Velocity Reviews - Computer Hardware Reviews

Pix 501 startup problem (newbie)

 
 
Steve
11-19-2004
I have just installed a PIX 501 at a client's site, and am trying to
establish a VPN with a PIX 515 at another site. My problem is that
the 501 does not appear to be even attempting to set up the VPN. I
see absolutely NO traffic coming out of the OUTSIDE interface, and
when I turn on the ipsec and isakmp debug - there is no output either.
I know I am connected, because I can ping the remote pix from the 501
console port. What simple thing have I missed? I have taken the
config directly from Cisco's documentation.

Thanks,
Steve Cohn
 
Walter Roberson
11-19-2004
In article <(E-Mail Removed) >,
Steve <(E-Mail Removed)> wrote:
:I have just installed a PIX 501 at a client's site, and am trying to
:establish a VPN with a PIX 515 at another site. My problem is that
:the 501 does not appear to be even attempting to set up the VPN. I
:see absolutely NO traffic coming out of the OUTSIDE interface, and
:when I turn on the ipsec and isakmp debug - there is no output either.
: I know I am connected, because I can ping the remote pix from the 501
:console port. What simple thing have I missed? I have taken the
:config directly from Cisco's documentation.

If you took the config *directly* from Cisco's documentation, then
the first problem is that the IP addresses will not match the real world
IP addresses.

Cisco has a lot of different example configurations. It would help if you
would post your configuration (making sure you don't leave any
passwords in the posted version.)

My preliminary conjecture is that you do not have the correct
ACL for the 'match address' clause of the crypto map.
--
Would you buy a used bit from this man??
 
Steve
11-22-2004
(E-Mail Removed)-cnrc.gc.ca (Walter Roberson) wrote in message news:<cnln6h$nv1$(E-Mail Removed)>...
> In article <(E-Mail Removed) >,
> Steve <(E-Mail Removed)> wrote:
> :I have just installed a PIX 501 at a client's site, and am trying to
> :establish a VPN with a PIX 515 at another site. My problem is that
> :the 501 does not appear to be even attempting to set up the VPN. I
> :see absolutely NO traffic coming out of the OUTSIDE interface, and
> :when I turn on the ipsec and isakmp debug - there is no output either.
> : I know I am connected, because I can ping the remote pix from the 501
> :console port. What simple thing have I missed? I have taken the
> :config directly from Cisco's documentation.
>
> If you took the config *directly* from Cisco's documentation, then
> the first problem is that the IP addresses will not match the real world
> IP addresses.
>
> Cisco has a lot of different example configurations. It would help if you
> would post your configuration (making sure you don't leave any
> passwords in the posted version.)
>
> My preliminary conjecture is that you do not have the correct
> ACL for the 'match address' clause of the crypto map.



OK - here are the details:

Warehouse -> T1 to Net to -> DSL -> Store

First config below is warehouse, second is Store.

The warehouse and its T1 connection have been around for years, no
problem, can do a remote VPN in, no problem. We had a DSL line put in
the store, and want to do a permanent VPN PIX to PIX, but I can't seem
to get it to work.

WAREHOUSE PIX :

: Written by enable_15 at 09:16:47.467 CST Mon Nov 22 2004
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname hmkr-pix515e
domain-name jewishsource.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 10.0.1.0 store-net
name 10.0.0.1 h-01-in
name 10.0.0.2 h-02-in
name 10.0.0.6 h-03-in
name 216.146.94.74 h-01-out
name 216.146.94.76 h-02-out
name 216.146.94.75 h-03-out
name 10.0.0.10 h-test-in
name 216.146.94.78 h-test-out
access-list acl-inbound permit tcp any host h-03-out eq www
access-list acl-inbound permit tcp any host h-03-out eq smtp
access-list acl-inbound permit tcp any host h-03-out eq pop3
access-list acl-inbound permit tcp any host h-03-out eq https
access-list acl-inbound permit udp any host h-03-out eq domain
access-list acl-inbound permit tcp any host h-03-out eq domain
access-list acl-inbound permit tcp any host h-03-out eq ftp-data
access-list acl-inbound permit tcp any host h-03-out eq ftp
access-list acl-inbound permit tcp any host h-01-out eq https
access-list acl-inbound permit tcp any host h-01-out eq ftp-data
access-list acl-inbound permit tcp any host h-01-out eq ftp
access-list acl-inbound permit udp any host h-01-out eq domain
access-list acl-inbound permit tcp any host h-01-out eq domain
access-list acl-inbound permit icmp any host h-03-out echo-reply
access-list acl-inbound permit icmp any host h-03-out time-exceeded
access-list acl-inbound permit icmp any host h-01-out echo-reply
access-list acl-inbound permit icmp any host h-01-out time-exceeded
access-list acl-inbound permit udp any host h-01-out eq 407
access-list acl-inbound permit tcp any host h-01-out range 1417 1420
access-list acl-inbound permit tcp any host h-01-out eq www
access-list acl-inbound permit udp any host h-02-out eq 407
access-list acl-inbound permit tcp any host h-02-out range 1417 1420
access-list acl-inbound permit udp any host h-test-out eq 407
access-list acl-inbound permit tcp any host h-test-out range 1417 1420
access-list acl-inbound permit tcp any host h-test-out eq ftp
access-list acl-inbound permit tcp any host h-test-out eq ftp-data
access-list acl-inbound permit tcp any host h-test-out eq www
access-list acl-outbound deny tcp host h-01-in any eq 69
access-list acl-outbound deny udp host h-01-in any eq tftp
access-list acl-outbound permit ip any any log
access-list acl-outbound permit ip host 10.0.0.156 any
access-list acl-outbound permit icmp any any
access-list pptp-vpn permit ip 10.0.0.0 255.255.255.0 192.168.75.0 255.255.255.0
access-list pptp-vpn permit ip 10.0.0.0 255.255.255.0 store-net 255.255.255.0
access-list 90 permit ip 10.0.0.0 255.255.255.0 store-net 255.255.255.0
pager lines 22
logging on
logging host inside h-03-in
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 216.146.94.77 255.255.255.248
ip address inside 10.0.0.253 255.255.255.0
ip address dmz 127.0.0.1 255.255.255.0
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool ptpvpnpool 192.168.75.1-192.168.75.100
ip local pool storepool 10.0.0.75-10.0.0.90
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list pptp-vpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) h-02-out h-02-in netmask 255.255.255.255 1000 700
static (inside,outside) h-03-out h-03-in netmask 255.255.255.255 3000 2100
static (inside,outside) h-01-out h-01-in netmask 255.255.255.255 3000 2100
static (inside,outside) h-test-out h-test-in netmask 255.255.255.255 1000 700
access-group acl-inbound in interface outside
access-group acl-outbound in interface inside
route outside 0.0.0.0 0.0.0.0 216.146.94.73 1
route inside store-net 255.255.255.0 10.0.0.254 2
route inside 10.0.100.0 255.255.255.252 10.0.0.254 1
route inside 192.168.75.0 255.255.255.0 10.0.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
ntp server 10.0.0.100 source inside
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map toStore 20 ipsec-isakmp
crypto map toStore 20 match address 90
crypto map toStore 20 set peer 216.146.67.126
crypto map toStore 20 set transform-set strong
crypto map toStore interface outside
isakmp enable outside
isakmp key ******** address 216.146.67.126 netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
vpngroup STORE address-pool storepool
vpngroup STORE idle-time 1800
vpngroup STORE password ********
telnet 192.168.75.0 255.255.255.0 outside
telnet h-03-in 255.255.255.255 inside
telnet 10.0.0.0 255.0.0.0 inside
telnet 192.168.75.0 255.255.255.0 inside
telnet h-03-in 255.255.255.255 dmz
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 45
management-access inside
console timeout 0
vpdn group clientpptp accept dialin pptp
vpdn group clientpptp ppp authentication pap
vpdn group clientpptp ppp authentication chap
vpdn group clientpptp ppp authentication mschap
vpdn group clientpptp ppp encryption mppe 128 required
vpdn group clientpptp client configuration address local ptpvpnpool
vpdn group clientpptp client configuration dns h-03-in
vpdn group clientpptp pptp echo 60
vpdn group clientpptp client authentication local
vpdn group test accept dialin pptp
vpdn group test ppp authentication pap
vpdn group test ppp authentication chap
vpdn group test ppp authentication mschap
vpdn group test ppp encryption mppe 128 required
vpdn group test client configuration address local storepool
vpdn group test client configuration dns h-03-in
vpdn group test client configuration wins h-03-in
vpdn group test pptp echo 60
vpdn group test client authentication local
vpdn enable outside
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
terminal width 60
Cryptochecksum:ca3c3c87971665b6eaecfcfd5d1b0a2f

hmkr-pix515e(config)# show ver

Cisco PIX Firewall Version 6.3(1)
Cisco PIX Device Manager Version 2.0(2)

Compiled on Wed 19-Mar-03 11:49 by morlee

hmkr-pix515e up 5 days 10 hours

Hardware: PIX-515E, 32 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 0009.e89d.032e, irq 10
1: ethernet1: address is 0009.e89d.032f, irq 11
2: ethernet2: address is 0002.b336.3214, irq 5
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Interfaces: 3
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited

This PIX has a Restricted (R) license.

Serial Number: 806233226 (0x300e248a)
Running Activation Key: 0x78693c37 0x9d9480fd 0x8786de1b 0xd02dfe70
Configuration last modified by enable_15 at 09:17:27.978 CST Mon Nov 22 2004

hmkr-pix515e(config)#


STORE PIX :

pixfirewall(config)# show conf
: Saved
: Written by enable_15 at 11:01:16.877 UTC Mon Nov 22 2004
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name jewishsource.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 80 permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 22
mtu outside 1500
mtu inside 1500
ip address outside 216.146.67.126 255.255.255.252
ip address inside 10.0.1.253 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool remotevpn 10.0.1.50-10.0.1.75
pdm location 10.0.0.0 255.0.0.0 outside
pdm location 216.146.94.76 255.255.255.252 outside
pdm location 10.0.1.0 255.255.255.128 outside
pdm group warehouse-net outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 216.146.67.125 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map toWhouse 10 ipsec-isakmp
crypto map toWhouse 10 match address 80
crypto map toWhouse 10 set peer 216.146.94.77
crypto map toWhouse 10 set transform-set strong
crypto map toWhouse interface outside
isakmp enable outside
isakmp key ******** address 216.146.94.77 netmask 255.255.255.255
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash sha
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400
telnet 10.0.0.0 255.0.0.0 outside
telnet 216.146.94.76 255.255.255.252 outside
telnet 10.0.1.0 255.255.255.0 outside
telnet 10.0.0.0 255.0.0.0 inside
telnet 10.0.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn group remote accept dialin pptp
vpdn group remote ppp authentication pap
vpdn group remote ppp authentication chap
vpdn group remote ppp authentication mschap
vpdn group remote ppp encryption mppe 128 required
vpdn group remote client configuration address local remotevpn
vpdn group remote client configuration dns 10.0.0.6
vpdn group remote pptp echo 60
vpdn group remote client authentication local
vpdn enable outside
terminal width 80
Cryptochecksum:24941c9dc4746595338453bfe3d9ffeb

pixfirewall(config)# show ver

Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 13-Aug-03 13:55 by morlee

pixfirewall up 2 days 19 hours

Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 0011.bb3d.bcea, irq 9
1: ethernet1: address is 0011.bb3d.bceb, irq 10
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 10
Throughput: Unlimited
IKE peers: 10

This PIX has a Restricted (R) license.

Serial Number: 808321753 (0x302e02d9)
Running Activation Key: 0x209b6840 0x01b54239 0x2b3f9100 0xe6cc4495
Configuration last modified by enable_15 at 11:03:21.261 UTC Mon Nov 22 2004

pixfirewall(config)#
 
PES
11-22-2004
Steve wrote:
> (E-Mail Removed)-cnrc.gc.ca (Walter Roberson) wrote in message news:<cnln6h$nv1$(E-Mail Removed)>...
>
>>In article <(E-Mail Removed) >,
>>Steve <(E-Mail Removed)> wrote:
>>:I have just installed a PIX 501 at a client's site, and am trying to
>>:establish a VPN with a PIX 515 at another site. My problem is that
>>:the 501 does not appear to be even attempting to set up the VPN. I
>>:see absolutely NO traffic coming out of the OUTSIDE interface, and
>>:when I turn on the ipsec and isakmp debug - there is no output either.
>>: I know I am connected, because I can ping the remote pix from the 501
>>:console port. What simple thing have I missed? I have taken the
>>:config directly from Cisco's documentation.
>>
>>If you took the config *directly* from Cisco's documentation, then
>>the first problem is that the IP addresses will not match the real world
>>IP addresses.
>>
>>Cisco has a lot of different example configurations. It would help if you
>>would post your configuration (making sure you don't leave any
>>passwords in the posted version.)
>>
>>My preliminary conjecture is that you do not have the correct
>>ACL for the 'match address' clause of the crypto map.

>
>
>
> OK - here are the details:
>
>
> Warehouse -> T1 to Net to -> DSL -> Store
>
> First config below is warehouse, second is Store.
>
> The warehouse and its T1 connection have been around for years, no
> problem, can do a remote VPN in, no problem. We had a DSL line put in
> the store, and want to do a permanent VPN PIX to PIX, but I can't seem
> to get it to work.
>

I think the line listed below is causing the packets to be dropped. The
route is back into the interface you would have received the packets on.
On a Pix this will always cause them to be dropped. If you don't have
a 10.0.1.x behind the warehouse pix, you need to remove the following line.

route inside store-net 255.255.255.0 10.0.0.254 2

Now the packets should route properly. The crypto should then be
applied and an association formed. This may not be everything, but we
need to get the packets to the right interface so we can troubleshoot
the vpn.

--
-------------------------
Paul Stewart
Lexnet Inc.
Email address is in ROT13
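One way to check Paul's reasoning above mechanically, as an added example written for this thread rather than code from the thread or from Cisco: the script parses the routing and crypto-map lines of the two posted configs (copied inline), finds the longest-prefix route for each crypto ACL destination and reports when that route's interface differs from the one the crypto map is bound to. It treats each interface's own subnet mask as a connected route, so it goes beyond the reply and also flags the store PIX's 255.0.0.0 inside mask, which covers the warehouse's 10.0.0.0/24; that second finding is the example's own observation, not something the thread states.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed input: only the routing- and crypto-relevant lines, copied from
# the two configs posted in this thread.
WAREHOUSE_CONFIG = """
name 10.0.1.0 store-net
ip address outside 216.146.94.77 255.255.255.248
ip address inside 10.0.0.253 255.255.255.0
ip address dmz 127.0.0.1 255.255.255.0
access-list 90 permit ip 10.0.0.0 255.255.255.0 store-net 255.255.255.0
route outside 0.0.0.0 0.0.0.0 216.146.94.73 1
route inside store-net 255.255.255.0 10.0.0.254 2
crypto map toStore 20 match address 90
crypto map toStore interface outside
"""
STORE_CONFIG = """
ip address outside 216.146.67.126 255.255.255.252
ip address inside 10.0.1.253 255.0.0.0
access-list 80 permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 216.146.67.125 1
crypto map toWhouse 10 match address 80
crypto map toWhouse interface outside
"""


@dataclass
class PixRouting:
    names: dict = field(default_factory=dict)       # alias -> address
    connected: dict = field(default_factory=dict)   # interface -> (subnet, line)
    routes: list = field(default_factory=list)      # (network, interface, line)
    acls: dict = field(default_factory=dict)        # acl id -> [(src, dst)]
    crypto_acl: dict = field(default_factory=dict)  # crypto map -> acl id
    crypto_ifc: dict = field(default_factory=dict)  # crypto map -> interface

    def net(self, addr, mask):
        """Network from a PIX 'address netmask' pair, resolving 'name' aliases."""
        return ipaddress.ip_network(f"{self.names.get(addr, addr)}/{mask}", strict=False)


def parse_pix(config_text):
    """Collect the PIX 6.x lines that decide where crypto ACL traffic is sent.
    Only the forms used in the thread are handled (name, ip address, route,
    'access-list N permit ip net mask net mask', and the two crypto map lines)."""
    r = PixRouting()
    for raw in config_text.splitlines():
        line = raw.strip()
        f = line.split()
        if f[:1] == ["name"] and len(f) == 3:
            r.names[f[2]] = f[1]
        elif f[:2] == ["ip", "address"] and len(f) == 5:
            r.connected[f[2]] = (r.net(f[3], f[4]), line)  # interface's own subnet
        elif f[:1] == ["route"] and len(f) >= 5:
            r.routes.append((r.net(f[2], f[3]), f[1], line))
        elif f[:1] == ["access-list"] and f[2:4] == ["permit", "ip"] and len(f) == 8:
            r.acls.setdefault(f[1], []).append((r.net(f[4], f[5]), r.net(f[6], f[7])))
        elif f[:2] == ["crypto", "map"] and f[4:6] == ["match", "address"]:
            r.crypto_acl[f[2]] = f[6]
        elif f[:2] == ["crypto", "map"] and f[3:4] == ["interface"]:
            r.crypto_ifc[f[2]] = f[4]
    return r


def egress_interface(r, dst):
    """Longest-prefix match of dst over connected subnets and static routes;
    returns (interface, config line that won) or (None, None)."""
    candidates = [(n, ifc, line) for ifc, (n, line) in r.connected.items()] + r.routes
    best = None
    for n, ifc, line in candidates:
        if dst.subnet_of(n) and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, ifc, line)
    return (best[1], best[2]) if best else (None, None)


def ingress_interface(r, src):
    """Interface whose own subnet contains src, i.e. where the packets arrive."""
    return next((ifc for ifc, (n, _) in r.connected.items() if src.subnet_of(n)), None)


def check_crypto_path(r, map_name):
    """Findings for one crypto map; empty when every ACL entry's traffic would
    be routed out the interface the crypto map is bound to."""
    findings = []
    bound = r.crypto_ifc[map_name]
    for src, dst in r.acls[r.crypto_acl[map_name]]:
        egress, cause = egress_interface(r, dst)
        if egress == bound:
            continue
        msg = (f"{src} -> {dst}: routed out '{egress}' by '{cause}', "
               f"but crypto map {map_name} is bound to '{bound}'")
        if egress == ingress_interface(r, src):
            msg += "; that sends the packet back into the interface it arrived on, which the PIX drops"
        findings.append(msg)
    return findings


if __name__ == "__main__":
    for label, cfg, cmap in (("warehouse", WAREHOUSE_CONFIG, "toStore"),
                             ("store", STORE_CONFIG, "toWhouse")):
        for finding in check_crypto_path(parse_pix(cfg), cmap) or ["crypto path OK"]:
            print(f"{label}: {finding}")
```

Deleting the `route inside store-net` line from the warehouse input, as the reply suggests, makes the warehouse check come back clean.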
 
Steve
11-23-2004
(E-Mail Removed)-cnrc.gc.ca (Walter Roberson) wrote in message news:<cnln6h$nv1$(E-Mail Removed)>...
> In article <(E-Mail Removed) >,
> Steve <(E-Mail Removed)> wrote:
> :I have just installed a PIX 501 at a client's site, and am trying to
> :establish a VPN with a PIX 515 at another site. My problem is that
> :the 501 does not appear to be even attempting to set up the VPN. I
> :see absolutely NO traffic coming out of the OUTSIDE interface, and
> :when I turn on the ipsec and isakmp debug - there is no output either.
> : I know I am connected, because I can ping the remote pix from the 501
> :console port. What simple thing have I missed. I have taken the
> :confi directly from Cisco's documentation.
>
> If you took the config *directly* from Cisco's documentation, then
> the first problem is that the IP addresses will not match the real world
> IP addresses.
>
> Cisco has a lot of different example configurations. It would help if you
> would post your configuration (making sure you don't leave any
> passwords in the posted version.)
>
> My preliminary conjecture is that you do not have the correct
> ACL for the 'match address' clause of the crypto map.


OK - here are the details:


Warehouse -> T1 to Net to -> DSL -> Store

First config below is warehouse, second is Store.

The warehouse and its T1 connection have been around for years, no
problem, can do a remote VPN in, no problem. We had a DSL line put in
the store, and want to do a permanent VPN PIX to PIX, but I can't seem
to get it to work.

WAREHOUSE PIX :

: Written by enable_15 at 09:16:47.467 CST Mon Nov 22 2004
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname hmkr-pix515e
domain-name jewishsource.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 10.0.1.0 store-net
name 10.0.0.1 h-01-in
name 10.0.0.2 h-02-in
name 10.0.0.6 h-03-in
name 216.146.94.74 h-01-out
name 216.146.94.76 h-02-out
name 216.146.94.75 h-03-out
name 10.0.0.10 h-test-in
name 216.146.94.78 h-test-out
access-list acl-inbound permit tcp any host h-03-out eq www
access-list acl-inbound permit tcp any host h-03-out eq smtp
access-list acl-inbound permit tcp any host h-03-out eq pop3
access-list acl-inbound permit tcp any host h-03-out eq https
access-list acl-inbound permit udp any host h-03-out eq domain
access-list acl-inbound permit tcp any host h-03-out eq domain
access-list acl-inbound permit tcp any host h-03-out eq ftp-data
access-list acl-inbound permit tcp any host h-03-out eq ftp
access-list acl-inbound permit tcp any host h-01-out eq https
access-list acl-inbound permit tcp any host h-01-out eq ftp-data
access-list acl-inbound permit tcp any host h-01-out eq ftp
access-list acl-inbound permit udp any host h-01-out eq domain
access-list acl-inbound permit tcp any host h-01-out eq domain
access-list acl-inbound permit icmp any host h-03-out echo-reply
access-list acl-inbound permit icmp any host h-03-out time-exceeded
access-list acl-inbound permit icmp any host h-01-out echo-reply
access-list acl-inbound permit icmp any host h-01-out time-exceeded
access-list acl-inbound permit udp any host h-01-out eq 407
access-list acl-inbound permit tcp any host h-01-out range 1417 1420
access-list acl-inbound permit tcp any host h-01-out eq www
access-list acl-inbound permit udp any host h-02-out eq 407
access-list acl-inbound permit tcp any host h-02-out range 1417 1420
access-list acl-inbound permit udp any host h-test-out eq 407
access-list acl-inbound permit tcp any host h-test-out range 1417 1420
access-list acl-inbound permit tcp any host h-test-out eq ftp
access-list acl-inbound permit tcp any host h-test-out eq ftp-data
access-list acl-inbound permit tcp any host h-test-out eq www
access-list acl-outbound deny tcp host h-01-in any eq 69
access-list acl-outbound deny udp host h-01-in any eq tftp
access-list acl-outbound permit ip any any log
access-list acl-outbound permit ip host 10.0.0.156 any
access-list acl-outbound permit icmp any any
access-list pptp-vpn permit ip 10.0.0.0 255.255.255.0 192.168.75.0
255.255.255.0
access-list pptp-vpn permit ip 10.0.0.0 255.255.255.0 store-net
255.255.255.0
access-list 90 permit ip 10.0.0.0 255.255.255.0 store-net
255.255.255.0
pager lines 22
logging on
logging host inside h-03-in
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 216.146.94.77 255.255.255.248
ip address inside 10.0.0.253 255.255.255.0
ip address dmz 127.0.0.1 255.255.255.0
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool ptpvpnpool 192.168.75.1-192.168.75.100
ip local pool storepool 10.0.0.75-10.0.0.90
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list pptp-vpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) h-02-out h-02-in netmask 255.255.255.255 1000
700
static (inside,outside) h-03-out h-03-in netmask 255.255.255.255 3000
2100
static (inside,outside) h-01-out h-01-in netmask 255.255.255.255 3000
2100
static (inside,outside) h-test-out h-test-in netmask 255.255.255.255
1000 700
access-group acl-inbound in interface outside
access-group acl-outbound in interface inside
route outside 0.0.0.0 0.0.0.0 216.146.94.73 1
route inside store-net 255.255.255.0 10.0.0.254 2
route inside 10.0.100.0 255.255.255.252 10.0.0.254 1
route inside 192.168.75.0 255.255.255.0 10.0.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
ntp server 10.0.0.100 source inside
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map toStore 20 ipsec-isakmp
crypto map toStore 20 match address 90
crypto map toStore 20 set peer 216.146.67.126
crypto map toStore 20 set transform-set strong
crypto map toStore interface outside
isakmp enable outside
isakmp key ******** address 216.146.67.126 netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
vpngroup STORE address-pool storepool
vpngroup STORE idle-time 1800
vpngroup STORE password ********
telnet 192.168.75.0 255.255.255.0 outside
telnet h-03-in 255.255.255.255 inside
telnet 10.0.0.0 255.0.0.0 inside
telnet 192.168.75.0 255.255.255.0 inside
telnet h-03-in 255.255.255.255 dmz
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 45
management-access inside
console timeout 0
vpdn group clientpptp accept dialin pptp
vpdn group clientpptp ppp authentication pap
vpdn group clientpptp ppp authentication chap
vpdn group clientpptp ppp authentication mschap
vpdn group clientpptp ppp encryption mppe 128 required
vpdn group clientpptp client configuration address local ptpvpnpool
vpdn group clientpptp client configuration dns h-03-in
vpdn group clientpptp pptp echo 60
vpdn group clientpptp client authentication local
vpdn group test accept dialin pptp
vpdn group test ppp authentication pap
vpdn group test ppp authentication chap
vpdn group test ppp authentication mschap
vpdn group test ppp encryption mppe 128 required
vpdn group test client configuration address local storepool
vpdn group test client configuration dns h-03-in
vpdn group test client configuration wins h-03-in
vpdn group test pptp echo 60
vpdn group test client authentication local
vpdn enable outside
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
terminal width 60
Cryptochecksum:ca3c3c87971665b6eaecfcfd5d1b0a2f

hmkr-pix515e(config)# show ver

Cisco PIX Firewall Version 6.3(1)
Cisco PIX Device Manager Version 2.0(2)

Compiled on Wed 19-Mar-03 11:49 by morlee

hmkr-pix515e up 5 days 10 hours

Hardware: PIX-515E, 32 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 0009.e89d.032e, irq 10
1: ethernet1: address is 0009.e89d.032f, irq 11
2: ethernet2: address is 0002.b336.3214, irq 5
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Interfaces: 3
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited

This PIX has a Restricted (R) license.

Serial Number: 806233226 (0x300e248a)
Running Activation Key: 0x78693c37 0x9d9480fd 0x8786de1b 0xd02dfe70
Configuration last modified by enable_15 at 09:17:27.978 CST Mon Nov
22 2004

hmkr-pix515e(config)#


STORE PIX :

pixfirewall(config)# show conf
: Saved
: Written by enable_15 at 11:01:16.877 UTC Mon Nov 22 2004
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name jewishsource.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 80 permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 22
mtu outside 1500
mtu inside 1500
ip address outside 216.146.67.126 255.255.255.252
ip address inside 10.0.1.253 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool remotevpn 10.0.1.50-10.0.1.75
pdm location 10.0.0.0 255.0.0.0 outside
pdm location 216.146.94.76 255.255.255.252 outside
pdm location 10.0.1.0 255.255.255.128 outside
pdm group warehouse-net outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 216.146.67.125 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map toWhouse 10 ipsec-isakmp
crypto map toWhouse 10 match address 80
crypto map toWhouse 10 set peer 216.146.94.77
crypto map toWhouse 10 set transform-set strong
crypto map toWhouse interface outside
isakmp enable outside
isakmp key ******** address 216.146.94.77 netmask 255.255.255.255
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash sha
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400
telnet 10.0.0.0 255.0.0.0 outside
telnet 216.146.94.76 255.255.255.252 outside
telnet 10.0.1.0 255.255.255.0 outside
telnet 10.0.0.0 255.0.0.0 inside
telnet 10.0.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn group remote accept dialin pptp
vpdn group remote ppp authentication pap
vpdn group remote ppp authentication chap
vpdn group remote ppp authentication mschap
vpdn group remote ppp encryption mppe 128 required
vpdn group remote client configuration address local remotevpn
vpdn group remote client configuration dns 10.0.0.6
vpdn group remote pptp echo 60
vpdn group remote client authentication local
vpdn enable outside
terminal width 80
Cryptochecksum:24941c9dc4746595338453bfe3d9ffeb

pixfirewall(config)# show ver

Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 13-Aug-03 13:55 by morlee

pixfirewall up 2 days 19 hours

Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 0011.bb3d.bcea, irq 9
1: ethernet1: address is 0011.bb3d.bceb, irq 10
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 10
Throughput: Unlimited
IKE peers: 10

This PIX has a Restricted (R) license.

Serial Number: 808321753 (0x302e02d9)
Running Activation Key: 0x209b6840 0x01b54239 0x2b3f9100 0xe6cc4495
Configuration last modified by enable_15 at 11:03:21.261 UTC Mon Nov
22 2004

pixfirewall(config)#
 
Steve
      11-23-2004
PES - This may be part of it (it is there currently because there is
a leased line connection to the store currently that I am replacing),
but how does this explain why the STORE Pix does not even SEND any
packets out to try to establish the Crypto SA? I guess my basic
question is - what is it that actually causes the PIX to try to
establish the SAs? And which PIX will start it - or do they both try?

Steve

PES <(E-Mail Removed)> wrote in message news:<41a23ced$(E-Mail Removed)>...
> Steve wrote:
> > (E-Mail Removed)-cnrc.gc.ca (Walter Roberson) wrote in message news:<cnln6h$nv1$(E-Mail Removed)>...
> >
> >>In article <(E-Mail Removed) >,
> >>Steve <(E-Mail Removed)> wrote:
> >>:I have just installed a PIX 501 at a client's site, and am trying to
> >>:establish a VPN with a PIX 515 at another site. My problem is that
> >>:the 501 does not appear to be even attempting to set up the VPN. I
> >>:see absolutely NO traffic coming out of the OUTSIDE interface, and
> >>:when I turn on the ipsec and isakmp debug - there is no output either.
> >>: I know I am connected, because I can ping the remote pix from the 501
> >>:console port. What simple thing have I missed. I have taken the
> >>:confi directly from Cisco's documentation.
> >>
> >>If you took the config *directly* from Cisco's documentation, then
> >>the first problem is that the IP addresses will not match the real world
> >>IP addresses.
> >>
> >>Cisco has a lot of different example configurations. It would help if you
> >>would post your configuration (making sure you don't leave any
> >>passwords in the posted version.)
> >>
> >>My preliminary conjecture is that you do not have the correct
> >>ACL for the 'match address' clause of the crypto map.

> >
> >
> >
> > OK - here are the details:
> >
> >
> > Warehouse - > T1 to Net to - > DSL - > Store
> >
> > First config below is warehouse, second is Store.
> >
> > The warehouse and it's T1 connection have been around for years, no
> > problem, can do a remote VPN in, no problem. We had a DSL line put in
> > the store,and want to do a permanant VPN PIX to PIX, but I can't seem
> > to get it to work.
> >

> I think the line listed below is causing the packets to be dropped. The
> route is back into the interface you would have received the packets on.
> On a Pix this will always cause them to be dropped. If you don't have
> a 10.0.1.x behind the warehouse pix, you need to remove the following line.
>
> route inside store-net 255.255.255.0 10.0.0.254 2
>
> Now the packets should route properly. The crypto should then be
> applied and an association formed. This may not be everything, but we
> need to get the packets to the right interface so we can troubleshoot
> the vpn.
>

 
PES
      11-23-2004
Steve wrote:
> PES - This may be part of it (it is there currently because there is
> a leased line connection to the store currently that I am replacing),
> but how does this explain why the STORE Pix does not even SEND any
> packets out to try to establish the Crypto SA?


The pix must first have a route that matches the packet. In most cases
it is the default gateway or 0 route. As a packet is handled by the
interface (in most cases the outside), the parameters are applied based
on the crypto map. At that point, an established tunnel will be used.
If no tunnel is in place, but the packet matches a crypto policy, an
attempt for establishment will be made. If one cannot be made the
transmission will be lost and the next packet will restart the operation.

> I guess my basic
> question is - what is it that actually causes the PIX to try to
> establish the SAs?


A packet matching a crypto policy leaving an interface with that
associated crypto policy.

> And which PIX will start it - or do they both try?
>


The pix with the first packet going through it. Neither will try on
their own. Either will try if they have a packet flowing through the
correct interface that matches a crypto acl.

<SNIP>




--
-------------------------
Paul Stewart
Lexnet Inc.
Email address is in ROT13
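The decision PES describes (route lookup first, then the crypto map on the egress interface, then the crypto ACL) is easy to get wrong by eye, so here is a small Python model of it. This is an added example, not code from the thread or from Cisco: the `Pix`, `Route` and `CryptoEntry` classes and all function names are invented here, and the routing tables and crypto ACLs are approximations built from the two posted configs (connected routes are derived from the posted interface masks, including the `255.0.0.0` inside mask on the store 501). It also generalises one step beyond PES's reply by modelling a crypto-map entry with no `set peer` as one that never initiates and only uses an SA the peer has already built.

```python
"""Toy model of how a PIX 6.x decides whether to start an IPsec SA.

Added example, not from the thread: encodes the rules PES states and
applies them to the address plan posted in the thread.  Routes and ACLs
are approximations of the posted configs; class and function names are
made up for this illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Route:
    prefix: IPv4Network   # destination prefix (connected routes come from the interface mask)
    iface: str            # egress interface


@dataclass
class CryptoEntry:
    seq: int
    match_acl: List[Tuple[IPv4Network, IPv4Network]]   # permitted (src, dst) pairs
    peer: Optional[str]   # None models a dynamic-map entry: no 'set peer'


@dataclass
class Pix:
    name: str
    routes: List[Route]
    crypto_iface: str                # interface the crypto map is bound to
    crypto_map: List[CryptoEntry]

    def lookup(self, dst: IPv4Address) -> Optional[Route]:
        """Longest-prefix match over the routing table."""
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def handle(self, src: str, dst: str, ingress: str) -> Tuple[str, str]:
        """What the PIX does with a packet that arrived on `ingress`.

        Order follows PES's reply: route first, then the crypto map on the
        egress interface, then the crypto ACL.
        """
        s, d = ip_address(src), ip_address(dst)
        route = self.lookup(d)
        if route is None:
            return ("drop", "no route")
        if route.iface == ingress:
            # PIX 6.x does not send traffic back out the interface it came in on
            return ("drop", f"route for {dst} points back out {ingress}")
        if route.iface != self.crypto_iface:
            return ("forward-clear", f"egress {route.iface} has no crypto map")
        for e in self.crypto_map:
            if any(s in acl_src and d in acl_dst for acl_src, acl_dst in e.match_acl):
                if e.peer is None:
                    return ("wait-for-peer", f"seq {e.seq} is dynamic: never initiates")
                return ("initiate", f"seq {e.seq}: IKE to {e.peer}")
        return ("forward-clear", "no crypto ACL match")


def warehouse_pix(store_route: bool = True) -> Pix:
    """Warehouse 515E as posted; store_route=False models removing the
    'route inside store-net 255.255.255.0 10.0.0.254 2' line PES flagged."""
    routes = [
        Route(ip_network("0.0.0.0/0"), "outside"),
        Route(ip_network("216.146.94.72/29"), "outside"),   # connected: 216.146.94.77/29
        Route(ip_network("10.0.0.0/24"), "inside"),         # connected: 10.0.0.253/24
        Route(ip_network("192.168.75.0/24"), "inside"),
    ]
    if store_route:
        routes.append(Route(ip_network("10.0.1.0/24"), "inside"))
    acl_90 = [(ip_network("10.0.0.0/24"), ip_network("10.0.1.0/24"))]
    return Pix("hmkr-pix515e", routes, "outside", [CryptoEntry(20, acl_90, "216.146.67.126")])


def store_pix(inside_mask: str = "255.0.0.0") -> Pix:
    """Store 501 as posted ('ip address inside 10.0.1.253 255.0.0.0'); pass a
    different mask to see how the connected route changes the decision."""
    routes = [
        Route(ip_network("0.0.0.0/0"), "outside"),
        Route(ip_network("216.146.67.124/30"), "outside"),  # connected: 216.146.67.126/30
        Route(ip_network(f"10.0.1.253/{inside_mask}", strict=False), "inside"),  # connected
    ]
    acl_80 = [(ip_network("10.0.1.0/24"), ip_network("10.0.0.0/24"))]
    return Pix("pixfirewall", routes, "outside", [CryptoEntry(10, acl_80, "216.146.94.77")])


def dynamic_map_pix() -> Pix:
    """Hypothetical hub whose only crypto-map entry has no 'set peer'."""
    routes = [Route(ip_network("0.0.0.0/0"), "outside"), Route(ip_network("10.0.0.0/24"), "inside")]
    acl = [(ip_network("10.0.0.0/24"), ip_network("10.0.1.0/24"))]
    return Pix("hub", routes, "outside", [CryptoEntry(10, acl, None)])


if __name__ == "__main__":
    for pix, src, dst in [(warehouse_pix(), "10.0.0.6", "10.0.1.10"),
                          (warehouse_pix(store_route=False), "10.0.0.6", "10.0.1.10"),
                          (store_pix(), "10.0.1.10", "10.0.0.6"),
                          (store_pix("255.255.255.0"), "10.0.1.10", "10.0.0.6"),
                          (dynamic_map_pix(), "10.0.0.6", "10.0.1.10")]:
        print(pix.name, src, "->", dst, pix.handle(src, dst, "inside"))
```

Running it shows the same thing from both ends: as posted, a warehouse host's packet to the store and a store host's packet to the warehouse both resolve to a route out the inside interface they arrived on, so the crypto map on outside never sees them and no IKE exchange is attempted. Only when the route resolves to outside and the packet matches the crypto ACL does the model return `initiate`, and a dynamic entry returns `wait-for-peer` instead.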
 
Walter Roberson
      11-23-2004
In article <41a3398f$(E-Mail Removed)>, PES <(E-Mail Removed)> wrote:
:Steve wrote:
:> And which PIX will start it - or do they both try?


:The pix with the first packet going through it. Neither will try on
:their own. Either will try if they have a packet flowing through the
:correct interface that matches a crypto acl.

Given the context, it might be worth mentioning crypto dynamic maps.

A PIX which has been set up with a pure [and complete] crypto map
entry will attempt to contact its peer when there is traffic matching
the 'match address' acl (default if there is no "match address" is
to try to send *all* traffic over the VPN.)

A PIX can also be set up with a "dynamic" crypto map configuration,
which consists of at least one 'crypto dynamic-map' entry that
is imported into a normal 'crypto map'. When a dynamic map is
configured, typically no 'set peer' clause would appear, and often
no 'match address' clause appears either. Dynamic map entries never
attempt to start a new connection when there is "interesting" traffic,
but they will use an existing SA if it has already been built. The SA
would be built by the other side contacting the device that has
been configured for a dynamic map.

For example, I want a site-to-site VPN between my house and my
workplace. I cannot configure a 'set peer' on the PIX at my
workplace because my IP at home changes at least once a week,
at times that are basically unpredictable (the provider doesn't
even seem to wait for a pppoe lease to expire.) I can, though,
configure a 'set peer' on the PIX at home, because the IP address
of my workplace is static. To handle this situation, I configure
a regular "crypto map" setup at home, but at work I create a
crypto dynamic-map, which sets out the transforms for the connection
and leaves the endpoint address unspecified. Work cannot start a new
connection to my home because it wouldn't know the current IP, but
work will happily talk to the device at home for days once the device
at my home has connected to work upon the device at home detecting
that it had interesting traffic to send in.


If you are in a situation where you don't know the IP address of
the remote end ahead of time, and you must be able to initiate
connections towards that remote device, then either "Don't DO that!"
or else find some out-of-band method of signalling the remote end
to start a connection back.

[Back when I used dialup from home, I set the idle time fairly short,
about 2 minutes, but I had a cron job that fired about every 1/2 hour
that would trigger a dialup to work by requesting a ping with 10
packets. If I was at work and I needed to fetch something from home,
I would start a continuous ping at work targeting the host at
home; when the regular crontab firing at home caused home to
connect to work, the continuous ping going on from work would be
enough traffic to keep the dialup connection going until I got around
to doing whatever I needed to over the link and killing the ping.]
--
Come to think of it, there are already a million monkeys on a million
typewriters, and Usenet is NOTHING like Shakespeare. -- Blair Houghton.

Steve
      11-23-2004
Peter/Walter - everything that the 2 of you said makes perfect sense, but I
am still stuck. Here is what I did. I changed the STORE pix to be on
subnet 10.0.2.x (inside address 10.0.2.253), and hooked up a pc to it at
10.0.2.10. I then changed the relevant access-list entries and still no go.
I configured the PC to use 10.0.2.253 as its gateway. It has 10.0.0.6 as
its DNS, so any net access should cause it to do a DNS lookup, which is on
the warehouse side, so my assumption is that this should start up the
tunnel - but it does not appear to do so. Also, I have tried to access the
10.0.2.10 PC from the warehouse. Here are the relevant lines from the
Warehouse PIX:
<snip>
name 10.0.2.0 store-net2
<snip>
access-list 90 permit ip 10.0.0.0 255.255.255.0 store-net2 255.255.255.0

<snip>
global (outside) 1 interface
nat (inside) 0 access-list pptp-vpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) h-02-out h-02-in netmask 255.255.255.255 1000 700
static (inside,outside) h-03-out h-03-in netmask 255.255.255.255 3000 2100
static (inside,outside) h-01-out h-01-in netmask 255.255.255.255 3000 2100
static (inside,outside) h-test-out h-test-in netmask 255.255.255.255 1000
700
access-group acl-inbound in interface outside
access-group acl-outbound in interface inside
route outside 0.0.0.0 0.0.0.0 216.146.94.73 1
route inside store-net 255.255.255.0 10.0.0.254 2
route inside 10.0.100.0 255.255.255.252 10.0.0.254 1
route inside 192.168.75.0 255.255.255.0 10.0.0.254 1

<snip>
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map toStore 20 ipsec-isakmp
crypto map toStore 20 match address 90
crypto map toStore 20 set peer 216.146.67.126
crypto map toStore 20 set transform-set strong
crypto map toStore interface outside
isakmp enable outside
isakmp key ******** address 216.146.67.126 netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400

<snip>

and here is the output from a show crypto ipsec sa:
interface: outside
Crypto map tag: toStore, local addr. 216.146.94.77

local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (store-net2/255.255.255.0/0/0)
current_peer: 216.146.67.126:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress
failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 216.146.94.77, remote crypto endpt.:
216.146.67.126
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0

inbound esp sas:


inbound ah sas:


inbound pcp sas:


outbound esp sas:


outbound ah sas:


outbound pcp sas:


What do I look for next???

Thanks,
Steve



"Walter Roberson" <(E-Mail Removed)-cnrc.gc.ca> wrote in message
news:cnvfmi$iml$(E-Mail Removed)...
> In article <41a3398f$(E-Mail Removed)>, PES <(E-Mail Removed)> wrote:
> :Steve wrote:
> :> And which PIX will start it - or do they both try?
>
>
> :The pix with the first packet going through it. Neither will try on
> :their own. Either will try if they have a packet flowing through the
> :correct interface that matches a crypto acl.
>
> Given the context, it might be worth mentioning crypto dynamic maps.


<snip>
I know the IPs and they are fixed.

PES
      11-23-2004
Steve wrote:
> Peter/Walter - everything that the 2 of you said makes perfect sense, but I
> am still stuck. Here is what I did. I changed the STORE pix to be on
> subnet 10.0.2.x (inside address 10.0.2.253), and hooked up a pc to it at
> 10.0.2.10. I then changed the relevant access-list entries and still no go.
> I configured the PC to use 10.0.2.253 as its gateway. It has 10.0.0.6 as
> its DNS, so any net access should cause it to do a DNS lookup, which is on
> the warehouse side, so my assumption is that this should start up the
> tunnel - but it does not appear to do so. Also, I have tried to access the
> 10.0.2.10 PC from the warehouse. Here are the relevant lines from the
> Warehouse PIX:
> <snip>
> name 10.0.2.0 store-net2
> <snip>
> access-list 90 permit ip 10.0.0.0 255.255.255.0 store-net2 255.255.255.0
>
> <snip>
> global (outside) 1 interface
> nat (inside) 0 access-list pptp-vpn
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> static (inside,outside) h-02-out h-02-in netmask 255.255.255.255 1000 700
> static (inside,outside) h-03-out h-03-in netmask 255.255.255.255 3000 2100
> static (inside,outside) h-01-out h-01-in netmask 255.255.255.255 3000 2100
> static (inside,outside) h-test-out h-test-in netmask 255.255.255.255 1000
> 700
> access-group acl-inbound in interface outside
> access-group acl-outbound in interface inside
> route outside 0.0.0.0 0.0.0.0 216.146.94.73 1
> route inside store-net 255.255.255.0 10.0.0.254 2
> route inside 10.0.100.0 255.255.255.252 10.0.0.254 1
> route inside 192.168.75.0 255.255.255.0 10.0.0.254 1
>
> <snip>
> sysopt connection permit-ipsec
> sysopt connection permit-pptp
> crypto ipsec transform-set strong esp-3des esp-sha-hmac
> crypto map toStore 20 ipsec-isakmp
> crypto map toStore 20 match address 90
> crypto map toStore 20 set peer 216.146.67.126
> crypto map toStore 20 set transform-set strong
> crypto map toStore interface outside
> isakmp enable outside
> isakmp key ******** address 216.146.67.126 netmask 255.255.255.255
> isakmp nat-traversal 20
> isakmp policy 9 authentication pre-share
> isakmp policy 9 encryption 3des
> isakmp policy 9 hash sha
> isakmp policy 9 group 1
> isakmp policy 9 lifetime 86400
>
> <snip>
>
> and here is the output from a show crypto ipsec sa:
> interface: outside
> Crypto map tag: toStore, local addr. 216.146.94.77
>
> local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
> remote ident (addr/mask/prot/port): (store-net2/255.255.255.0/0/0)
> current_peer: 216.146.67.126:0
> PERMIT, flags={origin_is_acl,}
> #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
> #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
> #pkts compressed: 0, #pkts decompressed: 0
> #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress
> failed: 0
> #send errors 0, #recv errors 0
>
> local crypto endpt.: 216.146.94.77, remote crypto endpt.:
> 216.146.67.126
> path mtu 1500, ipsec overhead 0, media mtu 1500
> current outbound spi: 0
>
> inbound esp sas:
>
>
> inbound ah sas:
>
>
> inbound pcp sas:
>
>
> outbound esp sas:
>
>
> outbound ah sas:
>
>
> outbound pcp sas:
>
>
> What do I look for next???
>
> Thanks,
> Steve
>
>
>
> "Walter Roberson" <(E-Mail Removed)-cnrc.gc.ca> wrote in message
> news:cnvfmi$iml$(E-Mail Removed)...
>
>>In article <41a3398f$(E-Mail Removed)>, PES <(E-Mail Removed)> wrote:
>
>>:Steve wrote:
>>:> And which PIX will start it - or do they both try?
>>
>>
>>:The pix with the first packet going through it. Neither will try on
>>:their own. Either will try if they have a packet flowing through the
>>:correct interface that matches a crypto acl.
>>
>>Given the context, it might be worth mentioning crypto dynamic maps.

>
>
> <snip>
> I know the IPs and they are fixed.


At this point, the line "route inside store-net 255.255.255.0 10.0.0.254
2" is preventing your packets to 10.0.2.x from getting to the crypto
process running and bound on the outside. If you remove it and it uses
the default gateway, we should get packets on the sa or at least errors.

--
-------------------------
Paul Stewart
Lexnet Inc.
Email address is in ROT13
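The order of operations PES and Walter describe above (route lookup first, then the crypto map bound to the egress interface, and dynamic-map entries that never initiate) can be modelled in a few lines. This is an added example, not Cisco code or anything from the thread's posters; the routes, ACL and addresses are copied from the Warehouse PIX config posted above, and the assumption that the name `store-net` resolves to 10.0.2.0 is taken from PES's diagnosis, since the `name` line for it is not in the posted snippet.

```python
"""Model of when a PIX initiates an IPsec SA (added example, not Cisco code)."""
from ipaddress import ip_address, ip_network

# Names from the posted config; store-net -> 10.0.2.0 is an assumption
# inferred from PES's diagnosis (its 'name' line was snipped from the post).
NAMES = {"store-net2": "10.0.2.0", "store-net": "10.0.2.0"}


def parse_route(line):
    """'route <iface> <net> <mask> <gw> <metric>' -> (iface, network, metric)."""
    _, iface, net, mask, _gw, metric = line.split()
    return iface, ip_network(f"{NAMES.get(net, net)}/{mask}"), int(metric)


def egress_interface(dst, routes):
    """Longest-prefix match (lowest metric on ties): the route lookup that
    happens before any crypto-map processing is considered."""
    best = None
    for iface, net, metric in (parse_route(r) for r in routes):
        if ip_address(dst) in net and (
            best is None or (net.prefixlen, -metric) > (best[1].prefixlen, -best[2])
        ):
            best = (iface, net, metric)
    return best[0] if best else None


def acl_matches(src, dst, acl_line):
    """'access-list <n> permit ip <src> <mask> <dst> <mask>' -> bool."""
    tok = acl_line.split()
    s = ip_network(f"{NAMES.get(tok[4], tok[4])}/{tok[5]}")
    d = ip_network(f"{NAMES.get(tok[6], tok[6])}/{tok[7]}")
    return tok[2] == "permit" and ip_address(src) in s and ip_address(dst) in d


def would_initiate(src, dst, routes, crypto_map):
    """True only if this packet will make the PIX start IKE/IPsec negotiation."""
    if egress_interface(dst, routes) != crypto_map["interface"]:
        return False  # packet never reaches the interface the map is bound to
    if crypto_map.get("dynamic"):
        return False  # dynamic-map entries accept SAs but never initiate them
    return acl_matches(src, dst, crypto_map["match_acl"])


WAREHOUSE_ROUTES = [  # from the posted config
    "route outside 0.0.0.0 0.0.0.0 216.146.94.73 1",
    "route inside store-net 255.255.255.0 10.0.0.254 2",
]
TO_STORE = {"interface": "outside", "peer": "216.146.67.126",
            "match_acl": "access-list 90 permit ip 10.0.0.0 255.255.255.0 store-net2 255.255.255.0"}

if __name__ == "__main__":
    print(would_initiate("10.0.0.6", "10.0.2.10", WAREHOUSE_ROUTES, TO_STORE))      # False
    print(would_initiate("10.0.0.6", "10.0.2.10", WAREHOUSE_ROUTES[:1], TO_STORE))  # True
```

With the inside route present the DNS reply from 10.0.0.6 to 10.0.2.10 is sent out the inside interface and never touches the crypto map, matching the all-zero counters in the `show crypto ipsec sa` output; with only the default route it reaches the outside interface, matches ACL 90 and triggers negotiation.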