Solved

Cisco Pix 501 to Netopia 3340 IPSec Configuration Problem

Posted on 2008-10-25
8
604 Views
Last Modified: 2011-10-19
I am trying to configure a gateway-to-gateway IPSec VPN between a Netopia 3340 broadband router and a Cisco Pix 501 firewall (ver 6.3) using pre-shared keys. I have made what I think are the necessary configuration changes on both ends but cannot get the tunnel to set up. The Netopia setup is very simple and I am fairly certain it is correct. I believe the problem is on the Cisco side. I suspect this because when I ping from the local (cisco) network (192.168.16.X) to the remote (netopia) network, (192.168.1.X), the ISP gateway router returns "destination host unreachable". Performing the same ping test from the netopia side (192.168.1.X) to the cisco side (192.168.60.x), I get "request timed out" responses. It seems to me if the tunnel was up, the non-routable addresses going from the cisco to the netopia would pass through correctly and I would not get the unreachable error.
I have attached a file with both configurations. for the Pix 501, I have highlighted the changes I made to the existing configuration file.  Local public IPs are shown as XXX.XXX.XXX.XXX. Remote peer public IP is shown as YYY.YYY.YYY.192. Thanks for your help.
Pix-501-config.doc
0
Comment
Question by:pharostech
  • 4
  • 2
  • 2
8 Comments
 
LVL 76

Expert Comment

by:arnold
ID: 22804168
In your question above you have two location with three different LANs: which two LANs do you have? 192.168.1.0, 192.168.16.0 192.168.60.0?

Here is a question:
The LOCAL LAN on the CISCO is 192.168.60.x.
What is the local LAN on the Netopia Side?  is it 192.168.1.x or is it 192.168.16.x?
The cisco access list reflects 192.168.16.0 as the IP in the nat0 rule.

Check the cisco and the netopia logs dealing with the VPN connection attempts.

run on the cisco
show crypto ipsec sa
show crypto iskamp sa.
0
 

Author Comment

by:pharostech
ID: 22804290
Thank you for the extra set of eyes. My apologies. I had overlooked the 192.168.16.0 error! There is no such subnet.  These are the correct subnets.
    Local LAN (cisco) = 192.168.60.0
    Peer LAN (netopia) = 192.168.1.0

I have updated the two ACLs to reflect the correct subnet of 192.168.60.0.  They now look like this:
    access-list inside_nat0_outbound permit ip 192.168.16.0 255.255.255.0 testvpn 255.255.255.0
    access-list outside_cryptomap_20 permit ip 192.168.16.0 255.255.255.0 testvpn 255.255.255.0

However, there must be another problem as I am getting the exact same "destination host unreachable" error. Thanks.
0
 

Author Comment

by:pharostech
ID: 22804305
Disregard the previous response. Trying to cut and paste and making mistakes. It should have been:
-------------------------------
Thank you for the extra set of eyes. My apologies. I had overlooked the 192.168.16.0 error! There is no such subnet.  These are the correct subnets.
    Local LAN (cisco) = 192.168.60.0
    Peer LAN (netopia) = 192.168.1.0

I have updated the two ACLs to reflect the correct subnet of 192.168.60.0.  They now look like this:
    access-list inside_nat0_outbound permit ip 192.168.60.0 255.255.255.0 testvpn 255.255.255.0
    access-list outside_cryptomap_20 permit ip 192.168.60.0 255.255.255.0 testvpn 255.255.255.0

However, there must be another problem as I am getting the exact same "destination host unreachable" error. Thanks.
0
 
LVL 76

Expert Comment

by:arnold
ID: 22804758
Does a VPN connection get established?
Please run on the cisco the following commands and post the results:
show crypto ipsec sa
show crypto iskamp sa

0
Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

 
LVL 79

Expert Comment

by:lrmoore
ID: 22805039
Also add this to the pix:

  isakmp identity address

0
 

Author Comment

by:pharostech
ID: 22805703
Here is output from the two commands you requested:
--------------------
CH-PIX# show crypto ipsec sa

interface: outside
    Crypto map tag: outside_map, local addr. XXX.XXX.XXX.106

CH-PIX# show crypto isakmp sa
Total     : 0
Embryonic : 0
        dst               src        state     pending     created
CH-PIX#
--------------
I also added "isakmp identity address" to the configuration.

Also, I turned on debug (debug crypto ipsec) and pinged the remote peer from the cisco. Here is the output:
CH-PIX# IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created

FYI...I am no longer getting "destination host unreachable" messages, only "request timed out" messages when I ping the peer from the cisco side.

I am attaching the latest config file as a word doc. Thanks for your help in solving this. Once I get this working, it will be implemented at 13 locations.
Pix501-2.doc
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 22805951
The configs look OK.
Try debug crypto isakmp
Try re-setting the shared key on both sides
Is there another page of config on the Netopia? I don't see where you put the peer ip address....
0
 

Author Closing Comment

by:pharostech
ID: 31509963
The problem is resolved. It was related to the Public IP address of the cisco pix. The interface has four IPs assigned., XXX.XXX.XXX.205 - XXX.XXX.XXX.208. The one we forward to our mail server is XXX.XXX.XXX.207 and that is the one I was using. For some reason, the IPSec config wanted XXX.XXX.XXX.206. Once I changed it on the Netopia side, everything worked.

Thanks immensely for your help and the quick responses.
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Sophos UTM Endpoint VPN 2 31
Simple Guest VLAN Help 17 38
cisco nexus experiance 2 30
Cisco / asa /Nagios 3 10
For a while, I have wanted to connect my HTC Incredible to my corporate network to take advantage of the phone's powerful capabilities. I searched online and came up with varied answers from "it won't work" to super complicated statements that I did…
This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now