Here it is. There is a lot to look at. Remember lab environment so it's not fully locked down yet.
Lemme know what you think. I'll be traveling for the next few hours, I'll return to look at the post around 11PM.
Thanks for any insight.
Site 1 Pix Config:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname EMM506E
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit icmp any any echo-reply
access-list 101 permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 172.16.100.2 255.255.255.0
ip address inside 192.168.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 172.16.100.10-172.16.100.253 netmask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.100.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set nfff-tset esp-des esp-md5-hmac
crypto map nfff-map 1 ipsec-isakmp
crypto map nfff-map 1 match address 101
crypto map nfff-map 1 set peer 152.196.200.27
crypto map nfff-map 1 set transform-set nfff-tset
crypto map nfff-map interface outside
isakmp enable outside
isakmp key ******** address 152.196.200.27 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:b91cf359093fd8a840fd704903799f94
: end
Site 1 Shows:
CRF506E# show crypto isakmp ca
isakmp enable outside
isakmp key ******** address 71.109.92.115 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
CRF506E# show crypto ipsec sa
interface: outside
Crypto map tag: nfff2-map, local addr. 172.16.101.2
local ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
current_peer: 71.109.92.115:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.101.2, remote crypto endpt.: 70.109.95.115
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Site 1 Router Config:
EMM1721#show run
Building configuration...
Current configuration : 1280 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname EMM1721
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$AzKM$Hu2mnVux1w7JeS5IX7VUp/
!
aaa new-model
!
!
aaa authorization network hw-client-group local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
login delay 5
!
!
!
!
interface Ethernet0
ip address 71.109.92.114 255.255.255.0
ip nat outside
full-duplex
!
interface Ethernet1
ip address 192.168.200.1 255.255.255.0
half-duplex
!
interface FastEthernet0
ip address 172.16.100.1 255.255.255.0
ip nat inside
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
ip route 192.168.100.0 255.255.255.0 172.16.100.2
!
no ip http server
ip nat inside source static 172.16.100.2 71.109.92.115
!
!
control-plane
!
banner motd ^C
Any unauthorized use or access to this system will be prosecuted to the fullest extent of the law.
^C
!
line con 0
exec-timeout 3 0
password 7 070C7142400F1F034F4B4A
line aux 0
exec-timeout 3 0
password 7 045A1E1E01274A48514044
line vty 0 4
exec-timeout 3 0
password 7 1313030B050A022C737D69
!
end
Site 2 Pix Config:
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname CRF506E
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit icmp any any echo-reply
access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 172.16.101.2 255.255.255.0
ip address inside 192.168.101.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 172.16.101.3-172.16.101.253 netmask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.101.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.101.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set nfff2-tset esp-des esp-md5-hmac
crypto map nfff2-map 1 ipsec-isakmp
crypto map nfff2-map 1 match address 101
crypto map nfff2-map 1 set peer 71.109.92.115
crypto map nfff2-map 1 set transform-set nfff2-tset
crypto map nfff2-map interface outside
isakmp enable outside
isakmp key ******** address 71.109.92.115 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 192.168.101.2-192.168.101.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:898cd360fc2dc254438bacb18a935e98
: end
Site 2 Shows:
EMM506E# show crypto isakmp ca
isakmp enable outside
isakmp key ******** address 152.196.200.27 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
EMM506E# show crypto ipsec sa
interface: outside
Crypto map tag: nfff-map, local addr. 172.16.100.2
local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
current_peer: 152.196.200.27:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.100.2, remote crypto endpt.: 151.196.254.27
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Site 2 Router Config:
CRF1721#show run
Building configuration...
Current configuration : 1140 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname CRF1721
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$nZQ3$VgNs/No8vnXlL6UFr3e.e1
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
!
!
!
!
interface Ethernet0
ip address 152.196.200.26 255.255.255.0
ip nat outside
full-duplex
!
interface FastEthernet0
ip address 172.16.101.1 255.255.255.0
ip nat inside
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
ip route 192.168.101.0 255.255.255.0 172.16.101.2
!
no ip http server
ip nat inside source static 172.16.101.2 152.196.200.27
!
control-plane
!
banner motd ^C
Any unauthorized use or access to this system will be prosecuted to the fullest extent of the law.
^C
!
line con 0
exec-timeout 3 0
password 7 0205545505000927141748
login
line aux 0
exec-timeout 3 0
password 7 0207114305000927141748
login
line vty 0 4
exec-timeout 3 0
password 7 0210104205000927141748
login
!
end
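For a site-to-site tunnel through static NAT, each PIX must point its peer, its pre-shared key and its crypto ACL at the mirror image of what the other side configured, and the peer address must be exactly the public address the other 1721 translates to that PIX's outside interface. The following Python script is an added example, not code from this thread or from Cisco: it parses excerpts of the four configs posted above (constructed from those posts, with the pre-shared key left masked as it was posted) and reports every mirror property that does not hold. The parse functions and check names are my own.

```python
"""Cross-check two PIX 6.3 configs (plus the 1721 static NAT in front of each)
for the mirror-image properties a PIX-to-PIX tunnel through NAT depends on."""
import re

# Constructed excerpts of the crypto-relevant lines from the configs posted above.
SITE1_PIX = """\
access-list 101 permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
ip address outside 172.16.100.2 255.255.255.0
nat (inside) 0 access-list 101
crypto ipsec transform-set nfff-tset esp-des esp-md5-hmac
crypto map nfff-map 1 match address 101
crypto map nfff-map 1 set peer 152.196.200.27
crypto map nfff-map 1 set transform-set nfff-tset
isakmp key ******** address 152.196.200.27 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
"""
SITE1_ROUTER = "ip nat inside source static 172.16.100.2 71.109.92.115\n"
SITE2_PIX = """\
access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.100.0 255.255.255.0
ip address outside 172.16.101.2 255.255.255.0
nat (inside) 0 access-list 101
crypto ipsec transform-set nfff2-tset esp-des esp-md5-hmac
crypto map nfff2-map 1 match address 101
crypto map nfff2-map 1 set peer 71.109.92.115
crypto map nfff2-map 1 set transform-set nfff2-tset
isakmp key ******** address 71.109.92.115 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
"""
SITE2_ROUTER = "ip nat inside source static 172.16.101.2 152.196.200.27\n"


def parse_pix(text):
    """Extract the handful of PIX 6.3 lines that define one crypto-map entry."""
    cfg = {"acls": {}, "outside": None, "nat0_acl": None, "tset": {},
           "map_acl": None, "peer": None, "map_tset": None, "key_addr": None, "policy": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            cfg["acls"].setdefault(m[1], []).append((m[2], m[3], m[4], m[5]))
        elif m := re.match(r"ip address outside (\S+)", line):
            cfg["outside"] = m[1]
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            cfg["nat0_acl"] = m[1]
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["tset"][m[1]] = m[2].split()
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            cfg["map_acl"] = m[1]
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", line):
            cfg["peer"] = m[1]
        elif m := re.match(r"crypto map \S+ \d+ set transform-set (\S+)", line):
            cfg["map_tset"] = m[1]
        elif m := re.match(r"isakmp key \S+ address (\S+)", line):
            cfg["key_addr"] = m[1]
        elif m := re.match(r"isakmp policy \d+ (\w+) (\S+)", line):
            cfg["policy"][m[1]] = m[2]
    return cfg


def parse_static_nat(text):
    """Map inside-local -> inside-global for every IOS static NAT line."""
    return dict(re.findall(r"ip nat inside source static (\S+) (\S+)", text))


def check_mirror(pix_a, router_a, pix_b, router_b):
    """Return [(check, ok, detail)]; all must be ok for both sides to describe one tunnel."""
    a, b = parse_pix(pix_a), parse_pix(pix_b)
    nat_a, nat_b = parse_static_nat(router_a), parse_static_nat(router_b)
    acl_a = a["acls"].get(a["map_acl"], [])
    acl_b = b["acls"].get(b["map_acl"], [])
    # The far side's crypto ACL must be ours with source and destination swapped.
    swapped = sorted((d, dm, s, sm) for s, sm, d, dm in acl_a)
    return [
        ("A peer matches NAT of B outside", a["peer"] == nat_b.get(b["outside"]),
         f"{a['peer']} vs {nat_b.get(b['outside'])}"),
        ("B peer matches NAT of A outside", b["peer"] == nat_a.get(a["outside"]),
         f"{b['peer']} vs {nat_a.get(a['outside'])}"),
        ("A isakmp key bound to A peer", a["key_addr"] == a["peer"], str(a["key_addr"])),
        ("B isakmp key bound to B peer", b["key_addr"] == b["peer"], str(b["key_addr"])),
        ("crypto ACLs mirror each other", swapped == sorted(acl_b), f"{acl_a} / {acl_b}"),
        ("A nat 0 exempts crypto ACL", a["nat0_acl"] == a["map_acl"], str(a["nat0_acl"])),
        ("B nat 0 exempts crypto ACL", b["nat0_acl"] == b["map_acl"], str(b["nat0_acl"])),
        ("transform sets match",
         a["tset"].get(a["map_tset"]) == b["tset"].get(b["map_tset"]),
         f"{a['tset'].get(a['map_tset'])} / {b['tset'].get(b['map_tset'])}"),
        ("isakmp policies match", a["policy"] == b["policy"], f"{a['policy']} / {b['policy']}"),
    ]


def failures(*args):
    """Names of the checks that did not hold."""
    return [name for name, ok, _ in check_mirror(*args) if not ok]


if __name__ == "__main__":
    for name, ok, detail in check_mirror(SITE1_PIX, SITE1_ROUTER, SITE2_PIX, SITE2_ROUTER):
        print(f"[{'ok' if ok else 'FAIL'}] {name}: {detail}")
```

On the posted excerpts every check passes: the two crypto maps agree with each other, the pre-shared key is bound to the same address the map peers with, and nat 0 exempts the tunnel traffic from the PAT pool. That leaves the path between the routers (default routing and the static NAT) as the remaining suspects, which is where the replies in this thread look.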
debug crypto isakmp
debug crypto ipsec
debug crypto engine
Post the results of this.
Also let's ask the obvious question. Are you sending some traffic across which would match the "interesting" rule of access-list 101?
show access-list to ensure the ACL is actually taking a hit in order to bring the VPN up
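The reply above separates two failure modes that look identical from the `show crypto ipsec sa` output posted (no SPIs, every counter zero): either nothing ever matched the crypto ACL, so IKE was never triggered, or traffic matched and negotiation failed, which is when the isakmp debugs become useful. The following Python script is an added example, not code from this thread or from Cisco: it parses `show crypto ipsec sa` and `show access-list` output from PIX 6.3 and classifies the tunnel state. The samples are constructed: the down case is the posted site 2 output, while the up case and the hitcnt lines follow the PIX 6.3 output format with made-up SPI values and counters.

```python
"""Diagnose a PIX 6.3 site-to-site tunnel from 'show crypto ipsec sa' and
'show access-list': did interesting traffic hit the crypto ACL at all, and
were any SAs actually negotiated?"""
import re

# Constructed sample: the 'show crypto ipsec sa' posted above for a tunnel that
# never came up (no SPIs, all counters zero).
SA_DOWN = """\
interface: outside
    Crypto map tag: nfff-map, local addr. 172.16.100.2
   local  ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
   current_peer: 152.196.200.27:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
     current outbound spi: 0
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
"""
# Constructed sample of the same command once phase 2 has completed (SPIs and
# counters are made up, the layout follows PIX 6.3).
SA_UP = """\
interface: outside
    Crypto map tag: nfff-map, local addr. 172.16.100.2
   current_peer: 152.196.200.27:0
    #pkts encaps: 57, #pkts encrypt: 57, #pkts digest 57
    #pkts decaps: 42, #pkts decrypt: 42, #pkts verify 42
     current outbound spi: 9e8f7d6c
     inbound esp sas:
      spi: 0x1a2b3c4d(439041101)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x9e8f7d6c(2660203884)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
     outbound ah sas:
     outbound pcp sas:
"""
# Constructed 'show access-list' output; PIX 6.3 prints a hitcnt per ACL line.
ACL_NO_HITS = """\
access-list 101; 1 elements
access-list 101 line 1 permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0 (hitcnt=0)
"""
ACL_HITS = ACL_NO_HITS.replace("hitcnt=0", "hitcnt=17")


def parse_ipsec_sa(text):
    """Pull peer, packet counters and the SPIs under each 'sas:' header."""
    sa = {"peer": None, "encaps": 0, "decaps": 0, "outbound_spi": 0, "sas": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"current_peer: (\S+):\d+", line):
            sa["peer"] = m[1]
        elif m := re.match(r"#pkts encaps: (\d+)", line):
            sa["encaps"] = int(m[1])
        elif m := re.match(r"#pkts decaps: (\d+)", line):
            sa["decaps"] = int(m[1])
        elif m := re.match(r"current outbound spi: (\w+)", line):
            sa["outbound_spi"] = int(m[1], 16)
        elif m := re.match(r"((?:in|out)bound (?:esp|ah|pcp)) sas:", line):
            section = m[1]
            sa["sas"][section] = []
        elif section and (m := re.match(r"spi: (0x[0-9a-fA-F]+)", line)):
            sa["sas"][section].append(m[1])
    return sa


def parse_acl_hits(text):
    """Sum hitcnt per ACL name from 'show access-list'."""
    hits = {}
    for m in re.finditer(r"access-list (\S+) line \d+ .*\(hitcnt=(\d+)\)", text):
        hits[m[1]] = hits.get(m[1], 0) + int(m[2])
    return hits


def diagnose(sa_text, acl_text, crypto_acl):
    """Classify the tunnel: up, up without return traffic, never triggered, or failed."""
    sa = parse_ipsec_sa(sa_text)
    hits = parse_acl_hits(acl_text).get(crypto_acl, 0)
    up = bool(sa["sas"].get("inbound esp")) and bool(sa["sas"].get("outbound esp"))
    if up:
        # SAs exist; zero decaps means the far side's packets never arrive (return path / NAT).
        state = "up" if sa["decaps"] > 0 else "up-no-return-traffic"
    elif hits == 0:
        state = "no-interesting-traffic"   # nothing matched the crypto ACL, IKE was never started
    else:
        state = "negotiation-failed"       # ACL hit but no SA built: time for debug crypto isakmp
    return {"state": state, "peer": sa["peer"], "acl_hits": hits,
            "encaps": sa["encaps"], "decaps": sa["decaps"]}


if __name__ == "__main__":
    print(diagnose(SA_DOWN, ACL_NO_HITS, "101"))
    print(diagnose(SA_UP, ACL_HITS, "101"))
```

Run against the posted output together with a `show access-list` showing `hitcnt=0` on line 1 of ACL 101, the verdict is `no-interesting-traffic`; the same SA output with a non-zero hitcnt gives `negotiation-failed`, which is the case the debug commands above are meant for.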
SITE X router:
>interface Ethernet0
ip address 152.196.200.26 255.255.255.0
ip nat outside
!
interface FastEthernet0
ip address 172.16.101.1 255.255.255.0
ip nat inside
Question for you:
Both 1721 routers appear to have an Ethernet feed as your WAN/ISP link.
What is the purpose of the router if your Internet feed is Ethernet anyway? Why not simply connect the PIX outside to the feed and assign the 152.196.xx.x number directly to the PIX outside interface and be done with it?
>ip route 0.0.0.0 0.0.0.0 Ethernet0
This is part of the problem. You cannot set a broadcast interface as your default gateway. It must be the next hop's IP address...
no ip route 0.0.0.0 0.0.0.0 Ethernet0
ip route 0.0.0.0 0.0.0.0 152.196.xx.xx
ASKER
OK! So what I went with was the PIX to PIX setup avoiding the router on the edge.
I shelved the remote site 1721 for now, and put the 1721 in the primary site behind the pix to do internal routing between the internal lan and the board room DMZ. All is good.
Irmoore - I went with a 3des/sha tunnel (had the 506E). I might have gone the route of AES if we weren't restricted on the upstream bandwidth.
Thanks for your help guys, I am going to split the points here.
show crypto isakmp ca
show crypto ipsec sa
David