Solved

Problem with Crypto Maps in site-to-site VPN

Posted on 2007-12-03
Last Modified: 2011-09-20
I am attempting to connect a Cisco PIX 506e and a Cisco ASA device using the Cisco PDM VPN wizard.
The device behind the ASA is able to initiate a site-to-site VPN connection, but the device behind the PIX cannot. I have ruled out Phase I and Phase II issues, since the device behind the ASA can initiate the connection successfully. Once this occurs, the device behind the PIX can communicate with the remote host. When saving the config via the PDM console I get the following error:
"[ERR] crypto map outside_map 20 set peer 12.171.20.84
WARNING: This crypto map is incomplete.
 To remedy the situation add a peer and a valid access-list to this crypto map."

Attached is the running config for the PIX , I do not have access to the config on the ASA.

I can also send a screen shot of the PDM error message.

I am pretty new to the PIX and would greatly appreciate any help.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password wbEr.7V16wDUhi9/ encrypted
passwd IDYsyU2LonNlM/Lb encrypted
hostname CCBPIX
domain-name ccbcreditservices.net
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 4080
fixup protocol http 6080
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 89.0.0.203 mail
name 10.10.150.9 mail2
name 89.0.0.4 CT_Center
name 61.62.0.0 Block
name 61.0.0.0 Block1
name 166.70.202.145 IAT_New
name 192.168.1.0 TestNetwork
object-group service CCBinternal tcp
  port-object eq telnet
object-group network Internet
  network-object 10.10.100.0 255.255.255.0
  network-object 89.0.0.0 255.255.255.0
object-group service Internet_email tcp
  port-object eq smtp
object-group network mail
  network-object mail 255.255.255.255
  network-object 89.0.0.0 255.255.255.0
object-group network VPN_remote
  network-object 10.10.150.5 255.255.255.255
object-group network test
  network-object 89.0.0.0 255.255.255.0
  network-object mail 255.255.255.255
object-group service Target tcp
  description Target HTTPS access
  port-object range 4080 4080
  port-object range 6080 6080
  port-object eq https
  port-object eq www
object-group service IAT_PC_ANYWHERE tcp
  description PC ANYWHERE Connection Info for IAT
  port-object range pcanywhere-data 5632
object-group service IAT tcp-udp
  port-object range 5631 5632
object-group service HighPorts tcp-udp
  port-object range 1025 65535
access-list acl_out permit icmp any any
access-list inside_authentication_LOCAL permit tcp interface inside interface outside eq www
access-list outside_access_in deny ip host 151.11.85.99 host 205.179.6.210
access-list outside_access_in permit icmp any any echo-reply log
access-list outside_access_in permit tcp any host 205.179.6.210 eq smtp
access-list outside_access_in remark CCB Target HTTP
access-list outside_access_in permit tcp any host 205.179.6.211 object-group Target log
access-list outside_access_in permit tcp any host 205.179.6.220 eq pcanywhere-data log 7
access-list outside_access_in permit udp any host 205.179.6.220 eq pcanywhere-status log 7
access-list smtp permit tcp any host 205.179.6.210 eq smtp
access-list inside_outbound_nat0_acl permit ip any 10.10.150.0 255.255.255.128
access-list nonat permit ip host mail 10.10.150.0 255.255.255.0
access-list nonat permit ip host 89.0.0.201 10.10.150.0 255.255.255.0
access-list nonat permit ip host 89.0.0.99 10.10.150.0 255.255.255.0
access-list nonat permit ip host 89.0.0.101 10.10.150.0 255.255.255.0
access-list nonat permit ip host 89.0.0.107 10.10.150.0 255.255.255.0
access-list nonat permit ip host 89.0.0.25 10.10.150.0 255.255.255.0
access-list nonat permit ip object-group VPN_remote 10.10.150.0 255.255.255.128
access-list nonat permit ip 10.10.175.0 255.255.255.0 TestNetwork 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.10.175.0 255.255.255.0 TestNetwork 255.255.255.0
pager lines 24
logging on
logging timestamp
logging console debugging
logging buffered notifications
logging trap notifications
logging device-id hostname
logging host inside 89.0.0.110
icmp permit 89.0.0.0 255.255.255.0 inside
icmp permit 10.10.175.0 255.255.255.0 inside
icmp permit 10.10.150.0 255.255.255.0 inside
icmp permit 10.10.100.0 255.255.255.0 inside
mtu outside 1500
mtu inside 1500
ip address outside 205.179.6.212 255.255.255.240
ip address inside 10.10.150.5 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm drop
pdm location 10.10.100.0 255.255.255.0 inside
pdm location 10.10.0.0 255.255.0.0 inside
pdm location 89.0.0.0 255.255.255.0 inside
pdm location 10.10.100.99 255.255.255.255 inside
pdm location 89.0.0.92 255.255.255.255 inside
pdm location 205.179.6.213 255.255.255.255 outside
pdm location mail 255.255.255.255 inside
pdm location 89.0.0.25 255.255.255.255 inside
pdm location 205.179.6.210 255.255.255.255 outside
pdm location 89.0.0.110 255.255.255.255 inside
pdm location 89.0.0.168 255.255.255.255 inside
pdm location mail2 255.255.255.255 inside
pdm location 89.0.0.99 255.255.255.255 inside
pdm location 89.0.0.101 255.255.255.255 inside
pdm location 89.0.0.107 255.255.255.255 inside
pdm location 89.0.0.201 255.255.255.255 inside
pdm location 10.10.150.0 255.255.255.0 outside
pdm location 10.10.150.0 255.255.255.128 outside
pdm location 10.10.20.0 255.255.255.0 inside
pdm location 10.10.11.0 255.255.255.0 inside
pdm location 10.10.150.25 255.255.255.255 inside
pdm location 10.10.150.30 255.255.255.255 inside
pdm location CT_Center 255.255.255.255 inside
pdm location Block 255.255.0.0 outside
pdm location Block1 255.0.0.0 outside
pdm location 89.0.0.190 255.255.255.255 inside
pdm location 151.11.85.99 255.255.255.255 outside
pdm location 89.0.0.173 255.255.255.255 inside
pdm location 10.10.175.0 255.255.255.0 inside
pdm location IAT_New 255.255.255.255 outside
pdm location 10.10.150.0 255.255.255.240 inside
pdm location TestNetwork 255.255.255.0 outside
pdm group Internet inside
pdm group mail inside
pdm group VPN_remote inside
pdm group test inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 205.179.6.214-205.179.6.218
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 205.179.6.210 mail2 netmask 255.255.255.255 0 0
static (inside,outside) 205.179.6.211 10.10.150.30 netmask 255.255.255.255 0 0
static (inside,outside) 205.179.6.220 CT_Center netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 205.179.6.209 1
route inside 10.10.0.0 255.255.0.0 10.10.150.1 1
route inside 10.10.20.0 255.255.255.0 10.10.150.1 1
route inside 89.0.0.0 255.255.255.0 10.10.150.1 1
route inside mail 255.255.255.255 10.10.150.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 10.10.150.25 collect timeout 5
aaa-server LOCAL protocol local
http server enable
http 10.10.100.0 255.255.255.0 inside
http 89.0.0.0 255.255.255.0 inside
http 10.10.175.0 255.255.255.0 inside
snmp-server host inside 89.0.0.110
snmp-server host inside 89.0.0.190
no snmp-server location
no snmp-server contact
snmp-server community check12
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 12.171.20.84
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 12.171.20.84 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication rsa-sig
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 5
isakmp policy 40 lifetime 86400
isakmp policy 60 authentication pre-share
isakmp policy 60 encryption 3des
isakmp policy 60 hash md5
isakmp policy 60 group 2
isakmp policy 60 lifetime 86400
isakmp policy 80 authentication pre-share
isakmp policy 80 encryption 3des
isakmp policy 80 hash sha
isakmp policy 80 group 2
isakmp policy 80 lifetime 86400
telnet 10.10.100.0 255.255.255.0 inside
telnet 89.0.0.107 255.255.255.255 inside
telnet 89.0.0.173 255.255.255.255 inside
telnet 89.0.0.25 255.255.255.255 inside
telnet 10.10.175.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcprelay enable outside
dhcprelay setroute outside
terminal width 80
Cryptochecksum:abff460eeff5fd3f82a9db1d447a2769
: end
[OK]

Question by:CCBIL
Expert Comment by: batry_boy (ID: 20402910)
Your crypto map looks OK to me.  However, just for grins, try the following:

From the command line interface, issue the commands:

isakmp identity address
wr mem
reload

This will tell the PIX to use a VPN peer's IP address for its identity rather than a DNS hostname, which is an option. It will then save the configuration to memory and then reboot the PIX. See if that helps... BTW, have you tried rebooting the PIX before now to see if that error clears up?
 
Author Comment by: CCBIL (ID: 20402945)
I will try this when time allows; the PIX is in a production environment :-)
 
Expert Comment by: batry_boy (ID: 20403001)
Understood...

Something else you can try (not as all-encompassing as a reload when it comes to clearing out memory and other running processes on the PIX) is to issue the following commands:

isakmp identity address
clear cryp is sa
clear cryp ip sa

and then try to initiate the tunnel from the PIX side.  All of those commands should be entered from "config" mode.
 
Author Comment by: CCBIL (ID: 20404555)
I have followed the commands (including reload) and still have the same results. I have monitored the active IKE and IPsec tunnels and do not see any activity; I am going to turn on syslog debugging and see if I can provide any additional information.
 
Expert Comment by: batry_boy (ID: 20405295)
I just noticed that your crypto access list references the 10.10.175.0/24 network for the source addressing for the VPN tunnel.

access-list outside_cryptomap_20 permit ip 10.10.175.0 255.255.255.0 TestNetwork 255.255.255.0

I also notice that your PIX inside interface is on the 10.10.150.0/24 network.

When you try to initiate the tunnel from behind the PIX, what is the IP address of the client machine you are trying to send traffic from?
 
Author Comment by: CCBIL (ID: 20405358)
The client machine is 192.168.1.200.

I was able to solve this by viewing the config of the ASA.
The ASA had 'Perfect Forward Secrecy' enabled while the PIX did not; after I enabled this on the PIX everything worked correctly. As a note for others, I have included the relevant syslog messages from the PIX prior to solving this.

Thank you for your help, I now know more about both devices than when I started.

11:38 AM  10.10.150.5    CCBPIX : ISAKMP session disconnected (local 205.179.6.212 (initiator), remote Test2)
11:38 AM  10.10.150.5    CCBPIX : ISAKMP Phase 1 delete received (local 205.179.6.212 (initiator), remote Test2)
11:38 AM  10.10.150.5    CCBPIX : ISAKMP Phase 1 SA created (local 205.179.6.212/500 (initiator), remote Test2/500, authentication=pre-share, encryption=3DES-CBC, hash=SHA, group=2, lifetime=86400s)
11:38 AM  10.10.150.5    CCBPIX : ISAKMP session connected (local 205.179.6.212 (initiator), remote Test2)
11:38 AM  10.10.150.5    CCBPIX : ISAKMP Phase 2 exchange started (local 205.179.6.212 (initiator), remote Test2, message-ID 2995821737)
11:38 AM  10.10.150.5    CCBPIX : ISAKMP Phase 1 exchange completed (local 205.179.6.212 (initiator), remote Test2)
11:38 AM  10.10.150.5    CCBPIX : ISAKMP Phase 1 exchange started (local 205.179.6.212 (initiator), remote Test2)
11:37 AM  10.10.150.5    CCBPIX : ISAKMP session disconnected (local 205.179.6.212 (initiator), remote Test2)
11:37 AM  10.10.150.5    CCBPIX : ISAKMP Phase 1 delete received (local 205.179.6.212 (initiator), remote Test2)
11:37 AM  10.10.150.5    CCBPIX : ISAKMP Phase 1 SA created (local 205.179.6.212/500 (initiator), remote Test2/500, authentication=pre-share, encryption=3DES-CBC, hash=SHA, group=2, lifetime=86400s)
11:37 AM  10.10.150.5    CCBPIX : ISAKMP session connected (local 205.179.6.212 (initiator), remote Test2)
11:37 AM  10.10.150.5    CCBPIX : ISAKMP Phase 2 exchange started (local 205.179.6.212 (initiator), remote Test2, message-ID 660983294)
11:37 AM  10.10.150.5    CCBPIX : ISAKMP Phase 1 exchange completed (local 205.179.6.212 (initiator), remote Test2)
11:37 AM  10.10.150.5    CCBPIX : ISAKMP Phase 1 exchange started (local 205.179.6.212 (initiator), remote Test2)
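As an added example (not code from this thread), the following Python script applies the two checks the thread turns on to the crypto map lines of the PIX config posted above: whether each static entry carries the peer, access-list and transform-set that the PDM "crypto map is incomplete" warning asks for, and whether it has the `set pfs` that the ASA side turned out to require. The ASA's PFS requirement is passed in as an assumed input, since that config is not on the page.

```python
import re

# Lines copied from the PIX running config posted in the thread.
PIX_CONFIG = """\
access-list outside_cryptomap_20 permit ip 10.10.175.0 255.255.255.0 TestNetwork 255.255.255.0
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 12.171.20.84
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
"""

REQUIRED = ("match address", "set peer", "set transform-set")
CRYPTO_RE = re.compile(r"crypto map (\S+) (\d+) (.+)")
ACL_RE = re.compile(r"access-list (\S+) ")

def parse(config):
    """Return (crypto map entries keyed by (name, seq), set of ACL names)."""
    entries, acls = {}, set()
    for line in config.splitlines():
        line = line.strip()
        if (m := CRYPTO_RE.match(line)):
            entries.setdefault((m[1], int(m[2])), []).append(m[3])
        elif (m := ACL_RE.match(line)):
            acls.add(m[1])
    return entries, acls

def check_pix_crypto_maps(config, peer_requires_pfs):
    """Report problems per static crypto map entry. peer_requires_pfs is what the
    remote ASA is configured for (assumed input; in the thread it was on)."""
    entries, acls = parse(config)
    report = {}
    for (name, seq), settings in entries.items():
        if any(s.startswith("ipsec-isakmp dynamic") for s in settings):
            continue  # dynamic entries take peer and ACL from the dynamic map
        problems = []
        for req in REQUIRED:  # what the PDM 'incomplete' warning complains about
            if not any(s.startswith(req) for s in settings):
                problems.append(f"missing '{req}'")
        for s in settings:  # the referenced ACL must actually be defined
            if s.startswith("match address") and s.split()[-1] not in acls:
                problems.append(f"access-list {s.split()[-1]} is not defined")
        if peer_requires_pfs and not any(s.startswith("set pfs") for s in settings):
            problems.append("peer uses PFS but this entry has none; add "
                            f"'crypto map {name} {seq} set pfs <group as on peer>'")
        report[(name, seq)] = problems
    return report

if __name__ == "__main__":
    for key, problems in check_pix_crypto_maps(PIX_CONFIG, True).items():
        print(key, problems or "ok")
```

With the thread's config and a PFS-enabled peer the only finding is the missing `set pfs`, which matches the fix the author applied; Phase 1 succeeding and Phase 2 never completing in the syslog above is the symptom a Phase 2 policy mismatch like this produces.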

Accepted Solution by: batry_boy (earned 500 total points; ID: 20405395)
Excellent...pays to be able to look at both sides, eh?  :)