?
Solved

ASA-PIX VPN won't come up, PIX ISP is running a Netopia router as gateway

Posted on 2009-02-14
3
Medium Priority
?
1,080 Views
Last Modified: 2012-05-06
Hello,

'm having problem getting a site-site VPN up between an ASA5505 and a PIX501
The ASA5505 is in the main office and 2 remote sites with PIX501.
Both PIX501 are configured the same way.

Site1:client-VPN is working fine but not the site-site VPN.
Site2:both client-VPN and site-site VPN are running no problems

Site1 ISP is AT&T, on the front end they have a Netopia Model 3346N DSL Ethernet Switch and behind it is our pix.
When we disabled the firewall on the Netopia (BreakWater Firewall       ClearSailing) I could ping and SSH our pix.

I ran debug crypto ipsec and isakmp on the ASA, nothing related to site1 SA, only for site2 which works great.
The "PEER_REAPER_TIMER" message shows on site1 pix which apparently means the SA key is getting deleted?

I also copy&pasted the key on both devices numerous times to make sure they matches.

here's a short snip from the sh crypto ipsec sa on the site1 pix
---------------------------------------------------------------------------------------------------------------
    code:interface: outside
        Crypto map tag: transam, local addr. 71.137.x.x

       local  ident (addr/mask/prot/port): (192.168.33.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (Calgary/255.255.255.0/0/0)
       current_peer: 66.18.x.x:0
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 71.137.x.x, remote crypto endpt.: 66.18.x.x
         path mtu 1500, ipsec overhead 0, media mtu 1500
         current outbound spi: 0
---------------------------------------------------------------------------------------------------------------


this current_peer: 66.18.x.x:0 is rather odd, on our site2 pix it says current_peer: 66.18.x.x:500 which is the UDP port for ISAKMP.



There's an IPSec option on the Netopia router
---------------------------------------------------------------------------------------------------------------
Two separate mechanisms for IPSec tunnel support are provided by your Gateway:

* IPSec PassThrough supports VPN clients running on LAN-connected computers. Disable this checkbox if your LAN-side VPN client includes its own NAT interoperability solution.
* SafeHarbour is a keyed feature that enables Gateway-terminated VPN support.


IPSec PassThrough
Enable IPSec PassThrough

SafeHarbour IPSec
Enable SafeHarbour IPSec
---------------------------------------------------------------------------------------------------------------
currently both options are unchecked.
ASA Config
ostname asa5505
domain-name
enable password
passwd
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.31.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.224
!
interface Vlan5
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 5
!
interface Ethernet0/2
 switchport access vlan 5
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
 domain-name
!
access-list inside_access_in extended permit ip 192.168.31.0 255.255.255.0 any
!
access-list dmz_access_in extended permit tcp host 172.16.1.3 any eq smtp
!
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit icmp any interface outside
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq 444
access-list outside_access_in extended permit tcp any interface outside eq 4125
access-list outside_access_in extended permit udp any interface outside eq 4125
access-list outside_access_in extended permit tcp any interface outside eq ldap
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq pptp
access-list outside_access_in extended permit tcp any interface outside eq pop3
access-list outside_access_in extended permit udp any interface outside eq ntp
!
access-list 101 extended permit ip 192.168.31.0 255.255.255.0 192.168.33.0 255.255.255.0
!
access-list 102 extended permit ip 192.168.31.0 255.255.255.0 192.168.32.0 255.255.255.0
!
access-list NoNAT extended permit ip 192.168.31.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list NoNAT extended permit ip 192.168.31.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list NoNAT extended permit ip 192.168.31.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list NoNAT extended permit ip 192.168.31.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list NoNAT extended permit ip 192.168.31.0 255.255.255.0 192.168.30.0 255.255.255.0
!
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
!
nat-control
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface smtp 172.16.1.3 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 444 192.168.31.5 444 netmask 255.255.255.255
static (inside,outside) tcp interface imap4 192.168.31.5 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface 4125 192.168.31.5 4125 netmask 255.255.255.255
static (inside,outside) udp interface 4125 192.168.31.5 4125 netmask 255.255.255.255
static (inside,outside) tcp interface ldap 192.168.31.5 ldap netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.31.5 https netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.31.5 pptp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.31.5 pop3 netmask 255.255.255.255
static (inside,outside) udp interface ntp 192.168.31.5 ntp netmask 255.255.255.255
static (inside,dmz) 192.168.31.0 192.168.31.0 netmask 255.255.255.0
 
!
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
!
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route outside 0.0.0.0 0.0.0.0 x.x.x.193 1
route dmz 192.168.31.5 255.255.255.255 192.168.31.10 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.31.0 255.255.255.0 inside
!
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
crypto dynamic-map dynmap 30 set transform-set myset
crypto dynamic-map dynmap 30 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 30 set security-association lifetime kilobytes 4608000
!
crypto map transam 10 match address 101
crypto map transam 10 set peer site1
crypto map transam 10 set transform-set myset
crypto map transam 10 set security-association lifetime seconds 28800
crypto map transam 10 set security-association lifetime kilobytes 4608000
!
crypto map transam 20 match address 102
crypto map transam 20 set peer site2
crypto map transam 20 set transform-set myset
crypto map transam 20 set security-association lifetime seconds 28800
crypto map transam 20 set security-association lifetime kilobytes 4608000
!
crypto map transam 65000 ipsec-isakmp dynamic dynmap
crypto map transam interface outside
!
crypto isakmp enable outside
!
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
telnet timeout 5
!
ssh 192.168.31.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
!
console timeout 0
!
dhcpd auto_config outside
!
dhcpd address 192.168.31.51-192.168.31.254 inside
dhcpd dns 192.168.31.5 interface inside
dhcpd wins 192.168.31.5 interface inside
dhcpd lease 302400 interface inside
!
 
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
tunnel-group site2 type ipsec-l2l
tunnel-group site2 ipsec-attributes
 pre-shared-key *
!
tunnel-group site1 type ipsec-l2l
tunnel-group site1 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map type inspect dns pres
 parameters
!
service-policy global_policy global
prompt hostname context
!
end
 
 
 
 
 
PIX Config
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname
domain-name
!
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
!
names
name 192.168.31.0 Calgary
!
access-list 101 permit ip 192.168.33.0 255.255.255.0 Calgary 255.255.255.0
access-list NoNAT permit ip 192.168.33.0 255.255.255.0 Calgary 255.255.255.0
access-list NoNAT permit ip 192.168.33.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list NoNAT permit ip Calgary 255.255.255.0 192.168.30.0 255.255.255.0
access-list NoNAT permit ip 192.168.33.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list NoNAT permit ip Calgary 255.255.255.0 192.168.10.0 255.255.255.0
!
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any time-exceeded
!
access-list split_tunnel_acl permit ip Calgary 255.255.255.0 192.168.30.0 255.255.255.0
access-list split_tunnel_acl permit ip 192.168.33.0 255.255.255.0 192.168.30.0 255.255.255.0
!
pager lines 24
mtu outside 1500
mtu inside 1500
!
ip address outside x.x.x.x 255.255.255.248
ip address inside 192.168.33.1 255.255.255.0
!
ip audit info action alarm
ip audit attack action alarm
!
ip local pool clientpool 192.168.30.1-192.168.30.254
!
pdm location 192.168.33.0 255.255.255.0 inside
pdm location 192.168.33.2 255.255.255.255 inside
pdm location 192.168.30.0 255.255.255.0 outside
pdm location Calgary 255.255.255.0 outside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 192.168.33.0 255.255.255.255 outside
pdm location 192.168.33.0 255.255.255.0 outside
pdm location 192.168.33.5 255.255.255.255 inside
pdm history enable
arp timeout 14400
!
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 80
route inside 192.168.30.0 255.255.255.0 192.168.33.1 1
route inside Calgary 255.255.255.0 192.168.33.1 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
!
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
!
http server enable
http 192.168.33.0 255.255.255.0 inside
!
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
!
sysopt connection permit-ipsec
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
!
crypto map transam 10 ipsec-isakmp
crypto map transam 10 match address 101
crypto map transam 10 set peer x.x.x.x
crypto map transam 10 set transform-set myset
crypto map transam 65000 ipsec-isakmp dynamic dynmap
crypto map transam interface outside
!
isakmp enable outside
isakmp key * address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
!
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
vpngroup * address-pool clientpool
vpngroup * dns-server 192.168.33.1
vpngroup * default-domain
vpngroup * split-tunnel split_tunnel_acl
vpngroup * idle-time 1000
vpngroup * password *
!
telnet timeout 5
!
ssh 0.0.0.0 0.0.0.0 outside
ssh x.x.x.x 255.255.255.255 outside
ssh 192.168.33.0 255.255.255.0 inside
ssh timeout 5
!
management-access inside
console timeout 0
!
dhcpd address 192.168.33.30-192.168.33.61 inside
dhcpd dns x
dhcpd lease 3600
dhcpd ping_timeout 100
dhcpd auto_config outside
dhcpd enable inside
dhcprelay timeout 60
!
terminal width 80
end

Open in new window

0
Comment
Question by:champoo
3 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 1200 total points
ID: 23643437
On ASA, add:
 crypto isakmp nat-traversal 25
 
I would set the Netopia to system bridge mode and let the PIX get the public IP address
0
 
LVL 9

Assisted Solution

by:Press2Esc
Press2Esc earned 800 total points
ID: 23653112
I would agree w/LR and bridge the Netopia, otherwise I would recommend you place the attached Cisco in the Netopia router DMZ...  
Pls note to bridge the Netopia, requires multiple (manual) config steps.  Alternately, to DMZ your Cisco, you can select he IP Passthrough (or IPMap) modes in the Netopia....  
0
 

Author Closing Comment

by:champoo
ID: 31546972
setting the nat-traversal to 25 fixed the VPN after I re-enabed IPSec passthrough on the netopia box.

Thanks for the help guys
0

Featured Post

Get quick recovery of individual SharePoint items

Free tool – Veeam Explorer for Microsoft SharePoint, enables fast, easy restores of SharePoint sites, documents, libraries and lists — all with no agents to manage and no additional licenses to buy.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question