Solved

Cisco IOS to PIX/ASA MultiPeer Config

Posted on 2006-11-07
Last Modified: 2008-01-09
Dear sirs, I need your help.

We have a Cisco PIX515E at the central site serving VPNs to spoke Cisco 871 routers. Config extracts follow.

We've dual homed the PIX using route tracking, making the secondary ISP just a hot standby path, and want to cause the 871s to automatically switch. The Cisco IOS docs suggest that multiple ipsec peer statements will do the trick, but I must not be configuring it correctly. When I force a switch to our secondary ISP, the 871s appear to keep banging away at our primary address and not trying to use the secondary peer path.

Our releases are PIX/ASA: 7.2(1-24) and IOS 12.4(9)T AdvIPServ.

****************************** The 871 config **********************************
!! Cisco 871, config for Spoke network, with:
!
! dhcp assigned outside address
! outbound pat, ntp,
! basic firewalling
! static vpn to PIX515 with manual selection Widomaker/Cox
! qos based on rfc2597/2598 differentiated services
! dhcp server with hosts below 100 excluded
!
version 12.4
!...
crypto isakmp key SharedSecret address w.w.w.w
crypto isakmp key SharedSecret address c.c.c.c
crypto isakmp keepalive 10 2 periodic
!...
!
crypto map hqvpn 11 ipsec-isakmp
 set security-association idletime 120
 set peer w.w.w.w preferred
 set peer c.c.c.c
 set transform-set ...
 match address 120
 qos pre-classify
!
! use f0-f4 as 4 port switch for vlan1 i/f
!
interface FastEthernet0
 no ip address
!...
interface FastEthernet4
 description Outside
 ip address dhcp client-id FastEthernet4
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map hqvpn
 service-policy output cbwfq_policy
!
interface Vlan1
 description Inside
 ip address 192.168.3.1 255.255.255.0
 ip nbar protocol-discovery
 ip nat inside
 ip inspect firewall in
 ip virtual-reassembly
 ip tcp adjust-mss 1452
! service-policy output cbwfq_policy
!
ip classless
!
ip nat inside source list 121 interface FastEthernet4 overload
!
access-list 101 remark inbound
!...
access-list 120 remark select vpn traffic
access-list 120 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.15.255
!
access-list 121 remark nat all but vpn traffic
access-list 121 deny ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.15.255
access-list 121 permit ip 192.168.3.0 0.0.0.255 any
!
end

****************************** The PIX515E config ******************************
PIX Version 7.2(1)24
!...
! Widomaker w.w.w.w our assigned address
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address w.w.w.w m.m.m.m
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!...
! Cox Cable c.c.c.c our assigned address
interface Ethernet3
 speed 100
 duplex full
 nameif backup
 security-level 0
 ip address c.c.c.c m.m.m.m
!...
!
nat-control
!
global (outside) 10 interface
global (backup) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0
!
access-group outside_access_in in interface outside
access-group backup_access_in in interface backup
!
route outside 0.0.0.0 0.0.0.0 w.w.w.gateway 1 track 1
route backup 0.0.0.0 0.0.0.0 c.c.c.gateway 244
!
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 5
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 client-firewall none
 client-access-rule none
!...
!
! winside is an address inside Widomaker (our primary ISP)
sla monitor 123
 type echo protocol ipIcmpEcho w.w.w.winside interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
!
crypto ipsec transform-set fast ...
crypto dynamic-map dynmap 20 set transform-set fast
crypto map mymap 20 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto map mymap interface backup
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 10
 authentication pre-share
 encryption ...
 hash ...
 group .
 lifetime none
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto isakmp nat-traversal 60
!
track 1 rtr 123 reachability
!
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key SharedSecret
!
!...
telnet 192.168.0.0 255.255.240.0 inside
telnet timeout 5
ssh timeout 5
ssh version 1
console timeout 0
management-access inside
priority-queue outside
priority-queue inside
!
class-map voip
 match dscp ef
class-map rtp2
 match rtp 51000 256
class-map rtp1
 match rtp 28000 256
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
policy-map qos
 class voip
  priority
 class rtp2
  priority
 class rtp1
  priority
 class class-default
!
service-policy global_policy global
!
end
Question by: GLGARRISON
6 Comments

Accepted Solution by: Joseph Hornsey (earned 500 total points)
I'd try configuring your Dead Peer Detection differently.

Try this (on the 871's):

Change the preferred peer to "set peer w.w.w.w default".
Change the keep-alives to "crypto isakmp keepalive 10 on-demand" (You may not have to specify the number of seconds if it's on-demand vs. periodic... I can't remember off the top of my head)
Change the SA idletime to "set security-association idletime 120 default"


Let me know if that works.

<-=+=->
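A small check for the three settings the accepted answer changes on the 871, added here as an example and not part of the thread; the two sample configs are constructed from the posted extract with the question's placeholder peer addresses.

```python
import re
from typing import Dict, List

# Constructed sample: the relevant lines of the posted 871 config, with the
# question's placeholder peer addresses (w.w.w.w primary, c.c.c.c backup).
SPOKE_AS_POSTED = """\
crypto isakmp keepalive 10 2 periodic
!
crypto map hqvpn 11 ipsec-isakmp
 set security-association idletime 120
 set peer w.w.w.w preferred
 set peer c.c.c.c
 match address 120
"""

# The same lines after applying the accepted answer's three changes.
SPOKE_AS_FIXED = """\
crypto isakmp keepalive 10 on-demand
!
crypto map hqvpn 11 ipsec-isakmp
 set security-association idletime 120 default
 set peer w.w.w.w default
 set peer c.c.c.c
 match address 120
"""

def crypto_map_stanzas(config: str) -> Dict[str, List[str]]:
    """Group the indented lines under each 'crypto map <name> <seq> ipsec-isakmp' header."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # any non-indented line ends the stanza
    return stanzas

def failover_findings(config: str) -> List[str]:
    """Flag the settings that keep a multi-peer crypto map stuck on the primary peer."""
    findings = []
    if re.search(r"^crypto isakmp keepalive .*\bperiodic$", config, re.M):
        findings.append("keepalive: periodic DPD; answer uses 'crypto isakmp keepalive 10 on-demand'")
    for name, lines in crypto_map_stanzas(config).items():
        peers = [l for l in lines if l.startswith("set peer ")]
        if len(peers) < 2:
            continue  # a single peer has nothing to fail over to; skip
        if any(l.endswith(" preferred") for l in peers):
            findings.append(f"{name}: 'set peer ... preferred' should be 'set peer ... default'")
        idle = [l for l in lines if l.startswith("set security-association idletime")]
        if idle and not idle[0].endswith(" default"):
            findings.append(f"{name}: idletime lacks 'default' (the answer adds it)")
    return findings
```

Run `failover_findings()` over a spoke's running config before a maintenance window; an empty list means all three settings already match the accepted answer.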
Author Comment by: GLGARRISON
Thanks, SplinterCell5894.

Great catch on the preferred peer syntax. I agree, something's keeping dpd from doing its job (probably me).

I'll try and report back. It's the production system (wish I had some spare hardware to test with) so it'll take a maintenance interval to change and test.

Best regards,
Gary
Expert Comment by: Joseph Hornsey
Nah.  Just do it anyway and then tell them your phone company dropped a line (or there were sun spots which caused interference with communications satellites or something else that sounds really technical).  :)

<-=+=->
Author Comment by: GLGARRISON
:-) Woohoo, it works! Way to go eagle eye SplinterCell5894!

Oh yeah, today was a really bad day for sunspots... good thing they didn't last long!

It's ok to accept a comment as an answer, isn't it? Or is there another protocol.
Darned, and I thought it was going to be a hard one. Had me stumped!
Expert Comment by: Joseph Hornsey
Nope.... I think you actually have to select an answer to accept.  Then you give it a grade.

If you look on the right side of the screen next to the correct posted answer, you'll see a button that says "Accept".

Then, you give a grade A, B or C.  The grade you give determines the amount of points awarded.

Glad that worked for you!!!

<-=+=->

Expert Comment by: Joseph Hornsey
By the way...

Here's a great web site for you:  http://meyerweb.com/feeds/excuse/

You can actually subscribe to an RSS feed which gives you the Excuse of the Day.  Here are the last few:

sunspots
failure of the AE-35 unit
neutrino interactions
solar flares
the lack of an American work ethic
tsunamis in the wave-division multiplexer
a squirrel chewed through the cables
an incorrectly polarized packet accelerator
nobody forwarded that memo
line noise from rats in the wall
La Nina

I like La Nina, solar flares and the incorrectly polarized packet accelerator. :)

<-=+=->
