Solved

Trying to setup another Site VPN on my PIX and cannot get either one to work.

Posted on 2008-10-15
7
376 Views
Last Modified: 2012-05-05
Below is my configuration.  I do not know if my firewall will support more than one configuration.  Both of the vendors I am connecting to do not know anything about PIX configuration and I really need to get these up and running.  Thanks in advance.
PIX Version 6.3(1)                  
interface ethernet0 10baset                           
interface ethernet1 auto                        
nameif ethernet0 outside security0                                  
nameif ethernet1 inside security100                                   
enable password cnSVlRPJeYQiI/UE encrypted                                          
passwd cnSVlRPJeYQiI/UE encrypted                                 
hostname pixfirewall                    
domain-name hurmem.com                      
fixup protocol ftp 21                     
fixup protocol h323 h225 1720                             
fixup protocol h323 ras 1718-1719                                 
fixup protocol http 80                      
fixup protocol ils 389                      
fixup protocol rsh 514                      
fixup protocol rtsp 554                       
fixup protocol sip 5060                       
fixup protocol sip udp 5060                           
fixup protocol skinny 2000                          
fixup protocol smtp 25                      
fixup protocol sqlnet 1521                          
names     
access-list pix_intf2 permit ip 172.20.1.0 255.255.255.0 192.168.0.0 255.255.0.0                                                                                
 
access-list acl_outside permit icmp any any                                           
access-list ACL_OUTSIDE permit tcp any any                                          
access-list 108 permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0                                                                            
access-list nonat_inside permit ip 192.168.0.0                                            
5.0   
access-list nonat_inside permit ip host 192.168.5.251 208.50.249.192 255.255.255                                                                                
.224    
access-list nonat_pix/intf2 permit ip 172.20.1.0 255.255.255.0 172.16.1.0 255.25                                                                                
5.255.0       
access-list vrc permit ip host 192.168.5.251 208.50.249.192 255.255.255.224                                                                           
pager lines 24              
logging on          
logging buffered debugging                          
mtu outside 1500                
mtu inside 1500               
ip address outside 64.119.60.157 255.255.255.240                                                
ip address inside 192.168.0.2 255.255.0.0                                         
ip audit info action alarm                          
ip audit attack action alarm                            
ip local pool test 172.16.1.1-17                              
no failover           
failover timeout 0:00:00                        
failover poll 15                
failover ip address outside 216.144.220.220                                           
failover ip address inside 192.168.0.252                                        
pdm history enable                  
arp timeout 14400                 
nat (inside) 0 access-list nonat_inside                                       
nat (inside) 1 0.0.0.0 0.0.0.0 0 0                                  
access-group acl_outside in interface outside                                             
rip inside passive version 1                            
route outside 0.0.0.0 0.0.0.0 64.119.60.145 1                                             
timeout xlate 3:00:00                     
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00                                                                             
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 s                                              
timeout uauth 0:05:00 absolute                              
aaa-server TACACS+ protocol tacacs+                                   
aaa-server RADIUS protocol radius                                 
aaa-server LOCAL protocol local                               
no snmp-server location                       
no snmp-server contact                      
snmp-server community public                            
no snmp-server enable traps                           
floodguard enable                 
sysopt connection permit-ipsec                              
crypto ipsec transform-set HMCSET esp-des esp-md5-hmac                                                      
crypto ipsec transform-set strong esp-des esp-sha-hmac                                                      
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac                                                         
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac                                                         
crypto map cisco 10 ipsec-isakmp                                
crypto map cisco 10 match address vrc                                     
crypto map cisco 10 set peer 208.50.249.33                                          
crypto map cisco 10 set transform-set 3des-sha                                              
crypto map cisco interface outside                                  
isakmp enable outside                     
isakmp key ******** address 167.242.50.1 netmask 255.255.255.255                                                                
isakmp key ******** address 208.50.249.33 netmask 255.255.255.255               
isakmp identity address
isakmp keepalive 10 3
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 28800
vpngroup HMCMAP address-pool test
vpngroup HMCMAP wins-server 192.168.0.158
vpngroup HMCMAP default-domain hurmen.com
vpngroup HMCMAP idle-time 1800
vpngroup HMCMAP password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 20
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:c6ae0d942ea52c4a1959e735ca051f7c

Open in new window

0
Comment
Question by:Heiden_Consulting
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 18

Accepted Solution

by:
decoleur earned 500 total points
ID: 22725396
so yes that shouldn't work... and your pix should be able to handle multiple vpn tunnels but how you set them up is also going to be dependent on what they have to terminate their end.

in simple terms you need to identify interesting traffic, associate the interesting traffic with a crypto map and apply that crypto map to an interface.

the isakmp policy, the transform sets, and the authentication mechanism need to match on both sides.

the interesting traffic is defined using an ACL :
access-list VPN1 permit ip (our stuff) (their stuff)
a key and a crypto map that associates the key, the transform set and the interesting traffic.
isakmp key ******** address  (their vpn endpoint) netmask 255.255.255.255                                                                
crypto map cisco 10 ipsec-isakmp                                
crypto map cisco 10 match address VPN1                                    
crypto map cisco 10 set peer (their vpn endpoint)
crypto map cisco 10 set transform-set 3des-sha                                              

to do a second one create "crypto map cisco 20..."

let me know if you need more assistance.

-t
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22725928
it will support more than one tunnel no problem

>PIX Version 6.3(1)
This is a very buggy version of PIX OS. Highly recommend upgrading to 6.3(5)

Your config should look like this, but we need much more detail as to how the two ends need to setup the configuration. The VPNx access-lists must match on both sides to define the tunnel.

access-list VPN1 permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list VPN2 permit ip <your network> <mask> <their network> <mask>

access-list NONAT permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list NONAT permit ip host <your network> <mask> <their network> <mask>

nat (inside) 0 access-list NONAT

crypto map cisco 10 ipsec-isakmp                                
crypto map cisco 10 match address VPN1                                    
crypto map cisco 10 set peer 208.50.249.33                                          
crypto map cisco 10 set transform-set 3des-sha  
crypto map cisco 20 ipsec-isakmp                                
crypto map cisco 20 match address VPN2                                    
crypto map cisco 20 set peer 167.242.50.1                                        
crypto map cisco 20 set transform-set 3des-sha                                              
crypto map cisco interface outside                                  
isakmp enable outside                    
isakmp key ******** address 167.242.50.1 netmask 255.255.255.255                                                                
isakmp key ******** address 208.50.249.33 netmask 255.255.255.255


0
 

Author Comment

by:Heiden_Consulting
ID: 22730208
Well I edited my config and made some progress.  The other end can send traffic accross, I however cannot see the other side.  I attached my revised config, please let me know what I am missing (knowing me its probably staring me right in the face)  Thanks again!
: Saved
: Written by enable_15 at 09:14:50.302 UTC Thu Oct 16 2008
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password cnSVlRPJeYQiI/UE encrypted
passwd cnSVlRPJeYQiI/UE encrypted
hostname pixfirewall
domain-name hurmem.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list pix_intf2 permit ip 172.20.1.0 255.255.255.0 192.168.0.0 255.255.0.0
 
access-list acl_outside permit icmp any any
access-list ACL_OUTSIDE permit tcp any any
access-list 108 permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat_inside permit ip 192.168.0.0 255.255.0.0 172.16.1.0 255.255.25
5.0
access-list nonat_inside permit ip host 192.168.5.251 208.50.249.192 255.255.255
.224
access-list nonat_pix/intf2 permit ip 172.20.1.0 255.255.255.0 172.16.1.0 255.25
5.255.0
access-list vrc permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list VPN1 permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list VPN2 permit ip host 192.168.103.0 172.23.0.0 255.255.0.0
access-list NONAT permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list NONAT permit ip host 192.168.103.0 172.23.0.0 255.255.0.0
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 64.119.60.157 255.255.255.240
ip address inside 192.168.0.2 255.255.0.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool test 172.16.1.1-172.16.1.255
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
pdm history enable
arp timeout 14400
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_outside in interface outside
rip inside passive version 1
route outside 0.0.0.0 0.0.0.0 64.119.60.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set HMCSET esp-des esp-md5-hmac
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto map cisco 10 ipsec-isakmp
crypto map cisco 10 match address VPN1
crypto map cisco 10 set peer 208.50.249.33
crypto map cisco 10 set transform-set 3des-sha
crypto map cisco 20 ipsec-isakmp
crypto map cisco 20 match address VPN2
crypto map cisco 20 set peer 167.242.50.1
crypto map cisco 20 set peer 216.138.152.149
crypto map cisco 20 set transform-set 3des-sha
crypto map cisco interface outside
crypto map covenant 20 ipsec-isakmp
crypto map covenant 20 set peer 216.138.152.149
crypto map covenant 20 set transform-set 3des-sha
crypto map COVENANT 20 ipsec-isakmp
isakmp enable outside
isakmp key ******** address 167.242.50.1 netmask 255.255.255.255
isakmp key ******** address 208.50.249.33 netmask 255.255.255.255
isakmp key ******** address 216.138.152.149 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10 3
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 28800
vpngroup HMCMAP address-pool test
vpngroup HMCMAP wins-server 192.168.0.158
vpngroup HMCMAP default-domain hurmen.com
vpngroup HMCMAP idle-time 1800
vpngroup HMCMAP password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 20
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:73f831d8530ee1e291ebe5bcdfebf20f

Open in new window

0
Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

 
LVL 18

Expert Comment

by:decoleur
ID: 22735117
the problem is most liekly in your nonat section...

you have:
access-list nonat_inside permit ip 192.168.0.0 255.255.0.0 172.16.1.0 255.255.25
5.0
access-list nonat_inside permit ip host 192.168.5.251 208.50.249.192 255.255.255
.224
access-list nonat_pix/intf2 permit ip 172.20.1.0 255.255.255.0 172.16.1.0 255.25
5.255.0

which are unused and should most likely disappear...
and you have
access-list NONAT permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list NONAT permit ip host 192.168.103.0 172.23.0.0 255.255.0.0
which match up with the ACLS for VPN1 and VPN2...

but are those the addressess that you try to connect to?
when you try to communicate to VPN1 is it just to 208.50.249.192?

hope this helps.

-t
0
 

Author Comment

by:Heiden_Consulting
ID: 22739862
VPN2 is the network I am having the issues with.  I am trying to route all of my 192.168.103.0 traffic to the 172.23.0.0 network on the other side.  VPN1 is working fine.

Thanks.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22739979
>access-list VPN2 permit ip host 192.168.103.0 172.23.0.0 255.255.0.0
>access-list NONAT permit ip host 192.168.103.0 172.23.0.0 255.255.0.0

Change these two entries to remove "host"

access-list VPN2 permit ip 192.168.103.0 255.255.255.0 172.23.0.0 255.255.0.0
access-list NONAT permit ip 192.168.103.0 255.255.255.0 172.23.0.0 255.255.0.0
0
 

Author Comment

by:Heiden_Consulting
ID: 22743135
The rep from the other side of the tunnel still tells me that he cannot see any data coming accross from my side.  But he can see the tunnel come up and data go accross.  It is like my side cannot complete the route statement and route traffic back accross the tunnel.  Attached is my current config any help would be greatly appreciated.  Thanks so far for all your help.  It's getting closer.

: Saved
: Written by enable_15 at 09:27:35.854 UTC Fri Oct 17 2008
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password cnSVlRPJeYQiI/UE encrypted
passwd cnSVlRPJeYQiI/UE encrypted
hostname pixfirewall
domain-name hurmem.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list pix_intf2 permit ip 172.20.1.0 255.255.255.0 192.168.0.0 255.255.0.0
 
access-list acl_outside permit icmp any any
access-list ACL_OUTSIDE permit tcp any any
access-list 108 permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat_inside permit ip 192.168.0.0 255.255.0.0 172.16.1.0 255.255.25
5.0
access-list nonat_inside permit ip host 192.168.5.251 208.50.249.192 255.255.255
.224
access-list nonat_pix/intf2 permit ip 172.20.1.0 255.255.255.0 172.16.1.0 255.25
5.255.0
access-list vrc permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list VPN1 permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list VPN2 permit ip 192.168.22.0 255.255.255.0 172.23.0.0 255.255.0.0
access-list NONAT permit ip host 192.168.5.251 208.50.249.192 255.255.255.224
access-list NONAT permit ip 192.168.22.0 255.255.255.0 172.23.0.0 255.255.0.0
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 64.119.60.157 255.255.255.240
ip address inside 192.168.0.2 255.255.0.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool test 172.16.1.1-172.16.1.255
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
pdm history enable
arp timeout 14400
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_outside in interface outside
rip inside passive version 1
route outside 0.0.0.0 0.0.0.0 64.119.60.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set HMCSET esp-des esp-md5-hmac
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto map cisco 10 ipsec-isakmp
crypto map cisco 10 match address VPN1
crypto map cisco 10 set peer 208.50.249.33
crypto map cisco 10 set transform-set 3des-sha
crypto map cisco 20 ipsec-isakmp
crypto map cisco 20 match address VPN2
crypto map cisco 20 set peer 167.242.50.1
crypto map cisco 20 set peer 216.138.152.149
crypto map cisco 20 set transform-set 3des-sha
crypto map cisco interface outside
crypto map COVENANT 20 ipsec-isakmp
isakmp enable outside
isakmp key ******** address 167.242.50.1 netmask 255.255.255.255
isakmp key ******** address 208.50.249.33 netmask 255.255.255.255
isakmp key ******** address 216.138.152.149 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10 3
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 28800
vpngroup HMCMAP address-pool test
vpngroup HMCMAP wins-server 192.168.0.158
vpngroup HMCMAP default-domain hurmen.com
vpngroup HMCMAP idle-time 1800
vpngroup HMCMAP password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 20
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:4c0c0407aea1f60351c9c74519381701

Open in new window

0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses
Course of the Month11 days, 7 hours left to enroll

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question