CCBIL asked:
Problem with Crypto Maps in site-to-site VPN

I am attempting to connect a Cisco PIX 506e and a Cisco ASA device using the Cisco PDM VPN wizard.
The device behind the ASA is able to initiate a site-to-site VPN connection but the device behind the PIX cannot. I have ruled out Phase I and Phase II issues since the device behind the ASA can initiate the connection successfully. Once this occurs the device behind the PIX can communicate with the remote host. When saving the config via the PDM console I get the following error:
"[ERR] crypto map outside_map 20 set peer 12.171.20.84
WARNING: This crypto map is incomplete.
To remedy the situation add a peer and a valid access-list to this crypto map."

Attached is the running config for the PIX; I do not have access to the config on the ASA.

I can also send a screen shot of the PDM error message.

I am pretty new to the PIX and would greatly appreciate any help.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password wbEr.7V16wDUhi9/ encrypted
passwd IDYsyU2LonNlM/Lb encrypted
hostname CCBPIX
domain-name ccbcreditservices.net
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 4080
fixup protocol http 6080
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 89.0.0.203 mail
name 10.10.150.9 mail2
name 89.0.0.4 CT_Center
name 61.62.0.0 Block
name 61.0.0.0 Block1
name 166.70.202.145 IAT_New
name 192.168.1.0 TestNetwork
object-group service CCBinternal tcp 
  port-object eq telnet 
object-group network Internet 
  network-object 10.10.100.0 255.255.255.0 
  network-object 89.0.0.0 255.255.255.0 
object-group service Internet_email tcp 
  port-object eq smtp 
object-group network mail 
  network-object mail 255.255.255.255 
  network-object 89.0.0.0 255.255.255.0 
object-group network VPN_remote 
  network-object 10.10.150.5 255.255.255.255 
object-group network test 
  network-object 89.0.0.0 255.255.255.0 
  network-object mail 255.255.255.255 
object-group service Target tcp 
  description Target HTTPS access
  port-object range 4080 4080 
  port-object range 6080 6080 
  port-object eq https 
  port-object eq www 
object-group service IAT_PC_ANYWHERE tcp 
  description PC ANYWHERE Connection Info for IAT
  port-object range pcanywhere-data 5632 
object-group service IAT tcp-udp 
  port-object range 5631 5632 
object-group service HighPorts tcp-udp 
  port-object range 1025 65535 
access-list acl_out permit icmp any any 
access-list inside_authentication_LOCAL permit tcp interface inside interface outside eq www 
access-list outside_access_in deny ip host 151.11.85.99 host 205.179.6.210 
access-list outside_access_in permit icmp any any echo-reply log 
access-list outside_access_in permit tcp any host 205.179.6.210 eq smtp 
access-list outside_access_in remark CCB Target HTTP
access-list outside_access_in permit tcp any host 205.179.6.211 object-group Target log 
access-list outside_access_in permit tcp any host 205.179.6.220 eq pcanywhere-data log 7 
access-list outside_access_in permit udp any host 205.179.6.220 eq pcanywhere-status log 7 
access-list smtp permit tcp any host 205.179.6.210 eq smtp 
access-list inside_outbound_nat0_acl permit ip any 10.10.150.0 255.255.255.128 
access-list nonat permit ip host mail 10.10.150.0 255.255.255.0 
access-list nonat permit ip host 89.0.0.201 10.10.150.0 255.255.255.0 
access-list nonat permit ip host 89.0.0.99 10.10.150.0 255.255.255.0 
access-list nonat permit ip host 89.0.0.101 10.10.150.0 255.255.255.0 
access-list nonat permit ip host 89.0.0.107 10.10.150.0 255.255.255.0 
access-list nonat permit ip host 89.0.0.25 10.10.150.0 255.255.255.0 
access-list nonat permit ip object-group VPN_remote 10.10.150.0 255.255.255.128 
access-list nonat permit ip 10.10.175.0 255.255.255.0 TestNetwork 255.255.255.0 
access-list outside_cryptomap_20 permit ip 10.10.175.0 255.255.255.0 TestNetwork 255.255.255.0 
pager lines 24
logging on
logging timestamp
logging console debugging
logging buffered notifications
logging trap notifications
logging device-id hostname
logging host inside 89.0.0.110
icmp permit 89.0.0.0 255.255.255.0 inside
icmp permit 10.10.175.0 255.255.255.0 inside
icmp permit 10.10.150.0 255.255.255.0 inside
icmp permit 10.10.100.0 255.255.255.0 inside
mtu outside 1500
mtu inside 1500
ip address outside 205.179.6.212 255.255.255.240
ip address inside 10.10.150.5 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm drop
pdm location 10.10.100.0 255.255.255.0 inside
pdm location 10.10.0.0 255.255.0.0 inside
pdm location 89.0.0.0 255.255.255.0 inside
pdm location 10.10.100.99 255.255.255.255 inside
pdm location 89.0.0.92 255.255.255.255 inside
pdm location 205.179.6.213 255.255.255.255 outside
pdm location mail 255.255.255.255 inside
pdm location 89.0.0.25 255.255.255.255 inside
pdm location 205.179.6.210 255.255.255.255 outside
pdm location 89.0.0.110 255.255.255.255 inside
pdm location 89.0.0.168 255.255.255.255 inside
pdm location mail2 255.255.255.255 inside
pdm location 89.0.0.99 255.255.255.255 inside
pdm location 89.0.0.101 255.255.255.255 inside
pdm location 89.0.0.107 255.255.255.255 inside
pdm location 89.0.0.201 255.255.255.255 inside
pdm location 10.10.150.0 255.255.255.0 outside
pdm location 10.10.150.0 255.255.255.128 outside
pdm location 10.10.20.0 255.255.255.0 inside
pdm location 10.10.11.0 255.255.255.0 inside
pdm location 10.10.150.25 255.255.255.255 inside
pdm location 10.10.150.30 255.255.255.255 inside
pdm location CT_Center 255.255.255.255 inside
pdm location Block 255.255.0.0 outside
pdm location Block1 255.0.0.0 outside
pdm location 89.0.0.190 255.255.255.255 inside
pdm location 151.11.85.99 255.255.255.255 outside
pdm location 89.0.0.173 255.255.255.255 inside
pdm location 10.10.175.0 255.255.255.0 inside
pdm location IAT_New 255.255.255.255 outside
pdm location 10.10.150.0 255.255.255.240 inside
pdm location TestNetwork 255.255.255.0 outside
pdm group Internet inside
pdm group mail inside
pdm group VPN_remote inside
pdm group test inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 205.179.6.214-205.179.6.218
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 205.179.6.210 mail2 netmask 255.255.255.255 0 0 
static (inside,outside) 205.179.6.211 10.10.150.30 netmask 255.255.255.255 0 0 
static (inside,outside) 205.179.6.220 CT_Center netmask 255.255.255.255 0 0 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 205.179.6.209 1
route inside 10.10.0.0 255.255.0.0 10.10.150.1 1
route inside 10.10.20.0 255.255.255.0 10.10.150.1 1
route inside 89.0.0.0 255.255.255.0 10.10.150.1 1
route inside mail 255.255.255.255 10.10.150.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server RADIUS (inside) host 10.10.150.25 collect timeout 5
aaa-server LOCAL protocol local 
http server enable
http 10.10.100.0 255.255.255.0 inside
http 89.0.0.0 255.255.255.0 inside
http 10.10.175.0 255.255.255.0 inside
snmp-server host inside 89.0.0.110
snmp-server host inside 89.0.0.190
no snmp-server location
no snmp-server contact
snmp-server community check12
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 12.171.20.84
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL 
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 12.171.20.84 netmask 255.255.255.255 no-xauth no-config-mode 
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication rsa-sig
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 5
isakmp policy 40 lifetime 86400
isakmp policy 60 authentication pre-share
isakmp policy 60 encryption 3des
isakmp policy 60 hash md5
isakmp policy 60 group 2
isakmp policy 60 lifetime 86400
isakmp policy 80 authentication pre-share
isakmp policy 80 encryption 3des
isakmp policy 80 hash sha
isakmp policy 80 group 2
isakmp policy 80 lifetime 86400
telnet 10.10.100.0 255.255.255.0 inside
telnet 89.0.0.107 255.255.255.255 inside
telnet 89.0.0.173 255.255.255.255 inside
telnet 89.0.0.25 255.255.255.255 inside
telnet 10.10.175.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcprelay enable outside
dhcprelay setroute outside
terminal width 80
Cryptochecksum:abff460eeff5fd3f82a9db1d447a2769
: end
[OK]

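The PDM warning says a static crypto map entry needs a peer and a valid access-list. The following script is an added example (not from the thread, not a Cisco tool): it parses the crypto-related lines of the posted config, assuming the PIX 6.3 syntax shown above, and reports what each numbered entry lacks, treating dynamic entries as exempt and also checking the transform-set and the pre-shared key for the peer.

```python
import re

# Constructed excerpt of the crypto-related lines from the posted PIX 6.3 config.
PIX_CONFIG = """\
access-list outside_cryptomap_20 permit ip 10.10.175.0 255.255.255.0 TestNetwork 255.255.255.0
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 12.171.20.84
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp key ******** address 12.171.20.84 netmask 255.255.255.255 no-xauth no-config-mode
"""
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.*)$")  # numbered entries only

def check_crypto_maps(config):
    """Return {(map_name, seq): [problems]}; an empty list means the entry is complete."""
    acls, keyed_peers, entries = set(), set(), {}
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("access-list "):
            acls.add(line.split()[1])
        elif line.startswith("isakmp key ") and " address " in line:
            keyed_peers.add(line.split(" address ")[1].split()[0])
        m = ENTRY_RE.match(line)
        if not m:
            continue
        name, seq, rest = m.groups()
        words = rest.split()
        entry = entries.setdefault((name, int(seq)), {})
        if words[:2] == ["ipsec-isakmp", "dynamic"]:
            entry["dynamic"] = words[2]   # dynamic entry: peer and ACL come from the dynamic map
        elif words[:2] == ["match", "address"]:
            entry["acl"] = words[2]
        elif words[:2] == ["set", "peer"]:
            entry["peer"] = words[2]
        elif words[:2] == ["set", "transform-set"]:
            entry["transform"] = words[2:]
    report = {}
    for key, entry in sorted(entries.items()):
        problems = []
        if "dynamic" not in entry:    # the conditions the PIX 'incomplete' warning names
            for field in ("peer", "acl", "transform"):
                if field not in entry:
                    problems.append("missing " + field)
            if entry.get("acl") and entry["acl"] not in acls:
                problems.append("access-list %s does not exist" % entry["acl"])
            if entry.get("peer") and entry["peer"] not in keyed_peers:
                problems.append("no isakmp key for peer " + entry["peer"])
        report[key] = problems
    return report
```

Run against the posted lines, entry 20 comes back with no problems, which matches the reply below that the crypto map itself looks fine.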

batry_boy:

Your crypto map looks OK to me.  However, just for grins, try the following:

From the command line interface, issue the commands:

isakmp identity address
wr mem
reload

This will tell the PIX to use a VPN peer's IP address for its identity rather than a DNS hostname, which is an option.  It will then save the configuration to memory and then reboot the PIX.  See if that helps...BTW, have you tried rebooting the PIX before now to see if that error clears up?
CCBIL (asker):

I will try this when time allows, the PIX is in a production environment :-)
batry_boy:

Understood...

Something else you can try (not as all-encompassing as a reload when it comes to clearing out memory and other running processes on the PIX) is to issue the following commands:

isakmp identity address
clear cryp is sa
clear cryp ip sa

and then try to initiate the tunnel from the PIX side.  All of those commands should be entered from "config" mode.
CCBIL (asker):

I have followed the commands (including reload) and still have the same results.  I have monitored the active IKE and IPsec tunnels and do not see any activity; I am going to turn on syslog debugging and see if I can provide any additional information.
batry_boy:

I just noticed that your crypto access list references the 10.10.175.0/24 network for the source addressing for the VPN tunnel.

access-list outside_cryptomap_20 permit ip 10.10.175.0 255.255.255.0 TestNetwork 255.255.255.0

I also notice that your PIX inside interface is on the 10.10.150.0/24 network.

When you try to initiate the tunnel from behind the PIX, what is the IP address of the client machine you are trying to send traffic from?
CCBIL (asker):

The client machine is 192.168.1.200.

I was able to solve this by viewing the config of the ASA.
The ASA had 'Perfect Forward Secrecy' enabled while the PIX did not; after I enabled this on the PIX everything worked correctly.  As a note for others I have included the relevant syslog messages from the PIX prior to solving this.

Thank you for your help, I now know more about both devices than when I started.
 11:38 AM  10.10.150.5    CCBPIX : ISAKMP session disconnected (local 205.179.6.212 (initiator), remote Test2)  
 11:38 AM  10.10.150.5    CCBPIX : ISAKMP Phase 1 delete received (local 205.179.6.212 (initiator), remote Test2)  
 11:38 AM  10.10.150.5    CCBPIX : ISAKMP Phase 1 SA created (local 205.179.6.212/500 (initiator), remote Test2/500, authentication=pre-share, encryption=3DES-CBC, hash=SHA, group=2, lifetime=86400s)  
 11:38 AM  10.10.150.5    CCBPIX : ISAKMP session connected (local 205.179.6.212 (initiator), remote Test2)  
 11:38 AM  10.10.150.5    CCBPIX : ISAKMP Phase 2 exchange started (local 205.179.6.212 (initiator), remote Test2, message-ID 2995821737)  
 11:38 AM  10.10.150.5    CCBPIX : ISAKMP Phase 1 exchange completed (local 205.179.6.212 (initiator), remote Test2)  
 11:38 AM  10.10.150.5    CCBPIX : ISAKMP Phase 1 exchange started (local 205.179.6.212 (initiator), remote Test2)  
 11:37 AM  10.10.150.5    CCBPIX : ISAKMP session disconnected (local 205.179.6.212 (initiator), remote Test2)  
 11:37 AM  10.10.150.5    CCBPIX : ISAKMP Phase 1 delete received (local 205.179.6.212 (initiator), remote Test2)  
 11:37 AM  10.10.150.5    CCBPIX : ISAKMP Phase 1 SA created (local 205.179.6.212/500 (initiator), remote Test2/500, authentication=pre-share, encryption=3DES-CBC, hash=SHA, group=2, lifetime=86400s)  
 11:37 AM  10.10.150.5    CCBPIX : ISAKMP session connected (local 205.179.6.212 (initiator), remote Test2)  
 11:37 AM  10.10.150.5    CCBPIX : ISAKMP Phase 2 exchange started (local 205.179.6.212 (initiator), remote Test2, message-ID 660983294)  
 11:37 AM  10.10.150.5    CCBPIX : ISAKMP Phase 1 exchange completed (local 205.179.6.212 (initiator), remote Test2)  
 11:37 AM  10.10.150.5    CCBPIX : ISAKMP Phase 1 exchange started (local 205.179.6.212 (initiator), remote Test2)  

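The syslog the asker posted shows the signature of a Phase 2 mismatch such as PFS: Phase 1 completes, Phase 2 starts, and the peer then deletes the IKE SA with no IPsec SA ever coming up. The script below is an added example (not part of the thread) that classifies each tunnel attempt in such a log; it assumes the PDM log viewer lists newest lines first, and the 'Phase 2 exchange completed' success text it looks for is an assumption, since no successful attempt appears on this page.

```python
import re

# Constructed sample: one tunnel attempt from the syslog the asker posted, in the
# order the PDM log viewer shows it (newest line first).
PDM_LOG = """\
11:38 AM  10.10.150.5    CCBPIX : ISAKMP session disconnected (local 205.179.6.212 (initiator), remote Test2)
11:38 AM  10.10.150.5    CCBPIX : ISAKMP Phase 1 delete received (local 205.179.6.212 (initiator), remote Test2)
11:38 AM  10.10.150.5    CCBPIX : ISAKMP Phase 1 SA created (local 205.179.6.212/500 (initiator), remote Test2/500, authentication=pre-share, encryption=3DES-CBC, hash=SHA, group=2, lifetime=86400s)
11:38 AM  10.10.150.5    CCBPIX : ISAKMP session connected (local 205.179.6.212 (initiator), remote Test2)
11:38 AM  10.10.150.5    CCBPIX : ISAKMP Phase 2 exchange started (local 205.179.6.212 (initiator), remote Test2, message-ID 2995821737)
11:38 AM  10.10.150.5    CCBPIX : ISAKMP Phase 1 exchange completed (local 205.179.6.212 (initiator), remote Test2)
11:38 AM  10.10.150.5    CCBPIX : ISAKMP Phase 1 exchange started (local 205.179.6.212 (initiator), remote Test2)
"""
# Event text up to ' (local', and the remote peer with any '/500' port suffix dropped.
MSG_RE = re.compile(r"CCBPIX : (ISAKMP .+?) \(local .*?remote (\S+?)(?:/500)?[,)]")

def verdict(a):
    if a["ipsec"]:
        return "tunnel up"
    if not a["p1"]:
        return "phase 1 failed: isakmp policy or pre-shared key mismatch"
    if a["p2"]:
        return "phase 2 failed: check PFS, transform-set and crypto ACL on both peers"
    return "phase 1 up, phase 2 never started"

def classify_attempts(log_text):
    """Return one (peer, verdict) per tunnel attempt, oldest attempt first."""
    lines = reversed(log_text.strip().splitlines())           # undo newest-first display
    events = [m.groups() for m in map(MSG_RE.search, lines) if m]
    verdicts, attempt = [], None
    for event, peer in events:
        if event == "ISAKMP Phase 1 exchange started":         # a new attempt begins
            attempt = {"peer": peer, "p1": False, "p2": False, "ipsec": False}
        elif attempt is None:
            continue
        elif event == "ISAKMP Phase 1 exchange completed":
            attempt["p1"] = True
        elif event == "ISAKMP Phase 2 exchange started":
            attempt["p2"] = True
        elif event == "ISAKMP Phase 2 exchange completed":     # assumed success text, not on the page
            attempt["ipsec"] = True
        elif event in ("ISAKMP Phase 1 delete received", "ISAKMP session disconnected"):
            verdicts.append((attempt["peer"], verdict(attempt)))   # peer tore the IKE SA down
            attempt = None
    if attempt is not None:                                    # log ended mid-attempt
        verdicts.append((attempt["peer"], verdict(attempt)))
    return verdicts
```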

ASKER CERTIFIED SOLUTION: batry_boy