akrosit
asked on
PIX to PIX (501's) won't work! URGENT!
Hello experts. I'm attempting to set up a site to site VPN with 2 PIX 501's.
Simply PIX 1 (192.168.0.x (inside) 82.163.165.203 (oustide)) >>>Â PIX 2 (192.168.100.x (inside) 62.163.122.4 (outside))
As I've never done this before I used the VPN Wizard within PDM but it gave me an error
"WARNING: This crypto map is incomplete. To remedy the situation add a peer and a valid access-list to this crypto map."
Any takers? I've posted the PIX running confs below:
PIX 1 -
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password  xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
hostname AAD
domain-name xxxxxxxxxxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.10.0 CD
access-list Remote_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.0.48 255.255.255.248
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.0.48 255.255.255.248
access-list outside_cryptomap_dyn_20 remark Akros IT Dial In
access-list outside_cryptomap_dyn_20 permit ip any 192.168.0.48 255.255.255.248
access-list outside_cryptomap_40 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list Remote_splitTunnelAcl_1 permit ip any any
access-list outside_cryptomap_dyn_40 permit ip any 192.168.0.48 255.255.255.248
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 4
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Remote 192.168.0.50-192.168.0.55
pdm location 192.168.0.1 255.255.255.255 inside
pdm location CD 255.255.255.0 outside
pdm location 192.168.100.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 82.163.122.4
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 82.163.122.4
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 82.163.122.4 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Remote address-pool Remote
vpngroup Remote dns-server 192.168.0.1 192.168.0.254
vpngroup Remote wins-server 192.168.0.1
vpngroup Remote default-domain aadavies
vpngroup Remote split-tunnel Remote_splitTunnelAcl_1
vpngroup Remote idle-time 1800
vpngroup Remote password ********
PIX 2
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
hostname CD-PIX
domain-name xxxxxxxxxxxxxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.0 AAD
access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.255.0 AAD 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.100.0 255.255.255.0 AAD 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.100.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.100.1 255.255.255.255 inside
pdm location AAD 255.255.255.0 outside
pdm location 192.168.100.8 255.255.255.248 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.100.0 255.255.255.0 dns 0 0
route outside AAD 255.255.255.0 192.168.0.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.100.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 82.163.165.203
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 82.163.165.203 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.100.100-192.168.10 0.131 inside
dhcpd dns 192.168.100.254 192.168.1.1
dhcpd wins 192.168.0.1
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain aadgroup.local
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Simply PIX 1 (192.168.0.x (inside) 82.163.165.203 (oustide)) >>>Â PIX 2 (192.168.100.x (inside) 62.163.122.4 (outside))
As I've never done this before I used the VPN Wizard within PDM but it gave me an error
"WARNING: This crypto map is incomplete. To remedy the situation add a peer and a valid access-list to this crypto map."
Any takers? I've posted the PIX running confs below:
PIX 1 -
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password  xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
hostname AAD
domain-name xxxxxxxxxxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.10.0 CD
access-list Remote_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.0.48 255.255.255.248
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.0.48 255.255.255.248
access-list outside_cryptomap_dyn_20 remark Akros IT Dial In
access-list outside_cryptomap_dyn_20 permit ip any 192.168.0.48 255.255.255.248
access-list outside_cryptomap_40 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list Remote_splitTunnelAcl_1 permit ip any any
access-list outside_cryptomap_dyn_40 permit ip any 192.168.0.48 255.255.255.248
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 4
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Remote 192.168.0.50-192.168.0.55
pdm location 192.168.0.1 255.255.255.255 inside
pdm location CD 255.255.255.0 outside
pdm location 192.168.100.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 82.163.122.4
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 82.163.122.4
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 82.163.122.4 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Remote address-pool Remote
vpngroup Remote dns-server 192.168.0.1 192.168.0.254
vpngroup Remote wins-server 192.168.0.1
vpngroup Remote default-domain aadavies
vpngroup Remote split-tunnel Remote_splitTunnelAcl_1
vpngroup Remote idle-time 1800
vpngroup Remote password ********
PIX 2
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
hostname CD-PIX
domain-name xxxxxxxxxxxxxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.0 AAD
access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.255.0 AAD 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.100.0 255.255.255.0 AAD 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.100.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.100.1 255.255.255.255 inside
pdm location AAD 255.255.255.0 outside
pdm location 192.168.100.8 255.255.255.248 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.100.0 255.255.255.0 dns 0 0
route outside AAD 255.255.255.0 192.168.0.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.100.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 82.163.165.203
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 82.163.165.203 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.100.100-192.168.10
dhcpd dns 192.168.100.254 192.168.1.1
dhcpd wins 192.168.0.1
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain aadgroup.local
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Get rid of one of these crypto map sections. Keep 20 or keep 40, but remove the other one
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 82.163.122.4
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 82.163.122.4
Then re-apply the crypto map to the interface
crypto map outside_map interface outside
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 82.163.122.4
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 82.163.122.4
Then re-apply the crypto map to the interface
crypto map outside_map interface outside
ASKER
Will give that ago.... Thanks
ASKER
OK, so on both Pix's I entered the command
isakmp identity address (all OK)
I then entered no to both the above statements containing 40
then I entered the reapply crypto command above. Still can't ping I'm afraid.
Pix 1 running Conf
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname aadpix
domain-name aadavies.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.10.0 CD
access-list Remote_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168
.0.48 255.255.255.248
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168
.100.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.0.48 255.255.255.248
access-list outside_cryptomap_dyn_20 remark Akros IT Dial In
access-list outside_cryptomap_dyn_20 permit ip any 192.168.0.48 255.255.255.248
access-list outside_cryptomap_40 permit ip 192.168.0.0 255.255.255.0 192.168.100
.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 192.168.100
.0 255.255.255.0
access-list Remote_splitTunnelAcl_1 permit ip any any
access-list outside_cryptomap_dyn_40 permit ip any 192.168.0.48 255.255.255.248
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 4
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Remote 192.168.0.50-192.168.0.55
pdm location 192.168.0.1 255.255.255.255 inside
pdm location CD 255.255.255.0 outside
pdm location 192.168.100.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 82.163.122.4
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 set transform-set ESP-3DES-MD5
! Incomplete
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 82.163.122.4 netmask 255.255.255.255 no-xauth no-con
fig-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Remote address-pool Remote
vpngroup Remote dns-server 192.168.0.1 192.168.0.254
vpngroup Remote wins-server 192.168.0.1
vpngroup Remote default-domain aadavies
vpngroup Remote split-tunnel Remote_splitTunnelAcl_1
vpngroup Remote idle-time 1800
vpngroup Remote password ********
isakmp identity address (all OK)
I then entered no to both the above statements containing 40
then I entered the reapply crypto command above. Still can't ping I'm afraid.
Pix 1 running Conf
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname aadpix
domain-name aadavies.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.10.0 CD
access-list Remote_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168
.0.48 255.255.255.248
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168
.100.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.0.48 255.255.255.248
access-list outside_cryptomap_dyn_20 remark Akros IT Dial In
access-list outside_cryptomap_dyn_20 permit ip any 192.168.0.48 255.255.255.248
access-list outside_cryptomap_40 permit ip 192.168.0.0 255.255.255.0 192.168.100
.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 192.168.100
.0 255.255.255.0
access-list Remote_splitTunnelAcl_1 permit ip any any
access-list outside_cryptomap_dyn_40 permit ip any 192.168.0.48 255.255.255.248
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 4
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Remote 192.168.0.50-192.168.0.55
pdm location 192.168.0.1 255.255.255.255 inside
pdm location CD 255.255.255.0 outside
pdm location 192.168.100.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 82.163.122.4
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 set transform-set ESP-3DES-MD5
! Incomplete
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 82.163.122.4 netmask 255.255.255.255 no-xauth no-con
fig-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Remote address-pool Remote
vpngroup Remote dns-server 192.168.0.1 192.168.0.254
vpngroup Remote wins-server 192.168.0.1
vpngroup Remote default-domain aadavies
vpngroup Remote split-tunnel Remote_splitTunnelAcl_1
vpngroup Remote idle-time 1800
vpngroup Remote password ********
Can you post result of
show cry is sa  <== see if phase 2 is working
  QM_IDLE is good
If you don't see anything, then keep trying 4-5 times and you might see something like
 MM_NOSTATE
show cry ip sa <== see if we get errors on phase 2
show access-list <== see if we are hitting the acls to even trigger the VPN
If you get zero hitcount on the access-list entries for both the match cryptomap_20 and the nat_0 access lists then we typically have a basic routing issue.
show cry is sa  <== see if phase 2 is working
  QM_IDLE is good
If you don't see anything, then keep trying 4-5 times and you might see something like
 MM_NOSTATE
show cry ip sa <== see if we get errors on phase 2
show access-list <== see if we are hitting the acls to even trigger the VPN
If you get zero hitcount on the access-list entries for both the match cryptomap_20 and the nat_0 access lists then we typically have a basic routing issue.
ASKER
Result of show cry is sa
Total   : 1
Embryonic : 0
    dst        src     state   pending   created
 82.163.165.203  82.163.163.149   QM_IDLE     0      1
Result of show cry ip sa
interface: outside
  Crypto map tag: outside_map, local addr. 82.163.165.203
  local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0 /0/0)
  remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255 .0/0/0)
  current_peer: 82.163.122.4:0
   PERMIT, flags={origin_is_acl,}
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
  #send errors 0, #recv errors 0
   local crypto endpt.: 82.163.165.203, remote crypto endpt.: 82.163.122.4
   path mtu 1500, ipsec overhead 0, media mtu 1500
   current outbound spi: 0
   inbound esp sas:
   inbound ah sas:
   inbound pcp sas:
   outbound esp sas:
   outbound ah sas:
   outbound pcp sas:
  local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.0.50/255.255.255. 255/0/0)
  current_peer: 82.163.163.149:55577
  dynamic allocated peer ip: 192.168.0.50
   PERMIT, flags={}
  #pkts encaps: 4129, #pkts encrypt: 4129, #pkts digest 4129
  #pkts decaps: 2945, #pkts decrypt: 2945, #pkts verify 2945
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
  #send errors 0, #recv errors 0
   local crypto endpt.: 82.163.165.203, remote crypto endpt.: 82.163.163.149
   path mtu 1500, ipsec overhead 56, media mtu 1500
   current outbound spi: 15b5c130
   inbound esp sas:
   spi: 0xeb236c6f(3944967279)
    transform: esp-3des esp-md5-hmac ,
    in use settings ={Tunnel, }
    slot: 0, conn id: 3, crypto map: outside_map
    sa timing: remaining key lifetime (k/sec): (4607684/27844)
    IV size: 8 bytes
    replay detection support: Y
   inbound ah sas:
   inbound pcp sas:
   outbound esp sas:
   spi: 0x15b5c130(364233008)
    transform: esp-3des esp-md5-hmac ,
    in use settings ={Tunnel, }
    slot: 0, conn id: 4, crypto map: outside_map
    sa timing: remaining key lifetime (k/sec): (4604408/27844)
    IV size: 8 bytes
    replay detection support: Y
   outbound ah sas:
   outbound pcp sas:
Result of show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
      alert-interval 300
access-list Remote_splitTunnelAcl; 1 elements
access-list Remote_splitTunnelAcl line 1 permit ip 192.168.0.0 255.255.255.0 any (hitcnt=0)
access-list inside_outbound_nat0_acl; 3 elements
access-list inside_outbound_nat0_acl line 1 permit ip 192.168.0.0 255.255.255.0 192.168.0.48 255.255.255.248 (hitcnt=278)
access-list inside_outbound_nat0_acl line 2 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0 (hitcnt=4)
access-list inside_outbound_nat0_acl line 3 permit ip any 192.168.0.48 255.255.255.248 (hitcnt=0)
access-list outside_cryptomap_dyn_20; 1 elements
access-list outside_cryptomap_dyn_20 line 1 remark Akros IT Dial In
access-list outside_cryptomap_dyn_20 line 2 permit ip any 192.168.0.48 255.255.255.248 (hitcnt=205)
access-list outside_cryptomap_40; 1 elements
access-list outside_cryptomap_40 line 1 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0 (hitcnt=0)
access-list outside_cryptomap_20; 1 elements
access-list outside_cryptomap_20 line 1 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0 (hitcnt=4)
access-list Remote_splitTunnelAcl_1; 1 elements
access-list Remote_splitTunnelAcl_1 line 1 permit ip any any (hitcnt=0)
access-list outside_cryptomap_dyn_40; 1 elements
access-list outside_cryptomap_dyn_40 line 1 permit ip any 192.168.0.48 255.255.255.248 (hitcnt=0)
access-list  dynacl13; 1 elements
access-list  dynacl13 line 1 permit ip any host 192.168.0.50 (hitcnt=25)
Total   : 1
Embryonic : 0
    dst        src     state   pending   created
 82.163.165.203  82.163.163.149   QM_IDLE     0      1
Result of show cry ip sa
interface: outside
  Crypto map tag: outside_map, local addr. 82.163.165.203
  local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0
  remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255
  current_peer: 82.163.122.4:0
   PERMIT, flags={origin_is_acl,}
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
  #send errors 0, #recv errors 0
   local crypto endpt.: 82.163.165.203, remote crypto endpt.: 82.163.122.4
   path mtu 1500, ipsec overhead 0, media mtu 1500
   current outbound spi: 0
   inbound esp sas:
   inbound ah sas:
   inbound pcp sas:
   outbound esp sas:
   outbound ah sas:
   outbound pcp sas:
  local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.0.50/255.255.255.
  current_peer: 82.163.163.149:55577
  dynamic allocated peer ip: 192.168.0.50
   PERMIT, flags={}
  #pkts encaps: 4129, #pkts encrypt: 4129, #pkts digest 4129
  #pkts decaps: 2945, #pkts decrypt: 2945, #pkts verify 2945
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
  #send errors 0, #recv errors 0
   local crypto endpt.: 82.163.165.203, remote crypto endpt.: 82.163.163.149
   path mtu 1500, ipsec overhead 56, media mtu 1500
   current outbound spi: 15b5c130
   inbound esp sas:
   spi: 0xeb236c6f(3944967279)
    transform: esp-3des esp-md5-hmac ,
    in use settings ={Tunnel, }
    slot: 0, conn id: 3, crypto map: outside_map
    sa timing: remaining key lifetime (k/sec): (4607684/27844)
    IV size: 8 bytes
    replay detection support: Y
   inbound ah sas:
   inbound pcp sas:
   outbound esp sas:
   spi: 0x15b5c130(364233008)
    transform: esp-3des esp-md5-hmac ,
    in use settings ={Tunnel, }
    slot: 0, conn id: 4, crypto map: outside_map
    sa timing: remaining key lifetime (k/sec): (4604408/27844)
    IV size: 8 bytes
    replay detection support: Y
   outbound ah sas:
   outbound pcp sas:
Result of show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
      alert-interval 300
access-list Remote_splitTunnelAcl; 1 elements
access-list Remote_splitTunnelAcl line 1 permit ip 192.168.0.0 255.255.255.0 any (hitcnt=0)
access-list inside_outbound_nat0_acl; 3 elements
access-list inside_outbound_nat0_acl line 1 permit ip 192.168.0.0 255.255.255.0 192.168.0.48 255.255.255.248 (hitcnt=278)
access-list inside_outbound_nat0_acl line 2 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0 (hitcnt=4)
access-list inside_outbound_nat0_acl line 3 permit ip any 192.168.0.48 255.255.255.248 (hitcnt=0)
access-list outside_cryptomap_dyn_20; 1 elements
access-list outside_cryptomap_dyn_20 line 1 remark Akros IT Dial In
access-list outside_cryptomap_dyn_20 line 2 permit ip any 192.168.0.48 255.255.255.248 (hitcnt=205)
access-list outside_cryptomap_40; 1 elements
access-list outside_cryptomap_40 line 1 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0 (hitcnt=0)
access-list outside_cryptomap_20; 1 elements
access-list outside_cryptomap_20 line 1 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0 (hitcnt=4)
access-list Remote_splitTunnelAcl_1; 1 elements
access-list Remote_splitTunnelAcl_1 line 1 permit ip any any (hitcnt=0)
access-list outside_cryptomap_dyn_40; 1 elements
access-list outside_cryptomap_dyn_40 line 1 permit ip any 192.168.0.48 255.255.255.248 (hitcnt=0)
access-list  dynacl13; 1 elements
access-list  dynacl13 line 1 permit ip any host 192.168.0.50 (hitcnt=25)
>82.163.165.203 Â 82.163.163.149 Â Â QM_IDLE Â Â Â Â
This is your client VPN, so no established tunnel with your remote peer
PIX2. Â I should have seen this the first time
>ip address inside 192.168.100.254 255.255.255.0
>route outside AAD 255.255.255.0 192.168.0.254 1
You have to remove that route statement!
 no route outside AAD 255.255.255.0 192.168.0.254 1
This is your client VPN, so no established tunnel with your remote peer
PIX2. Â I should have seen this the first time
>ip address inside 192.168.100.254 255.255.255.0
>route outside AAD 255.255.255.0 192.168.0.254 1
You have to remove that route statement!
 no route outside AAD 255.255.255.0 192.168.0.254 1
ASKER
Removed route statement (no route etc) Still no joy.
From a host inside PIX2, like from the server, setup a constant ping to a host inside of PIX 1, i.e.
 C:\> ping -t 192.168.100.1
Same on site2
 C:\>ping -t 192.168.0.1
Now, from the PIX console, try "show cry is sa" several times and see if you get anything like MM_KEYEXCHANGE Â MM_NOSTATE Â
Use 'show interface' and make sure you are using the correct public IP address on both ends for the peer statements.
 C:\> ping -t 192.168.100.1
Same on site2
 C:\>ping -t 192.168.0.1
Now, from the PIX console, try "show cry is sa" several times and see if you get anything like MM_KEYEXCHANGE Â MM_NOSTATE Â
Use 'show interface' and make sure you are using the correct public IP address on both ends for the peer statements.
ASKER
Removed route statement (no route etc) Still no joy.
ASKER
Results are in:
  dst        src     state   pending   created
 82.163.165.203  82.163.163.149   QM_IDLE     0      1
  82.163.122.4  82.163.165.203   MM_NO_STATE  0      0
aadpix(config)# show cry is sa
Total   : 2
Embryonic : 1
    dst        src     state   pending   created
 82.163.165.203  82.163.163.149   QM_IDLE     0      1
  82.163.122.4  82.163.165.203   MM_KEY_EXCH  0      0
aadpix(config)# show cry is sa
Total   : 2
Embryonic : 1
    dst        src     state   pending   created
    dst        src     state   pending   created
  dst        src     state   pending   created
 82.163.165.203  82.163.163.149   QM_IDLE     0      1
  82.163.122.4  82.163.165.203   MM_NO_STATE  0      0
aadpix(config)# show cry is sa
Total   : 2
Embryonic : 1
    dst        src     state   pending   created
 82.163.165.203  82.163.163.149   QM_IDLE     0      1
  82.163.122.4  82.163.165.203   MM_KEY_EXCH  0      0
aadpix(config)# show cry is sa
Total   : 2
Embryonic : 1
    dst        src     state   pending   created
    dst        src     state   pending   created
ASKER CERTIFIED SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
ASKER
Pix 2 result
Result of firewall command: "show cry is sa"
Â
Total   : 2
Embryonic : 1
    dst        src     state   pending   created
 82.163.165.203   82.163.122.4   MM_KEY_EXCH  0      0
  82.163.122.4  82.163.163.149   QM_IDLE     0      1
Result of firewall command: "show cry is sa"
Â
Total   : 2
Embryonic : 1
    dst        src     state   pending   created
 82.163.165.203   82.163.122.4   MM_KEY_EXCH  0      0
  82.163.122.4  82.163.163.149   QM_IDLE     0      1
ASKER
Yeeeeeeeesssssssss. Thank you very much for all of your time lrmoore. I reset the keys and everything started working! Marvelous!
Points go to you sir. Thank you again.
Points go to you sir. Thank you again.
Add this to PIX1 also