Solved

setup VPN for PIX 501 to another PIX

Posted on 2007-10-17
Last Modified: 2012-05-05
Hi everyone,

I need to set up a VPN to our customer's site; they provided all the parameters to configure on my side. I think I have everything configured, but my PIX 501 can't establish a tunnel to the other side (the customer's PIX). The tricky part here is that I don't have any access to the customer's PIX to check the log file. But I think the cause of the problem is more on my side, because of misconfiguration.

My current configuration on the PIX is shown below (IPs have been modified); can you please advise me on what went wrong?

Regards.


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable xxxxxxxx encrypted
passwd xxxxxxxx encrypted
hostname PIX
domain-name yourdomain
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521            
fixup protocol tftp 69
names
access-list 100 permit icmp any any echo-reply
access-list acl_out permit ip any any log
access-list 101 permit ip host 76.207.10.18 host 76.207.10.34
access-list 101 permit ip host 76.207.10.18 host 76.207.10.35
access-list 101 permit ip host 76.207.10.18 host 76.207.10.36
access-list 101 permit ip host 76.207.10.18 host 76.207.10.37
access-list 101 permit ip host 76.207.10.18 host 10.10.195.120
access-list 101 permit ip host 76.207.10.18 host 10.10.223.121
access-list NoNat permit ip 76.207.10.16 255.255.255.248 76.207.10.16 255.255.255.248
access-list ethernet0 permit tcp any interface outside eq ssh
pager lines 24
logging on
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside 76.207.10.27 255.255.255.248
ip address inside 76.207.10.19 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
pdm location 76.207.10.18 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 76.207.10.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 0.0.0.0 255.255.255.255 outside
http 76.207.10.18 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set chevelle esp-3des esp-sha-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 191.234.157.206
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address 191.234.157.206 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 28800
telnet timeout 5
ssh timeout 30            
console timeout 0
terminal width 80
Question by:arron9112003
7 Comments
Expert Comment

by:grblades
ID: 20099802
Your NoNat ACL looks incorrect. I think it should be :-

access-list NoNat permit ip host 76.207.10.18 host 76.207.10.34
access-list NoNat permit ip host 76.207.10.18 host 76.207.10.35
access-list NoNat permit ip host 76.207.10.18 host 76.207.10.36
access-list NoNat permit ip host 76.207.10.18 host 76.207.10.37
access-list NoNat permit ip host 76.207.10.18 host 10.10.195.120
access-list NoNat permit ip host 76.207.10.18 host 10.10.223.121

Author Comment

by:arron9112003
ID: 20105663
Hi Grblades,

I made the change to the ACL as you suggested, but the PIX still cannot establish a tunnel to the other end; perhaps other changes are needed. I tested it by sending pings and RDP to those IPs, but none of them reply.

ISAKMP session disconnected (local 76.207.10.27 (initiator), remote 191.234.157.206)
Teardown TCP connection 31 for outside:76.207.10.35/3389 to inside:76.207.10.18/1499 duration 0:02:01 bytes 0 SYN timeout

Above is the message I see from PDM log viewer.


Expert Comment

by:grblades
ID: 20107442
Can you post the output of the following commands :-

show crypto isakmp sa

show crypto sa
Author Comment

by:arron9112003
ID: 20107628
PIX(config)# show crypto isakmp sa
Total     : 0
Embryonic : 0
        dst               src        state     pending     created
PIX(config)# show crypto sa
interface: outside
    Crypto map tag: transam, local addr. 76.207.10.27
   local  ident (addr/mask/prot/port): (76.207.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (76.207.10.34/255.255.255.255/0/0)
   current_peer: 191.234.157.206 :0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 7, #recv errors 0
     local crypto endpt.: 76.207.10.27, remote crypto endpt.: 191.234.157.206
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
   local  ident (addr/mask/prot/port): (76.207.10.18/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (76.207.10.35/255.255.255.255/0/0)
   current_peer: 191.234.157.206 :0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 21, #recv errors 0          
     local crypto endpt.: 76.207.10.27, remote crypto endpt.: 191.234.157.206
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
   local  ident (addr/mask/prot/port): (76.207.10.18/255.255.255.255/0/0)      
   remote ident (addr/mask/prot/port): (76.207.10.36/255.255.255.255/0/0)
   current_peer: 191.234.157.206 :0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 76.207.10.27, remote crypto endpt.: 191.234.157.206
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:            
     outbound ah sas:
     outbound pcp sas:
   local  ident (addr/mask/prot/port): (76.207.10.18/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (76.207.10.37/255.255.255.255/0/0)
   current_peer: 191.234.157.206 :0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 76.207.10.27, remote crypto endpt.: 191.234.157.206
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
   local  ident (addr/mask/prot/port): (76.207.10.18/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.101.243.106/255.255.255.255/0/0)
   current_peer: 191.234.157.206 :0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0          
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 9, #recv errors 0
     local crypto endpt.: 76.207.10.27, remote crypto endpt.: 191.234.157.206
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
   local  ident (addr/mask/prot/port): (76.207.10.18/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.10.191.3/255.255.255.255/0/0)
   current_peer: 191.234.157.206 :0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 6, #recv errors 0
     local crypto endpt.: 76.207.10.27, remote crypto endpt.: 191.234.157.206
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
PIX(config)#

Expert Comment

by:grblades
ID: 20119075
There is definitely a problem bringing up the VPN. Can you repost your new configuration and I will check it again.

Author Comment

by:arron9112003
ID: 20124813
Here is the new configuration from the PIX.


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxx encrypted
passwd xxxxxx encrypted
hostname PIX
domain-name ivr
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521            
fixup protocol tftp 69
names
access-list 100 permit icmp any any echo-reply
access-list acl_out permit ip any any log
access-list 101 permit ip host 76.207.10.18 host 76.207.10.35
access-list 101 permit ip host 76.207.10.18 host 76.207.10.36
access-list 101 permit ip host 76.207.10.18 host 76.207.10.37
access-list 101 permit ip host 76.207.10.18 host 10.10.195.120  
access-list 101 permit ip host 76.207.10.18 host 10.10.223.121  
access-list NoNat permit ip host 76.207.10.18 host 76.207.10.34
access-list NoNat permit ip host 76.207.10.18 host 76.207.10.35
access-list NoNat permit ip host 76.207.10.18 host 76.207.10.36
access-list NoNat permit ip host 76.207.10.18 host 76.207.10.37
access-list NoNat permit ip host 76.207.10.18 host 10.10.195.120  
access-list NoNat permit ip host 76.207.10.18 host 10.10.223.121
access-list ethernet0 permit tcp any interface outside eq ssh
pager lines 24
logging on
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside 76.207.10.27 255.255.255.248
ip address inside 76.207.10.19 255.255.255.248              
ip audit info action alarm
ip audit attack action alarm
pdm location 76.207.10.18 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 76.207.10.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 0.0.0.0 255.255.255.255 outside
http 76.207.10.18 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set chevelle esp-3des esp-sha-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 191.234.157.206
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address 191.234.157.206 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2            
isakmp policy 1 lifetime 28800
telnet timeout 5
ssh timeout 30
management-access outside
console timeout 0
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config            
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80

Accepted Solution

by:
grblades earned 2000 total points
ID: 20124890
Try adding the following config :-
isakmp identity address

You could also try adding the following config as well :-
isakmp nat-traversal 3600

If that doesn't work then I would double-check the shared key, IP address, and the use of 3DES/SHA with the other end.
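A small consistency check for the two mistakes this thread turns on: the nat 0 exemption list not mirroring the crypto ACL (grblades's first comment) and the accepted answer's advice to double-check the peer address and pre-shared key. This is an added example, not code from the thread or from Cisco; the sample config is a constructed excerpt of the first config posted above, and the checks use exact selector matching, a simplification of what PIX 6.3 actually does.

```python
import re

# Constructed sample: an excerpt of the crypto-relevant lines from the first config posted above.
SAMPLE_CONFIG = """
access-list 101 permit ip host 76.207.10.18 host 76.207.10.34
access-list 101 permit ip host 76.207.10.18 host 10.10.195.120
access-list NoNat permit ip 76.207.10.16 255.255.255.248 76.207.10.16 255.255.255.248
nat (inside) 0 access-list NoNat
crypto ipsec transform-set chevelle esp-3des esp-sha-hmac
crypto map transam 1 match address 101
crypto map transam 1 set peer 191.234.157.206
crypto map transam 1 set transform-set chevelle
isakmp key ******** address 191.234.157.206 netmask 255.255.255.255
"""

def _endpoints(spec):
    """Normalise 'host A host B' / 'A MASK B MASK' / 'any' to a (src/mask, dst/mask) pair."""
    spec = re.sub(r"\bhost (\S+)", r"\1 255.255.255.255", spec)
    spec = re.sub(r"\bany\b", "0.0.0.0 0.0.0.0", spec)
    s, sm, d, dm = spec.split()[:4]
    return (f"{s}/{sm}", f"{d}/{dm}")

def lint_vpn(config):
    """Return findings for crypto-map / nat 0 / isakmp consistency (exact selector matching)."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    def grab(pat):  # first capture group of every line matching pat
        return [m.group(1) for m in (re.match(pat, l) for l in lines) if m]
    acls = {}
    for l in lines:
        m = re.match(r"access-list (\S+) permit ip (.+)", l)
        if m:
            acls.setdefault(m.group(1), []).append(_endpoints(m.group(2)))
    findings = []
    nat0 = grab(r"nat \(\S+\) 0 access-list (\S+)")
    exempt = set(acls.get(nat0[0], [])) if nat0 else set()
    # A flow still translated to the outside address never matches the tunnel selector,
    # so every crypto-ACL entry needs an identical nat 0 entry (as the corrected NoNat list has).
    for name in grab(r"crypto map \S+ \d+ match address (\S+)"):
        for src, dst in acls.get(name, []):
            if (src, dst) not in exempt:
                findings.append(f"crypto ACL {name}: {src} -> {dst} is not nat 0 exempted")
    defined = set(grab(r"crypto ipsec transform-set (\S+)"))
    for ts in grab(r"crypto map \S+ \d+ set transform-set (\S+)"):
        if ts not in defined:
            findings.append(f"transform-set {ts} is referenced but not defined")
    keys = set(grab(r"isakmp key \S+ address (\S+)"))
    for peer in grab(r"crypto map \S+ \d+ set peer (\S+)"):
        if peer not in keys:
            findings.append(f"no isakmp pre-shared key configured for peer {peer}")
    return findings
```

On the first posted config it reports the two ACL 101 flows that the subnet-based NoNat entry does not exempt; once NoNat mirrors ACL 101 host-for-host it reports nothing.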