Link to home
Start Free TrialLog in
Avatar of Heiden Engineer
Heiden EngineerFlag for United States of America

asked on

Trying to setup another Site VPN on my PIX and cannot get either one to work.

Below is my configuration.  I do not know if my firewall will support more than one configuration.  Both of the vendors I am connecting to do not know anything about PIX configuration and I really need to get these up and running.  Thanks in advance.
PIX Version 6.3(1)                  
interface ethernet0 10baset                           
interface ethernet1 auto                        
nameif ethernet0 outside security0                                  
nameif ethernet1 inside security100                                   
enable password cnSVlRPJeYQiI/UE encrypted                                          
passwd cnSVlRPJeYQiI/UE encrypted                                 
hostname pixfirewall                    
domain-name hurmem.com                      
fixup protocol ftp 21                     
fixup protocol h323 h225 1720                             
fixup protocol h323 ras 1718-1719                                 
fixup protocol http 80                      
fixup protocol ils 389                      
fixup protocol rsh 514                      
fixup protocol rtsp 554                       
fixup protocol sip 5060                       
fixup protocol sip udp 5060                           
fixup protocol skinny 2000                          
fixup protocol smtp 25                      
fixup protocol sqlnet 1521                          
names     
access-list pix_intf2 permit ip 172.20.1.0 255.255.255.0 192.168.0.0 255.255.0.0                                                                                
 
access-list acl_outside permit icmp any any                                           
access-list ACL_OUTSIDE permit tcp any any                                          
access-list 108 permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0                                                                            
access-list nonat_inside permit ip 192.168.0.0                                            
5.0   
access-list nonat_inside permit ip host 192.168.5.251 208.50.249.192 255.255.255                                                                                
.224    
access-list nonat_pix/intf2 permit ip 172.20.1.0 255.255.255.0 172.16.1.0 255.25                                                                                
5.255.0       
access-list vrc permit ip host 192.168.5.251 208.50.249.192 255.255.255.224                                                                           
pager lines 24              
logging on          
logging buffered debugging                          
mtu outside 1500                
mtu inside 1500               
ip address outside 64.119.60.157 255.255.255.240                                                
ip address inside 192.168.0.2 255.255.0.0                                         
ip audit info action alarm                          
ip audit attack action alarm                            
ip local pool test 172.16.1.1-17                              
no failover           
failover timeout 0:00:00                        
failover poll 15                
failover ip address outside 216.144.220.220                                           
failover ip address inside 192.168.0.252                                        
pdm history enable                  
arp timeout 14400                 
nat (inside) 0 access-list nonat_inside                                       
nat (inside) 1 0.0.0.0 0.0.0.0 0 0                                  
access-group acl_outside in interface outside                                             
rip inside passive version 1                            
route outside 0.0.0.0 0.0.0.0 64.119.60.145 1                                             
timeout xlate 3:00:00                     
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00                                                                             
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 s                                              
timeout uauth 0:05:00 absolute                              
aaa-server TACACS+ protocol tacacs+                                   
aaa-server RADIUS protocol radius                                 
aaa-server LOCAL protocol local                               
no snmp-server location                       
no snmp-server contact                      
snmp-server community public                            
no snmp-server enable traps                           
floodguard enable                 
sysopt connection permit-ipsec                              
crypto ipsec transform-set HMCSET esp-des esp-md5-hmac                                                      
crypto ipsec transform-set strong esp-des esp-sha-hmac                                                      
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac                                                         
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac                                                         
crypto map cisco 10 ipsec-isakmp                                
crypto map cisco 10 match address vrc                                     
crypto map cisco 10 set peer 208.50.249.33                                          
crypto map cisco 10 set transform-set 3des-sha                                              
crypto map cisco interface outside                                  
isakmp enable outside                     
isakmp key ******** address 167.242.50.1 netmask 255.255.255.255                                                                
isakmp key ******** address 208.50.249.33 netmask 255.255.255.255               
isakmp identity address
isakmp keepalive 10 3
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 28800
vpngroup HMCMAP address-pool test
vpngroup HMCMAP wins-server 192.168.0.158
vpngroup HMCMAP default-domain hurmen.com
vpngroup HMCMAP idle-time 1800
vpngroup HMCMAP password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 20
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:c6ae0d942ea52c4a1959e735ca051f7c

Open in new window

ASKER CERTIFIED SOLUTION
Avatar of decoleur
decoleur

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Les Moore
it will support more than one tunnel no problem

>PIX Version 6.3(1)
This is a very buggy version of PIX OS. Highly recommend upgrading to 6.3(5)

Your config should look like this, but we need much more detail as to how the two ends need to setup the configuration. The VPNx access-lists must match on both sides to define the tunnel.

access-list VPN1 permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list VPN2 permit ip <your network> <mask> <their network> <mask>

access-list NONAT permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list NONAT permit ip host <your network> <mask> <their network> <mask>

nat (inside) 0 access-list NONAT

crypto map cisco 10 ipsec-isakmp                                
crypto map cisco 10 match address VPN1                                    
crypto map cisco 10 set peer 208.50.249.33                                          
crypto map cisco 10 set transform-set 3des-sha  
crypto map cisco 20 ipsec-isakmp                                
crypto map cisco 20 match address VPN2                                    
crypto map cisco 20 set peer 167.242.50.1                                        
crypto map cisco 20 set transform-set 3des-sha                                              
crypto map cisco interface outside                                  
isakmp enable outside                    
isakmp key ******** address 167.242.50.1 netmask 255.255.255.255                                                                
isakmp key ******** address 208.50.249.33 netmask 255.255.255.255


Avatar of Heiden Engineer

ASKER

Well I edited my config and made some progress.  The other end can send traffic accross, I however cannot see the other side.  I attached my revised config, please let me know what I am missing (knowing me its probably staring me right in the face)  Thanks again!
: Saved
: Written by enable_15 at 09:14:50.302 UTC Thu Oct 16 2008
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password cnSVlRPJeYQiI/UE encrypted
passwd cnSVlRPJeYQiI/UE encrypted
hostname pixfirewall
domain-name hurmem.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list pix_intf2 permit ip 172.20.1.0 255.255.255.0 192.168.0.0 255.255.0.0
 
access-list acl_outside permit icmp any any
access-list ACL_OUTSIDE permit tcp any any
access-list 108 permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat_inside permit ip 192.168.0.0 255.255.0.0 172.16.1.0 255.255.25
5.0
access-list nonat_inside permit ip host 192.168.5.251 208.50.249.192 255.255.255
.224
access-list nonat_pix/intf2 permit ip 172.20.1.0 255.255.255.0 172.16.1.0 255.25
5.255.0
access-list vrc permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list VPN1 permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list VPN2 permit ip host 192.168.103.0 172.23.0.0 255.255.0.0
access-list NONAT permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list NONAT permit ip host 192.168.103.0 172.23.0.0 255.255.0.0
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 64.119.60.157 255.255.255.240
ip address inside 192.168.0.2 255.255.0.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool test 172.16.1.1-172.16.1.255
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
pdm history enable
arp timeout 14400
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_outside in interface outside
rip inside passive version 1
route outside 0.0.0.0 0.0.0.0 64.119.60.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set HMCSET esp-des esp-md5-hmac
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto map cisco 10 ipsec-isakmp
crypto map cisco 10 match address VPN1
crypto map cisco 10 set peer 208.50.249.33
crypto map cisco 10 set transform-set 3des-sha
crypto map cisco 20 ipsec-isakmp
crypto map cisco 20 match address VPN2
crypto map cisco 20 set peer 167.242.50.1
crypto map cisco 20 set peer 216.138.152.149
crypto map cisco 20 set transform-set 3des-sha
crypto map cisco interface outside
crypto map covenant 20 ipsec-isakmp
crypto map covenant 20 set peer 216.138.152.149
crypto map covenant 20 set transform-set 3des-sha
crypto map COVENANT 20 ipsec-isakmp
isakmp enable outside
isakmp key ******** address 167.242.50.1 netmask 255.255.255.255
isakmp key ******** address 208.50.249.33 netmask 255.255.255.255
isakmp key ******** address 216.138.152.149 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10 3
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 28800
vpngroup HMCMAP address-pool test
vpngroup HMCMAP wins-server 192.168.0.158
vpngroup HMCMAP default-domain hurmen.com
vpngroup HMCMAP idle-time 1800
vpngroup HMCMAP password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 20
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:73f831d8530ee1e291ebe5bcdfebf20f

Open in new window

Avatar of decoleur
decoleur

the problem is most liekly in your nonat section...

you have:
access-list nonat_inside permit ip 192.168.0.0 255.255.0.0 172.16.1.0 255.255.25
5.0
access-list nonat_inside permit ip host 192.168.5.251 208.50.249.192 255.255.255
.224
access-list nonat_pix/intf2 permit ip 172.20.1.0 255.255.255.0 172.16.1.0 255.25
5.255.0

which are unused and should most likely disappear...
and you have
access-list NONAT permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list NONAT permit ip host 192.168.103.0 172.23.0.0 255.255.0.0
which match up with the ACLS for VPN1 and VPN2...

but are those the addressess that you try to connect to?
when you try to communicate to VPN1 is it just to 208.50.249.192?

hope this helps.

-t
VPN2 is the network I am having the issues with.  I am trying to route all of my 192.168.103.0 traffic to the 172.23.0.0 network on the other side.  VPN1 is working fine.

Thanks.
>access-list VPN2 permit ip host 192.168.103.0 172.23.0.0 255.255.0.0
>access-list NONAT permit ip host 192.168.103.0 172.23.0.0 255.255.0.0

Change these two entries to remove "host"

access-list VPN2 permit ip 192.168.103.0 255.255.255.0 172.23.0.0 255.255.0.0
access-list NONAT permit ip 192.168.103.0 255.255.255.0 172.23.0.0 255.255.0.0
The rep from the other side of the tunnel still tells me that he cannot see any data coming accross from my side.  But he can see the tunnel come up and data go accross.  It is like my side cannot complete the route statement and route traffic back accross the tunnel.  Attached is my current config any help would be greatly appreciated.  Thanks so far for all your help.  It's getting closer.

: Saved
: Written by enable_15 at 09:27:35.854 UTC Fri Oct 17 2008
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password cnSVlRPJeYQiI/UE encrypted
passwd cnSVlRPJeYQiI/UE encrypted
hostname pixfirewall
domain-name hurmem.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list pix_intf2 permit ip 172.20.1.0 255.255.255.0 192.168.0.0 255.255.0.0
 
access-list acl_outside permit icmp any any
access-list ACL_OUTSIDE permit tcp any any
access-list 108 permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat_inside permit ip 192.168.0.0 255.255.0.0 172.16.1.0 255.255.25
5.0
access-list nonat_inside permit ip host 192.168.5.251 208.50.249.192 255.255.255
.224
access-list nonat_pix/intf2 permit ip 172.20.1.0 255.255.255.0 172.16.1.0 255.25
5.255.0
access-list vrc permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list VPN1 permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list VPN2 permit ip 192.168.22.0 255.255.255.0 172.23.0.0 255.255.0.0
access-list NONAT permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list NONAT permit ip 192.168.22.0 255.255.255.0 172.23.0.0 255.255.0.0
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 64.119.60.157 255.255.255.240
ip address inside 192.168.0.2 255.255.0.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool test 172.16.1.1-172.16.1.255
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
pdm history enable
arp timeout 14400
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_outside in interface outside
rip inside passive version 1
route outside 0.0.0.0 0.0.0.0 64.119.60.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set HMCSET esp-des esp-md5-hmac
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto map cisco 10 ipsec-isakmp
crypto map cisco 10 match address VPN1
crypto map cisco 10 set peer 208.50.249.33
crypto map cisco 10 set transform-set 3des-sha
crypto map cisco 20 ipsec-isakmp
crypto map cisco 20 match address VPN2
crypto map cisco 20 set peer 167.242.50.1
crypto map cisco 20 set peer 216.138.152.149
crypto map cisco 20 set transform-set 3des-sha
crypto map cisco interface outside
crypto map COVENANT 20 ipsec-isakmp
isakmp enable outside
isakmp key ******** address 167.242.50.1 netmask 255.255.255.255
isakmp key ******** address 208.50.249.33 netmask 255.255.255.255
isakmp key ******** address 216.138.152.149 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10 3
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 28800
vpngroup HMCMAP address-pool test
vpngroup HMCMAP wins-server 192.168.0.158
vpngroup HMCMAP default-domain hurmen.com
vpngroup HMCMAP idle-time 1800
vpngroup HMCMAP password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 20
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:4c0c0407aea1f60351c9c74519381701

Open in new window