Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Problem with Crypto Maps in site-to-site VPN

Posted on 2007-12-03
7
Medium Priority
?
1,578 Views
Last Modified: 2011-09-20
I am attempting to connect a Cisco PIX 506e and a Cisco ASA device using the Cisco PDM VPN wizard.
The device behind the ASA is able to initiate a site-to-site VPN connection but the device behind the PIX cannot.  I have ruled out Phase I and Phase II issues out since the device behind the ASA can initiate the connection successfully.  Once this occurs the device behind the PIX can communicate with the remote host.  When saving the config via the PDM console I get the following error:
"[ERR] crypto map outside_map 20 set peer 12.171.20.84
WARNING: This crypto map is incomplete.
 To remedy the situation add a peer and a valid access-list to this crypto map.

Attached is the running config for the PIX , I do not have access to the config on the ASA.

I can also send a screen shot of the PDM error message.

I am pretty new to the PIX and would greatly appreciate any help.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password wbEr.7V16wDUhi9/ encrypted
passwd IDYsyU2LonNlM/Lb encrypted
hostname CCBPIX
domain-name ccbcreditservices.net
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 4080
fixup protocol http 6080
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 89.0.0.203 mail
name 10.10.150.9 mail2
name 89.0.0.4 CT_Center
name 61.62.0.0 Block
name 61.0.0.0 Block1
name 166.70.202.145 IAT_New
name 192.168.1.0 TestNetwork
object-group service CCBinternal tcp 
  port-object eq telnet 
object-group network Internet 
  network-object 10.10.100.0 255.255.255.0 
  network-object 89.0.0.0 255.255.255.0 
object-group service Internet_email tcp 
  port-object eq smtp 
object-group network mail 
  network-object mail 255.255.255.255 
  network-object 89.0.0.0 255.255.255.0 
object-group network VPN_remote 
  network-object 10.10.150.5 255.255.255.255 
object-group network test 
  network-object 89.0.0.0 255.255.255.0 
  network-object mail 255.255.255.255 
object-group service Target tcp 
  description Target HTTPS access
  port-object range 4080 4080 
  port-object range 6080 6080 
  port-object eq https 
  port-object eq www 
object-group service IAT_PC_ANYWHERE tcp 
  description PC ANYWHERE Connection Info for IAT
  port-object range pcanywhere-data 5632 
object-group service IAT tcp-udp 
  port-object range 5631 5632 
object-group service HighPorts tcp-udp 
  port-object range 1025 65535 
access-list acl_out permit icmp any any 
access-list inside_authentication_LOCAL permit tcp interface inside interface outside eq www 
access-list outside_access_in deny ip host 151.11.85.99 host 205.179.6.210 
access-list outside_access_in permit icmp any any echo-reply log 
access-list outside_access_in permit tcp any host 205.179.6.210 eq smtp 
access-list outside_access_in remark CCB Target HTTP
access-list outside_access_in permit tcp any host 205.179.6.211 object-group Target log 
access-list outside_access_in permit tcp any host 205.179.6.220 eq pcanywhere-data log 7 
access-list outside_access_in permit udp any host 205.179.6.220 eq pcanywhere-status log 7 
access-list smtp permit tcp any host 205.179.6.210 eq smtp 
access-list inside_outbound_nat0_acl permit ip any 10.10.150.0 255.255.255.128 
access-list nonat permit ip host mail 10.10.150.0 255.255.255.0 
access-list nonat permit ip host 89.0.0.201 10.10.150.0 255.255.255.0 
access-list nonat permit ip host 89.0.0.99 10.10.150.0 255.255.255.0 
access-list nonat permit ip host 89.0.0.101 10.10.150.0 255.255.255.0 
access-list nonat permit ip host 89.0.0.107 10.10.150.0 255.255.255.0 
access-list nonat permit ip host 89.0.0.25 10.10.150.0 255.255.255.0 
access-list nonat permit ip object-group VPN_remote 10.10.150.0 255.255.255.128 
access-list nonat permit ip 10.10.175.0 255.255.255.0 TestNetwork 255.255.255.0 
access-list outside_cryptomap_20 permit ip 10.10.175.0 255.255.255.0 TestNetwork 255.255.255.0 
pager lines 24
logging on
logging timestamp
logging console debugging
logging buffered notifications
logging trap notifications
logging device-id hostname
logging host inside 89.0.0.110
icmp permit 89.0.0.0 255.255.255.0 inside
icmp permit 10.10.175.0 255.255.255.0 inside
icmp permit 10.10.150.0 255.255.255.0 inside
icmp permit 10.10.100.0 255.255.255.0 inside
mtu outside 1500
mtu inside 1500
ip address outside 205.179.6.212 255.255.255.240
ip address inside 10.10.150.5 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm drop
pdm location 10.10.100.0 255.255.255.0 inside
pdm location 10.10.0.0 255.255.0.0 inside
pdm location 89.0.0.0 255.255.255.0 inside
pdm location 10.10.100.99 255.255.255.255 inside
pdm location 89.0.0.92 255.255.255.255 inside
pdm location 205.179.6.213 255.255.255.255 outside
pdm location mail 255.255.255.255 inside
pdm location 89.0.0.25 255.255.255.255 inside
pdm location 205.179.6.210 255.255.255.255 outside
pdm location 89.0.0.110 255.255.255.255 inside
pdm location 89.0.0.168 255.255.255.255 inside
pdm location mail2 255.255.255.255 inside
pdm location 89.0.0.99 255.255.255.255 inside
pdm location 89.0.0.101 255.255.255.255 inside
pdm location 89.0.0.107 255.255.255.255 inside
pdm location 89.0.0.201 255.255.255.255 inside
pdm location 10.10.150.0 255.255.255.0 outside
pdm location 10.10.150.0 255.255.255.128 outside
pdm location 10.10.20.0 255.255.255.0 inside
pdm location 10.10.11.0 255.255.255.0 inside
pdm location 10.10.150.25 255.255.255.255 inside
pdm location 10.10.150.30 255.255.255.255 inside
pdm location CT_Center 255.255.255.255 inside
pdm location Block 255.255.0.0 outside
pdm location Block1 255.0.0.0 outside
pdm location 89.0.0.190 255.255.255.255 inside
pdm location 151.11.85.99 255.255.255.255 outside
pdm location 89.0.0.173 255.255.255.255 inside
pdm location 10.10.175.0 255.255.255.0 inside
pdm location IAT_New 255.255.255.255 outside
pdm location 10.10.150.0 255.255.255.240 inside
pdm location TestNetwork 255.255.255.0 outside
pdm group Internet inside
pdm group mail inside
pdm group VPN_remote inside
pdm group test inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 205.179.6.214-205.179.6.218
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 205.179.6.210 mail2 netmask 255.255.255.255 0 0 
static (inside,outside) 205.179.6.211 10.10.150.30 netmask 255.255.255.255 0 0 
static (inside,outside) 205.179.6.220 CT_Center netmask 255.255.255.255 0 0 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 205.179.6.209 1
route inside 10.10.0.0 255.255.0.0 10.10.150.1 1
route inside 10.10.20.0 255.255.255.0 10.10.150.1 1
route inside 89.0.0.0 255.255.255.0 10.10.150.1 1
route inside mail 255.255.255.255 10.10.150.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server RADIUS (inside) host 10.10.150.25 collect timeout 5
aaa-server LOCAL protocol local 
http server enable
http 10.10.100.0 255.255.255.0 inside
http 89.0.0.0 255.255.255.0 inside
http 10.10.175.0 255.255.255.0 inside
snmp-server host inside 89.0.0.110
snmp-server host inside 89.0.0.190
no snmp-server location
no snmp-server contact
snmp-server community check12
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 12.171.20.84
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL 
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 12.171.20.84 netmask 255.255.255.255 no-xauth no-config-mode 
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication rsa-sig
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 5
isakmp policy 40 lifetime 86400
isakmp policy 60 authentication pre-share
isakmp policy 60 encryption 3des
isakmp policy 60 hash md5
isakmp policy 60 group 2
isakmp policy 60 lifetime 86400
isakmp policy 80 authentication pre-share
isakmp policy 80 encryption 3des
isakmp policy 80 hash sha
isakmp policy 80 group 2
isakmp policy 80 lifetime 86400
telnet 10.10.100.0 255.255.255.0 inside
telnet 89.0.0.107 255.255.255.255 inside
telnet 89.0.0.173 255.255.255.255 inside
telnet 89.0.0.25 255.255.255.255 inside
telnet 10.10.175.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcprelay enable outside
dhcprelay setroute outside
terminal width 80
Cryptochecksum:abff460eeff5fd3f82a9db1d447a2769
: end
[OK]

Open in new window

0
Comment
Question by:CCBIL
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 28

Expert Comment

by:batry_boy
ID: 20402910
Your crypto map looks OK to me.  However, just for grins, try the following:

From the command line interface, issue the commands:

isakmp identity address
wr mem
reload

This will tell the PIX to use a VPN peer's IP address for it's identity rather than a DNS hostname which is an option.  It will then save the configuration to memory and then reboot the PIX.  See if that helps...BTW, have you tried rebooting the PIX before now to see if that error clears up?
0
 
LVL 1

Author Comment

by:CCBIL
ID: 20402945
I will try this when time allows, the PIX is in a production environment :-)
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 20403001
Understood...

Something else you can try (not as all-encompassing as a reload when it comes to clearing out memory and other running processes on the PIX) is to issue the following commands:

isakmp identity address
clear cryp is sa
clear cryp ip sa

and then try to initiate the tunnel from the PIX side.  All of those commands should be entered from "config" mode.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 1

Author Comment

by:CCBIL
ID: 20404555
I have followed the commands (including reloadd) and still have the same results.  I have monitored the active IKE and IPsec tunnels and do not see any activity, I am going to turn on syslog dubugging and see if I can provide any additional information.
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 20405295
I just noticed that your crypto access list references the 10.10.175.0/24 network for the source addressing for the VPN tunnel.

access-list outside_cryptomap_20 permit ip 10.10.175.0 255.255.255.0 TestNetwork 255.255.255.0

I also notice that your PIX inside interface is on the 10.10.150.0/24 network.

When you try to initiate the tunnel from behind the PIX, what is the IP address of the client machine you are trying to send traffic from?
0
 
LVL 1

Author Comment

by:CCBIL
ID: 20405358
The client machine is 192.168.1.200.

I was able to solve this by viewing the config of the ASA.
The ASA had 'Perfect Forwarding Secrecy' enabled while the PIX did not, after I enabled this on the PIX everything worked correctly.  As a note for others I have included the revelant syslog messages from the PIX prior to solving this.

Thank you for your help, I now know more about both devices than when I started.
 11:38 AM  10.10.150.5    CCBPIX : ISAKMP session disconnected (local 205.179.6.212 (initiator), remote Test2)  
 11:38 AM  10.10.150.5    CCBPIX : ISAKMP Phase 1 delete received (local 205.179.6.212 (initiator), remote Test2)  
 11:38 AM  10.10.150.5    CCBPIX : ISAKMP Phase 1 SA created (local 205.179.6.212/500 (initiator), remote Test2/500, authentication=pre-share, encryption=3DES-CBC, hash=SHA, group=2, lifetime=86400s)  
 11:38 AM  10.10.150.5    CCBPIX : ISAKMP session connected (local 205.179.6.212 (initiator), remote Test2)  
 11:38 AM  10.10.150.5    CCBPIX : ISAKMP Phase 2 exchange started (local 205.179.6.212 (initiator), remote Test2, message-ID 2995821737)  
 11:38 AM  10.10.150.5    CCBPIX : ISAKMP Phase 1 exchange completed (local 205.179.6.212 (initiator), remote Test2)  
 11:38 AM  10.10.150.5    CCBPIX : ISAKMP Phase 1 exchange started (local 205.179.6.212 (initiator), remote Test2)  
 11:37 AM  10.10.150.5    CCBPIX : ISAKMP session disconnected (local 205.179.6.212 (initiator), remote Test2)  
 11:37 AM  10.10.150.5    CCBPIX : ISAKMP Phase 1 delete received (local 205.179.6.212 (initiator), remote Test2)  
 11:37 AM  10.10.150.5    CCBPIX : ISAKMP Phase 1 SA created (local 205.179.6.212/500 (initiator), remote Test2/500, authentication=pre-share, encryption=3DES-CBC, hash=SHA, group=2, lifetime=86400s)  
 11:37 AM  10.10.150.5    CCBPIX : ISAKMP session connected (local 205.179.6.212 (initiator), remote Test2)  
 11:37 AM  10.10.150.5    CCBPIX : ISAKMP Phase 2 exchange started (local 205.179.6.212 (initiator), remote Test2, message-ID 660983294)  
 11:37 AM  10.10.150.5    CCBPIX : ISAKMP Phase 1 exchange completed (local 205.179.6.212 (initiator), remote Test2)  
 11:37 AM  10.10.150.5    CCBPIX : ISAKMP Phase 1 exchange started (local 205.179.6.212 (initiator), remote Test2)  

Open in new window

0
 
LVL 28

Accepted Solution

by:
batry_boy earned 1500 total points
ID: 20405395
Excellent...pays to be able to look at both sides, eh?  :)
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question