Urgent- Pix506e to Watchguard Firebox site-to-site VPN tunnel
If anyone can help with this VPN tunnel I would be very appreciative. I have been staring at it for hours and nothing will work for me. I am trying to accomplish two things. Create a site-to-site VPN between a Pix 506e and a watchguard firebox, and setup a Cisco VPN client to connect to the Pix506e.
With the site-to-site VPN sometimes I get MM_KEY_EXCH and sometimes I get QM_IDLE. I have verified that the IP addresses and pre-shared keys are the same with the MM_KEY_EXCH error. When I get QM_IDLE (which means it's up) I can't ping anything behind the watchguard.
With the VPN client, it will connect but I can't ping or browse anything. Basically I need to access the server at 172.16.2.100 via the VPN and VPN client. The public IP addresses that are in use for the server at 172.16.2.100 are from a second non-contiguous block of IPs. The outside interface on the Pix is on the other block of Public IPs.
Watchguard settings:
Watchguard LAN: 192.168.1.0 /24
VPN settings:
Phase 1 settings:
Mode: Main mode
Local ID: 72.x.x.6
Remote ID: 1.1.1.78 (which is the outside IP of the Pix in the first block of public IPs)
Authentication Algorithm: MD5-HMAC
Encryption Algorithm: DES-CBC
Negotiation expires in 0 kilobytes
Negotiation expires in 24 hours
Diffie-Helman Group 1
"check" on Send IKE Keep Alive Messages
Phase 2 settings:
Authentication Algorithm: SHA1-HMAC
Encryption Algorithm: 3DES-CBC
"not checked" Enable Perfect Forward Secrecy
Local Network: 192.18.1.0/24
Remote Network: 172.16.2.0/24
--------------------------
Current Pix 506e config:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ---- encrypted
passwd ----- encrypted
hostname pix506
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit icmp any any echo
access-list acl_out permit icmp any any echo-reply
access-list acl_out permit tcp any host 1.1.1.77 eq www
access-list acl_out permit tcp any host 1.1.1.77 eq https
access-list acl_out permit tcp any host 1.1.1.77 eq 6060
access-list acl_out permit tcp any host 1.1.1.77 eq 3389
access-list acl_out permit tcp any host 1.1.1.77 eq 32004
access-list acl_out permit tcp any host 2.2.2.186 eq www
access-list acl_out permit tcp any host 2.2.2.186 eq 3389
access-list acl_out permit tcp any host 2.2.2.186 eq smtp
access-list acl_out permit tcp any host 2.2.2.186 eq pop3
access-list nonat permit ip 172.16.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 172.16.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 172.16.2.0 255.255.255.0 host 72.x.x.6
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 1.1.1.78 255.255.255.248
ip address inside 172.16.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 172.16.2.200-172.16.2.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 1.1.1.77 www 172.16.1.102 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.77 https 172.16.1.102 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.77 6060 172.16.1.102 6060 netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.77 3389 172.16.1.102 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.77 32004 172.16.1.102 32004 netmask 255.255.255.255 0 0
static (inside,outside) tcp 2.2.2.186 www 172.16.2.100 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 2.2.2.186 3389 172.16.2.100 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 2.2.2.186 smtp 172.16.2.100 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 2.2.2.186 pop3 172.16.2.100 pop3 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.73 1
route inside 172.16.2.0 255.255.255.0 172.16.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpnclient esp-des esp-md5-hmac
crypto ipsec transform-set pixtowatchguard esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set vpnclient
crypto map vpnmap 1 ipsec-isakmp
crypto map vpnmap 1 match address 101
crypto map vpnmap 1 set peer 72.x.x.6
crypto map vpnmap 1 set transform-set pixtowatchguard
crypto map vpnmap 30 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ***** address 72.x.x.6 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup VPN address-pool vpnpool
vpngroup VPN dns-server 172.16.2.100 151.164.11.201
vpngroup VPN wins-server 172.16.2.100
vpngroup VPN split-tunnel nonat
vpngroup VPN idle-time 86400
vpngroup VPN password -----
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:d1e10c99a8e
: end
--------------------------
Cisco 1841 config file:
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1841Router
!
boot-start-marker
boot-end-marker
!
enable password 7 -------
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
no ip domain lookup
no ftp-server write-enable
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address 172.16.1.2 255.255.255.0
!
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip address 172.16.2.1 255.255.255.0
ip access-group VLAN2-IN in
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip http server
!
ip access-list extended VLAN2-IN
permit ip host 172.16.2.100 host 172.16.1.1
deny ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
permit ip 172.16.2.0 0.0.0.255 any
!
!
control-plane
!
!
line con 0
password 7 -----------------
logging synchronous
login
line aux 0
line vty 0 4
password 7 ----------------
logging synchronous
login
!
end
With the site-to-site VPN sometimes I get MM_KEY_EXCH and sometimes I get QM_IDLE. I have verified that the IP addresses and pre-shared keys are the same with the MM_KEY_EXCH error. When I get QM_IDLE (which means it's up) I can't ping anything behind the watchguard.
With the VPN client, it will connect but I can't ping or browse anything. Basically I need to access the server at 172.16.2.100 via the VPN and VPN client. The public IP addresses that are in use for the server at 172.16.2.100 are from a second non-contiguous block of IPs. The outside interface on the Pix is on the other block of Public IPs.
Watchguard settings:
Watchguard LAN: 192.168.1.0 /24
VPN settings:
Phase 1 settings:
Mode: Main mode
Local ID: 72.x.x.6
Remote ID: 1.1.1.78 (which is the outside IP of the Pix in the first block of public IPs)
Authentication Algorithm: MD5-HMAC
Encryption Algorithm: DES-CBC
Negotiation expires in 0 kilobytes
Negotiation expires in 24 hours
Diffie-Helman Group 1
"check" on Send IKE Keep Alive Messages
Phase 2 settings:
Authentication Algorithm: SHA1-HMAC
Encryption Algorithm: 3DES-CBC
"not checked" Enable Perfect Forward Secrecy
Local Network: 192.18.1.0/24
Remote Network: 172.16.2.0/24
--------------------------
Current Pix 506e config:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ---- encrypted
passwd ----- encrypted
hostname pix506
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit icmp any any echo
access-list acl_out permit icmp any any echo-reply
access-list acl_out permit tcp any host 1.1.1.77 eq www
access-list acl_out permit tcp any host 1.1.1.77 eq https
access-list acl_out permit tcp any host 1.1.1.77 eq 6060
access-list acl_out permit tcp any host 1.1.1.77 eq 3389
access-list acl_out permit tcp any host 1.1.1.77 eq 32004
access-list acl_out permit tcp any host 2.2.2.186 eq www
access-list acl_out permit tcp any host 2.2.2.186 eq 3389
access-list acl_out permit tcp any host 2.2.2.186 eq smtp
access-list acl_out permit tcp any host 2.2.2.186 eq pop3
access-list nonat permit ip 172.16.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 172.16.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 172.16.2.0 255.255.255.0 host 72.x.x.6
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 1.1.1.78 255.255.255.248
ip address inside 172.16.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 172.16.2.200-172.16.2.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 1.1.1.77 www 172.16.1.102 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.77 https 172.16.1.102 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.77 6060 172.16.1.102 6060 netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.77 3389 172.16.1.102 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.77 32004 172.16.1.102 32004 netmask 255.255.255.255 0 0
static (inside,outside) tcp 2.2.2.186 www 172.16.2.100 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 2.2.2.186 3389 172.16.2.100 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 2.2.2.186 smtp 172.16.2.100 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 2.2.2.186 pop3 172.16.2.100 pop3 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.73 1
route inside 172.16.2.0 255.255.255.0 172.16.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpnclient esp-des esp-md5-hmac
crypto ipsec transform-set pixtowatchguard esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set vpnclient
crypto map vpnmap 1 ipsec-isakmp
crypto map vpnmap 1 match address 101
crypto map vpnmap 1 set peer 72.x.x.6
crypto map vpnmap 1 set transform-set pixtowatchguard
crypto map vpnmap 30 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ***** address 72.x.x.6 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup VPN address-pool vpnpool
vpngroup VPN dns-server 172.16.2.100 151.164.11.201
vpngroup VPN wins-server 172.16.2.100
vpngroup VPN split-tunnel nonat
vpngroup VPN idle-time 86400
vpngroup VPN password -----
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:d1e10c99a8e
: end
--------------------------
Cisco 1841 config file:
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1841Router
!
boot-start-marker
boot-end-marker
!
enable password 7 -------
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
no ip domain lookup
no ftp-server write-enable
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address 172.16.1.2 255.255.255.0
!
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip address 172.16.2.1 255.255.255.0
ip access-group VLAN2-IN in
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip http server
!
ip access-list extended VLAN2-IN
permit ip host 172.16.2.100 host 172.16.1.1
deny ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
permit ip 172.16.2.0 0.0.0.255 any
!
!
control-plane
!
!
line con 0
password 7 -----------------
logging synchronous
login
line aux 0
line vty 0 4
password 7 ----------------
logging synchronous
login
!
end
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
You shouldnt have to add anything more to the PIX as long as your default route is out through the PIX.
isakmp identity hostname would be the command that sends the hostname of the pix instead of the ip.
isakmp identity address sends the ip of the pix.
isakmp identity hostname would be the command that sends the hostname of the pix instead of the ip.
isakmp identity address sends the ip of the pix.
I think you need to add this:
>isakmp identity address
I suggest you also set both the authentication and encryption to be the same:
Authentication Algorithm: MD5-HMAC <== make this SHA
Encryption Algorithm: DES-CBC <== make this 3DES
Phase 2 settings:
Authentication Algorithm: SHA1-HMAC
Encryption Algorithm: 3DES-CBC
Then you would have to change the pix to match:
crypto ipsec transform-set pixtowatchguard esp-3des esp-sha-hmac
Then re-apply the crypto map to the interface after any changes.
>isakmp identity address
I suggest you also set both the authentication and encryption to be the same:
Authentication Algorithm: MD5-HMAC <== make this SHA
Encryption Algorithm: DES-CBC <== make this 3DES
Phase 2 settings:
Authentication Algorithm: SHA1-HMAC
Encryption Algorithm: 3DES-CBC
Then you would have to change the pix to match:
crypto ipsec transform-set pixtowatchguard esp-3des esp-sha-hmac
Then re-apply the crypto map to the interface after any changes.
ASKER
Sorry for the delay...
I tested the site-to-site VPN and it is working. I actually ended up changing the Watchguard settings to match as suggested then verified that those settings were exactly the same in the pix.
The issue now is that I cannot get the VPN client to work. It will connect with no problem. Once it connects I can't ping or access anything across the VPN. I have tried completely removing the ACL on the router but didn't solve it. Do you see anything that would maybe be stopping the vpn client from working?
thank you.
I tested the site-to-site VPN and it is working. I actually ended up changing the Watchguard settings to match as suggested then verified that those settings were exactly the same in the pix.
The issue now is that I cannot get the VPN client to work. It will connect with no problem. Once it connects I can't ping or access anything across the VPN. I have tried completely removing the ACL on the router but didn't solve it. Do you see anything that would maybe be stopping the vpn client from working?
thank you.
Add this line to the PIX:
isakmp nat-traversal 20
isakmp nat-traversal 20
Since you swapped the Ipsec pool ensure that the route to reach the VPN client pool travels back via the PIX
Ie point any routes on the LAN to the PIX
Ie point any routes on the LAN to the PIX
ASKER
IT'S WORKING!!
I added the isakmp nat-traversal 20 command. Then I took out the current vpn pool. I created a new pool using a 172.16.124.0 subnet, added that to the nonat ACL, and checked my routes.
I am able to connect and access the server now.
I really appreciate all of the help in getting this figured out. Thank you!
I added the isakmp nat-traversal 20 command. Then I took out the current vpn pool. I created a new pool using a 172.16.124.0 subnet, added that to the nonat ACL, and checked my routes.
I am able to connect and access the server now.
I really appreciate all of the help in getting this figured out. Thank you!
ASKER
I changed the Phase 2 settings on the Watchguard to reflect the Pix and that helped. Then on the Pix I used the debug crypto isakmp command. I used the output and searched the Cisco site for help. I was trying so many different things, I actually don't know what I did that made it finally connect. I do know that one of the errors dealt with the Pix trying to send the key using the FQDN. I issued the command isakmp identity address and that's when it seemed to connect.
I can ping the remote gateway at 192.168.1.1. It will be Monday before I can get into their office to try to access the server at 172.16.2.100 from their LAN. Do you think I will have to add something to the Pix or the routers acl to allow their LAN at 192.168.1.0/24 access to the server? Or does it look like I'll be able to ping 172.16.2.100 from their LAN?
Maybe add route inside 192.168.1.0 255.255.255.0 172.16.1.2 on the Pix?
I put the vpnpool the same as the subnet on the router hoping that would allow the VPN client to work since they were on the same subnet of 172.16.2.0/24. I completely removed the ACL on Fa0/0.2 to see if that was the problem. I also added isakmp nat-traversal to the Pix to see if that would get it. So far nothing has worked.