Can't get a second VPN Connection with a cisco pix to work

StefanKittel
Hello,
I have a problem with a Cisco PIX. It's not my profession, but I got a VPN connection between two premises to work.
Now I need to add a connection to a logistics company, and they gave me a list with explicit information (3DES, SHA, PSK, etc.).
I did everything, but the PIX does not connect. The syslog server shows no errors, and the VPN count is still 2 (1 between the premises, and 1 by me (RAS)).

Maybe somebody can have a look at the configuration.
I don't have access to the other pix(es).

Result of firewall command: "show config"

I replaced the passwords and WAN IPs.
 
: Saved
: Written by format at 17:10:33.875 UTC Mon Jul 20 2009
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxx encrypted
hostname PIXVPN01
domain-name Domain.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.0.0 Extern1
name 10.160.0.0 Extern2
access-list inside_outbound_nat0_acl permit ip 192.168.20.0 255.255.255.0 Extern1 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.20.192 255.255.255.224
access-list inside_outbound_nat0_acl permit ip any 192.168.20.240 255.255.255.240
access-list inside_outbound_nat0_acl permit ip 192.168.20.0 255.255.255.0 Extern2 255.255.0.0
access-list outside_cryptomap_20 permit ip 192.168.20.0 255.255.255.0 Extern1 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.20.192 255.255.255.224
access-list outside_cryptomap_dyn_40 permit ip any 192.168.20.240 255.255.255.240
access-list outside_cryptomap_40 permit ip 192.168.20.0 255.255.255.0 Extern2 255.255.0.0
access-list 90 permit ip host 192.168.20.7 host 10.160.120.71
access-list 90 permit ip host 192.168.20.10 host 10.160.120.71
access-list 90 permit ip host 192.168.20.7 host 10.160.120.138
access-list 90 permit ip host 192.168.20.10 host 10.160.120.138
access-list 90 permit ip host 192.168.20.7 host 10.160.120.39
access-list 90 permit ip host 192.168.20.10 host 10.160.120.39
access-list 90 permit ip host 192.168.20.7 host 10.160.120.40
access-list 90 permit ip host 192.168.20.10 host 10.160.120.40
pager lines 24
logging on
logging trap warnings
logging host inside 192.168.20.6
mtu outside 1500
mtu inside 1500
ip address outside OwnPublicIP.162 255.255.255.248
ip address inside 192.168.20.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool LocalDomainShortName 192.168.20.240-192.168.20.254
pdm location 192.168.20.0 255.255.255.0 inside
pdm location Extern1 255.255.255.0 outside
pdm location 192.168.20.192 255.255.255.224 outside
pdm location 192.168.20.0 255.255.255.255 inside
pdm location Extern2 255.255.0.0 outside
pdm location 192.168.20.6 255.255.255.255 inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 OwnPublicIP 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.20.0 255.255.255.0 inside
http 192.168.20.3 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer Extern1PublicIP
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address 90
crypto map outside_map 40 set peer Extern2PublicIP
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 40 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map Extern2 20 ipsec-isakmp
crypto map Extern2 20 match address 90
crypto map Extern2 20 set peer Extern2PublicIP
crypto map Extern2 20 set transform-set ESP-3DES-SHA
isakmp enable outside
isakmp key ******** address Extern1PublicIP netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address Extern2PublicIP netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 3600
vpngroup LocalDomainShortName_Staff address-pool LocalDomainShortName
vpngroup LocalDomainShortName_Staff dns-server 192.168.20.5
vpngroup LocalDomainShortName_Staff wins-server 192.168.20.5
vpngroup LocalDomainShortName_Staff default-domain Domain.local
vpngroup LocalDomainShortName_Staff idle-time 1800
vpngroup LocalDomainShortName_Staff password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
username format password xxxxxxxxxxxx encrypted privilege 2
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxx

Thanks

Stefan
Istvan Kalmar, Head of IT Security Division, Top Expert 2010
Commented:
Could you show me:

sh cry isa sa
sh cry ips sa

Author

Commented:
Hello,

here we go:

sh cry isa sa
Total     : 2
Embryonic : 0
        dst               src        state     pending     created
  OwnPublicIP   DynamicPublicIP    QM_IDLE         0           1
  OwnPublicIP     Extern1PublicIP    QM_IDLE         0           2
LMDEHAVPN1# sh cry ips sa


interface: outside
    Crypto map tag: outside_map, local addr. OwnPublicIP

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.20.240/255.255.255.255/0/0)
   current_peer: DynamicPublicIP:500
   dynamic allocated peer ip: 192.168.20.240

     PERMIT, flags={}
    #pkts encaps: 6502, #pkts encrypt: 6502, #pkts digest 6502
    #pkts decaps: 6133, #pkts decrypt: 6133, #pkts verify 6133
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: OwnPublicIP, remote crypto endpt.: DynamicPublicIP
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 64124a1

     inbound esp sas:
      spi: 0x2421ff3(37887987)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 8, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4607263/25823)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x64124a1(104932513)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 7, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4605367/25816)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (LMUK/255.255.255.0/0/0)
   current_peer: Extern1PublicIP:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 660908, #pkts encrypt: 660908, #pkts digest 660908
    #pkts decaps: 833126, #pkts decrypt: 833264, #pkts verify 833264
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: OwnPublicIP, remote crypto endpt.: Extern1PublicIP
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 87255bbb

     inbound esp sas:
      spi: 0x40bb28fc(1086007548)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4547678/7370)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x87255bbb(2267372475)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4499296/7369)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (DHL/255.255.0.0/0/0)
   current_peer: Extern2PublicIP:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 22, #recv errors 0

     local crypto endpt.: OwnPublicIP, remote crypto endpt.: Extern2PublicIP
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:

Thanks

Stefan
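The `show crypto ipsec sa` output above is long, and the one thing that matters is buried in it: the Extern2 flow has no inbound or outbound ESP SAs, `current outbound spi: 0`, a peer port of 0 and a climbing send-error count. The script below is an added example (not from the thread, not Cisco code) that parses PIX 6.x output of that shape into one record per flow and classifies each one. The `SAMPLE` text is constructed to mirror the posted output, with documentation addresses standing in for the redacted public IPs.

```python
"""Parse PIX 6.x 'show crypto ipsec sa' output and flag flows whose IPsec SA
never came up. Added example, not from the thread or from Cisco; SAMPLE is
constructed to mirror the shape of the output posted in the thread, with
documentation addresses in place of the redacted public IPs."""
import re

SAMPLE = """\
interface: outside
    Crypto map tag: outside_map, local addr. 198.51.100.2

   local  ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   current_peer: 203.0.113.10:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 660908, #pkts encrypt: 660908, #pkts digest 660908
    #pkts decaps: 833126, #pkts decrypt: 833264, #pkts verify 833264
    #send errors 1, #recv errors 0

     local crypto endpt.: 198.51.100.2, remote crypto endpt.: 203.0.113.10
     current outbound spi: 87255bbb

     inbound esp sas:
      spi: 0x40bb28fc(1086007548)
        transform: esp-3des esp-md5-hmac ,

     outbound esp sas:
      spi: 0x87255bbb(2267372475)
        transform: esp-3des esp-md5-hmac ,


   local  ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.160.0.0/255.255.0.0/0/0)
   current_peer: 203.0.113.20:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 22, #recv errors 0

     local crypto endpt.: 198.51.100.2, remote crypto endpt.: 203.0.113.20
     current outbound spi: 0

     inbound esp sas:


     outbound esp sas:

"""


def _count_esp(chunk, direction):
    """Number of 'spi: 0x...' lines under the '<direction> esp sas:' heading."""
    sect = re.search(rf"^\s*{direction} esp sas:\n(.*?)(?=^\s*(?:inbound|outbound) \w+ sas:|\Z)",
                     chunk, re.S | re.M)
    return len(re.findall(r"^\s*spi: 0x", sect.group(1), re.M)) if sect else 0


def parse_ipsec_sa(text):
    """One record per local/remote identity pair (one per crypto ACL line in use)."""
    records = []
    for chunk in re.split(r"(?=^\s*local\s+ident)", text, flags=re.M):
        if not re.search(r"^\s*local\s+ident", chunk, re.M):
            continue  # interface header before the first flow

        def grab(pat, cast=str, default=None):
            m = re.search(pat, chunk, re.M)
            return cast(m.group(1)) if m else default

        peer = re.search(r"current_peer:\s*([\d.]+):(\d+)", chunk)
        records.append({
            "local": grab(r"local\s+ident.*?:\s*\(([^)]*)\)"),
            "remote": grab(r"remote\s+ident.*?:\s*\(([^)]*)\)"),
            "peer": peer.group(1) if peer else None,
            "peer_port": int(peer.group(2)) if peer else None,
            "encaps": grab(r"#pkts encaps:\s*(\d+)", int, 0),
            "decaps": grab(r"#pkts decaps:\s*(\d+)", int, 0),
            "send_errors": grab(r"#send errors\s*(\d+)", int, 0),
            "outbound_spi": grab(r"current outbound spi:\s*([0-9a-fA-F]+)", str, "0"),
            "esp_in": _count_esp(chunk, "inbound"),
            "esp_out": _count_esp(chunk, "outbound"),
        })
    return records


def diagnose(rec):
    """Classify a flow along the lines of the answer given in the thread."""
    if rec["esp_in"] and rec["esp_out"]:
        return "up" if rec["encaps"] or rec["decaps"] else "up, idle"
    if rec["outbound_spi"] == "0" and not (rec["esp_in"] or rec["esp_out"]):
        why = (f"no IPsec SA with {rec['peer']}: phase 2 never completed "
               "(mirror the crypto ACLs, compare transform sets) or no traffic matched yet")
        if rec["send_errors"]:
            # send errors on a flow with no SA usually mean packets did match the
            # crypto ACL and were dropped while the SA failed to come up
            why += f"; {rec['send_errors']} send errors suggest traffic is matching"
        return why
    return "one-directional or stale SA, re-key or clear and re-trigger"


def report(text):
    """Map each peer address to its diagnosis."""
    return {r["peer"]: diagnose(r) for r in parse_ipsec_sa(text)}


if __name__ == "__main__":
    for peer, status in report(SAMPLE).items():
        print(f"{peer}: {status}")
```

Run against the real output (paste it into `SAMPLE` or read it from a file), the working Extern1 flow reports `up` and the Extern2 flow reports that no SA exists and that the 22 send errors indicate traffic is already matching the crypto ACL, which narrows the fault to the phase 2 negotiation rather than to missing interesting traffic.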
Istvan Kalmar, Head of IT Security Division, Top Expert 2010
Commented:
Hi,

Did you make symmetric access-lists on both sides for crypto?
Author

Commented:
Hello,

We defined the "access-list 90". I don't have access to the other side, but they told me they did.

"current_peer: Extern2PublicIP:0"
The zero looks wrong?

Stefan
Stefan,
this is showing as 0 because of this:
 current outbound spi: 0           (about 10 lines below)
and this is 0 because there has either been a failure in negotiating IPsec between the sites, or because there has not been any traffic that initiated bringing the IPsec tunnel up. The most likely reason that would happen is that the access lists at each end are not exact reversals of each other, or there just was not any traffic that matched your list 90, or the transform set parameters don't match the config at the other end.

Check the lists, and if no go, "debug cry ipsec" and enable buffer logging (logging buffered debug; logging buffer 64000), then push some test traffic through, then "show log" to see what has happened. Don't forget "undebug all" when you are finished.
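The "exact reversal" check is easy to get wrong by hand when an ACL has eight host-to-host lines, so here is an added example (not from the thread, not Cisco code) that parses PIX `access-list ... permit ip` lines and reports every line the far end is missing, and every line the far end has that does not mirror anything on the near end. `LOCAL_ACL` is the `access-list 90` posted in the thread; `REMOTE_ACL` is constructed (the author had no access to the other PIX) with the hypothetical ACL name `vpn_to_stefan`, and it deliberately contains two common mistakes: two missing mirror lines, and a whole /24 used in place of the individual hosts.

```python
"""Check that two crypto ACLs are exact mirrors of each other. Added example,
not from the thread or from Cisco. LOCAL_ACL is the access-list 90 posted in
the thread; REMOTE_ACL is constructed, with the hypothetical name vpn_to_stefan,
to show what a mismatch report looks like."""
from dataclasses import dataclass

LOCAL_ACL = """\
access-list 90 permit ip host 192.168.20.7 host 10.160.120.71
access-list 90 permit ip host 192.168.20.10 host 10.160.120.71
access-list 90 permit ip host 192.168.20.7 host 10.160.120.138
access-list 90 permit ip host 192.168.20.10 host 10.160.120.138
access-list 90 permit ip host 192.168.20.7 host 10.160.120.39
access-list 90 permit ip host 192.168.20.10 host 10.160.120.39
access-list 90 permit ip host 192.168.20.7 host 10.160.120.40
access-list 90 permit ip host 192.168.20.10 host 10.160.120.40
""".splitlines()

# Constructed far end: the .40 entries are missing and one line uses a whole
# /24 instead of the individual hosts, both common ways a mirror goes wrong.
REMOTE_ACL = """\
access-list vpn_to_stefan permit ip host 10.160.120.71 host 192.168.20.7
access-list vpn_to_stefan permit ip host 10.160.120.71 host 192.168.20.10
access-list vpn_to_stefan permit ip host 10.160.120.138 host 192.168.20.7
access-list vpn_to_stefan permit ip host 10.160.120.138 host 192.168.20.10
access-list vpn_to_stefan permit ip host 10.160.120.39 host 192.168.20.7
access-list vpn_to_stefan permit ip host 10.160.120.39 host 192.168.20.10
access-list vpn_to_stefan permit ip 10.160.120.0 255.255.255.0 192.168.20.0 255.255.255.0
""".splitlines()


@dataclass(frozen=True)
class Entry:
    src: str
    src_mask: str
    dst: str
    dst_mask: str

    def mirrored(self):
        """The line the other side must carry: source and destination swapped."""
        return Entry(self.dst, self.dst_mask, self.src, self.src_mask)

    def render(self, name):
        """Back to PIX syntax, so the report can be pasted into a change request."""
        return f"access-list {name} permit ip {_fmt(self.src, self.src_mask)} {_fmt(self.dst, self.dst_mask)}"


def _fmt(addr, mask):
    if mask == "255.255.255.255":
        return f"host {addr}"
    if addr == "0.0.0.0" and mask == "0.0.0.0":
        return "any"
    return f"{addr} {mask}"


def _addr(tokens, i):
    """Consume one PIX address spec at tokens[i]: 'host A', 'any', or 'A MASK'."""
    if tokens[i] == "host":
        return tokens[i + 1], "255.255.255.255", i + 2
    if tokens[i] == "any":
        return "0.0.0.0", "0.0.0.0", i + 1
    return tokens[i], tokens[i + 1], i + 2


def parse_acl(lines, name=None):
    """Set of permit-ip entries from 'access-list' lines, optionally one ACL name only."""
    entries = set()
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or (name and t[1] != name):
            continue
        if t[2] != "permit" or t[3] != "ip":
            continue  # crypto ACLs should be plain 'permit ip'; anything else is suspect
        src, sm, i = _addr(t, 4)
        dst, dm, _ = _addr(t, i)
        entries.add(Entry(src, sm, dst, dm))
    return entries


def mirror_check(local, remote):
    """Entries the far end lacks, and entries it has that mirror nothing on the near end."""
    expected = {e.mirrored() for e in local}
    return {"missing_on_remote": expected - remote, "extra_on_remote": remote - expected}


if __name__ == "__main__":
    diff = mirror_check(parse_acl(LOCAL_ACL, "90"), parse_acl(REMOTE_ACL))
    for e in sorted(diff["missing_on_remote"], key=str):
        print("far end is missing:", e.render("vpn_to_stefan"))
    for e in sorted(diff["extra_on_remote"], key=str):
        print("far end has an unmirrored line:", e.render("vpn_to_stefan"))
```

Both reports matter: a line missing on the far end means its proxy identity will never be proposed, and an unmirrored /24 on the far end means the far end proposes a proxy identity the near end rejects, so phase 2 fails either way even though phase 1 looks healthy in `show crypto isakmp sa`.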
Hi there,

A Cisco "specialist" solved the problem. It was a missing hidden checkbox and a wrong static route in a server.

Thanks

Stefan
