?
Solved

site to site VPN with a Cisco PIX and Sonicwall Enhanced OS

Posted on 2009-04-16
8
Medium Priority
?
1,168 Views
Last Modified: 2012-05-06
I am trying to configure a site to site tunnel between a Sonicwall Pro 2040 and a Cisco PIX. I can not get the the tunnel to establish at all. I have verified that all settings match on each peer. I am confident that the Sonic Wall is configured correctly. However, this is the first time I have tried to configure a VPN on a PIX. I have copied the entire PIX config. For the sake of troubleshooting the remote router is 2.2.2.2. The remote LAN is 192.168.111.0. The crypto map is called outside_map and the sequence number I'm using is 60. Thanks everyone.

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password teDzrkvUT00X2ctF encrypted
passwd v.hQtr3xQUfcFhzH encrypted
hostname MCR-MCY
domain-name ciscopix.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.16.1.7 MCR-SQL
name x.x.x.x BT-WEB3
name x.x.x.x WEBSERVER1
name 172.16.1.8 MCR-TS-TEST
access-list inside_outbound_nat0_acl permit ip 172.16.1.0 255.255.255.0 192.168.
2.0 255.255.255.0
access-list inside_outbound_nat0_acl remark Dial VPN clients
access-list inside_outbound_nat0_acl permit ip 172.16.1.0 255.255.255.0 192.168.
254.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.16.1.0 255.255.255.0 192.168.
111.0 255.255.255.0
access-list outside_access_in remark Public web server connection to SQL server
access-list outside_access_in permit tcp host WEBSERVER1 interface outside eq 14
33
access-list outside_access_in permit ip host BT-WEB3 interface outside
access-list mcrentals_splitTunnelAcl permit ip 172.16.1.0 255.255.255.0 any
access-list outside_cryptomap_40 permit ip 172.16.1.0 255.255.255.0 192.168.2.0
255.255.255.0
access-list 60 permit ip 172.16.1.0 255.255.255.0 192.168.111.0 255.255.255.0
pager lines 24
logging on
logging monitor debugging
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.252
ip address inside 172.16.1.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool mcrentalsvpn 192.168.254.1-192.168.254.254
pdm location 0.0.0.0 0.0.0.0 outside
pdm location 0.0.0.0 0.0.0.0 inside
pdm location 172.16.1.2 255.255.255.255 inside
pdm location MCR-SQL 255.255.255.255 inside
pdm location 172.16.1.63 255.255.255.255 inside
pdm location 172.16.1.0 255.255.255.0 inside
pdm location 192.168.2.0 255.255.255.0 outside
pdm location WEBSERVER1 255.255.255.255 outside
pdm location BT-WEB3 255.255.255.255 outside
pdm location x.x.x.x 255.255.255.255 outside
pdm location x.x.x.x 255.255.255.255 outside
pdm location 172.16.1.3 255.255.255.255 inside
pdm location 172.16.1.12 255.255.255.255 inside
pdm location 192.168.254.0 255.255.255.0 inside
pdm location 192.168.111.0 255.255.255.0 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 9100 172.16.1.63 9100 netmask 255.255.255.
255 0 0
static (inside,outside) tcp interface 1433 MCR-SQL 1433 netmask 255.255.255.255
0 0
static (inside,outside) tcp interface ldap 172.16.1.2 ldap netmask 255.255.255.2
55 0 0
static (inside,outside) tcp interface 3389 172.16.1.12 3389 netmask 255.255.255.
255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 206.41.39.217 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 172.16.1.12 mcrsecret timeout 5
aaa-server RADIUS (inside) host 172.16.1.3 mcrsecret timeout 5
aaa-server LOCAL protocol local
ntp server 68.156.116.26 source outside prefer
http server enable
http 0.0.0.0 0.0.0.0 outside
http 172.16.1.0 255.255.255.0 inside
snmp-server host outside 206.40.234.42
snmp-server host outside 206.41.38.111 poll
snmp-server location Morgan City, LA
snmp-server contact CNSI
snmp-server community CNSInet
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
sysopt radius ignore-secret
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer x.x.x.x
crypto map outside_map 40 set peer x.x.x.x
crypto map outside_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address 60
crypto map outside_map 60 set peer 2.2.2.2
crypto map outside_map 60 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
crypto map inside_map client configuration address initiate
crypto map inside_map client configuration address respond
crypto map inside_map client authentication RADIUS
crypto map inside_map interface inside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-co
nfig-mode
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-c
onfig-mode
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255 no-xauth no-c
onfig-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup mcrentals address-pool mcrentalsvpn
vpngroup mcrentals dns-server 172.16.1.12
vpngroup mcrentals default-domain morgancityrentals.local
vpngroup mcrentals split-tunnel mcrentals_splitTunnelAcl
vpngroup mcrentals idle-time 1800
vpngroup mcrentals authentication-server RADIUS
vpngroup mcrentals user-authentication
vpngroup mcrentals password ********
telnet 172.16.1.0 255.255.255.0 inside
telnet 192.168.254.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 172.16.1.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:36199e59d80f74288fddf8842f154d37
: end
0
Comment
Question by:mboudreaux
  • 5
  • 3
8 Comments
 
LVL 5

Expert Comment

by:suggestionstick
ID: 24173908
Hi

at which stage is it failing: has the isakmp been established

 show crypto isakmp sa

if not do can you paste a debug

debug crypto isakmp

has the ipsec tunnel come up

show crypto ipsec sa

if not do can you paste a debug

debug crypto ipsec

 to turn off the debugs use:

 no debug all



0
 

Author Comment

by:mboudreaux
ID: 24175953
Here's the result of the sh crypto isakmp sa command. Also the Sonicwall log shows NO_PROPOSAL_CHOSEN. 74.x.x.186 is the remote Sonicwall. The active tunnel at 206.x.x.221 is the client's remote office where they have another PIX. 68.x.x.14 is my client VPV session from home. Thanks. I've made some configuration changes since the original post also. Is there any thing I'm missing?

Embryonic : 4
        dst               src        state     pending     created
   206.x.x.218    206.x.x.221    QM_IDLE         0           1
   206.x.x.218   74.x.x.186    MM_NO_STATE   0           0
   206.x.x.218   74.x.x.186   MM_NO_STATE   0           0
 206.x.x.218    74.x.x.186    MM_NO_STATE   0           0
  206.x.x.218    74.x.x.186    QM_IDLE         0           0
   206.x.x.218   74.x.x.186    MM_NO_STATE   0           0
206.x.x.218    68.x.x.14    QM_IDLE         0           3

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password teDzrkvUT00X2ctF encrypted
passwd v.hQtr3xQUfcFhzH encrypted
hostname MCR-MCY
domain-name ciscopix.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.16.1.7 MCR-SQL
name 206.x.x.12 BT-WEB3
name 206.x.x.10 WEBSERVER1
name 172.16.1.8 MCR-TS-TEST
access-list inside_outbound_nat0_acl permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl remark Dial VPN clients
access-list inside_outbound_nat0_acl permit ip 172.16.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.16.1.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list outside_access_in remark Public web server connection to SQL server
access-list outside_access_in permit tcp host WEBSERVER1 interface outside eq 1433
access-list outside_access_in permit ip host BT-WEB3 interface outside
access-list mcrentals_splitTunnelAcl permit ip 172.16.1.0 255.255.255.0 any
access-list outside_cryptomap_40 permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_cryptomap_60 permit ip 172.16.1.0 255.255.255.0 192.168.111.0 255.255.255.0
pager lines 24
logging on
logging monitor debugging
mtu outside 1500
mtu inside 1500
ip address outside 206.x.x.218 255.255.255.252
ip address inside 172.16.1.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool mcrentalsvpn 192.168.254.1-192.168.254.254
pdm location 0.0.0.0 0.0.0.0 outside
pdm location 0.0.0.0 0.0.0.0 inside
pdm location 172.16.1.2 255.255.255.255 inside
pdm location MCR-SQL 255.255.255.255 inside
pdm location 172.16.1.63 255.255.255.255 inside
pdm location 172.16.1.0 255.255.255.0 inside
pdm location 192.168.2.0 255.255.255.0 outside
pdm location WEBSERVER1 255.255.255.255 outside
pdm location BT-WEB3 255.255.255.255 outside
pdm location 206.x.x.111 255.255.255.255 outside
pdm location 206.x.x.42 255.255.255.255 outside
pdm location 172.16.1.3 255.255.255.255 inside
pdm location 172.16.1.12 255.255.255.255 inside
pdm location 192.168.254.0 255.255.255.0 inside
pdm location 192.168.111.0 255.255.255.0 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 9100 172.16.1.63 9100 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1433 MCR-SQL 1433 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ldap 172.16.1.2 ldap netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 172.16.1.12 3389 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 206.x.x.217 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 172.16.1.12 mcrsecret timeout 5
aaa-server RADIUS (inside) host 172.16.1.3 mcrsecret timeout 5
aaa-server LOCAL protocol local
ntp server 68.156.x.26 source outside prefer
http server enable
http 0.0.0.0 0.0.0.0 outside
http 172.16.1.0 255.255.255.0 inside
snmp-server host outside 206.x.x.42
snmp-server host outside 206.x.x.111 poll
snmp-server location Morgan City, LA
snmp-server contact CNSI
snmp-server community CNSInet
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
sysopt radius ignore-secret
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 206.x.x.221
crypto map outside_map 40 set peer 209.x.x.182
crypto map outside_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer 74.x.x.186
crypto map outside_map 60 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
crypto map inside_map client configuration address initiate
crypto map inside_map client configuration address respond
crypto map inside_map client authentication RADIUS
crypto map inside_map interface inside
isakmp enable outside
isakmp key ******** address 206.x.x.221 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 209.x.x.182 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 74.x.x.186 netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup mcrentals address-pool mcrentalsvpn
vpngroup mcrentals dns-server 172.16.1.12
vpngroup mcrentals default-domain morgancityrentals.local
vpngroup mcrentals split-tunnel mcrentals_splitTunnelAcl
vpngroup mcrentals idle-time 1800
vpngroup mcrentals authentication-server RADIUS
vpngroup mcrentals user-authentication
vpngroup mcrentals password ********
telnet 172.16.1.0 255.255.255.0 inside
telnet 192.168.254.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 172.16.1.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:ba49996c5afd712e95c79e1c0e524dfb
: end
0
 
LVL 5

Assisted Solution

by:suggestionstick
suggestionstick earned 2000 total points
ID: 24177622
Hi h

Looks like there is a configuration difference between the 2 devices:

what is the format of security policy name on the sonic: plain text name or formated like a domain name
your pix by default is configured use the IP address for isakmp identity, so your security policy name  on the sonic should not be formatted like a domain.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml
http://www.sonicwall.com/downloads/Firmware_6.x_VPN_Interop_SonicWALL_VPN_Cisco_IOS_Using_IKE.pdf
 
double check your isakmp setting on each side

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400

make sure that your interesting traffic ACL's are correct on each side

access-list outside_cryptomap_60 permit ip 172.16.1.0 255.255.255.0 192.168.111.0 255.255.255.0
&
destination network on the sonicwall
(step 4 in http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml)

and if possible provide the debugs



0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:mboudreaux
ID: 24181595
This is the log on the Sonicwall.

VPN IKE      IKE Initiator: Received notify. NO_PROPOSAL_CHOSEN      74.x.x.186, 0, X0      68.x.x.141, 0, X0      
      
2      04/19/2009 21:16:35.096      Info      VPN IKE      RECEIVED<<< ISAKMP OAK INFO (InitCookie:0xf16a12615f33eeba RespCookie:0x757fb1cd4a292da1, MsgID: 0x4CDB9015) *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN)      68.x.x.141, 500      74.x.x.186, 500      
        
3      04/19/2009 21:16:35.032      Info      VPN IKE      SENDING>>>> ISAKMP OAK QM (InitCookie:0xf16a12615f33eeba RespCookie:0x757fb1cd4a292da1, MsgID: 0xCD8E4216) *(HASH, SA, NON, ID, ID)      74.x.x.186, 500      68.x.x.141, 500      
        
4      04/19/2009 21:16:35.032      Info      VPN IKE      IKE Initiator: Start Quick Mode (Phase 2).      74.x.x.186, 500      68.x.x.141, 500

0
 

Author Comment

by:mboudreaux
ID: 24181695
Here is the result of the debug crypto ipsec command from the PIX while pinging a host from the remote network across the VPN.

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with  74.x.x.186
IPSEC(key_engine): got a queue event...
0
 
LVL 5

Expert Comment

by:suggestionstick
ID: 24181760
make sure that your interesting traffic ACL's are correct on each side

access-list outside_cryptomap_60 permit ip 172.16.1.0 255.255.255.0 192.168.111.0 255.255.255.0
&
destination network on the sonicwall
(step 4 in http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml)

Make sure that the destination network configured on the sonicwall matchs the remote network behind the PIX
0
 

Accepted Solution

by:
mboudreaux earned 0 total points
ID: 24230877
I used PDM to change the device ID in the isakmp policy to IP ADDRESS rather than HOST NAME to resolve the problem. The SonicWall also uses IP ADDRES by default. Thanks for the help.
0
 

Author Comment

by:mboudreaux
ID: 24230892
Issue is resolved.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
Powerful tools can do wonders, but only in the right hands.  Nowhere is this more obvious than with the cloud.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Suggested Courses

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question