Cisco PIX - Site to Site Tunnel not coming up.

Posted on 2007-11-20
Last Modified: 2010-04-21
Hello All,

I have a really weird problem regarding two PIXs not establishing a tunnel. I have one PIX at the main office and a second PIX at the branch office. I checked the configuration and everything looks right. When I do a "debug crypto isakmp 100" command, all I get is a PEER_REAPER_TIMER message that repeats. I get 0 when trying "sh crypto isakmp sa". When I try telnetting to the IP address I get a DSL welcome command prompt instead of the PIX prompt. My thinking is somehow the modem is interfering with the PIX. I can use the Cisco VPN client to connect to the PIX. My PIX configurations are below.
Any suggestions as to why they cannot connect?

Main PIX:

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 96utOTR.PJJoSyt2 encrypted
passwd OLwrzN2..uVF.NHM encrypted
hostname HascoPix
domain-name nt.hasco.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names        
access-list 100 permit udp any any eq isakmp
access-list 100 permit icmp any any
access-list 100 permit esp any any
access-list 100 permit tcp any host 64.x.x.x eq 3389
access-list 100 permit tcp any host 64.x.x.x eq 3389
access-list NONAT permit ip 132.147.12.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT permit ip 132.147.12.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list VPNCLIENT permit ip 132.147.12.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list LONGBEACH permit ip 132.147.12.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 64.x.x.x 255.255.255.224
ip address inside 132.147.12.10 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNpool 192.168.1.50-192.168.1.100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 64.x.x.x 3389 132.147.12.16 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.x.x.x 3389 132.147.12.17 3389 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 64.x.x.x 1
route inside 192.168.100.0 255.255.252.0 132.147.12.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map VPNmap 10 ipsec-isakmp
crypto map VPNmap 10 match address LONGBEACH
crypto map VPNmap 10 set pfs group2
crypto map VPNmap 10 set peer 71.x.x.x
crypto map VPNmap 10 set transform-set ESP-3DES-MD5
crypto map VPNmap 800 ipsec-isakmp dynamic outside_dyn_map
crypto map VPNmap interface outside
isakmp enable outside
isakmp key ******** address 71.x.x.x netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup HO idle-time 1800
vpngroup Hasco address-pool VPNpool
vpngroup Hasco dns-server 132.147.12.16
vpngroup Hasco wins-server 132.147.12.16
vpngroup Hasco default-domain nt.hasco.com
vpngroup Hasco split-tunnel VPNCLIENT
vpngroup Hasco idle-time 1800
vpngroup Hasco password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80

Branch PIX:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 96utOTR.PJJoSyt2 encrypted
passwd OLwrzN2..uVF.NHM encrypted
hostname Pix-Pamona
domain-name nt.hasco.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names        
access-list 100 permit udp any any eq isakmp
access-list 100 permit icmp any any
access-list 100 permit esp any any
access-list NONAT permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT permit ip 192.168.100.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list NONAT permit ip 132.147.12.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list NONAT permit ip 192.168.100.0 255.255.255.0 132.147.12.0 255.255.255.0
access-list VPNCLIENT permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list POMONA permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 71.x.x.x 255.255.255.0
ip address inside 192.168.100.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNpool 172.16.0.1-172.16.0.50 mask 255.255.255.0
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 71.x.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map VPNmap 10 ipsec-isakmp
crypto map VPNmap 10 match address POMONA
crypto map VPNmap 10 set pfs group2
crypto map VPNmap 10 set peer 64.x.x.x
crypto map VPNmap 10 set transform-set ESP-3DES-MD5
crypto map VPNmap 800 ipsec-isakmp dynamic outside_dyn_map
crypto map VPNmap interface outside
isakmp enable outside
isakmp key ******** address 64.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup HOP idle-time 1800
vpngroup HascoP address-pool VPNpool
vpngroup HascoP dns-server 132.147.12.16
vpngroup HascoP wins-server 132.147.12.16
vpngroup HascoP default-domain nt.hasco.com
vpngroup HascoP split-tunnel VPNCLIENT
vpngroup HascoP idle-time 1800
vpngroup HascoP password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80
Question by: greenbeanx81

Accepted Solution by: RouterDude (earned 500 total points)
Are you using Telnet or SSH to connect to the PIX? If Telnet, then the reason is port 23 is open on the modem. Going over your config, ssh is only allowed from outside.

Second, depending on the modem, you may need to allow IPSEC passthrough from internal devices even though you have a public IP on the PIX. From past experience just bringing up a Cisco 851 behind a cable modem can be a pain.

One other thing that stands out is your interesting traffic doesn't match.

access-list LONGBEACH permit ip 132.147.12.0 255.255.255.0 192.168.100.0 255.255.255.0
crypto map VPNmap 10 match address LONGBEACH
access-list POMONA permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map VPNmap 10 match address POMONA

Without a matching ACL, the tunnel won't even try to come up.
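One way to check the three conditions RouterDude lists above (mirror-image crypto ACLs on both peers, an isakmp key for the peer, and nat 0 exemption of the tunnel traffic) from the saved configs before touching the devices, as an added example that is not part of the original thread. The sample configs are trimmed from the question's own posts with the outside addresses left masked as posted, and the check generalizes to any number of static crypto-map entries.

```python
"""Cross-check two PIX 6.3 configs for a site-to-site IPsec tunnel (added example)."""
import re
from collections import defaultdict
# Only the PIX 6.3 lines the check needs are parsed; everything else is ignored.
ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"crypto map (\S+) (\d+) (match address|set peer) (\S+)")
KEY_RE = re.compile(r"isakmp key \S+ address (\S+)")
NAT0_RE = re.compile(r"nat \(inside\) 0 access-list (\S+)")
OUTSIDE_RE = re.compile(r"ip address outside (\S+)")

def parse_pix(config):
    """Extract ACLs, crypto-map entries, isakmp key peers and the outside address."""
    acls = defaultdict(list)   # ACL name -> [(src, src_mask, dst, dst_mask), ...]
    maps = defaultdict(dict)   # (map name, seq) -> {"acl": ..., "peer": ...}
    keys, nat0, outside = set(), None, None
    for line in (ln.strip() for ln in config.splitlines()):
        if m := ACL_RE.match(line):
            acls[m[1]].append(m.group(2, 3, 4, 5))
        elif m := MAP_RE.match(line):
            maps[(m[1], m[2])]["acl" if m[3] == "match address" else "peer"] = m[4]
        elif m := KEY_RE.match(line):
            keys.add(m[1])
        elif m := NAT0_RE.match(line):
            nat0 = m[1]
        elif m := OUTSIDE_RE.match(line):
            outside = m[1]
    return {"acls": acls, "maps": maps, "keys": keys, "nat0": nat0, "outside": outside}

def mirror(e):   # the peer's view of the same flow: source and destination swapped
    return (e[2], e[3], e[0], e[1])

def check_l2l(local, peer):
    """Findings for the tunnel from local to peer; an empty list means clean."""
    findings = []
    for entry in local["maps"].values():
        if entry.get("peer") != peer["outside"]:
            continue   # another peer, or the dynamic map used by the VPN clients
        if peer["outside"] not in local["keys"]:   # debug: "no keys ... with remote peer"
            findings.append(f"no isakmp key for peer {peer['outside']}")
        back = next((e for e in peer["maps"].values() if e.get("peer") == local["outside"]), {})
        ours = set(local["acls"].get(entry.get("acl"), []))
        theirs = {mirror(e) for e in peer["acls"].get(back.get("acl"), [])}
        if ours != theirs:   # without a matching ACL the PIX will not even try phase 1
            findings.append(f"crypto ACL {entry.get('acl')} is not the mirror of peer's {back.get('acl')}")
        if missing := ours - set(local["acls"].get(local["nat0"], [])):   # else it gets PATed
            findings.append(f"nat 0 ACL {local['nat0']} does not exempt {sorted(missing)}")
    return findings

# Constructed samples: the tunnel-relevant lines from the question, as first posted.
MAIN = """access-list NONAT permit ip 132.147.12.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list LONGBEACH permit ip 132.147.12.0 255.255.255.0 192.168.100.0 255.255.255.0
ip address outside 64.x.x.x 255.255.255.224
nat (inside) 0 access-list NONAT
crypto map VPNmap 10 match address LONGBEACH
crypto map VPNmap 10 set peer 71.x.x.x
isakmp key ******** address 71.x.x.x netmask 255.255.255.255 no-xauth
"""
BRANCH_BEFORE = """access-list NONAT permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT permit ip 192.168.100.0 255.255.255.0 132.147.12.0 255.255.255.0
access-list POMONA permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside 71.x.x.x 255.255.255.0
nat (inside) 0 access-list NONAT
crypto map VPNmap 10 match address POMONA
crypto map VPNmap 10 set peer 64.x.x.x
isakmp key ******** address 64.x.x.x netmask 255.255.255.255
"""
BRANCH_AFTER = BRANCH_BEFORE.replace(   # the branch ACL corrected as in the later post
    "POMONA permit ip 192.168.100.0 255.255.255.0 192.168.1.0",
    "POMONA permit ip 192.168.100.0 255.255.255.0 132.147.12.0")
```

Run the check in both directions, since the nat 0 test applies per side.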

Author Comment by: greenbeanx81
What do you mean by matching?


Author Comment by: greenbeanx81
never mind..

Author Comment by: greenbeanx81
I'm getting the following when debugging crypto isakmp 150 on the branch. I have the correct keys, using "isakmp key XXXX address xxxx netmask x.x.x.x no-xauth no-config-mode". Could the PIX be confused involving keys with also the VPN client? I just get a PEER_REAPER_TIMER on the main PIX when doing a debug.

Pix-Pamona(config)# debug crypto isakmp 150
Pix-Pamona(config)#
PEER_REAPER_TIMER
crypto_ke_process_block:
KEYENG_IKMP_SA_SPEC
isadb_create_sa:
crypto_isakmp_init_phase1_fields: initiator
is_auth_policy_configured: auth 4
gen_cookie:P
ipsec_db_add_sa_req:
ipsec_db_get_ipsec_sa_list:
ipsec_db_add_ipsec_sa_list:
ipsec_db_get_ipsec_sa_list:
is_auth_policy_configured: auth 4
ISAKMP: No cert, and no keys (public or pre-shared) with remote peer   64.x.x.x
isadb_free_isakmp_sa:
VPN Peer:ISAKMP: Peer Info for 64.x.x.x/500 not found - peers:0

Assisted Solution by: RouterDude (earned 500 total points)
These are the lines related only to the IPSEC for L2L or site to site. So assuming you have the correct peer address in each policy, which matches the outside address of the respective PIX, AND both sides have a matching ACL and matching pre-share key, then the possible cause of this would be the device that the PIX is connected to at the remote site. Make sure UDP port 500 is open on that device for passing ISAKMP to the PIX. You need to allow UDP 500 and IP 50 through for the IPSEC to work. Since we haven't gotten the first layer up yet, this is where we need to focus. Have you changed the ACL to match in the branch PIX to 132.147.12.0, and tried to establish a tunnel from that PIX? If you can bring up a connection from the branch PIX but not the Home PIX, then it could be the cable device; if not, I would definitely look into the cable device.

isakmp enable outside
isakmp key ******** address 71.x.x.x netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

isakmp enable outside
isakmp key ******** address 64.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Author Comment by: greenbeanx81
I have made corrections to both the main PIX and the branch PIX. I am still unable to bring up the tunnel. Now both PIXs are reporting "PEER_REAPER_TIMER" when I run the "debug crypto isakmp 150" command. The updated configurations are below. What is strange is remote VPN clients connect to the PIX using the Cisco VPN client. Any suggestions? Thank you. The client is on Verizon Business DSL with a Westell black DSL+ modem. I'm going to call tech support and see if the modem supports IPSEC passthrough.

MAIN PIX:

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 96utOTR.PJJoSyt2 encrypted
passwd OLwrzN2..uVF.NHM encrypted
hostname HascoPix
domain-name nt.hasco.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names        
access-list 100 permit udp any any eq isakmp
access-list 100 permit icmp any any
access-list 100 permit esp any any
access-list 100 permit tcp any host 64.x.x.x eq 3389
access-list 100 permit tcp any host 64.x.x.x eq 3389
access-list NONAT permit ip 132.147.12.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT permit ip 132.147.12.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list VPNSPLIT permit ip 132.147.12.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list POMONA permit ip 132.147.12.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 64.x.x.x 255.255.255.224
ip address inside 132.147.12.10 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNpool 192.168.1.50-192.168.1.100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 64.x.x.x 3389 132.147.12.16 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.x.x.x 3389 132.147.12.17 3389 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 64.x.x.x 1
route inside 192.168.100.0 255.255.252.0 132.147.12.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map VPNmap 10 ipsec-isakmp
crypto map VPNmap 10 match address POMONA
crypto map VPNmap 10 set pfs group2
crypto map VPNmap 10 set peer 71.x.x.x
crypto map VPNmap 10 set transform-set ESP-3DES-MD5
crypto map VPNmap 800 ipsec-isakmp dynamic outside_dyn_map
crypto map VPNmap interface outside
isakmp enable outside
isakmp key ******** address 71.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup HO idle-time 1800
vpngroup Hasco address-pool VPNpool
vpngroup Hasco dns-server 132.147.12.16
vpngroup Hasco wins-server 132.147.12.16
vpngroup Hasco default-domain nt.hasco.com
vpngroup Hasco split-tunnel VPNSPLIT
vpngroup Hasco idle-time 1800
vpngroup Hasco password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80

BRANCH PIX:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 96utOTR.PJJoSyt2 encrypted
passwd OLwrzN2..uVF.NHM encrypted
hostname Pix-Pamona
domain-name nt.hasco.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names        
access-list 100 permit udp any any eq isakmp
access-list 100 permit icmp any any
access-list 100 permit esp any any
access-list NONAT permit ip 192.168.100.0 255.255.255.0 132.147.12.0 255.255.255.0
access-list NONAT permit ip 192.168.100.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list VPNSPLIT permit ip 192.168.100.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list LONGBEACH permit ip 192.168.100.0 255.255.255.0 132.147.12.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 71.x.x.x 255.255.255.0
ip address inside 192.168.100.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNpool 172.16.0.1-172.16.0.50 mask 255.255.255.0
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 71.x.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map VPNmap 10 ipsec-isakmp
crypto map VPNmap 10 match address LONGBEACH
crypto map VPNmap 10 set pfs group2
crypto map VPNmap 10 set peer 64.x.x.x
crypto map VPNmap 10 set transform-set ESP-3DES-MD5
crypto map VPNmap 800 ipsec-isakmp dynamic outside_dyn_map
crypto map VPNmap interface outside
isakmp enable outside
isakmp key ******** address 64.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup HOP idle-time 1800
vpngroup HascoP address-pool VPNpool
vpngroup HascoP dns-server 132.147.12.16
vpngroup HascoP wins-server 132.147.12.16
vpngroup HascoP default-domain nt.hasco.com
vpngroup HascoP split-tunnel VPNSPLIT
vpngroup HascoP idle-time 1800
vpngroup HascoP password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.100.10-192.168.100.137 inside
dhcpd dns 132.147.12.16
dhcpd wins 132.147.12.16
dhcpd lease 604800
dhcpd ping_timeout 750
dhcpd domain nt-hasco.com
dhcpd enable inside
terminal width 80

Author Comment by: greenbeanx81
After clearing the keys on both PIXs using "clear crypto isakmp/ipsec sa", the tunnel is now reporting MM_IDLE status when entering "sh crypto isakmp sa". I can ping from the main office to the inside interface of the branch, but I cannot ping from the branch PIX to the inside interface of the main office. Any suggestions? I have "isakmp nat-traversal 20" on both PIXs. Thank you.

Author Comment by: greenbeanx81
I'm also having trouble pinging computers behind the PIX when connected using the Cisco VPN client. I cannot ping anything when connected. I do have "isakmp nat-traversal 20" on both PIXs. I should be able to ping what is behind the firewall. Any suggestions?

Assisted Solution by: RouterDude (earned 500 total points)
IIRC the PIX that is connecting to another IPSEC device that is behind a NATted device requires NAT-T, but the device that is behind the NATted device does not, or it may be the other way around. One other thing I have come across is that you can't initiate the connections from the PIX; it has to be from a connected device behind the PIX.

Also, with this command "sysopt connection permit-ipsec" you don't need an ACL for IPsec 500 or IP protocol 50.

Finally, you need to run the packet capture command to see what packets are actually going through. Create an ACL for the traffic you are sending, whether it's ICMP or whatever, then run "capture traffic access-list xxx". You might want to set it up for the UDP 500 and protocol 50 packets to see if they are actually hitting the PIX.

run
debug crypto isa
debug cry ipsec

Leave off everything else and look at everything. The best way to bring up a tunnel is to try to get to a web site that is on a machine behind the PIX from a machine behind the other PIX. Try that and paste the debugs in so we can look them over. It sounds like phase 1 is not even being attempted, but the fact you now have the same thing from both ends means the correct traffic is being matched.

Also try removing no-xauth no-config-mode from the key. Make sure you clear cry isa sa from both PIX before attempting again.

Expert Comment by: RouterDude
One other thing I forgot to mention, I don't know if it has any bearing on this, but 132.147.12.0 is a routable subnet on the internet and should not be used as a private network. If you trace one of those addresses from the branch PIX you may see that it is going out the open internet instead of trying to tunnel. Try that and see if that is the problem.

Author Closing Comment by: greenbeanx81
Good answers... actually a routing issue, but the tunnel is up.