Solved

Pix 515e Site to site VPN

Posted on 2006-11-29
2,964 Views
Last Modified: 2013-11-16
Hi,

Sorry to do this, but I've just had two Cisco PIX 515e's dropped on my desk, which I have to get set up by the end of the week.

I have very limited Cisco experience, and no one to ask!

In basic terms, I have two buildings with a WiMax link running between them. I have put the PIX in line and run the setup and the VPN site-to-site wizard on both as described on Cisco's TAC website. No joy, can't establish a VPN at all; been through all the configs and can't see anything obvious. Running latest IOS and PDM on both.

This is really cheeky, but could someone post a working basic site-to-site VPN between these two boxes which I could use? I need to enable SIP, http, https and tftp across the VPN.

If anyone could help I would be very grateful.

Thanks

Jon
Question by:JonBarnard
9 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 18040043
Biggest "gotcha" in setting up a VPN across a bridge, private line, or in a lab setting -
forgot to set the default route . . .
Since this VPN tunnel is simply providing the encryption across a WiMAX bridge (good choice), I'm going to assume that you are assigning private IPs on each one's outside interface.
Just add a static default on each one that points to the other's outside IP.
Example:
Site A
ip address outside 192.168.255.1 255.255.255.0
ip address inside 10.10.100.1 255.255.255.0
route outside 10.10.200.0 255.255.255.0 192.168.255.2 1

Site B
ip address outside 192.168.255.2 255.255.255.0
ip address inside 10.10.200.1 255.255.255.0
route outside 10.10.100.0 255.255.255.0 192.168.255.1 1

> Running latest IOS and PDM on both.
Can you be more specific? "show ver" will tell you.
The latest OS for the 515e is 7.21 and does not use PDM; rather, it uses ASDM.
The latest OS that does use PDM is 6.3(5).

Don't know if you've seen this config example, but it is pretty easy to follow:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/sit2site.htm
LVL 79

Expert Comment

by:lrmoore
ID: 18040048
Also, if you want to post up your existing configs, put them on htt://www.ee-stuff.com and reference this question #.

If you can include output from 'show cry is sa' and 'show cry ip sa', that would be helpful, too.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18040079
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18040088
Sorry LR, didn't hit the refresh.
Author Comment

by:JonBarnard
ID: 18047856
Hi,

Sort of working; however, for some reason only some things seem to be going over the VPN. When I try from Site A to connect to Http://172.20.130.3 it tries to go a normal route, not via the VPN, and the PIX blocks it in the ACL rules!

Grateful for any suggestions or ideas!! Also TFTP does the same thing; I had to add an ACL to allow it for now!

Config A

: Saved
:
PIX Version 7.2(2)
!
hostname pixlocal
domain-name default.domain.invalid
enable password  encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.19.129.1 255.255.0.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.18.128.2 255.255.0.0
!
passwd  encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_20_cryptomap extended permit ip 172.18.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list outside_cryptomap_1 extended permit tcp 172.18.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list outside_cryptomap_2 extended permit udp 172.18.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list outside_cryptomap_3 extended permit icmp 172.18.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list outside_access_in extended permit udp host 172.19.129.4 host 172.18.128.240
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/pdm
no asdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 172.20.0.0 255.255.0.0 172.19.129.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.18.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 172.19.129.4
crypto map outside_map 1 set transform-set ESP-AES-256-MD5
crypto map outside_map 1 set reverse-route
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 172.19.129.4
crypto map outside_map 2 set transform-set ESP-AES-256-MD5
crypto map outside_map 2 set reverse-route
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set peer 172.19.129.4
crypto map outside_map 3 set transform-set ESP-AES-256-MD5
crypto map outside_map 3 set reverse-route
crypto map outside_map 4 set peer 172.19.129.4
crypto map outside_map 4 set transform-set ESP-AES-256-MD5
crypto map outside_map 4 set reverse-route
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 172.19.129.4
crypto map outside_map 20 set transform-set ESP-AES-256-MD5
crypto map outside_map 20 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 172.19.129.4 type ipsec-l2l
tunnel-group 172.19.129.4 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 172.18.128.3-172.18.129.2 inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
!
service-policy global_policy global
tftp-server inside 172.18.128.240 pixlocal
prompt hostname context
Cryptochecksum:612ee2a03c76d5a8cc7e4ae1104bac90
: end
asdm image flash:/pdm
no asdm history enable

Config B


: Saved
:
PIX Version 7.2(2)
!
hostname pixremote
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.19.129.4 255.255.0.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.20.130.2 255.255.0.0
!
passwd  encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_20_cryptomap extended permit ip 172.20.0.0 255.255.0.0 172.18.0.0 255.255.0.0
access-list outside_cryptomap_1 extended permit tcp 172.20.0.0 255.255.0.0 172.18.0.0 255.255.0.0
access-list outside_cryptomap_2 extended permit udp 172.20.0.0 255.255.0.0 172.18.0.0 255.255.0.0
access-list outside_cryptomap_3 extended permit icmp 172.20.0.0 255.255.0.0 172.18.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
monitor-interface outside
monitor-interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/pdm
no asdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0
route outside 172.18.0.0 255.255.0.0 172.19.129.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.20.0.0 255.255.0.0 inside
http 172.18.128.240 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 172.19.129.1
crypto map outside_map 1 set transform-set ESP-AES-256-MD5
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 172.19.129.1
crypto map outside_map 2 set transform-set ESP-AES-256-MD5
crypto map outside_map 2 set reverse-route
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set peer 172.19.129.1
crypto map outside_map 3 set transform-set ESP-AES-256-MD5
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 172.19.129.1
crypto map outside_map 20 set transform-set ESP-AES-256-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 5
 lifetime 86400
tunnel-group 172.19.129.1 type ipsec-l2l
tunnel-group 172.19.129.1 ipsec-attributes
 pre-shared-key *
telnet 172.20.130.240 255.255.255.255 inside
telnet 172.18.128.240 255.255.255.255 inside
telnet timeout 10
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 172.20.130.3-172.20.131.2 inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
!
service-policy global_policy global
tftp-server inside 172.18.128.240 pixremote
prompt hostname context
: end
asdm image flash:/pdm
no asdm history enable


LVL 79

Expert Comment

by:lrmoore
ID: 18049495
Simplify the following, and mirror it on the other end...

Keep this:
>access-list outside_20_cryptomap extended permit ip 172.20.0.0 255.255.0.0 172.18.0.0 255.255.0.0
>crypto map outside_map 20 match address outside_20_cryptomap
>crypto map outside_map 20 set pfs
>crypto map outside_map 20 set peer 172.19.129.1
>crypto map outside_map 20 set transform-set ESP-AES-256-MD5


Now, remove all the other extra crypto map entries:
no crypto map outside_map 1
no crypto map outside_map 2
no crypto map outside_map 3

Re-apply the crypto map to the interface:
crypto map outside_map interface outside

Now, add this:
access-list no_nat permit ip 172.20.0.0 255.255.0.0 172.18.0.0 255.255.0.0
nat (inside) 0 access-list no_nat

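An added check, written for this thread rather than taken from lrmoore's post or from Cisco, that parses the parts of a PIX 7.x config the advice above turns on (the crypto ACLs, the crypto map entries and the nat (inside) 0 exemption) and flags a map entry with no 'match address', a crypto ACL the peer does not mirror, and interesting traffic not covered by the NAT exemption. The two inputs are constructed excerpts of the posted configs: site A as first posted (stray map entry 4, no exemption ACL) and site B after the simplification.

```python
import re

# Constructed excerpts of the two configs posted in this thread (not full configs).
SITE_A = """\
access-list outside_20_cryptomap extended permit ip 172.18.0.0 255.255.0.0 172.20.0.0 255.255.0.0
nat (inside) 0 0.0.0.0 0.0.0.0
crypto map outside_map 4 set peer 172.19.129.4
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 172.19.129.4
"""
SITE_B = """\
access-list outside_20_cryptomap extended permit ip 172.20.0.0 255.255.0.0 172.18.0.0 255.255.0.0
access-list no_nat permit ip 172.20.0.0 255.255.0.0 172.18.0.0 255.255.0.0
nat (inside) 0 access-list no_nat
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 172.19.129.1
"""

ACL = re.compile(r"access-list (\S+) (?:extended )?permit ip (\S+ \S+) (\S+ \S+)")
CMAP = re.compile(r"crypto map \S+ (\d+) (match address|set peer) (\S+)")
NAT0 = re.compile(r"nat \(inside\) 0 access-list (\S+)")

def parse_pix(cfg):
    """Collect the ACLs, crypto map entries and NAT-exemption ACL a tunnel depends on."""
    out = {"acls": {}, "maps": {}, "nat0": None}
    for line in (l.strip() for l in cfg.splitlines()):
        if m := ACL.match(line):
            out["acls"].setdefault(m[1], []).append((m[2], m[3]))  # (source, destination)
        elif m := CMAP.match(line):
            out["maps"].setdefault(m[1], {})["peer" if m[2] == "set peer" else "match"] = m[3]
        elif m := NAT0.match(line):
            out["nat0"] = m[1]
    return out

def audit(a, b):
    """Findings for endpoint a judged against its peer b (hypothetical checker, not a Cisco tool)."""
    issues = []
    # flows the peer encrypts, with source and destination swapped to our point of view
    theirs = {(d, s) for e in b["maps"].values() if "match" in e
              for s, d in b["acls"].get(e["match"], [])}
    exempt = set(a["acls"].get(a["nat0"], []))
    for seq, ent in sorted(a["maps"].items(), key=lambda kv: int(kv[0])):
        if "match" not in ent:
            issues.append(f"crypto map {seq}: no 'match address', entry never selects traffic")
            continue
        mine = a["acls"].get(ent["match"], [])
        for flow in mine:
            if flow not in theirs:
                issues.append(f"crypto map {seq}: flow {flow} has no mirror-image ACL on the peer")
        if set(mine) - exempt:
            issues.append(f"crypto map {seq}: interesting traffic not covered by nat (inside) 0 access-list")
    return issues
```

Run `audit(parse_pix(SITE_A), parse_pix(SITE_B))` for site A's findings and swap the arguments for site B's.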
Author Comment

by:JonBarnard
ID: 18051923
Thank you so very much, talk about saving my bacon!! I don't understand though, why, when you run the wizard, does it not create the access rules? It's kinda like doing half a job??

Don't think I'll ever understand Cisco kit. Don't get me wrong, it's great kit and works brilliantly once it's up and running; I just always seem to have to fight to get it there!! Ah well, more practice I guess!

Thanks again!

Jon
Author Comment

by:JonBarnard
ID: 18059189
The only outstanding issue I have now is that everything works (remote login to the far-side PIX, all the SIP clients are working great), but..... the remote PIX at site B I have configured so its TFTP server is on side A, which was working but has now stopped; not sure what changed, can't seem to find it! It looks like it's being blocked by the ACL on side A; it appears in the log as "No translation route for blah blah". I've added, just for now, an allow-all for incoming UDP from the outside IP address of the remote PIX, but it still throws a fit.

Is this possible? I've been told elsewhere that you can't configure a PIX to pass TFTP traffic through its outside port, which I think sounds a bit strange. Any ideas gratefully received!

LVL 79

Expert Comment

by:lrmoore
ID: 18059428
TFTP works fine through the VPN, depending on what you're using it for.
If you're using it for maintaining the PIX itself, then you have to remember what your source IP is as traffic goes out the outside interface.

If you have something like IP Phones on site that go to a TFTP server on the other side, it should work just fine. Mine does.