Solved

Trying to set up another site VPN on my PIX and cannot get either one to work.

Posted on 2008-10-15
Last Modified: 2012-05-05
Below is my configuration.  I do not know if my firewall will support more than one configuration.  Both of the vendors I am connecting to do not know anything about PIX configuration and I really need to get these up and running.  Thanks in advance.
PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password cnSVlRPJeYQiI/UE encrypted
passwd cnSVlRPJeYQiI/UE encrypted
hostname pixfirewall
domain-name hurmem.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list pix_intf2 permit ip 172.20.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list acl_outside permit icmp any any
access-list ACL_OUTSIDE permit tcp any any
access-list 108 permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat_inside permit ip 192.168.0.0 255.255.0.0 172.16.1.0 255.255.255.0
access-list nonat_inside permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list nonat_pix/intf2 permit ip 172.20.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list vrc permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 64.119.60.157 255.255.255.240
ip address inside 192.168.0.2 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool test 172.16.1.1-172.16.1.255
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 216.144.220.220
failover ip address inside 192.168.0.252
pdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat_inside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_outside in interface outside
rip inside passive version 1
route outside 0.0.0.0 0.0.0.0 64.119.60.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set HMCSET esp-des esp-md5-hmac
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto map cisco 10 ipsec-isakmp
crypto map cisco 10 match address vrc
crypto map cisco 10 set peer 208.50.249.33
crypto map cisco 10 set transform-set 3des-sha
crypto map cisco interface outside
isakmp enable outside
isakmp key ******** address 167.242.50.1 netmask 255.255.255.255
isakmp key ******** address 208.50.249.33 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10 3
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 28800
vpngroup HMCMAP address-pool test
vpngroup HMCMAP wins-server 192.168.0.158
vpngroup HMCMAP default-domain hurmen.com
vpngroup HMCMAP idle-time 1800
vpngroup HMCMAP password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 20
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:c6ae0d942ea52c4a1959e735ca051f7c


Question by:Heiden_Consulting
Accepted Solution by decoleur (LVL 18), earned 500 total points
So yes, that shouldn't work... and your PIX should be able to handle multiple VPN tunnels, but how you set them up is also going to be dependent on what they have to terminate their end.

In simple terms you need to identify interesting traffic, associate the interesting traffic with a crypto map, and apply that crypto map to an interface.

The ISAKMP policy, the transform sets, and the authentication mechanism need to match on both sides.

The interesting traffic is defined using an ACL:
access-list VPN1 permit ip (our stuff) (their stuff)
Then a key, and a crypto map that associates the key, the transform set and the interesting traffic:
isakmp key ******** address (their vpn endpoint) netmask 255.255.255.255
crypto map cisco 10 ipsec-isakmp
crypto map cisco 10 match address VPN1
crypto map cisco 10 set peer (their vpn endpoint)
crypto map cisco 10 set transform-set 3des-sha

To do a second one, create "crypto map cisco 20 ..."

let me know if you need more assistance.

-t
Expert Comment by lrmoore (LVL 79)
It will support more than one tunnel, no problem.

>PIX Version 6.3(1)
This is a very buggy version of PIX OS. Highly recommend upgrading to 6.3(5).

Your config should look like this, but we need much more detail as to how the two ends need to set up the configuration. The VPNx access-lists must match on both sides to define the tunnel.

access-list VPN1 permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list VPN2 permit ip <your network> <mask> <their network> <mask>

access-list NONAT permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list NONAT permit ip host <your network> <mask> <their network> <mask>

nat (inside) 0 access-list NONAT

crypto map cisco 10 ipsec-isakmp
crypto map cisco 10 match address VPN1
crypto map cisco 10 set peer 208.50.249.33
crypto map cisco 10 set transform-set 3des-sha
crypto map cisco 20 ipsec-isakmp
crypto map cisco 20 match address VPN2
crypto map cisco 20 set peer 167.242.50.1
crypto map cisco 20 set transform-set 3des-sha
crypto map cisco interface outside
isakmp enable outside
isakmp key ******** address 167.242.50.1 netmask 255.255.255.255
isakmp key ******** address 208.50.249.33 netmask 255.255.255.255


Author Comment by Heiden_Consulting
Well, I edited my config and made some progress.  The other end can send traffic across; I, however, cannot see the other side.  I attached my revised config, please let me know what I am missing (knowing me it's probably staring me right in the face).  Thanks again!
: Saved
: Written by enable_15 at 09:14:50.302 UTC Thu Oct 16 2008
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password cnSVlRPJeYQiI/UE encrypted
passwd cnSVlRPJeYQiI/UE encrypted
hostname pixfirewall
domain-name hurmem.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list pix_intf2 permit ip 172.20.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list acl_outside permit icmp any any
access-list ACL_OUTSIDE permit tcp any any
access-list 108 permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat_inside permit ip 192.168.0.0 255.255.0.0 172.16.1.0 255.255.255.0
access-list nonat_inside permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list nonat_pix/intf2 permit ip 172.20.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list vrc permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list VPN1 permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list VPN2 permit ip host 192.168.103.0 172.23.0.0 255.255.0.0
access-list NONAT permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list NONAT permit ip host 192.168.103.0 172.23.0.0 255.255.0.0
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 64.119.60.157 255.255.255.240
ip address inside 192.168.0.2 255.255.0.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool test 172.16.1.1-172.16.1.255
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
pdm history enable
arp timeout 14400
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_outside in interface outside
rip inside passive version 1
route outside 0.0.0.0 0.0.0.0 64.119.60.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set HMCSET esp-des esp-md5-hmac
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto map cisco 10 ipsec-isakmp
crypto map cisco 10 match address VPN1
crypto map cisco 10 set peer 208.50.249.33
crypto map cisco 10 set transform-set 3des-sha
crypto map cisco 20 ipsec-isakmp
crypto map cisco 20 match address VPN2
crypto map cisco 20 set peer 167.242.50.1
crypto map cisco 20 set peer 216.138.152.149
crypto map cisco 20 set transform-set 3des-sha
crypto map cisco interface outside
crypto map covenant 20 ipsec-isakmp
crypto map covenant 20 set peer 216.138.152.149
crypto map covenant 20 set transform-set 3des-sha
crypto map COVENANT 20 ipsec-isakmp
isakmp enable outside
isakmp key ******** address 167.242.50.1 netmask 255.255.255.255
isakmp key ******** address 208.50.249.33 netmask 255.255.255.255
isakmp key ******** address 216.138.152.149 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10 3
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 28800
vpngroup HMCMAP address-pool test
vpngroup HMCMAP wins-server 192.168.0.158
vpngroup HMCMAP default-domain hurmen.com
vpngroup HMCMAP idle-time 1800
vpngroup HMCMAP password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 20
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:73f831d8530ee1e291ebe5bcdfebf20f

Expert Comment by decoleur (LVL 18)
The problem is most likely in your nonat section...

You have:
access-list nonat_inside permit ip 192.168.0.0 255.255.0.0 172.16.1.0 255.255.255.0
access-list nonat_inside permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list nonat_pix/intf2 permit ip 172.20.1.0 255.255.255.0 172.16.1.0 255.255.255.0

which are unused and should most likely disappear...
and you have
access-list NONAT permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list NONAT permit ip host 192.168.103.0 172.23.0.0 255.255.0.0
which match up with the ACLs for VPN1 and VPN2...

But are those the addresses that you try to connect to?
When you try to communicate to VPN1, is it just to 208.50.249.192?

Hope this helps.

-t
Author Comment by Heiden_Consulting
VPN2 is the network I am having the issues with.  I am trying to route all of my 192.168.103.0 traffic to the 172.23.0.0 network on the other side.  VPN1 is working fine.

Thanks.
Expert Comment by lrmoore (LVL 79)
>access-list VPN2 permit ip host 192.168.103.0 172.23.0.0 255.255.0.0
>access-list NONAT permit ip host 192.168.103.0 172.23.0.0 255.255.0.0

Change these two entries to remove "host"

access-list VPN2 permit ip 192.168.103.0 255.255.255.0 172.23.0.0 255.255.0.0
access-list NONAT permit ip 192.168.103.0 255.255.255.0 172.23.0.0 255.255.0.0
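The pieces the two experts describe above have to line up with each other: the interesting-traffic ACL, a nat 0 exemption that mirrors it, a crypto map entry bound to the outside interface, and an isakmp key for each peer. The "host" slip lrmoore spotted is exactly the kind of thing that silently breaks that chain, because "host 192.168.103.0" is a /32 that no real machine on the subnet ever matches. As an added example, not code from this thread or from Cisco, here is a small Python checker that parses the relevant lines of a PIX 6.3 style config, audits those links for every crypto map entry (so it goes beyond the single ACL fix above), and traces one outbound packet in the order the PIX applies the rules: NAT first, then the crypto ACL against the post-NAT source. The sample config is a constructed, trimmed copy of the VPN lines from the second config posted; the PAT address 192.0.2.1 is an assumption standing in for whatever nat (inside) 1 would hand out, and the check that flags "host x.y.z.0" is a heuristic of this script, not a PIX rule.

```python
"""Static checker for PIX 6.3 style site-to-site VPN config lines (added example, not from the
thread): links crypto map entries to ACL, nat 0 exemption, interface and isakmp keys."""
import ipaddress

def _addr(tokens):
    """Consume one PIX ACL address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_config(text):
    """Pull the VPN-relevant pieces out of a running-config dump."""
    cfg = {"acls": {}, "maps": {}, "bound": set(), "keys": set(), "nat0": {}}
    for t in (line.split() for line in text.splitlines()):
        if not t:
            continue
        if t[0] == "access-list" and t[3] == "ip":
            src, rest = _addr(t[4:])
            dst, _ = _addr(rest)
            cfg["acls"].setdefault(t[1], []).append((t[2], src, dst))
        elif t[:2] == ["crypto", "map"]:
            if t[3] == "interface":                 # crypto map NAME interface IF
                cfg["bound"].add(t[2])
            else:                                   # crypto map NAME SEQ ...
                e = cfg["maps"].setdefault((t[2], int(t[3])), {"peers": []})
                if t[4:6] == ["match", "address"]:
                    e["acl"] = t[6]
                elif t[4:6] == ["set", "peer"]:
                    e["peers"].append(t[6])
        elif t[:2] == ["isakmp", "key"]:            # isakmp key *** address PEER ...
            cfg["keys"].add(t[4])
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"][t[1].strip("()")] = t[4]    # nat (IF) 0 access-list NAME
    return cfg

def _match(entries, s, d):
    """First matching ACL line decides; no match is an implicit deny."""
    for action, src, dst in entries:
        if s in src and d in dst:
            return action == "permit"
    return False

def audit(cfg, nat_if="inside"):
    """List what stops each crypto map entry from ever encrypting anything."""
    problems = []
    nonat = [x for x in cfg["acls"].get(cfg["nat0"].get(nat_if, ""), []) if x[0] == "permit"]
    for (name, seq), e in sorted(cfg["maps"].items()):
        tag = f"crypto map {name} {seq}"
        if name not in cfg["bound"]:
            problems.append(f"{tag}: map not applied to any interface")
        if "acl" not in e:
            problems.append(f"{tag}: no 'match address'")
        elif e["acl"] not in cfg["acls"]:
            problems.append(f"{tag}: ACL {e['acl']} does not exist")
        else:
            for action, src, dst in cfg["acls"][e["acl"]]:
                if action != "permit":
                    continue
                # heuristic: 'host x.y.z.0' almost always means a network was intended
                if src.prefixlen == 32 and src.network_address.packed[-1] == 0:
                    problems.append(f"{tag}: {e['acl']} uses 'host {src.network_address}', looks like a network address")
                # nat 0 must cover the crypto ACL, or the source is translated before the crypto check
                if not any(src.subnet_of(ns) and dst.subnet_of(nd) for _, ns, nd in nonat):
                    problems.append(f"{tag}: {src} -> {dst} is not exempted from NAT")
        for p in e["peers"]:
            if p not in cfg["keys"]:
                problems.append(f"{tag}: no isakmp key for peer {p}")
    return problems

def trace(cfg, src_ip, dst_ip, pat_ip, nat_if="inside"):
    """Follow one outbound packet: nat 0 exemption, else PAT, then crypto ACL match."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if not _match(cfg["acls"].get(cfg["nat0"].get(nat_if, ""), []), s, d):
        s = ipaddress.ip_address(pat_ip)            # nat (inside) 1 rewrites the source (assumed PAT address)
    for (name, seq), e in sorted(cfg["maps"].items()):
        if name in cfg["bound"] and _match(cfg["acls"].get(e.get("acl"), []), s, d):
            return f"encrypt via {name} {seq} to {e['peers'][0] if e['peers'] else 'no peer'}"
    return f"clear text from {s}"

# Constructed sample: the VPN lines of the second config in the thread, before lrmoore's fix.
BROKEN = """
access-list VPN1 permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list VPN2 permit ip host 192.168.103.0 172.23.0.0 255.255.0.0
access-list NONAT permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list NONAT permit ip host 192.168.103.0 172.23.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map cisco 10 ipsec-isakmp
crypto map cisco 10 match address VPN1
crypto map cisco 10 set peer 208.50.249.33
crypto map cisco 20 ipsec-isakmp
crypto map cisco 20 match address VPN2
crypto map cisco 20 set peer 167.242.50.1
crypto map cisco interface outside
isakmp key ******** address 167.242.50.1 netmask 255.255.255.255
isakmp key ******** address 208.50.249.33 netmask 255.255.255.255
"""
FIXED = BROKEN.replace("host 192.168.103.0", "192.168.103.0 255.255.255.0")  # lrmoore's change
```

Feed each text to parse_config and then call audit on the result and trace with a packet from 192.168.103.10 to 172.23.1.5. With the "host" entries the packet fails the NONAT exemption, gets its source rewritten by the nat 1 rule, and then matches neither crypto ACL, so it leaves in the clear; with lrmoore's corrected lines the same packet is exempted and matches crypto map cisco 20. The audit also flags a map that is defined but never applied to an interface, or whose peer has no isakmp key, which is the same "all pieces must link up" rule decoleur states.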
Author Comment by Heiden_Consulting
The rep from the other side of the tunnel still tells me that he cannot see any data coming across from my side.  But he can see the tunnel come up and data go across.  It is like my side cannot complete the route statement and route traffic back across the tunnel.  Attached is my current config; any help would be greatly appreciated.  Thanks so far for all your help.  It's getting closer.


: Saved
: Written by enable_15 at 09:27:35.854 UTC Fri Oct 17 2008
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password cnSVlRPJeYQiI/UE encrypted
passwd cnSVlRPJeYQiI/UE encrypted
hostname pixfirewall
domain-name hurmem.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list pix_intf2 permit ip 172.20.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list acl_outside permit icmp any any
access-list ACL_OUTSIDE permit tcp any any
access-list 108 permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat_inside permit ip 192.168.0.0 255.255.0.0 172.16.1.0 255.255.255.0
access-list nonat_inside permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list nonat_pix/intf2 permit ip 172.20.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list vrc permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list VPN1 permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list VPN2 permit ip 192.168.22.0 255.255.255.0 172.23.0.0 255.255.0.0
access-list NONAT permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list NONAT permit ip 192.168.22.0 255.255.255.0 172.23.0.0 255.255.0.0
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 64.119.60.157 255.255.255.240
ip address inside 192.168.0.2 255.255.0.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool test 172.16.1.1-172.16.1.255
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
pdm history enable
arp timeout 14400
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_outside in interface outside
rip inside passive version 1
route outside 0.0.0.0 0.0.0.0 64.119.60.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set HMCSET esp-des esp-md5-hmac
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto map cisco 10 ipsec-isakmp
crypto map cisco 10 match address VPN1
crypto map cisco 10 set peer 208.50.249.33
crypto map cisco 10 set transform-set 3des-sha
crypto map cisco 20 ipsec-isakmp
crypto map cisco 20 match address VPN2
crypto map cisco 20 set peer 167.242.50.1
crypto map cisco 20 set peer 216.138.152.149
crypto map cisco 20 set transform-set 3des-sha
crypto map cisco interface outside
crypto map COVENANT 20 ipsec-isakmp
isakmp enable outside
isakmp key ******** address 167.242.50.1 netmask 255.255.255.255
isakmp key ******** address 208.50.249.33 netmask 255.255.255.255
isakmp key ******** address 216.138.152.149 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10 3
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 28800
vpngroup HMCMAP address-pool test
vpngroup HMCMAP wins-server 192.168.0.158
vpngroup HMCMAP default-domain hurmen.com
vpngroup HMCMAP idle-time 1800
vpngroup HMCMAP password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 20
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:4c0c0407aea1f60351c9c74519381701
