Link to home
Start Free TrialLog in
Avatar of mboudreaux
mboudreaux

asked on

site to site VPN with a Cisco PIX and Sonicwall Enhanced OS

I am trying to configure a site to site tunnel between a Sonicwall Pro 2040 and a Cisco PIX. I can not get the the tunnel to establish at all. I have verified that all settings match on each peer. I am confident that the Sonic Wall is configured correctly. However, this is the first time I have tried to configure a VPN on a PIX. I have copied the entire PIX config. For the sake of troubleshooting the remote router is 2.2.2.2. The remote LAN is 192.168.111.0. The crypto map is called outside_map and the sequence number I'm using is 60. Thanks everyone.

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password teDzrkvUT00X2ctF encrypted
passwd v.hQtr3xQUfcFhzH encrypted
hostname MCR-MCY
domain-name ciscopix.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.16.1.7 MCR-SQL
name x.x.x.x BT-WEB3
name x.x.x.x WEBSERVER1
name 172.16.1.8 MCR-TS-TEST
access-list inside_outbound_nat0_acl permit ip 172.16.1.0 255.255.255.0 192.168.
2.0 255.255.255.0
access-list inside_outbound_nat0_acl remark Dial VPN clients
access-list inside_outbound_nat0_acl permit ip 172.16.1.0 255.255.255.0 192.168.
254.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.16.1.0 255.255.255.0 192.168.
111.0 255.255.255.0
access-list outside_access_in remark Public web server connection to SQL server
access-list outside_access_in permit tcp host WEBSERVER1 interface outside eq 14
33
access-list outside_access_in permit ip host BT-WEB3 interface outside
access-list mcrentals_splitTunnelAcl permit ip 172.16.1.0 255.255.255.0 any
access-list outside_cryptomap_40 permit ip 172.16.1.0 255.255.255.0 192.168.2.0
255.255.255.0
access-list 60 permit ip 172.16.1.0 255.255.255.0 192.168.111.0 255.255.255.0
pager lines 24
logging on
logging monitor debugging
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.252
ip address inside 172.16.1.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool mcrentalsvpn 192.168.254.1-192.168.254.254
pdm location 0.0.0.0 0.0.0.0 outside
pdm location 0.0.0.0 0.0.0.0 inside
pdm location 172.16.1.2 255.255.255.255 inside
pdm location MCR-SQL 255.255.255.255 inside
pdm location 172.16.1.63 255.255.255.255 inside
pdm location 172.16.1.0 255.255.255.0 inside
pdm location 192.168.2.0 255.255.255.0 outside
pdm location WEBSERVER1 255.255.255.255 outside
pdm location BT-WEB3 255.255.255.255 outside
pdm location x.x.x.x 255.255.255.255 outside
pdm location x.x.x.x 255.255.255.255 outside
pdm location 172.16.1.3 255.255.255.255 inside
pdm location 172.16.1.12 255.255.255.255 inside
pdm location 192.168.254.0 255.255.255.0 inside
pdm location 192.168.111.0 255.255.255.0 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 9100 172.16.1.63 9100 netmask 255.255.255.
255 0 0
static (inside,outside) tcp interface 1433 MCR-SQL 1433 netmask 255.255.255.255
0 0
static (inside,outside) tcp interface ldap 172.16.1.2 ldap netmask 255.255.255.2
55 0 0
static (inside,outside) tcp interface 3389 172.16.1.12 3389 netmask 255.255.255.
255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 206.41.39.217 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 172.16.1.12 mcrsecret timeout 5
aaa-server RADIUS (inside) host 172.16.1.3 mcrsecret timeout 5
aaa-server LOCAL protocol local
ntp server 68.156.116.26 source outside prefer
http server enable
http 0.0.0.0 0.0.0.0 outside
http 172.16.1.0 255.255.255.0 inside
snmp-server host outside 206.40.234.42
snmp-server host outside 206.41.38.111 poll
snmp-server location Morgan City, LA
snmp-server contact CNSI
snmp-server community CNSInet
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
sysopt radius ignore-secret
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer x.x.x.x
crypto map outside_map 40 set peer x.x.x.x
crypto map outside_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address 60
crypto map outside_map 60 set peer 2.2.2.2
crypto map outside_map 60 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
crypto map inside_map client configuration address initiate
crypto map inside_map client configuration address respond
crypto map inside_map client authentication RADIUS
crypto map inside_map interface inside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-co
nfig-mode
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-c
onfig-mode
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255 no-xauth no-c
onfig-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup mcrentals address-pool mcrentalsvpn
vpngroup mcrentals dns-server 172.16.1.12
vpngroup mcrentals default-domain morgancityrentals.local
vpngroup mcrentals split-tunnel mcrentals_splitTunnelAcl
vpngroup mcrentals idle-time 1800
vpngroup mcrentals authentication-server RADIUS
vpngroup mcrentals user-authentication
vpngroup mcrentals password ********
telnet 172.16.1.0 255.255.255.0 inside
telnet 192.168.254.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 172.16.1.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:36199e59d80f74288fddf8842f154d37
: end
Avatar of suggestionstick
suggestionstick
Flag of Australia image

Hi

at which stage is it failing: has the isakmp been established

 show crypto isakmp sa

if not do can you paste a debug

debug crypto isakmp

has the ipsec tunnel come up

show crypto ipsec sa

if not do can you paste a debug

debug crypto ipsec

 to turn off the debugs use:

 no debug all



Avatar of mboudreaux
mboudreaux

ASKER

Here's the result of the sh crypto isakmp sa command. Also the Sonicwall log shows NO_PROPOSAL_CHOSEN. 74.x.x.186 is the remote Sonicwall. The active tunnel at 206.x.x.221 is the client's remote office where they have another PIX. 68.x.x.14 is my client VPV session from home. Thanks. I've made some configuration changes since the original post also. Is there any thing I'm missing?

Embryonic : 4
        dst               src        state     pending     created
   206.x.x.218    206.x.x.221    QM_IDLE         0           1
   206.x.x.218   74.x.x.186    MM_NO_STATE   0           0
   206.x.x.218   74.x.x.186   MM_NO_STATE   0           0
 206.x.x.218    74.x.x.186    MM_NO_STATE   0           0
  206.x.x.218    74.x.x.186    QM_IDLE         0           0
   206.x.x.218   74.x.x.186    MM_NO_STATE   0           0
206.x.x.218    68.x.x.14    QM_IDLE         0           3

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password teDzrkvUT00X2ctF encrypted
passwd v.hQtr3xQUfcFhzH encrypted
hostname MCR-MCY
domain-name ciscopix.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.16.1.7 MCR-SQL
name 206.x.x.12 BT-WEB3
name 206.x.x.10 WEBSERVER1
name 172.16.1.8 MCR-TS-TEST
access-list inside_outbound_nat0_acl permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl remark Dial VPN clients
access-list inside_outbound_nat0_acl permit ip 172.16.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.16.1.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list outside_access_in remark Public web server connection to SQL server
access-list outside_access_in permit tcp host WEBSERVER1 interface outside eq 1433
access-list outside_access_in permit ip host BT-WEB3 interface outside
access-list mcrentals_splitTunnelAcl permit ip 172.16.1.0 255.255.255.0 any
access-list outside_cryptomap_40 permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_cryptomap_60 permit ip 172.16.1.0 255.255.255.0 192.168.111.0 255.255.255.0
pager lines 24
logging on
logging monitor debugging
mtu outside 1500
mtu inside 1500
ip address outside 206.x.x.218 255.255.255.252
ip address inside 172.16.1.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool mcrentalsvpn 192.168.254.1-192.168.254.254
pdm location 0.0.0.0 0.0.0.0 outside
pdm location 0.0.0.0 0.0.0.0 inside
pdm location 172.16.1.2 255.255.255.255 inside
pdm location MCR-SQL 255.255.255.255 inside
pdm location 172.16.1.63 255.255.255.255 inside
pdm location 172.16.1.0 255.255.255.0 inside
pdm location 192.168.2.0 255.255.255.0 outside
pdm location WEBSERVER1 255.255.255.255 outside
pdm location BT-WEB3 255.255.255.255 outside
pdm location 206.x.x.111 255.255.255.255 outside
pdm location 206.x.x.42 255.255.255.255 outside
pdm location 172.16.1.3 255.255.255.255 inside
pdm location 172.16.1.12 255.255.255.255 inside
pdm location 192.168.254.0 255.255.255.0 inside
pdm location 192.168.111.0 255.255.255.0 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 9100 172.16.1.63 9100 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1433 MCR-SQL 1433 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ldap 172.16.1.2 ldap netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 172.16.1.12 3389 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 206.x.x.217 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 172.16.1.12 mcrsecret timeout 5
aaa-server RADIUS (inside) host 172.16.1.3 mcrsecret timeout 5
aaa-server LOCAL protocol local
ntp server 68.156.x.26 source outside prefer
http server enable
http 0.0.0.0 0.0.0.0 outside
http 172.16.1.0 255.255.255.0 inside
snmp-server host outside 206.x.x.42
snmp-server host outside 206.x.x.111 poll
snmp-server location Morgan City, LA
snmp-server contact CNSI
snmp-server community CNSInet
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
sysopt radius ignore-secret
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 206.x.x.221
crypto map outside_map 40 set peer 209.x.x.182
crypto map outside_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer 74.x.x.186
crypto map outside_map 60 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
crypto map inside_map client configuration address initiate
crypto map inside_map client configuration address respond
crypto map inside_map client authentication RADIUS
crypto map inside_map interface inside
isakmp enable outside
isakmp key ******** address 206.x.x.221 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 209.x.x.182 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 74.x.x.186 netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup mcrentals address-pool mcrentalsvpn
vpngroup mcrentals dns-server 172.16.1.12
vpngroup mcrentals default-domain morgancityrentals.local
vpngroup mcrentals split-tunnel mcrentals_splitTunnelAcl
vpngroup mcrentals idle-time 1800
vpngroup mcrentals authentication-server RADIUS
vpngroup mcrentals user-authentication
vpngroup mcrentals password ********
telnet 172.16.1.0 255.255.255.0 inside
telnet 192.168.254.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 172.16.1.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:ba49996c5afd712e95c79e1c0e524dfb
: end
SOLUTION
Avatar of suggestionstick
suggestionstick
Flag of Australia image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
This is the log on the Sonicwall.

VPN IKE      IKE Initiator: Received notify. NO_PROPOSAL_CHOSEN      74.x.x.186, 0, X0      68.x.x.141, 0, X0      
      
2      04/19/2009 21:16:35.096      Info      VPN IKE      RECEIVED<<< ISAKMP OAK INFO (InitCookie:0xf16a12615f33eeba RespCookie:0x757fb1cd4a292da1, MsgID: 0x4CDB9015) *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN)      68.x.x.141, 500      74.x.x.186, 500      
        
3      04/19/2009 21:16:35.032      Info      VPN IKE      SENDING>>>> ISAKMP OAK QM (InitCookie:0xf16a12615f33eeba RespCookie:0x757fb1cd4a292da1, MsgID: 0xCD8E4216) *(HASH, SA, NON, ID, ID)      74.x.x.186, 500      68.x.x.141, 500      
        
4      04/19/2009 21:16:35.032      Info      VPN IKE      IKE Initiator: Start Quick Mode (Phase 2).      74.x.x.186, 500      68.x.x.141, 500

Here is the result of the debug crypto ipsec command from the PIX while pinging a host from the remote network across the VPN.

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with  74.x.x.186
IPSEC(key_engine): got a queue event...
make sure that your interesting traffic ACL's are correct on each side

access-list outside_cryptomap_60 permit ip 172.16.1.0 255.255.255.0 192.168.111.0 255.255.255.0
&
destination network on the sonicwall
(step 4 in http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml)

Make sure that the destination network configured on the sonicwall matchs the remote network behind the PIX
ASKER CERTIFIED SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Issue is resolved.