Solved

VPN Tunnel Trouble Between Cisco PIX 506E and Cisco 851 Router

Posted on 2009-04-03
705 Views
Last Modified: 2013-11-12
This is my first time posting. That being said, if there is something that I am leaving out, please let me know. Also, thank you in advance for taking the time to help.

We have 2 offices that we are going to be creating a VPN tunnel between. I am very familiar with creating tunnels between PIXes, but one of the offices in this project has a Cisco 851 Router. Any help with this would be greatly appreciated. Please see below for a detailed copy of the configurations.

Office 1 with Cisco PIX 506E (hub)

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nonat permit ip 192.168.101.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list nonat permit ip 192.168.101.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list nonat permit ip 192.168.101.0 255.255.255.0 192.168.104.0 255.255.255.0
access-list nonat permit ip 192.168.101.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.101.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list out_in permit icmp any any
access-list out_in permit tcp any any eq 3389
access-list idx permit ip 192.168.181.160 255.255.255.248 193.37.92.240 255.255.255.252
access-list ecomm permit ip 192.168.181.160 255.255.255.248 204.165.247.0 255.255.255.0
access-list southvpn permit ip 192.168.101.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list gpvpn permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list rdvpn permit ip 192.168.101.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list macombvpn permit ip 192.168.101.0 255.255.255.0 192.168.104.0 255.255.255.0
access-list sterlingvpn permit ip 192.168.101.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list rochestervpn permit ip 192.168.101.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside *.*.*.53 255.255.255.248
ip address inside 192.168.101.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.101.1 3389 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.181.160 192.168.101.50 netmask 255.255.255.255 0 0
access-group out_in in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.49 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.101.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set idxvpn esp-3des esp-sha-hmac
crypto map idxmap 1 ipsec-isakmp
crypto map idxmap 1 match address idx
crypto map idxmap 1 set peer *.*.*.213
crypto map idxmap 1 set transform-set idxvpn
crypto map idxmap 2 ipsec-isakmp
crypto map idxmap 2 match address ecomm
crypto map idxmap 2 set peer *.*.*.204
crypto map idxmap 2 set transform-set idxvpn
crypto map idxmap 3 ipsec-isakmp
crypto map idxmap 3 match address southvpn
crypto map idxmap 3 set peer *.*.*.66
crypto map idxmap 3 set transform-set idxvpn
crypto map idxmap 4 ipsec-isakmp
crypto map idxmap 4 match address gpvpn
crypto map idxmap 4 set peer *.*.*.100
crypto map idxmap 4 set transform-set idxvpn
crypto map idxmap 5 ipsec-isakmp
crypto map idxmap 5 match address rdvpn
crypto map idxmap 5 set peer *.*.*.235
crypto map idxmap 5 set transform-set idxvpn
crypto map idxmap 6 ipsec-isakmp
crypto map idxmap 6 match address macombvpn
crypto map idxmap 6 set peer *.*.*.1
crypto map idxmap 6 set transform-set idxvpn
crypto map idxmap 7 ipsec-isakmp
crypto map idxmap 7 match address sterlingvpn
crypto map idxmap 7 set peer *.*.*.165
crypto map idxmap 7 set transform-set idxvpn
crypto map idxmap 8 ipsec-isakmp
crypto map idxmap 8 match address rochestervpn
crypto map idxmap 8 set peer *.*.*.209
crypto map idxmap 8 set transform-set idxvpn
crypto map idxmap interface outside
isakmp enable outside
isakmp key ******** address *.*.*.100 netmask 255.255.255.255 no-xauth
isakmp key ******** address *.*.*.213 netmask 255.255.255.255 no-xauth
isakmp key ******** address *.*.*.204 netmask 255.255.255.255 no-xauth
isakmp key ******** address *.*.*.235 netmask 255.255.255.255 no-xauth
isakmp key ******** address *.*.*.66 netmask 255.255.255.255 no-xauth
isakmp key ******** address *.*.*.1 netmask 255.255.255.255 no-xauth
isakmp key ******** address *.*.*.209 netmask 255.255.255.255 no-xauth
isakmp key ******** address *.*.*.165 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 28800
management-access inside
console timeout 0
terminal width 80


Office 2 with Cisco 851 Router (spoke)

clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
!
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key *** address *.*.*.169
crypto isakmp key *** address *.*.*.209
crypto isakmp key *** address *.*.*.53
!
!
crypto ipsec transform-set dr-xform esp-3des esp-md5-hmac
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
crypto ipsec transform-set idxvpn esp-3des esp-sha-hmac
!
crypto map INTERNETVPN 1260 ipsec-isakmp
 description Covisint VPN1
 set peer *.*.*.169
 set transform-set dr-xform
 match address COVISINT
crypto map INTERNETVPN 1261 ipsec-isakmp
 description ROCHESTER
 set peer *.*.*.209
 set transform-set dr-xform
 match address 104
crypto map INTERNETVPN 1262 ipsec-isakmp
 description clintonvpn
 set peer *.*.*.53
 set transform-set idxvpn
 match address 112
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address *.*.*.165 255.255.255.248
 ip access-group 111 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map INTERNETVPN
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.0.0.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 crypto map INTERNETVPN
!
ip classless
ip route 0.0.0.0 0.0.0.0 *.*.*.166
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 10.0.0.253 25 interface FastEthernet4 25
ip nat inside source static tcp 10.0.0.253 4125 interface FastEthernet4 4125
ip nat inside source static tcp 10.0.0.253 443 interface FastEthernet4 443
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
ip access-list extended COV-TUNNEL
 remark Covisint Rule
 remark SDM_ACL Category=4
 permit ip any *.*.*.0 0.0.0.127
 permit ip any *.*.*.0 0.0.0.255
 remark Covisint Rule
 remark SDM_ACL Category=4
ip access-list extended COVISINT
 remark SDM_ACL Category=16
 permit ip host *.*.*.165 *.*.*.0 0.0.0.127
 permit ip host *.*.*.165 *.*.*.0 0.0.0.255
 remark SDM_ACL Category=16
ip access-list extended ROCHESTER
 remark SDM_ACL Category=16
 permit ip host *.*.*.165 192.168.1.0 0.0.0.255
 remark SDM_ACL Category=16
ip access-list extended clintonvpn
 permit ip host *.*.*.165 192.168.101.0 0.0.0.255
!
logging trap critical
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit udp host *.*.*.209 host 10.0.0.1 eq non500-isakmp
access-list 100 permit udp host *.*.*.209 host 10.0.0.1 eq isakmp
access-list 100 permit esp host *.*.*.209 host 10.0.0.1
access-list 100 permit ahp host *.*.*.209 host 10.0.0.1
access-list 100 permit ip *.*.*.0 0.0.0.255 host *.*.*.165
access-list 100 permit ip *.*.*.0 0.0.0.127 host *.*.*.165
access-list 100 permit udp host *.*.*.169 host 10.0.0.1 eq non500-isakmp
access-list 100 permit udp host *.*.*.169 host 10.0.0.1 eq isakmp
access-list 100 permit esp host *.*.*.169 host 10.0.0.1
access-list 100 permit ahp host *.*.*.169 host 10.0.0.1
access-list 100 deny   ip *.*.*.160 0.0.0.7 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 remark auto generated by Cisco SDM Express firewall configuratio
access-list 100 remark SDM_ACL Category=1
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.101.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit udp host *.*.*.53 host 10.0.0.1 eq non500-isakmp
access-list 100 permit udp host *.*.*.53 host 10.0.0.1 eq isakmp
access-list 100 permit esp host *.*.*.53 host 10.0.0.1
access-list 100 permit ahp host *.*.*.53 host 10.0.0.1
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip 10.0.0.0 0.0.0.255 any
access-list 101 permit icmp any host *.*.*.165 echo-reply
access-list 101 permit icmp any host *.*.*.165 time-exceeded
access-list 101 permit icmp any host *.*.*.165 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuratio
access-list 101 remark SDM_ACL Category=1
access-list 102 remark SDM_ACL Category=2
access-list 102 remark IPSec Rule
access-list 102 deny   ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny   ip host *.*.*.165 *.*.*.0 0.0.0.255
access-list 102 deny   ip host *.*.*.165 *.*.*.0 0.0.0.127
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=2
access-list 102 remark IPSec Rule
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.0.0.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 111 remark auto generated by Cisco SDM Express firewall configuratin
access-list 111 remark SDM_ACL Category=1
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 111 permit udp host *.*.*.209 host *.*.*.165 eq non500-isakmp
access-list 111 permit udp host *.*.*.209 host *.*.*.165 eq isakmp
access-list 111 permit esp host *.*.*.209 host *.*.*.165
access-list 111 permit ahp host *.*.*.209 host *.*.*.165
access-list 111 permit ip *.*.*.0 0.0.0.255 host *.*.*.165
access-list 111 permit ip *.*.*.0 0.0.0.127 host *.*.*.165
access-list 111 permit udp host *.*.*.169 host *.*.*.165 eq non500-isakmp
access-list 111 permit udp host *.*.*.169 host *.*.*.165 eq isakmp
access-list 111 permit esp host *.*.*.169 host *.*.*.165
access-list 111 permit ahp host *.*.*.169 host *.*.*.165
access-list 111 deny   ip 10.0.0.0 0.0.0.255 any
access-list 111 permit icmp any host *.*.*.165 echo-reply
access-list 111 permit icmp any host *.*.*.165 time-exceeded
access-list 111 permit icmp any host *.*.*.165 unreachable
access-list 111 permit tcp any host *.*.*.165 eq 3389
access-list 111 permit tcp any host *.*.*.165 eq smtp
access-list 111 permit tcp any host *.*.*.165 eq 4125
access-list 111 permit tcp any host *.*.*.165 eq 443
access-list 111 deny   ip 10.0.0.0 0.255.255.255 any
access-list 111 deny   ip 172.16.0.0 0.15.255.255 any
access-list 111 deny   ip 192.168.0.0 0.0.255.255 any
access-list 111 deny   ip 127.0.0.0 0.255.255.255 any
access-list 111 deny   ip host 255.255.255.255 any
access-list 111 deny   ip host 0.0.0.0 any
access-list 111 deny   ip any any
access-list 111 remark auto generated by Cisco SDM Express firewall configuratin
access-list 111 remark SDM_ACL Category=1
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.101.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 111 permit udp host *.*.*.53 host *.*.*.165 eq non500-isakmp
access-list 111 permit udp host *.*.*.53 host *.*.*.165 eq isakmp
access-list 111 permit esp host *.*.*.53 host *.*.*.165
access-list 111 permit ahp host *.*.*.53 host *.*.*.165
access-list 112 permit ip 10.0.0.0 0.0.0.255 192.168.101.0 0.0.0.255
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
control-plane
!
banner login ^CCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Question by:SmoothChange

6 Comments
 

Assisted Solution

by:cosmicfox
cosmicfox earned 60 total points
ID: 24064719
Could be an isakmp lifetime mismatch. On your PIX your lifetime is 28800, and I don't see it on your router, and the default isakmp lifetime is 86400.
 

Author Comment

by:SmoothChange
ID: 24072492
That didn't seem to have any effect on it, but I did make the change. Good catch.
 

Assisted Solution

by:cosmicfox
cosmicfox earned 60 total points
ID: 24072794
Your isakmp policy on your router isn't set up to use the sha hash.
 

Author Comment

by:SmoothChange
ID: 24076593
Good catch, but I have a problem. Whenever I go to type that into the command line, it acts as if it took it. I get no error or sign of a problem, but after a wr mem, it does not appear in the configuration. Any thoughts?
 

Assisted Solution

by:cosmicfox
cosmicfox earned 60 total points
ID: 24079010
You could just create a new isakmp policy:

crypto isakmp policy 20
 encr 3des
 authentication pre-share
 hash sha
 group 2
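The two comments above (the lifetime mismatch and the missing `hash sha`) both come down to comparing the phase-1 policy on each side attribute by attribute, and the reason the command "disappears" after `wr mem` is that IOS does not print default values inside a `crypto isakmp policy` block: `hash sha` is the IOS default, so it is in effect but never shows in `show running-config` (`show crypto isakmp policy` lists the effective values). The following Python checker is an added example for this thread, not code from the thread or from Cisco. It parses the PIX-style and IOS-style policy syntax, fills in platform defaults for anything the running config omits, and reports which attributes differ. The two config excerpts are constructed from the policies posted above; the DEFAULTS table is an assumption based on the documented PIX 6.3 and IOS ISAKMP defaults. Lifetime is reported separately rather than as a hard mismatch because IKEv1 peers negotiate it (a responder accepts a proposed lifetime no longer than its own).

```python
"""Compare IKEv1 (ISAKMP) phase-1 policies between a PIX 6.x hub and an
IOS spoke.  Added example for this thread, not Cisco tooling; the two
config excerpts are constructed from the policies posted in the thread."""
import re

# Attribute values applied when the running config omits them.
# Assumption: the documented PIX 6.3 / IOS ISAKMP policy defaults.
DEFAULTS = {"authentication": "rsa-sig", "encryption": "des",
            "hash": "sha", "group": "1", "lifetime": "86400"}
# IOS abbreviates 'encryption' to 'encr' inside a policy block.
ALIASES = {"encr": "encryption"}

PIX_CONFIG = """\
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 28800
"""

IOS_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key *** address 192.0.2.53
"""

def parse_pix_isakmp(config):
    """PIX 6.x style: one 'isakmp policy <n> <attr> <value>' line per attribute."""
    policies = {}
    for m in re.finditer(r"^isakmp policy (\d+) (\S+) (\S+)\s*$", config, re.M):
        num, attr, value = m.groups()
        policies.setdefault(num, dict(DEFAULTS))[attr] = value
    return policies

def parse_ios_isakmp(config):
    """IOS style: 'crypto isakmp policy <n>' header followed by indented attributes."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^crypto isakmp policy (\d+)\s*$", line)
        if m:
            current = policies.setdefault(m.group(1), dict(DEFAULTS))
        elif current is not None and line.startswith(" ") and len(line.split()) == 2:
            attr, value = line.split()
            current[ALIASES.get(attr, attr)] = value
        else:
            current = None  # left the policy block
    return policies

HARD_KEYS = ("authentication", "encryption", "hash", "group")

def compare_policies(hub, spoke):
    """For every hub/spoke policy pair, return the attributes that differ.
    HARD_KEYS must match exactly for phase 1 to succeed; lifetime is listed
    too but is negotiable (a responder accepts a shorter proposal)."""
    report = {}
    for h, hp in hub.items():
        for s, sp in spoke.items():
            diffs = {k: (hp[k], sp[k]) for k in (*HARD_KEYS, "lifetime") if hp[k] != sp[k]}
            report[(h, s)] = diffs
    return report

def compatible_pairs(hub, spoke):
    """Policy pairs whose HARD_KEYS all agree (lifetime differences tolerated)."""
    return [pair for pair, diffs in compare_policies(hub, spoke).items()
            if not set(diffs) & set(HARD_KEYS)]

if __name__ == "__main__":
    hub, spoke = parse_pix_isakmp(PIX_CONFIG), parse_ios_isakmp(IOS_CONFIG)
    for pair, diffs in compare_policies(hub, spoke).items():
        print(pair, diffs or "identical")
    print("usable pairs:", compatible_pairs(hub, spoke))
```

Run against the two excerpts it reports policy 1 / policy 10 as compatible with only the lifetime differing (28800 vs the IOS default 86400), which matches the thread's conclusion that phase 1 was not the real blocker.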
 

Accepted Solution

by:SmoothChange
SmoothChange earned 0 total points
ID: 24129626
It actually turned out to be the order of the ACLs. Our permits came after the denies. We had to take out the whole ACL and put it back in the correct order.
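The accepted answer is the classic first-match pitfall visible in the posted config: on the 851, `access-list 111` already ends in `deny ip any any`, and the entries for the new peer (the `192.168.101.0/24` to `10.0.0.0/24` permit and the isakmp/non500-isakmp/esp/ahp lines from the hub's address) were appended after it, so the router can never reach them. The script below is an added example for this thread, not code from the thread or from Cisco. It parses an IOS numbered extended ACL, lists entries that are shadowed by an earlier entry, and evaluates a first-match lookup the way the router does, so the effect of the ordering can be checked before and after re-entering the list. The sample ACL is constructed in the shape of the router's access-list 111 using documentation addresses (192.0.2.165 standing in for the outside interface, 198.51.100.x for the peers); port and ICMP-type qualifiers are compared verbatim for shadowing and ignored in `evaluate`, which is a deliberate simplification.

```python
"""Spot unreachable entries in an IOS numbered extended ACL and evaluate
first-match lookups against it.  Added example for this thread, not Cisco
tooling.  SAMPLE_ACL is constructed in the shape of the router's
access-list 111 with documentation addresses (192.0.2.165 = outside
interface, 198.51.100.x = VPN peers)."""
import ipaddress
from dataclasses import dataclass

PORT_OPS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}

SAMPLE_ACL = """\
access-list 111 remark IPSec Rule
access-list 111 permit udp host 198.51.100.209 host 192.0.2.165 eq isakmp
access-list 111 permit esp host 198.51.100.209 host 192.0.2.165
access-list 111 deny   ip 10.0.0.0 0.0.0.255 any
access-list 111 permit icmp any host 192.0.2.165 echo-reply
access-list 111 deny   ip 192.168.0.0 0.0.255.255 any
access-list 111 deny   ip any any
access-list 111 permit ip 192.168.101.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 111 permit udp host 198.51.100.53 host 192.0.2.165 eq isakmp
access-list 111 permit esp host 198.51.100.53 host 192.0.2.165
"""

@dataclass
class Entry:
    action: str
    proto: str
    src: tuple   # (address, wildcard) as 32-bit ints
    dst: tuple
    qual: tuple  # (src ports, dst ports, trailing qualifiers such as an icmp type)

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return (0, 0xFFFFFFFF)
    if t == "host":
        return (_ip(tokens.pop(0)), 0)
    return (_ip(t), _ip(tokens.pop(0)))

def _ports(tokens):
    """Consume an optional port operator (eq/gt/lt/neq X or range X Y)."""
    if tokens and tokens[0] in PORT_OPS:
        n = PORT_OPS[tokens[0]] + 1
        spec = " ".join(tokens[:n])
        del tokens[:n]
        return spec
    return ""

def parse_acl(text, number):
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[:2] != ["access-list", str(number)]:
            continue
        if tokens[2] == "remark":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, sport = _addr(rest), _ports(rest)
        dst, dport = _addr(rest), _ports(rest)
        entries.append(Entry(action, proto, src, dst, (sport, dport, " ".join(rest))))
    return entries

def _covers(a, b):
    """True if address/wildcard a matches every address that b matches."""
    fixed = ~a[1] & 0xFFFFFFFF            # the bits a actually checks
    return (a[1] | b[1]) == a[1] and (a[0] & fixed) == (b[0] & fixed)

def _covers_entry(e, later):
    if not (_covers(e.src, later.src) and _covers(e.dst, later.dst)):
        return False
    unqualified = e.qual == ("", "", "")
    if e.proto == "ip" and unqualified:
        return True                       # 'ip' with no qualifiers matches any protocol
    return e.proto == later.proto and (unqualified or e.qual == later.qual)

def shadowed(entries):
    """(i, j) pairs, 1-based: entry i can never match because entry j precedes it."""
    out = []
    for i, later in enumerate(entries):
        for j in range(i):
            if _covers_entry(entries[j], later):
                out.append((i + 1, j + 1))
                break
    return out

def evaluate(entries, proto, src, dst):
    """First-match lookup on protocol and addresses (L4 qualifiers ignored).
    Returns (action, 1-based entry index), or ('deny', None) for the implicit deny."""
    s, d = (_ip(src), 0), (_ip(dst), 0)
    for i, e in enumerate(entries, 1):
        if e.proto in ("ip", proto) and _covers(e.src, s) and _covers(e.dst, d):
            return (e.action, i)
    return ("deny", None)

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL, 111)
    print("shadowed entries:", shadowed(acl))
    print("IKE from hub:", evaluate(acl, "udp", "198.51.100.53", "192.0.2.165"))
    # The thread's fix: re-enter the list with the new permits ahead of 'deny ip any any'.
    fixed = acl[6:] + acl[:6]
    print("after reorder:", evaluate(fixed, "udp", "198.51.100.53", "192.0.2.165"))
```

On the sample list the three trailing permits are reported as shadowed (the `192.168.101.0/24` permit already by the `deny ip 192.168.0.0 0.0.255.255 any` entry, the two hub-peer lines by `deny ip any any`), and an IKE packet from the hub evaluates to deny at entry 6; with the permits moved ahead of the catch-all deny the same packet is permitted and nothing is shadowed.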
