Velocity Reviews - Computer Hardware Reviews

Issue with PIX to Route VPN

 
 
VeeDub
11-05-2006
Hi

I am setting up a test VPN between a PIX 515 and 1841 Router running
Firewall IOS. The Tunnel seems to come up fine and is encrypting
traffic on the router side but there seems to be an issue on the PIX
side as it does not seem to be encrypting/decrypting. I have checked
the ACL used in the crypto map on the PIX and it seems to be fine. Can
anyone help from the following configuration?

_____________________________________________________________
PIX

PIX# sh run
: Saved
:
PIX Version 7.0(1)
names
!
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
!
interface Ethernet2
speed 100
duplex full
nameif dmz
security-level 50
ip address 172.16.1.1 255.255.255.0
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX
ftp mode passive
access-list CRYPTO-ACL extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip audit name INFOPOLICY info action alarm reset
ip audit interface inside INFOPOLICY
ip audit signature 4052 disable
no failover
monitor-interface outside
monitor-interface inside
monitor-interface dmz
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set TEST-TS esp-3des esp-sha-hmac
crypto map RTR 10 match address CRYPTO-ACL
crypto map RTR 10 set peer 192.168.2.2
crypto map RTR 10 set transform-set TEST-TS
crypto map RTR interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group 192.168.2.2 type ipsec-l2l
tunnel-group 192.168.2.2 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:d329d214da16974fe6a4972319bc7dc2
: end

_____________________________________________________________
1841 Router

TR# sh run
Building configuration...

Current configuration : 1544 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTR
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
no ip dhcp use vrf connected
!
ip inspect name OUTBOUND icmp
ip inspect name OUTBOUND http
no ip ips deny-action ips-interface
!
crypto isakmp policy 110
encr 3des
authentication pre-share
group 5
crypto isakmp key cisco address 192.168.1.2
!
crypto ipsec transform-set MINE esp-3des esp-sha-hmac
!
crypto map PIX-VPN 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set MINE
match address ENCR-ACL
!!
interface FastEthernet0/0
ip address 192.168.2.2 255.255.255.0
duplex auto
speed auto
crypto map PIX-VPN
!
interface FastEthernet0/1
ip address 10.0.2.1 255.255.255.0
ip inspect OUTBOUND in
duplex auto
speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Vlan1
no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
ip http server
no ip http secure-server
!
ip access-list extended ACCESS-SRV
permit icmp any host 10.0.2.10
ip access-list extended ENCR-ACL
permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
ip access-list extended INBOUND-BLOCK
deny ip any any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login
!
end

RTR#
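As an added example (not code from the thread or from either poster), the Python script below parses the crypto-relevant lines of the two configurations posted above and checks the things a PIX-to-IOS site-to-site tunnel needs before any traffic is encrypted: peer addresses that point at each other, mirror-image crypto ACLs (the PIX uses subnet masks, IOS uses wildcard masks), a common IPsec transform set, and at least one ISAKMP policy pair agreeing on encryption, hash, authentication and DH group (lifetime may differ). The config excerpts are transcribed from the posts as constructed test input, with IOS indentation restored; the ACL names CRYPTO-ACL and ENCR-ACL come from the page, and the ISAKMP_DEFAULTS dict is an assumption taken from the documented IOS defaults (every PIX policy above sets all four attributes explicitly, so it does not affect the result). Run on these configs it reports no mismatch, which is consistent with looking at the platform rather than the crypto parameters; it also shows that applying a group-2 change on the router alone would still match the PIX's policy 65535.

```python
import ipaddress
import re

# Crypto-relevant excerpts transcribed from the two configs in the thread
# (constructed input for this example; IOS indentation restored).
PIX_CONFIG = """\
ip address 192.168.1.2 255.255.255.0
access-list CRYPTO-ACL extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
crypto ipsec transform-set TEST-TS esp-3des esp-sha-hmac
crypto map RTR 10 set peer 192.168.2.2
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
"""
IOS_CONFIG = """\
crypto isakmp policy 110
 encr 3des
 authentication pre-share
 group 5
crypto ipsec transform-set MINE esp-3des esp-sha-hmac
crypto map PIX-VPN 10 ipsec-isakmp
 set peer 192.168.1.2
interface FastEthernet0/0
 ip address 192.168.2.2 255.255.255.0
ip access-list extended ENCR-ACL
 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
"""
# Assumption: documented IOS defaults for an ISAKMP policy, applied to the PIX as
# well (every PIX policy above sets all four explicitly, so this is not exercised).
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
NEGOTIATED = ("encr", "hash", "authentication", "group")   # lifetime may legitimately differ
ALIAS = {"encryption": "encr"}                              # PIX keyword -> IOS keyword

def _net(addr, mask):
    # ipaddress accepts a subnet mask (PIX syntax) or a wildcard mask (IOS syntax).
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def pix_acl(cfg, name):
    """(src, dst) network pairs permitted by a PIX 7.x extended ACL."""
    pat = rf"^access-list {re.escape(name)} extended permit ip (\S+) (\S+) (\S+) (\S+)"
    return {(_net(a, b), _net(c, d)) for a, b, c, d in re.findall(pat, cfg, re.M)}

def ios_acl(cfg, name):
    """(src, dst) network pairs permitted by an IOS named extended ACL."""
    body = cfg.split(f"ip access-list extended {name}\n", 1)[1]      # lines after the header
    body = re.split(r"^\S", body, maxsplit=1, flags=re.M)[0]          # stop at next unindented line
    pat = r"^ permit ip (\S+) (\S+) (\S+) (\S+)"
    return {(_net(a, b), _net(c, d)) for a, b, c, d in re.findall(pat, body, re.M)}

def pix_isakmp_policies(cfg):
    """{priority: {attr: value}} from flat 'isakmp policy N attr value' lines."""
    pols = {}
    for pri, attr, val in re.findall(r"^isakmp policy (\d+) (\S+) (\S+)", cfg, re.M):
        pols.setdefault(pri, dict(ISAKMP_DEFAULTS))[ALIAS.get(attr, attr)] = val
    return pols

def ios_isakmp_policies(cfg):
    """{priority: {attr: value}} from indented 'crypto isakmp policy N' blocks."""
    pols, cur = {}, None
    for raw in cfg.splitlines():
        if raw.startswith("crypto isakmp policy "):
            cur = pols.setdefault(raw.split()[-1], dict(ISAKMP_DEFAULTS))
        elif cur is not None and raw.startswith(" "):
            attr, _, val = raw.strip().partition(" ")
            cur[ALIAS.get(attr, attr)] = val
        else:
            cur = None                # any unindented line closes the policy block
    return pols

def matching_policies(pix, ios):
    """Sorted (pix_priority, ios_priority) pairs that agree on every negotiated attribute."""
    return sorted((p, i) for p, pp in pix.items() for i, ip in ios.items()
                  if all(pp[k] == ip[k] for k in NEGOTIATED))

def transform_sets(cfg):
    """{name: frozenset(transforms)}; the syntax is the same on PIX and IOS."""
    return {n: frozenset(t.split()) for n, t in
            re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M)}

def check(pix_cfg, ios_cfg, pix_acl_name="CRYPTO-ACL", ios_acl_name="ENCR-ACL"):
    """List of mismatches that would keep traffic from being encrypted; empty means consistent."""
    findings = []
    addrs = lambda c: set(re.findall(r"^\s*ip address (\S+) ", c, re.M))
    peers = lambda c: set(re.findall(r"set peer (\S+)", c))
    if not peers(pix_cfg) & addrs(ios_cfg) or not peers(ios_cfg) & addrs(pix_cfg):
        findings.append("peer addresses do not point at each other")
    mirrored = {(d, s) for s, d in ios_acl(ios_cfg, ios_acl_name)}   # swap src/dst
    if pix_acl(pix_cfg, pix_acl_name) != mirrored:
        findings.append("crypto ACLs are not mirror images")
    if not set(transform_sets(pix_cfg).values()) & set(transform_sets(ios_cfg).values()):
        findings.append("no common IPsec transform set")
    if not matching_policies(pix_isakmp_policies(pix_cfg), ios_isakmp_policies(ios_cfg)):
        findings.append("no ISAKMP policy pair agrees on encryption/hash/auth/group")
    return findings
```

Calling `check(PIX_CONFIG, IOS_CONFIG)` returns an empty list for the posted configs; editing one side (for example changing the router's DH group or the ENCR-ACL destination) makes the corresponding finding appear, which is the quick test to run before suspecting the platform.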

 
Walter Roberson
11-05-2006
In article <(E-Mail Removed) .com>,
VeeDub <(E-Mail Removed)> wrote:

>I am setting up a test VPN between a PIX 515 and 1841 Router running
>Firewall IOS. The Tunnel seems to come up fine and is encrypting
>traffic on the router side but there seems to be an issue on the PIX
>side as it does not seem to be encrypting/decrypting. I have checked
>the ACL used in the crypto map on the PIX and it seems to be fine. Can
>anyone help from the following configuration?


>PIX Version 7.0(1)


Hmmm, lots and lots of bugs associated with that version.


>isakmp policy 10 authentication pre-share
>isakmp policy 10 encryption 3des
>isakmp policy 10 hash sha
>isakmp policy 10 group 5


Try knocking the transmitter down to group 2 -- 3DES group 5 is
unusual enough that it might tickle one of the many bugs in 7.0(1).
 
VeeDub
11-06-2006
I will give that a shot Walter. Can you tell me though why you think
the 3DES/DH-5 is an unusual combination?

Thanks


Brian V
11-06-2006

"VeeDub" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
>I will give that a shot Walter. Can you tell me though why you think
> the 3DES/DH-5 is an unusual combination?
>
> Thanks

Because the standard in our industry is group 1 or group 2, group 2 for
almost 99% of what we do.


 