• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 865

Dynamic PIX 501 6.3 to Static PIX 515e 6.3 Site-to-Site VPN

I've been trying to set up this VPN for a few days now. It consists of one PIX 515e on a static IP address and one PIX 501 on a dynamic IP address. I've been following this Cisco example:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml

Both devices are running software version 6.3.

The last time I set them up I tried to follow the example as closely as possible, including the host names. Lion has the static IP 69.169.146.8 and Tiger grabs a dynamic IP. I was wondering if anyone can find any errors in my config file or at least help me do some troubleshooting. 'show crypto isakmp sa' produces nothing and 'show crypto ipsec sa' doesn't show anything being transferred. Here are the config files:

Lion (Static 515):

PIX Version 6.3(5)
interface ethernet0 10baset
interface ethernet1 100full
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password **** encrypted
passwd **** encrypted
hostname lion
domain-name cisco.com
clock timezone MST -7
clock summer-time MDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 permit ip 10.2.2.0 255.255.255.0 10.3.3.0 255.255.255.0
pager lines 24
logging on
logging buffered debugging
logging trap errors
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 69.169.146.8 255.255.255.0
ip address inside 10.2.2.1 255.255.255.0
no ip address dmz
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 69.169.146.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key cisco123 address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.2.2.10-10.2.2.30 inside
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:****


Tiger (Dynamic 501):

PIX Version 6.3(5)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **** encrypted
passwd **** encrypted
hostname tiger
domain-name cisco.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit icmp any any
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
pager lines 50
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 101
crypto map newmap 10 set peer 69.169.146.8
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key cisco123 address 69.169.146.8 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh 10.2.2.10 255.255.255.255 inside
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 10.1.1.10-10.1.1.30 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username bomis password xlcxmvUepn4tLD7g encrypted privilege 15
terminal width 80
Asked by: frebb
2 Solutions
 
geergonCommented:
You do not have any isakmp policy in LION

Please add this:

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
 
frebbAuthor Commented:
After posting I went and added the rest of the code from the example. I still don't have a connection though. Here is the code I added:

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup unityclient address-pool clientpool
vpngroup unityclient dns-server 10.1.1.3
vpngroup unityclient wins-server 10.1.1.3
vpngroup unityclient default-domain cisco.com
vpngroup unityclient idle-time 1800
vpngroup unityclient password ********


I don't need the stuff above that you didn't tell me to add unless I am using a VPN client, correct?
 
geergonCommented:
That is correct; if you are not using VPN clients, you do not need the vpngroup commands.

Try to set this on the LION FW:
isakmp key cisco123 address 0.0.0.0 netmask 0.0.0.0 no-xauth no-con

After that, try to bring the tunnel up from Tiger by doing:
ping inside 10.2.2.1

Then set the debugs on Lion:
debug crypto isa 150
debug crypto ipsec 150

And post the output information please.
 
frebbAuthor Commented:
I entered the command and issued the ping and the VPN light came on (on the 501) as well as showing there was an active tunnel in the PDM monitor. I was unable to ping though.

tiger(config)# ping inside 10.2.2.1
        10.2.2.1 NO response received -- 1000ms

Lion output from debug crypto isa 150 (I should note that Tiger usually acquires the address: 69.169.146.90).

lion(config)# debug crypto isa 150
lion(config)#
PEER_REAPER_TIMER
PEER_REAPER_TIMER
......
REAPER_TIMER
ISADB: reaper checking SA 0xedf444, conn_id = 0
PEER_REAPER_TIMER
......

ISAKMP msg received
crypto_isakmp_process_block:src:69.169.146.190, dest:69.169.146.8 spt:500 dpt:500
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x0

validate_payload: len 80
valid_payload:
valid_sa:
valid_transform:
isadb_create_sa:
crypto_isakmp_init_phase1_fields: responder
is_auth_policy_configured: auth 4
gen_cookie:
gen_cookie:
OAK_MM exchange
oakley_process_mm:
OAK_MM_NO_STATE
process_isakmp_packet:
process_sa: mess_id 0x0
ISAKMP (0): processing SA payload. message ID = 0

check_isakmp_proposal:
is_auth_policy_configured: auth 1
is_auth_policy_configured: auth 4
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 1000
ISAKMP (0): atts are acceptable. Next payload is 0
crypto_generate_DH_parameters: dhset 0xedf6fc, phase 0
DH_ALG_PHASE1
process_sa: DONE - status 0x0
delete_sa_offers:
process_isakmp_packet: OAK_MM
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
construct_header: message_id 0x0
construct_isakmp_sa: auth 7
set_proposal: protocol 0x1, proposal_num 1, extra_info 0x7
return status is IKMP_NO_ERROR
throw: mess_id 0x0
send_response:
isakmp_send: ip 69.169.146.190, port 500

ISAKMP msg received
crypto_isakmp_process_block:src:69.169.146.190, dest:69.169.146.8 spt:500 dpt:500
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0x0

validate_payload: len 80
valid_payload:
valid_sa:
valid_transform:
isadb_create_sa:
crypto_isakmp_init_phase1_fields: responder
is_auth_policy_configured: auth 4
gen_cookie:
gen_cookie:
OAK_MM exchange
oakley_process_mm:
OAK_MM_NO_STATE
process_isakmp_packet:
process_sa: mess_id 0x0
ISAKMP (0): processing SA payload. message ID = 0

check_isakmp_proposal:
is_auth_policy_configured: auth 1
is_auth_policy_configured: auth 4
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 1000
ISAKMP (0): atts are acceptable. Next payload is 0
crypto_generate_DH_parameters: dhset 0xee141c, phase 0
DH_ALG_PHASE1
process_sa: DONE - status 0x0
delete_sa_offers:
process_isakmp_packet: OAK_MM
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
construct_header: message_id 0x0
construct_isakmp_sa: auth 7
set_proposal: protocol 0x1, proposal_num 1, extra_info 0x7
return status is IKMP_NO_ERROR
throw: mess_id 0x0
send_response:
isakmp_send: ip 69.169.146.190, port 500

ISAKMP msg received
crypto_isakmp_process_block:src:69.169.146.190, dest:69.169.146.8 spt:500 dpt:500
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0xedf444

validate_payload: len 224
valid_payload:
valid_payload:
valid_payload:
valid_payload:
valid_payload:
valid_payload:
OAK_MM exchange
oakley_process_mm:
OAK_MM_SA_SETUP
process_isakmp_packet:
process_ke:
ISAKMP (0): processing KE payload. message ID = 0

crypto_generate_DH_parameters: dhset 0xedf6fc, phase 1
DH_ALG_PHASE2
process_isakmp_packet: OAK_MM
process_nonce:
ISAKMP (0): processing NONCE payload. message ID = 0

process_isakmp_packet: OAK_MM
pix_create_skeys:
skey_pre_shar:
process_vendor_id:
ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

process_isakmp_packet: OAK_MM
process_vendor_id:
ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

process_isakmp_packet: OAK_MM
process_vendor_id:
ISAKMP (0): processing vendor id payload

not cisco peer
process_udp_enc_vendor_id:
process_isakmp_packet: OAK_MM
process_vendor_id:
ISAKMP (0): processing vendor id payload


ISAKMP msg received
crypto_isakmp_process_block:src:69.169.146.190, dest:69.169.146.8 spt:500 dpt:500
gen_cookie:
fill_sa_key:
gen_cookie:isadb_search returned sa = 0xedf444

isakmp_ce_decrypt_payload:
pix_des_decrypt: data 0x823e28, len 48
des_encdec:
validate_payload: len 76
valid_payload:
valid_payload:
OAK_MM exchange

ISAKMP msg received

ISAKMP msg received
REAPER_TIMER
ISADB: reaper checking SA 0xedf444, conn_id = 0
PEER_REAPER_TIMER


The 'debug crypto ipsec 150' command output the following:

lion(config)# IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 69.169.146.8, src= 69.169.146.190,
    dest_proxy= 10.2.2.0/255.255.255.0/0/0 (type=4),
    src_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x840b2e31(2215325233) for SA
        from  69.169.146.190 to    69.169.146.8 for prot 3
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
  (key eng. msg.) dest= 69.169.146.8, src= 69.169.146.190,
    dest_proxy= 10.2.2.0/255.255.255.0/0/0 (type=4),
    src_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 28800s and 4608000kb,
    spi= 0x840b2e31(2215325233), conn_id= 1, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
  (key eng. msg.) src= 69.169.146.8, dest= 69.169.146.190,
    src_proxy= 10.2.2.0/255.255.255.0/0/0 (type=4),
    dest_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 28800s and 4608000kb,
    spi= 0x93ebefc4(2481713092), conn_id= 2, keysize= 0, flags= 0x4
 
frebbAuthor Commented:
Then i got this message a few times on Lion:

IPSEC(sw_esp_decap): fail antireplay check
IPSEC(cipher_ipsec_request): decap failed for 69.169.146.190 -> 69.169.146.8
IPSEC(sw_esp_decap): fail antireplay check
IPSEC(cipher_ipsec_request): decap failed for 69.169.146.190 -> 69.169.146.8
IPSEC(sw_esp_decap): fail antireplay check
 
geergonCommented:
Set this on both sides:
fixup protocol icmp

And add the output of the command "show crypto ipsec sa" after trying to send more traffic.
 
frebbAuthor Commented:
That exact command didn't work; it told me the command I could enter was 'fixup protocol icmp error', so I did that. Let me know if you intended something else. Following are the requested outputs:


This is the output from Lion:

lion(config)# show crypto ipsec sa

interface: outside
    Crypto map tag: dyn-map, local addr. 69.169.146.8

   local  ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer: 69.169.146.190:500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 69.169.146.8, remote crypto endpt.: 69.169.146.190
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 424986b

     inbound esp sas:
      spi: 0xa2e8fa40(2733177408)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: dyn-map
        sa timing: remaining key lifetime (k/sec): (4608000/28779)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x424986b(69507179)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: dyn-map
        sa timing: remaining key lifetime (k/sec): (4608000/28779)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

lion(config)#



Here is the output for Tiger:

tiger(config)# show crypto ipsec sa

interface: outside
    Crypto map tag: newmap, local addr. 69.169.146.190

   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer: 69.169.146.8:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 69.169.146.190, remote crypto endpt.: 69.169.146.8
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 8a91b288

     inbound esp sas:
      spi: 0x63f84028(1677213736)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: newmap
        sa timing: remaining key lifetime (k/sec): (4608000/28788)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8a91b288(2324804232)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: newmap
        sa timing: remaining key lifetime (k/sec): (4608000/28786)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

tiger(config)#

 
geergonCommented:
I do not see encryptions or decryptions....

Please set
sysopt connection tcpmss 1380

Enable logging
logging on
logging buffered 7

Try to send more traffic through the tunnel; after that, do "show logging" very quickly and verify whether there is something useful that can guide us to the core of the problem.
 
frebbAuthor Commented:
I enabled the logging and the other command. Using a browser to go to the IP of Lion, I generated the following log. You can see that at the bottom of this log file snippet:

lion(config)# show logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 432 messages logged
    Trap logging: level errors, 0 messages logged
    History logging: disabled
    Device ID: disabled
carded from 0.0.0.0/68 to outside:255.255.255.255/bootps
710005: TCP request discarded from 216.155.194.229/80 to outside:69.169.146.8/1353
710005: TCP request discarded from 216.155.194.229/80 to outside:69.169.146.8/1353
710005: UDP request discarded from 69.169.147.59/52651 to outside:255.255.255.255/2223
710005: UDP request discarded from 0.0.0.0/68 to outside:255.255.255.255/bootps
710005: UDP request discarded from 0.0.0.0/68 to outside:255.255.255.255/bootps
710005: UDP request discarded from 0.0.0.0/68 to outside:255.255.255.255/bootps
710005: UDP request discarded from 0.0.0.0/68 to outside:255.255.255.255/bootps
302010: 2 in use, 9 most used
710005: UDP request discarded from 0.0.0.0/68 to outside:255.255.255.255/bootps
710005: UDP request discarded from 0.0.0.0/68 to outside:255.255.255.255/bootps
710005: UDP request discarded from 69.169.147.207/65352 to outside:255.255.255.255/2223
710005: UDP request discarded from 0.0.0.0/68 to outside:255.255.255.255/bootps
710005: UDP request discarded from 69.169.147.83/2190 to outside:255.255.255.255/2190
710005: UDP request discarded from 0.0.0.0/68 to outside:255.255.255.255/bootps
710005: UDP request discarded from 69.169.147.207/65507 to outside:255.255.255.255/2223
710005: UDP request discarded from 0.0.0.0/68 to outside:255.255.255.255/bootps
710005: UDP request discarded from 69.169.146.205/54630 to outside:255.255.255.255/2223
710005: UDP request discarded from 69.169.147.117/49440 to outside:255.255.255.255/2222
710005: UDP request discarded from 0.0.0.0/68 to outside:255.255.255.255/bootps
710005: UDP request discarded from 69.169.147.207/50075 to outside:255.255.255.255/2223
710005: UDP request discarded from 69.169.147.46/68 to outside:255.255.255.255/bootps
710005: UDP request discarded from 69.169.147.59/52656 to outside:255.255.255.255/2223
710005: UDP request discarded from 69.169.147.59/52657 to outside:255.255.255.255/2223
710005: TCP request discarded from 216.155.194.229/80 to outside:69.169.146.8/1353
710005: UDP request discarded from 0.0.0.0/68 to outside:255.255.255.255/bootps
710005: UDP request discarded from 0.0.0.0/68 to outside:255.255.255.255/bootps
710005: UDP request discarded from 0.0.0.0/68 to outside:255.255.255.255/bootps
710005: TCP request discarded from 58.91.77.18/37099 to outside:69.169.146.8/32056
710005: TCP request discarded from 58.91.77.18/37099 to outside:69.169.146.8/32056
710005: UDP request discarded from 69.169.147.207/52386 to outside:255.255.255.255/2223
710005: TCP request discarded from 58.91.77.18/37099 to outside:69.169.146.8/32056
710005: UDP request discarded from 0.0.0.0/68 to outside:255.255.255.255/bootps
710005: UDP request discarded from 69.169.147.83/2190 to outside:255.255.255.255/2190
710005: UDP request discarded from 0.0.0.0/68 to outside:255.255.255.255/bootps
710005: UDP request discarded from 0.0.0.0/68 to outside:255.255.255.255/bootps
710005: TCP request discarded from 58.91.77.18/37099 to outside:69.169.146.8/32056
710005: UDP request discarded from 69.169.147.207/57119 to outside:255.255.255.255/2223
710005: UDP request discarded from 69.169.146.205/54634 to outside:255.255.255.255/2223
710005: UDP request discarded from 69.169.147.117/49441 to outside:255.255.255.255/2222
710005: UDP request discarded from 0.0.0.0/68 to outside:255.255.255.255/bootps
710005: UDP request discarded from 69.169.147.207/55966 to outside:255.255.255.255/2223
710005: UDP request discarded from 69.169.147.59/52658 to outside:255.255.255.255/2223
710005: UDP request discarded from 0.0.0.0/68 to outside:255.255.255.255/bootps
710005: UDP request discarded from 69.169.147.59/52659 to outside:255.255.255.255/2223
710005: UDP request discarded from 0.0.0.0/68 to outside:255.255.255.255/bootps
111009: User 'enable_15' executed cmd: show logging
710005: TCP request discarded from 58.91.77.18/37099 to outside:69.169.146.8/32056
710005: UDP request discarded from 0.0.0.0/68 to outside:255.255.255.255/bootps
302013: Built inbound TCP connection 32 for outside:10.1.1.10/2153 (10.1.1.10/2153) to inside:10.2.2.1/80 (10.2.2.1/80)

Then I tried accessing a computer on the inside of Lion's network at 10.2.2.11 and received the following log, which looks to be much more descriptive:


lion(config)# show logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 709 messages logged
    Trap logging: level errors, 0 messages logged
    History logging: disabled
    Device ID: disabled
mic UDP translation from inside:10.2.2.11/65208 to outside:69.169.146.8/1048 duration 0:00:35
710005: UDP request discarded from 10.2.2.11/138 to inside:10.2.2.255/netbios-dgm
710005: UDP request discarded from 10.2.2.11/138 to inside:10.2.2.255/netbios-dgm
710005: UDP request discarded from 10.2.2.11/137 to inside:10.2.2.255/netbios-ns
710005: UDP request discarded from 10.2.2.11/137 to inside:10.2.2.255/netbios-ns
710005: UDP request discarded from 10.2.2.11/137 to inside:10.2.2.255/netbios-ns
710005: UDP request discarded from 10.2.2.11/137 to inside:10.2.2.255/netbios-ns
710005: UDP request discarded from 10.2.2.11/137 to inside:10.2.2.255/netbios-ns
710005: UDP request discarded from 10.2.2.11/137 to inside:10.2.2.255/netbios-ns
710005: UDP request discarded from 69.169.147.207/56843 to outside:255.255.255.255/2223
710005: UDP request discarded from 0.0.0.0/68 to outside:255.255.255.255/bootps
710005: UDP request discarded from 10.2.2.11/137 to inside:10.2.2.255/netbios-ns
710005: UDP request discarded from 10.2.2.11/137 to inside:10.2.2.255/netbios-ns
710005: UDP request discarded from 10.2.2.11/138 to inside:10.2.2.255/netbios-dgm
710005: UDP request discarded from 10.2.2.11/138 to inside:10.2.2.255/netbios-dgm
710005: UDP request discarded from 10.2.2.11/138 to inside:10.2.2.255/netbios-dgm
710005: UDP request discarded from 69.169.147.59/52678 to outside:255.255.255.255/2223
305011: Built dynamic TCP translation from inside:10.2.2.11/4569 to outside:69.169.146.8/1032
302013: Built outbound TCP connection 46 for outside:66.102.7.99/80 (66.102.7.99/80) to inside:10.2.2.11/4569 (69.169.146.8/1032)
304001: 10.2.2.11 Accessed URL 66.102.7.99:/ig/api?hl=en&stock=GE&stock=GOOG&stock=DJI&stock=COMPX&stock=NYA%2EX
305011: Built dynamic UDP translation from inside:10.2.2.11/52798 to outside:69.169.146.8/1056
302015: Built outbound UDP connection 47 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.2.2.11/52798 (69.169.146.8/1056)
305011: Built dynamic UDP translation from inside:10.2.2.11/56076 to outside:69.169.146.8/1057
302015: Built outbound UDP connection 48 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.2.2.11/56076 (69.169.146.8/1057)
305011: Built dynamic UDP translation from inside:10.2.2.11/49775 to outside:69.169.146.8/1058
302015: Built outbound UDP connection 49 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.2.2.11/49775 (69.169.146.8/1058)
302016: Teardown UDP connection 49 for outside:8.8.8.8/53 to inside:10.2.2.11/49775 duration 0:00:01 bytes 196
302016: Teardown UDP connection 47 for outside:8.8.8.8/53 to inside:10.2.2.11/52798 duration 0:00:01 bytes 173
305011: Built dynamic TCP translation from inside:10.2.2.11/4570 to outside:69.169.146.8/1033
302013: Built outbound TCP connection 50 for outside:74.125.19.18/443 (74.125.19.18/443) to inside:10.2.2.11/4570 (69.169.146.8/1033)
302016: Teardown UDP connection 48 for outside:8.8.8.8/53 to inside:10.2.2.11/56076 duration 0:00:01 bytes 202
302013: Built inbound TCP connection 51 for outside:10.1.1.10/2174 (10.1.1.10/2174) to inside:10.2.2.11/445 (10.2.2.11/445)
302013: Built inbound TCP connection 52 for outside:10.1.1.10/2175 (10.1.1.10/2175) to inside:10.2.2.11/139 (10.2.2.11/139)
305012: Teardown dynamic UDP translation from inside:10.2.2.11/51057 to outside:69.169.146.8/1051 duration 0:00:31
710005: UDP request discarded from 69.169.147.59/52679 to outside:255.255.255.255/2223
305011: Built dynamic TCP translation from inside:10.2.2.11/4571 to outside:69.169.146.8/1034
302013: Built outbound TCP connection 53 for outside:74.125.19.18/443 (74.125.19.18/443) to inside:10.2.2.11/4571 (69.169.146.8/1034)
305012: Teardown dynamic UDP translation from inside:10.2.2.11/58310 to outside:69.169.146.8/1052 duration 0:00:31
305012: Teardown dynamic UDP translation from inside:10.2.2.11/51170 to outside:69.169.146.8/1053 duration 0:00:31
305012: Teardown dynamic UDP translation from inside:10.2.2.11/63743 to outside:69.169.146.8/1054 duration 0:00:31
305012: Teardown dynamic TCP translation from inside:10.2.2.11/4568 to outside:69.169.146.8/1031 duration 0:00:31
 
frebbAuthor Commented:
Oh and thanks for all your help so far.
 
geergonCommented:
What you need to accomplish for now is to check if you see encaps or decaps on one of the sides:
"show crypto ipsec sa"

The logs are not very useful for now; clear them (clear logging) and try again... BUT the browser is not a good test... Try to send just ICMP traffic:
"ping inside the_other_network"

This will source the ping from the internal IP of the firewall, trying to go to the other side.


I think that the firewall is dropping the packets before sending them through the tunnel.

Also do "show version" and check if the column "inside hosts" says ---> unlimited.
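The check geergon asks for here and in his earlier reply ("I do not see encryptions or decryptions") comes down to comparing encaps/decaps counters, send errors, proxy identities and SPIs on both ends of the tunnel. As an added example that is not part of this thread or of any Cisco tool, the Python 3.8+ script below parses the PIX 6.3 'show crypto ipsec sa' layout seen in the outputs posted above and reports those findings; the embedded sample text is an abbreviated copy of the Lion and Tiger outputs from this thread, and the regexes assume exactly that output layout.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: abbreviated copies of the two "show crypto ipsec sa"
# outputs posted above (Lion = static 515e, Tiger = dynamic 501).
LION_SA = """\
    Crypto map tag: dyn-map, local addr. 69.169.146.8
   local  ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer: 69.169.146.190:500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0xa2e8fa40(2733177408)
     inbound ah sas:
     outbound esp sas:
      spi: 0x424986b(69507179)
"""
TIGER_SA = """\
    Crypto map tag: newmap, local addr. 69.169.146.190
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer: 69.169.146.8:500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 1, #recv errors 0
     inbound esp sas:
      spi: 0x63f84028(1677213736)
     outbound esp sas:
      spi: 0x8a91b288(2324804232)
"""

@dataclass
class IpsecSa:
    """Identities, counters and SPIs of one end of a PIX 6.3 IPsec tunnel."""
    local_addr: str = ""
    peer: str = ""
    local_ident: str = ""
    remote_ident: str = ""
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    inbound_spi: list = field(default_factory=list)
    outbound_spi: list = field(default_factory=list)

def parse_ipsec_sa(text: str) -> IpsecSa:
    """Parse one crypto-map entry from a PIX 6.3 'show crypto ipsec sa' dump."""
    sa, section = IpsecSa(), None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Crypto map tag: \S+, local addr\. (\S+)", line):
            sa.local_addr = m.group(1)
        elif m := re.match(r"(local|remote)\s+ident .*: \((\S+)\)", line):
            setattr(sa, m.group(1) + "_ident", m.group(2))
        elif m := re.match(r"current_peer: (\S+):\d+", line):
            sa.peer = m.group(1)
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", line):
            setattr(sa, m.group(1), int(m.group(2)))
        elif m := re.match(r"#send errors (\d+)", line):
            sa.send_errors = int(m.group(1))
        elif m := re.match(r"(inbound|outbound) (\w+) sas:", line):
            # only the ESP sections carry SPIs we pair up; ah/pcp stay empty
            section = m.group(1) if m.group(2) == "esp" else None
        elif (m := re.match(r"spi: (0x[0-9a-f]+)", line)) and section:
            getattr(sa, section + "_spi").append(m.group(1))
    return sa

def diagnose(a: IpsecSa, b: IpsecSa) -> list:
    """Compare both ends of one tunnel and return human-readable findings."""
    findings = []
    if a.encaps == 0 and b.encaps == 0:
        findings.append("neither side encapsulates: interesting traffic never "
                        "reaches the crypto map (check the crypto ACL, the nat 0 "
                        "exemption and where the test traffic is sourced)")
    for x, y in ((a, b), (b, a)):
        if x.encaps and not y.decaps:
            findings.append(f"{x.local_addr} encaps {x.encaps} but "
                            f"{y.local_addr} decaps 0: packets lost in transit "
                            "or dropped by the peer (e.g. antireplay failure)")
        if x.send_errors:
            findings.append(f"{x.local_addr} reports {x.send_errors} send error(s)")
        if x.local_ident != y.remote_ident:
            findings.append(f"proxy identities not mirrored: {x.local_addr} local "
                            f"{x.local_ident} vs {y.local_addr} remote {y.remote_ident}")
    # an SA is named by its SPI, so A's outbound SPI must be B's inbound SPI
    if (set(a.outbound_spi) != set(b.inbound_spi)
            or set(b.outbound_spi) != set(a.inbound_spi)):
        findings.append("SPIs do not pair up across the two outputs: they do not "
                        "describe the same SA pair (renegotiated between captures "
                        "or more than one SA pair exists); capture both together")
    return findings

if __name__ == "__main__":
    print(*diagnose(parse_ipsec_sa(LION_SA), parse_ipsec_sa(TIGER_SA)), sep="\n")
```

On the two outputs as posted, the script reports no encapsulation on either side, one send error on Tiger, and SPIs that do not pair up, which tells you the two captures do not describe the same SA pair.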
 
geergonCommented:
Also you can filter the logs

Suppose that you are in Tiger

ping inside 10.2.2.1

then

show logging | in 10.2.2.1


To source the ping you need to have this command in both firewalls:
management-access inside
 
frebbAuthor Commented:
I'm now out of town for the holidays. I'll be gone for the rest of this week. I hope that we can resume this when I return.
 
frebbAuthor Commented:
So when I came back and hooked everything back up and pinged the inside network from Tiger with "ping inside 10.2.2.1", it was able to ping. Then I was also able to ping in both directions between computers on the two different networks.

To answer your question, the PIX 515e has unlimited inside hosts, but the PIX 501 only has 10 inside hosts. Is that the number of hosts that can connect through the device to the VPN?

I guess now that I have a connection with packets being encrypted and decrypted, the next step would be to allow a computer to access the resources on another computer. I currently can't do that; any thoughts as to why?
 
frebbAuthor Commented:
When I try to access the computer behind Tiger with the computer behind Lion, the log shows the following:

tiger(config)# show logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 30968 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
111008: User 'bomis' executed the 'clear logging' command.
302013: Built inbound TCP connection 122 for outside:10.2.2.10/1876 (10.2.2.10/1876) to inside:10.1.1.10/445 (10.1.1.10/445)
302013: Built inbound TCP connection 123 for outside:10.2.2.10/1877 (10.2.2.10/1877) to inside:10.1.1.10/139 (10.1.1.10/139)
 
frebbAuthor Commented:
You can disregard what I said before. The VPN is working now. I do have one last question and will award you the points.

I can only browse the computers with their IP address. Is this because I don't have a DNS or WINS server? If so, what would be the best/easiest way to enable us to browse computers by name?
 
geergonCommented:
Well, those computers may have a DNS server, right?
Depending on the DNS server they are pointing to, you will be able to resolve names.

Which is the DNS of the computers?
Do you have a local DNS server?

 
frebbAuthor Commented:
We don't have a local DNS server. I will set one up soon. I just wanted to confirm that that was the problem. Thank you for all the help.