Solved

PIX501 VPN Troubles

Posted on 2007-03-19
14
373 Views
Last Modified: 2010-04-17
Hello, I am relatively new to the PIX501.  We have established two of these units as routers at different locations and both work fine.  We have port forwarding and basic internet access working. I am now trying to set up a VPN between the two.  Both have static IP addresses from the ISP.  

So far, my only attempts have been to run the wizards in the device manager. First of all I set up the PIX to communicate with the Cisco VPN client.  That works fine.

When I go to set up the VPN between the two units, I follow the wizard, providing all necessary information.  It seems to work properly, but once I complete work on the wizard, two things happen (or do not).  First, the VPN light does not turn on.  Secondly, I lose access to the internet from all computers inside the PIX.  It is not just loss of sites like google.com; I also cannot ping IP addresses directly, so I don't think it has anything to do with DNS.  This happens on both PIXs.  If I go into the VPN configuration and delete the tunnel policy that was set up, then I regain internet access without any problems.  

I am looking for any pointers which may help me better understand what is causing me to lose connection, what I can do to regain it, and eventually any help on establishing the VPN.  Note: the only thing I did to regain outside access was to delete the tunnel policy and click Apply.  Access rules seem to be set up fine and work without the tunnel policy in place.


Device: Cisco PIX 501 Firewall
Device Manager: Cisco PIX Device Manager 3.0(4)
PIX Version: 6.3(5)
OS: Windows XP
Modem: Westell Wirespeed C90 Series

Thanks for any help
0
Question by:compsol1993
14 Comments
 
LVL 28

Expert Comment

by:batry_boy
ID: 18748316
Post PIX configs from both sides of the VPN tunnel and we can take a look...please sanitize the output first...
0
 

Author Comment

by:compsol1993
ID: 18748660
I will do that, unfortunately I may not get out to the other site until tomorrow to collect that data, so if anyone has any immediate thoughts they would be appreciated.  

Thanks
0
 

Author Comment

by:compsol1993
ID: 18755365
Ok, attached is the configuration for one of the sides.  Last night I was actually able to establish the VPN.  Both VPN LEDs came on, and in PDM each PIX showed one IKE tunnel and one IPsec tunnel.  I was not actually able to see any machines on either side of the VPN though, so I don't know if the problem is related to the problem I am having with the internet.

Just to recap, the biggest issue right now is that once I run the VPN wizard, I lose all access to the internet.  If I do a ping directly from the PIX PDM, then I get out fine.  Any machine connected to the PIX is cut off.  If I go and delete the Tunnel Policy created by the wizard and click Apply, all internet access is restored.  Why would that one action bring the net back online...

Attached is the configuration, pretty much everything is directly from the wizard.

Thanks

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******** encrypted
passwd ****** encrypted
hostname ****
domain-name ******
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.2 Server
name 192.168.1.50 Laptop
access-list outside_access_in permit tcp any any
access-list inside_outbound_nat0_acl permit ip any any
access-list outside_cryptomap_20 permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Laptop 255.255.255.255 inside
pdm location Server 255.255.255.255 inside
pdm location 192.168.1.100 255.255.255.255 inside
pdm location 192.168.1.101 255.255.255.255 inside
pdm location 192.168.1.102 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 Server 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www Server www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https Server https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 444 Server 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 Server 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp Server pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp Server ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp ********** 5900 Laptop 5900 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5900 Laptop 5900 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http Laptop 255.255.255.255 inside
http Server 255.255.255.255 inside
http 192.168.1.100 255.255.255.255 inside
http 192.168.1.101 255.255.255.255 inside
http 192.168.1.102 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer ***.***.***.***
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address ***.***.***.*** netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:a024c25ab5e07282eff330b285670d4c
: end
[OK]
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18756274
I see that you are exempting ALL traffic from being translated with the following statements:

access-list inside_outbound_nat0_acl permit ip any any
nat (inside) 0 access-list inside_outbound_nat0_acl

Is this your intent?  Probably not...that would definitely cause a problem with Internet connectivity.

You also have your crypto ACL defined to tunnel everything down the site-to-site tunnel with the following commands:

access-list outside_cryptomap_20 permit ip any any
crypto map outside_map 20 match address outside_cryptomap_20

Is this correct?  Typically you would define only traffic from behind the PIX going to the network behind the remote VPN tunnel peer and specify that source/destination pair, rather than "any any", in the crypto ACL.  Could you clarify this?

0
 

Author Comment

by:compsol1993
ID: 18756535
***I see that you are exempting ALL traffic from being translated with the following statements:

***access-list inside_outbound_nat0_acl permit ip any any
***nat (inside) 0 access-list inside_outbound_nat0_acl

***Is this your intent?  Probably not...that would definitely cause a problem with Internet connectivity.

No, this is not my intent.  If I want to correct this, can you give me a pointer in the right direction?  My work on the PIX has been entirely through the PDM; I'm not opposed to learning the command line format, I just haven't done so yet.

***You also have your crypto ACL defined to tunnel everything down the site-to-site tunnel with the
***following commands:

***access-list outside_cryptomap_20 permit ip any any
***crypto map outside_map 20 match address outside_cryptomap_20

***Is this correct?  Typically you would define only traffic from behind the PIX going to the network
***behind the remote VPN tunnel peer and specify that source/destination pair, rather than "any any", in
***the crypto ACL.  Could you clarify this?
Ok, once again I'm learning, but I see how this is a problem.  The two networks I am trying to connect are 192.168.1.0 and 192.168.10.0.  Are you saying these should be used instead of any any?  Or something more specific?

Thanks
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18757197
I would change the statements to read as follows:

no access-list inside_outbound_nat0_acl permit ip any any
access-list inside_outbound_nat0_acl permit 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

no access-list outside_cryptomap_20 permit ip any any
access-list outside_cryptomap_20 permit 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

The "no" form of the commands will take out the existing statements and then the commands after those will put back the ACL's with the specific traffic defined.  Give it a shot...
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18757225
You may get an error when you do those commands for the cryptomap ACL...no big deal since you're putting it right back with the next statement, but if you don't want the error you can reverse the last two commands like this:

access-list outside_cryptomap_20 permit 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
no access-list outside_cryptomap_20 permit ip any any

That way the cryptomap ACL is never totally gone, which is what the PIX will give you an error about if you do the "no" command first.
0
 

Author Comment

by:compsol1993
ID: 18759784
So far so good, I applied these settings to the local side of the VPN and I have the internet back, I'll let you know how I make out once I get out to the remote.

Thanks for the advice
0
 

Author Comment

by:compsol1993
ID: 18786968
Ok, it looks like you were correct.  Making those changes did allow internet access on both ends.  Unfortunately now I cannot get the VPN to work.  This is a test configuration; I am doing this in prep for deploying the real VPN.

I ran the VPN wizard on both ends, and both seemed to work simply enough, but I have not been able to make a VPN connection.  In the PDM, is there any type of log I can look at to find out what I am failing on?  For example, I'd like to know if it is actually finding the other PIX, if the Pre-Shared Keys match, that type of thing.  Is there any way to find the specific action that is failing?

Thanks
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18786975
There are debugs that you can enable on each PIX to get that kind of info, but I will warn you that deciphering the debug messages is not for the faint of heart!  :-)

If you issue these 3 commands on either PIX, you will get IPSEC tunnel negotiation debug messages that may give you a clue as to why the tunnel isn't coming up:

debug crypto isakmp
debug crypto ipsec
debug crypto engine

You can also use these commands for troubleshooting VPN tunnels:

show crypto isakmp sa
show crypto ipsec sa

These will tell you the status of any phase 1 (ISAKMP) or phase 2 (IPSEC) negotiations.

Since you've made changes, you can always repost your current PIX configs (both sides) and I can take a look to see if I see anything.
0
 

Author Comment

by:compsol1993
ID: 18789950
Ok, I'll post the configs for both sides below.  I really appreciate all of your help; I am new to the PIX and your info really helps.  I'd like to award you the 500 points now and set up another topic to continue this troubleshooting, so you get more.  I think this question has morphed a few times from the original topic anyway.

At this time, the configs are factory default configurations with the Startup Wizard and then the VPN wizard run on each simultaneously.  These do not include any further manipulation, other than setting a few port translations.

Thanks again.

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname cspix
domain-name &&&&&&&&
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.50 MikePC
name 192.168.0.51 MikeHP
name 192.168.0.5 Server
name 192.168.10.0 Home
name 192.168.0.0 Office
access-list outside_access_in permit tcp any any
access-list inside_outbound_nat0_acl permit ip Office 255.255.255.0 Home 255.255.255.0
access-list outside_cryptomap_20 permit ip Office 255.255.255.0 Home 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location MikePC 255.255.255.255 inside
pdm location MikeHP 255.255.255.255 inside
pdm location Server 255.255.255.255 inside
pdm location Home 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 Server 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www Server www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https Server https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 444 Server 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 Server 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp Server pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp Server ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5900 MikeHP 5900 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http MikePC 255.255.255.255 inside
http Server 255.255.255.255 inside
http MikeHP 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer &&&&&&&&&
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address &&&&&&&&& netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.10-192.168.0.30 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:862764a54ef70f6119ca857c4f90acbf
: end
[OK]

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.0 Office
access-list outside_cryptomap_40 permit ip 192.168.10.0 255.255.255.0 Office 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Office 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer &&&&&&&&&&&&&
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address &&&&&&&&&& netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname lbswanson
vpdn group pppoe_group ppp authentication pap
vpdn username lbswanson password *********
dhcpd address 192.168.10.2-192.168.10.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:bf280cde15fe9dca3b47fd9e7d9cb359
: end
[OK]
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18790149
Add the following statements to the bottom PIX config (the one that sits in front of the 192.168.10.0/24 network):

access-list inside_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl

See if this helps...
0
 
LVL 28

Accepted Solution

by:
batry_boy earned 500 total points
ID: 18790156
You may have to clear the IPSEC and ISAKMP security associations after you put those statements in to reestablish the tunnels, or just bounce the PIX after saving the config first...the commands to clear the sa's are:

clear crypto is sa
clear crypto ip sa

0
 

Author Comment

by:compsol1993
ID: 18800871
Adding those lines did not seem to help.  What I have now done is brought both PIXs into the same office and we have set up a second broadband connection to troubleshoot this faster.  I am going to close this question.  batry_boy, thanks for all of your help.  I will start a new topic once I get everything working locally.
0
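As an added illustration (not code from this thread or from Cisco), here is a small Python checker that reads the "name", "access-list ... permit ip", "nat (inside) 0 access-list" and "crypto map ... match address" lines of a PIX 6.3 config and flags the three problems batry_boy pointed out: an "any any" crypto ACL, an "any any" nat 0 exemption, and a peer with no nat 0 exemption at all. It also checks that the two peers' crypto ACLs are mirror images of each other. The config excerpts are constructed from the ones posted above.

```python
from ipaddress import IPv4Network

# Constructed excerpts of the configs posted in this thread (PIX 6.3 syntax).
WIZARD_DEFAULT = """
access-list inside_outbound_nat0_acl permit ip any any
access-list outside_cryptomap_20 permit ip any any
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 match address outside_cryptomap_20
"""
SITE_A = """
name 192.168.10.0 Home
name 192.168.0.0 Office
access-list inside_outbound_nat0_acl permit ip Office 255.255.255.0 Home 255.255.255.0
access-list outside_cryptomap_20 permit ip Office 255.255.255.0 Home 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 match address outside_cryptomap_20
"""
SITE_B = """
name 192.168.0.0 Office
access-list outside_cryptomap_40 permit ip 192.168.10.0 255.255.255.0 Office 255.255.255.0
crypto map outside_map 40 match address outside_cryptomap_40
"""
# SITE_B plus the two statements batry_boy recommended adding to the remote PIX.
SITE_B_FIXED = SITE_B + """
access-list inside_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
"""

ANY = IPv4Network("0.0.0.0/0")

def endpoint(tokens, names):
    """Consume one ACL endpoint: 'any' or '<addr-or-name> <mask>'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    addr = names.get(tokens[0], tokens[0])      # resolve 'name' aliases
    return IPv4Network(f"{addr}/{tokens[1]}"), tokens[2:]

def parse(cfg):
    """Collect name aliases, 'permit ip' ACL entries, the nat 0 ACL and the crypto ACL."""
    site = {"names": {}, "acls": {}, "nat0": None, "crypto": None}
    for line in cfg.strip().splitlines():
        tok = line.split()
        if tok[:1] == ["name"]:
            site["names"][tok[2]] = tok[1]
        elif tok[:1] == ["access-list"] and tok[2:4] == ["permit", "ip"]:
            src, rest = endpoint(tok[4:], site["names"])
            dst, _ = endpoint(rest, site["names"])
            site["acls"].setdefault(tok[1], []).append((src, dst))
        elif line.startswith("nat (inside) 0 access-list "):
            site["nat0"] = tok[-1]
        elif tok[:2] == ["crypto", "map"] and "match" in tok:
            site["crypto"] = tok[-1]
    return site

def lint(site):
    """Return the findings raised in the thread as strings (empty list = clean)."""
    findings, acls = [], site["acls"]
    for src, dst in acls.get(site["crypto"], []):
        if ANY in (src, dst):
            findings.append("crypto ACL matches 'any': all traffic is forced into the tunnel")
    if site["nat0"] is None:
        findings.append("no nat (inside) 0 exemption: VPN traffic is PATed and never matches the crypto ACL")
    for src, dst in acls.get(site["nat0"], []):
        if (src, dst) == (ANY, ANY):
            findings.append("nat 0 ACL exempts everything: inside hosts lose Internet access")
    return findings

def mirrored(a, b):
    """Peers' crypto ACLs must be mirror images: A's (src, dst) == B's (dst, src)."""
    ca = set(a["acls"].get(a["crypto"], []))
    cb = {(dst, src) for src, dst in b["acls"].get(b["crypto"], [])}
    return bool(ca) and ca == cb
```

Run lint(parse(cfg)) on each excerpt: the wizard default yields two findings, SITE_B yields the missing nat 0 exemption, and SITE_A and SITE_B_FIXED come back clean with mirrored crypto ACLs.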
