• Status: Solved

IPSec / IKE VPN not working - Cisco PIX <-> Cisco WRV210

Hi Experts!

I have managed to successfully set up a VPN connection between a Cisco PIX and Cisco (Linksys) WRV210 VPN router.  This is according to both the PDM monitoring on the PIX as well as the status screen on the WRV210 web interface.  Unfortunately, that is all that I can do... attempts to ping or access resources across the VPN aside from the PIX itself consistently fail.

While I've tried any number of configuration changes on the WRV210 and PIX I'm sure that there are rules/settings that I'm missing.

I do have other VPN connection methods (namely PPTP) working.  If I connect from the Windows VPN client to the PIX I can ping internal computers without a problem.

Here are the particulars:
WRV210 is set up as 192.168.129.1
PIX is set up as 192.168.2.1
VPN Tunnel A has the correct remote gateway, with remote group of 192.168.2.0/24 and local group of 192.168.129.0/24

Attempts to ping from the 129.x network succeed to external network traffic (google.com) and the VPN end-point (192.168.2.1) but fail to anything internal.

Attempts to ping from the 2.x network fail to anything on the 129.x network.

My *guess* is that there are things that need to be done on the PIX but I haven't the foggiest idea what those changes would be.

My only access to the PIX is via the PDM version 3.0.  I've tried using Telnet access but the enable password has been lost.
Asked:
kc5sig
2 Solutions
 
pegla12 Commented:
What about ACLs? Did you permit any traffic through your VPN tunnel?
 
baker9s Commented:
I assume you have the Ipsec tunnels configured with main mode.  If this is the case, you would need to define access lists that determine what gets encrypted and sent over the ipsec tunnel.

Do you have Crypto maps defined on the Pix?

 
kc5sig (Author) Commented:
I do not think that they are needed - the "Bypass access check for all IPSec traffic" box is checked under VPN -> VPN System Options
 
kc5sig (Author) Commented:
Baker9s: where would I go to look for "Crypto maps"?
 
baker9s Commented:
What model is this PIX and do you have access to the command line or are you using ASDM?  This would be much easier to see if you are on the command line.

It would be in the running config.  Can you post the running config of the PIX?  (make sure you remove any passwords/sensitive info before posting.)  :)
 
baker9s Commented:
I meant to say PDM not ASDM in that last post.
 
kc5sig (Author) Commented:
This is a PIX 501 and while I'm generally using the Cisco PIX Device Manager, I was able to pull the following from the telnet session:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password podusghioauhg encrypted
passwd 00uuiojlijli;adfglirej encrypted
hostname ESCPIX
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
access-list acl_out permit ip any any
access-list ESCVPN permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list ESCVPN permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_cryptomap_dyn_10 permit ip 10.1.1.0 255.255.255.0 any
access-list WAN-ACL permit icmp any any
access-list WAN-ACL permit tcp any any eq 10000
access-list WAN-ACL remark Premcom
access-list WAN-ACL permit ip 72.45.244.0 255.255.255.0 any
access-list WAN-ACL permit tcp host 65.117.59.42 host 208.125.186.126 eq 3389
access-list WAN-ACL permit udp any host 208.125.186.126 eq 4500
access-list WAN-ACL permit tcp any interface outside eq www
access-list WAN-ACL permit udp any host 208.125.186.126 eq 1604
access-list WAN-ACL permit tcp any host 208.125.186.126 eq 8080
access-list WAN-ACL permit tcp any host 208.125.186.126 eq citrix-ica
access-list WAN-ACL permit tcp any interface outside eq 88
access-list WAN-ACL permit tcp any host 208.125.186.126 eq pop3
access-list WAN-ACL permit tcp any host 208.125.186.126 eq smtp
access-list ESCVPN-2 permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
no pager
logging on
logging timestamp
logging buffered debugging
logging trap informational
logging host inside 192.168.2.174
mtu outside 1500
mtu inside 1500
ip address outside 208.125.186.126 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 10.1.1.1-10.1.1.25
ip local pool IPSec 10.1.1.26-10.1.1.50
pdm location 141.149.132.0 255.255.255.0 outside
pdm location 192.168.2.170 255.255.255.255 inside
pdm location 10.1.1.0 255.255.255.0 outside
pdm location 65.117.59.42 255.255.255.255 outside
pdm location 192.168.2.154 255.255.255.255 inside
pdm location 10.1.1.0 255.255.255.0 inside
pdm location 192.168.2.124 255.255.255.255 inside
pdm location 72.45.244.0 255.255.255.0 outside
pdm location 141.149.132.27 255.255.255.255 outside
pdm location 192.168.2.174 255.255.255.255 inside
pdm location 192.168.2.162 255.255.255.255 inside
pdm location 72.45.244.27 255.255.255.255 outside
pdm location 192.168.20.0 255.255.255.0 outside
pdm location 67.252.137.144 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list ESCVPN
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface citrix-ica 192.168.2.154 citrix-ica netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.2.154 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 88 192.168.2.162 www netmask 255.255.255.255 0 0
static (inside,outside) udp interface 1494 192.168.2.154 1494 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 1604 192.168.2.154 1604 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8080 192.168.2.154 8080 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.2.124 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.2.124 pop3 netmask 255.255.255.255 0 0
access-group WAN-ACL in interface outside
access-group acl_out in interface inside
route outside 0.0.0.0 0.0.0.0 208.125.186.125 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication secure-http-client
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
ntp server 130.236.254.102 source outside prefer
http server enable
http 72.45.244.0 255.255.255.0 outside
http 192.168.2.0 255.255.255.0 inside
http 10.1.1.0 255.255.255.0 inside
snmp-server host outside 72.45.244.27 poll
snmp-server location Amherst, NY 14228
snmp-server contact Premcom 716-691-0791
snmp-server community mocmerp85
snmp-server enable traps
tftp-server outside 72.45.244.94 /escpix.txt
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set transet1 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map vpndynmap 10 set pfs group2
crypto dynamic-map vpndynmap 10 set transform-set ESP-DES-SHA
crypto dynamic-map vpndynmap 20 set pfs group2
crypto dynamic-map vpndynmap 20 set transform-set ESP-3DES-SHA
crypto map vpnmap 10 ipsec-isakmp dynamic vpndynmap
crypto map vpnmap client configuration address initiate
crypto map vpnmap client configuration address respond
crypto map vpnmap interface outside
crypto map inside_map client configuration address initiate
crypto map inside_map client configuration address respond
crypto map inside_map interface inside
isakmp enable outside
isakmp enable inside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
isakmp client configuration address-pool local vpnpool outside
isakmp nat-traversal 500
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
vpngroup ESCVPNgroup address-pool vpnpool
vpngroup ESCVPNgroup dns-server 192.168.2.124
vpngroup ESCVPNgroup wins-server 192.168.2.124
vpngroup ESCVPNgroup default-domain esc.local
vpngroup ESCVPNgroup split-tunnel ESCVPN-2
vpngroup ESCVPNgroup pfs
vpngroup ESCVPNgroup idle-time 1800
vpngroup ESCVPNgroup password ********
telnet 192.168.2.0 255.255.255.0 inside
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 5
ssh 72.45.244.0 255.255.255.0 outside
ssh 67.252.137.144 255.255.255.255 outside
ssh timeout 30
management-access inside
console timeout 0
vpdn group pptp accept dialin pptp
vpdn group pptp ppp authentication chap
vpdn group pptp ppp authentication mschap
vpdn group pptp ppp encryption mppe auto
vpdn group pptp client configuration address local vpnpool
vpdn group pptp client configuration dns 192.168.2.124
vpdn group pptp client configuration wins 192.168.2.124
vpdn group pptp pptp echo 60
vpdn group pptp client authentication local
vpdn username chumphrey password *********
vpdn username mmedina password *********
vpdn username ESCRemote password *********
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username premcom password as[p9 turjencrypted privilege 15
username EscPIX password sa;o 4w encrypted privilege 15
username escadmin password sda[f9ijwf encrypted privilege 2
username ysommer password sdailrjwe encrypted privilege 15
username CHatton password sa;ld  encrypted privilege 15
terminal width 80
banner exec Access by person(s) not authorized by ESC is forbidden
banner login Access by person(s) not authorized by ESC is forbidden
banner motd Access by person(s) not authorized by ESC is forbidden
Cryptochecksum:dsjf;l kasd;l klsa
: end
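As an added check (an editor's script, not something posted in the thread), the Python below parses the NAT, access-list and crypto map lines of the running config above and reports whether a LAN pair is exempted from PAT by the nat 0 ACL and selected by a static crypto ACL, which is the point baker9s raises. The config excerpt is a constructed copy of those lines; run for 192.168.2.0/24 <-> 192.168.129.0/24 it shows the remote LAN is in neither, so inside hosts' traffic to it is translated to the outside address instead of entering the tunnel.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.3 running config posted above (only the lines that decide what enters the tunnel).
PIX_CONFIG = """\
access-list ESCVPN permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list ESCVPN permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_cryptomap_dyn_10 permit ip 10.1.1.0 255.255.255.0 any
nat (inside) 0 access-list ESCVPN
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map vpnmap 10 ipsec-isakmp dynamic vpndynmap
crypto map vpnmap interface outside
"""

def _net(tokens):
    """Consume one PIX address spec ('any', 'host A' or 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acls(config):
    """Map ACL name -> [(src_net, dst_net)] for every 'permit ip' entry."""
    acls = {}
    for line in config.splitlines():
        p = line.split()
        if len(p) >= 5 and p[0] == "access-list" and p[2:4] == ["permit", "ip"]:
            src, rest = _net(p[4:])
            dst, _ = _net(rest)
            acls.setdefault(p[1], []).append((src, dst))
    return acls

def covers(acls, name, local, remote):
    """True if some entry of ACL `name` matches all local -> remote traffic."""
    return any(local.subnet_of(s) and remote.subnet_of(d) for s, d in acls.get(name, []))

def tunnel_check(config, local, remote):
    """Is local<->remote exempt from PAT (nat 0) and selected by a crypto ACL?"""
    local, remote = ipaddress.ip_network(local), ipaddress.ip_network(remote)
    acls = parse_acls(config)
    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)$", config, re.M)
    static = re.findall(r"^crypto map \S+ \d+ match address (\S+)$", config, re.M)
    return {
        # Without identity NAT the LAN source is PATed before the crypto map sees it.
        "nat_exempt": bool(nat0) and covers(acls, nat0.group(1), local, remote),
        # A static crypto ACL pins the selectors; a dynamic-only map accepts the peer's proposal.
        "static_crypto_acl": any(covers(acls, a, local, remote) for a in static),
        "dynamic_map_only": not static and bool(re.search(r"ipsec-isakmp dynamic", config)),
    }
```

The dynamic crypto map accepts whatever selectors the WRV210 proposes when it initiates, which is why the tunnel shows as established on both ends while no inside traffic is actually steered into it.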
 
kc5sig (Author) Commented:
Thanks to everyone for the comments. I found that the solution came from adding an exception for the remote machine's IP address in the PDM. This is, in effect, an answer based on the combination of the comments provided by both of you, so I'm going to split the points between you.