troubleshooting Question

Pix 501 vpn errors - debug information attached

Avatar of wilsonkjit
wilsonkjit asked on
Software FirewallsCisco
2 Comments1 Solution421 ViewsLast Modified:
hi ive been thrown in the deep end regarding a cisco pix firewall.
im the remote office in sydney wan 1.1.1.1/30, lan 172.16.61.0/24
hk the head office at wan 2.2.2.2, lans 10.1.6.0/24, 10.1.7.0/24, 10.1.10.0/24

desired traffic default out for lan users on 172.16.61.0/24
unrestricted traffic between lans at end end of tunnels.

here is the running config and debug information. my running config is based on another remote office that "aparently" connects fine.. so head office are convinced errors are at my end. can you pls cast an expert eye on the output and let me know if im making any school-boy errors.
thanks so much.
Wilson, Sydney, Australia.
pixfirewall# show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password cJZDG.8O/WUQTcjm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.1.6.0 Lan2_Hongkong
name 10.1.7.0 Lan3_Hongkong
name 10.1.10.0 Lan1_Hongkong
access-list inside_access_in permit udp any any
access-list inside_access_in permit tcp any any
access-list inside_access_in permit ip any any
access-list inside_outbound_nat0_acl permit ip 172.16.61.0 255.255.255.0 Lan1_Ho
ngkong 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.16.61.0 255.255.255.0 Lan2_Ho
ngkong 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.16.61.0 255.255.255.0 Lan3_Ho
ngkong 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.16.61.0 255.255.255.0 Lan1_Hongko
ng 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.16.61.0 255.255.255.0 Lan2_Hongko
ng 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.16.61.0 255.255.255.0 Lan3_Hongko
ng 255.255.255.0
access-list outside_access_in permit tcp any interface outside
pager lines 24
logging console debugging
logging monitor warnings
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 1.1.1.1 255.255.255.252
ip address inside 172.16.61.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Lan2_Hongkong 255.255.255.0 outside
pdm location Lan3_Hongkong 255.255.255.0 outside
pdm location Lan1_Hongkong 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 61.29.61.105 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.61.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 2.2.2.2
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255 no-xauth no-c
onfig-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 172.16.61.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 172.16.61.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 172.16.61.254-172.16.61.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80

Cryptochecksum:fd8ff444632790f40e5aaccc045cb784
: end


pixfirewall# show crypto map

Crypto Map: "outside_map" interfaces: { outside }

Crypto Map "outside_map" 20 ipsec-isakmp
        Peer = 2.2.2.2
        access-list outside_cryptomap_20; 3 elements
        access-list outside_cryptomap_20 line 1 permit ip 172.16.61.0 255.255.25
5.0 Lan1_Hongkong 255.255.255.0 (hitcnt=472)
        access-list outside_cryptomap_20 line 2 permit ip 172.16.61.0 255.255.25
5.0 Lan2_Hongkong 255.255.255.0 (hitcnt=474)
        access-list outside_cryptomap_20 line 3 permit ip 172.16.61.0 255.255.25
5.0 Lan3_Hongkong 255.255.255.0 (hitcnt=723)
        Current peer: 2.2.2.2
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): N
        Transform sets={ ESP-3DES-MD5, }

Crypto Map "outside_map" 65535 ipsec-isakmp
        Dynamic map template tag: outside_dyn_map
pixfirewall# show iskmp
Type help or '?' for a list of available commands.
pixfirewall# show iskmp policy
Type help or '?' for a list of available commands.
pixfirewall# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
            alert-interval 300
access-list inside_access_in; 3 elements
access-list inside_access_in line 1 permit udp any any (hitcnt=104)
access-list inside_access_in line 2 permit tcp any any (hitcnt=123)
access-list inside_access_in line 3 permit ip any any (hitcnt=1678)
access-list inside_outbound_nat0_acl; 3 elements
access-list inside_outbound_nat0_acl line 1 permit ip 172.16.61.0 255.255.255.0
Lan1_Hongkong 255.255.255.0 (hitcnt=472)
access-list inside_outbound_nat0_acl line 2 permit ip 172.16.61.0 255.255.255.0
Lan2_Hongkong 255.255.255.0 (hitcnt=482)
access-list inside_outbound_nat0_acl line 3 permit ip 172.16.61.0 255.255.255.0
Lan3_Hongkong 255.255.255.0 (hitcnt=704)
access-list outside_cryptomap_20; 3 elements
access-list outside_cryptomap_20 line 1 permit ip 172.16.61.0 255.255.255.0 Lan1
_Hongkong 255.255.255.0 (hitcnt=476)
access-list outside_cryptomap_20 line 2 permit ip 172.16.61.0 255.255.255.0 Lan2
_Hongkong 255.255.255.0 (hitcnt=482)
access-list outside_cryptomap_20 line 3 permit ip 172.16.61.0 255.255.255.0 Lan3
_Hongkong 255.255.255.0 (hitcnt=729)
access-list outside_access_in; 1 elements
access-list outside_access_in line 1 permit tcp any interface outside (hitcnt=0)


pixfirewall# show crypto ipsec transform-set

Transform set ESP-3DES-MD5: { esp-3des esp-md5-hmac  }
   will negotiate = { Tunnel,  },

pixfirewall# show crypto map

Crypto Map: "outside_map" interfaces: { outside }

Crypto Map "outside_map" 20 ipsec-isakmp
        Peer = 2.2.2.2
        access-list outside_cryptomap_20; 3 elements
        access-list outside_cryptomap_20 line 1 permit ip 172.16.61.0 255.255.25
5.0 Lan1_Hongkong 255.255.255.0 (hitcnt=479)
        access-list outside_cryptomap_20 line 2 permit ip 172.16.61.0 255.255.25
5.0 Lan2_Hongkong 255.255.255.0 (hitcnt=482)
        access-list outside_cryptomap_20 line 3 permit ip 172.16.61.0 255.255.25
5.0 Lan3_Hongkong 255.255.255.0 (hitcnt=731)
        Current peer: 2.2.2.2
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): N
        Transform sets={ ESP-3DES-MD5, }

Crypto Map "outside_map" 65535 ipsec-isakmp
        Dynamic map template tag: outside_dyn_map
pixfirewall# debug crypto ipsec
pixfirewall# IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 1.1.1.1, remote= 2.2.2.2,
    local_proxy= 172.16.61.0/255.255.255.0/0/0 (type=4),
    remote_proxy= Lan2_Hongkong/255.255.255.0/0/0 (type=4)
IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 1.1.1.1, remote= 2.2.2.2,
    local_proxy= 172.16.61.0/255.255.255.0/0/0 (type=4),
    remote_proxy= Lan1_Hongkong/255.255.255.0/0/0 (type=4)
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 1.1.1.1, remote= 2.2.2.2,
    local_proxy= 172.16.61.0/255.255.255.0/0/0 (type=4),
    remote_proxy= Lan3_Hongkong/255.255.255.0/0/0 (type=4)
undebug all
pixfirewall# debug crypto isakmp
pixfirewall#
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:2.2.2.2, dest:1.1.1.1 spt:500 dpt:50
0
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:2.2.2.2, dest:1.1.1.1 spt:500 dpt:50
0
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): ID payload
        next-payload : 8
        type         : 2
        protocol     : 17
        port         : 500
        length       : 28
ISAKMP (0): Total payload length: 32
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:2.2.2.2, dest:1.1.1.1 spt:500 dpt:50
0
ISAKMP: error, msg not encrypted
undebug all
pixfirewall#

ASKER CERTIFIED SOLUTION
Les Moore
Systems Architect
Join our community to see this answer!
Unlock 1 Answer and 2 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 2 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros