setup VPN for PIX 501 to another PIX

Hi everyone,

I need to set up a VPN to our customer's site; they provided all the parameters to configure on my side. I think I have everything configured, but my PIX 501 can't establish a tunnel to the other side (the customer's PIX). The tricky part here is that I don't have any access to the customer's PIX to check its log file. But I think the cause of the problem is more on my side, because of a misconfiguration.

My current configuration on the PIX is shown below (IPs have been modified); can you please give me advice on what went wrong?

Regards.


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable xxxxxxxx encrypted
passwd xxxxxxxx encrypted
hostname PIX
domain-name yourdomain
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521            
fixup protocol tftp 69
names
access-list 100 permit icmp any any echo-reply
access-list acl_out permit ip any any log
access-list 101 permit ip host 76.207.10.18 host 76.207.10.34
access-list 101 permit ip host 76.207.10.18 host 76.207.10.35
access-list 101 permit ip host 76.207.10.18 host 76.207.10.36
access-list 101 permit ip host 76.207.10.18 host 76.207.10.37
access-list 101 permit ip host 76.207.10.18 host 10.10.195.120
access-list 101 permit ip host 76.207.10.18 host 10.10.223.121
access-list NoNat permit ip 76.207.10.16 255.255.255.248 76.207.10.16 255.255.255.248
access-list ethernet0 permit tcp any interface outside eq ssh
pager lines 24
logging on
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside 76.207.10.27 255.255.255.248
ip address inside 76.207.10.19 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
pdm location 76.207.10.18 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 76.207.10.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 0.0.0.0 255.255.255.255 outside
http 76.207.10.18 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set chevelle esp-3des esp-sha-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 191.234.157.206
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address 191.234.157.206 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 28800
telnet timeout 5
ssh timeout 30            
console timeout 0
terminal width 80
arron9112003 Asked:

grblades Commented:
Try adding the following config :-
isakmp identity address

You could also try adding the following config as well :-
isakmp nat-traversal 3600

If that doesn't work then I would double check the shared key, IP address, and the use of 3des/sha with the other end.
0
 
grblades Commented:
Your NoNat ACL looks incorrect. I think it should be :-

access-list NoNat permit ip host 76.207.10.18 host 76.207.10.34
access-list NoNat permit ip host 76.207.10.18 host 76.207.10.35
access-list NoNat permit ip host 76.207.10.18 host 76.207.10.36
access-list NoNat permit ip host 76.207.10.18 host 76.207.10.37
access-list NoNat permit ip host 76.207.10.18 host 10.10.195.120
access-list NoNat permit ip host 76.207.10.18 host 10.10.223.121
0
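The mismatch grblades points out (interesting traffic in the crypto-map ACL that the nat 0 ACL does not exempt) can be checked mechanically. The following script is an added example, not code from the thread: it parses a constructed excerpt modelled on the first posted config, pairs the crypto map's match-address ACL with the nat 0 ACL, and reports every entry that would still be translated before the crypto map sees it (on PIX, NAT is applied before the crypto map is evaluated).

```python
import re
from ipaddress import ip_network

# Constructed excerpt modelled on the first config posted in the question:
# the crypto ACL (101) lists the peer hosts, but nat 0 only exempts the
# local /29 talking to itself, so interesting traffic is still PATed.
SAMPLE_CONFIG = """
access-list 101 permit ip host 76.207.10.18 host 76.207.10.34
access-list 101 permit ip host 76.207.10.18 host 10.10.195.120
access-list NoNat permit ip 76.207.10.16 255.255.255.248 76.207.10.16 255.255.255.248
nat (inside) 0 access-list NoNat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map transam 1 match address 101
"""

def _endpoint(tokens):
    """Consume one PIX ACL address spec: 'host A', 'any', or 'A MASK'."""
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    return ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_ip_acls(config):
    """Map ACL name -> list of (src_net, dst_net) for 'permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"\s*access-list (\S+) permit ip (.+)", line)
        if m:
            src, rest = _endpoint(m.group(2).split())
            dst, _ = _endpoint(rest)
            acls.setdefault(m.group(1), []).append((src, dst))
    return acls

def nat_exempt_acl(config):
    """Name of the ACL bound by 'nat (inside) 0 access-list ...', if any."""
    m = re.search(r"nat \(\S+\) 0 access-list (\S+)", config)
    return m.group(1) if m else None

def unexempted_crypto_entries(config):
    """Crypto-map interesting-traffic entries not covered by the nat 0 ACL.

    NAT runs before the crypto map on PIX, so any entry listed here is
    translated first and never matches the crypto ACL as the peer expects.
    """
    acls = parse_ip_acls(config)
    exempt = acls.get(nat_exempt_acl(config), [])
    missing = []
    for name in re.findall(r"crypto map \S+ \d+ match address (\S+)", config):
        for src, dst in acls.get(name, []):
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                missing.append((name, str(src), str(dst)))
    return missing

if __name__ == "__main__":
    for name, src, dst in unexempted_crypto_entries(SAMPLE_CONFIG):
        print(f"ACL {name}: {src} -> {dst} is NOT exempted from NAT")
```

Run against the corrected NoNat entries from the comment above, the report comes back empty; the original NoNat line leaves both peer hosts flagged.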
 
arron9112003 Author Commented:
Hi Grblades,

I made the change to the ACL as you suggested, but the PIX still cannot establish a tunnel to the other end; perhaps other changes are needed. I tested it by sending pings and RDP to those IPs, but none of them reply.

ISAKMP session disconnected (local 76.207.10.27 (initiator), remote 191.234.157.206)
Teardown TCP connection 31 for outside:76.207.10.35/3389 to inside:76.207.10.18/1499 duration 0:02:01 bytes 0 SYN timeout

Above is the message I see from PDM log viewer.

0
grblades Commented:
Can you post the output of the following commands :-

show crypto isakmp sa

show crypto sa
0
 
arron9112003 Author Commented:
PIX(config)# show crypto isakmp sa
Total     : 0
Embryonic : 0
        dst               src        state     pending     created
PIX(config)# show crypto sa
interface: outside
    Crypto map tag: transam, local addr. 76.207.10.27
   local  ident (addr/mask/prot/port): (76.207.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (76.207.10.34/255.255.255.255/0/0)
   current_peer: 191.234.157.206 :0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 7, #recv errors 0
     local crypto endpt.: 76.207.10.27, remote crypto endpt.: 191.234.157.206
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
   local  ident (addr/mask/prot/port): (76.207.10.18/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (76.207.10.35/255.255.255.255/0/0)
   current_peer: 191.234.157.206 :0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 21, #recv errors 0          
     local crypto endpt.: 76.207.10.27, remote crypto endpt.: 191.234.157.206
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
   local  ident (addr/mask/prot/port): (76.207.10.18/255.255.255.255/0/0)      
   remote ident (addr/mask/prot/port): (76.207.10.36/255.255.255.255/0/0)
   current_peer: 191.234.157.206 :0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 76.207.10.27, remote crypto endpt.: 191.234.157.206
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:            
     outbound ah sas:
     outbound pcp sas:
   local  ident (addr/mask/prot/port): (76.207.10.18/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (76.207.10.37/255.255.255.255/0/0)
   current_peer: 191.234.157.206 :0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 76.207.10.27, remote crypto endpt.: 191.234.157.206
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
   local  ident (addr/mask/prot/port): (76.207.10.18/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.101.243.106/255.255.255.255/0/0)
   current_peer: 191.234.157.206 :0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0          
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 9, #recv errors 0
     local crypto endpt.: 76.207.10.27, remote crypto endpt.: 191.234.157.206
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
   local  ident (addr/mask/prot/port): (76.207.10.18/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.10.191.3/255.255.255.255/0/0)
   current_peer: 191.234.157.206 :0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 6, #recv errors 0
     local crypto endpt.: 76.207.10.27, remote crypto endpt.: 191.234.157.206
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
PIX(config)#
0
 
grblades Commented:
There is definitely a problem bringing up the VPN. Can you repost your new configuration and I will check it again.
0
 
arron9112003 Author Commented:
Here is the new configuration from the PIX.


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxx encrypted
passwd xxxxxx encrypted
hostname PIX
domain-name ivr
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521            
fixup protocol tftp 69
names
access-list 100 permit icmp any any echo-reply
access-list acl_out permit ip any any log
access-list 101 permit ip host 76.207.10.18 host 76.207.10.35
access-list 101 permit ip host 76.207.10.18 host 76.207.10.36
access-list 101 permit ip host 76.207.10.18 host 76.207.10.37
access-list 101 permit ip host 76.207.10.18 host 10.10.195.120  
access-list 101 permit ip host 76.207.10.18 host 10.10.223.121  
access-list NoNat permit ip host 76.207.10.18 host 76.207.10.34
access-list NoNat permit ip host 76.207.10.18 host 76.207.10.35
access-list NoNat permit ip host 76.207.10.18 host 76.207.10.36
access-list NoNat permit ip host 76.207.10.18 host 76.207.10.37
access-list NoNat permit ip host 76.207.10.18 host 10.10.195.120  
access-list NoNat permit ip host 76.207.10.18 host 10.10.223.121
access-list ethernet0 permit tcp any interface outside eq ssh
pager lines 24
logging on
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside 76.207.10.27 255.255.255.248
ip address inside 76.207.10.19 255.255.255.248              
ip audit info action alarm
ip audit attack action alarm
pdm location 76.207.10.18 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 76.207.10.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 0.0.0.0 255.255.255.255 outside
http 76.207.10.18 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set chevelle esp-3des esp-sha-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 191.234.157.206
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address 191.234.157.206 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2            
isakmp policy 1 lifetime 28800
telnet timeout 5
ssh timeout 30
management-access outside
console timeout 0
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config            
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
0