Cisco PIX to PIX VPN issue

Discussion in 'Cisco' started by Michelle J W, Mar 19, 2008.

  1. Michelle J W

    Michelle J W Guest

    I have a client with two locations that I'm setting up a point-to-point
    VPN. The tunnel was up and idle earlier today, it's nonexistent
    now, and I'm out of ideas. At no time was I able to ping across the
    PIX's.

    Pix #1 also has a VPN config for remote clients that works fine.

    Here's pertinent info from each config:

    PIX #1
    name 192.168.1.0 CRVSH
    access-list nonat permit ip 10.0.0.0 255.255.255.0 172.16.10.0 255.255.255.0
    access-list nonat permit ip 10.0.0.0 255.255.255.0 CRVSH 255.255.255.0
    access-list 101 permit ip 10.0.0.0 255.255.255.0 CRVSH 255.255.255.0
    ip address outside 66.x.x.247 255.255.255.0
    ip address inside 10.0.0.254 255.255.255.0
    ip local pool ipsec-pool 172.16.10.1-172.16.10.50
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 66.x.x.1 1
    sysopt connection permit-ipsec
    no sysopt route dnat
    auth-prompt prompt "You are entering a secure site"
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto ipsec transform-set crvshvpnts esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map crvshvpn 1 ipsec-isakmp
    crypto map crvshvpn 1 match address 101
    crypto map crvshvpn 1 set peer 69.x.x.74
    crypto map crvshvpn 1 set transform-set crvshvpnts
    crypto map crvshvpn interface outside
    isakmp enable outside
    isakmp key ******** address 69.x.x.74 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption des
    isakmp policy 1 hash md5
    isakmp policy 1 group 1
    isakmp policy 1 lifetime 1000
    isakmp policy 8 authentication rsa-sig
    isakmp policy 8 encryption des
    isakmp policy 8 hash sha
    isakmp policy 8 group 1
    isakmp policy 8 lifetime 86400
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup xrrv address-pool ipsec-pool
    vpngroup xrrv dns-server x.x.x.x x.x.x.x
    vpngroup xrrv wins-server 10.0.0.2
    vpngroup xrrv default-domain x
    vpngroup xrrv idle-time 1800
    vpngroup xrrv password ********


    PIX #2
    names
    name 10.0.0.0 CRVRFD
    access-list 101 permit ip 192.168.1.0 255.255.255.0 CRVRFD 255.255.255.0
    access-list nonat permit ip 192.168.1.0 255.255.255.0 CRVRFD 255.255.255.0
    ip address outside 69.x.x.74 255.255.255.248
    ip address inside 192.168.1.1 255.255.255.0
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group 110 in interface outside
    route outside 0.0.0.0 0.0.0.0 69.x.x.73 1
    sysopt connection permit-ipsec
    crypto ipsec transform-set crvshvpnts esp-des esp-md5-hmac
    crypto map crvshvpn 1 ipsec-isakmp
    crypto map crvshvpn 1 match address 101
    crypto map crvshvpn 1 set peer 66.x.x.247
    crypto map crvshvpn 1 set transform-set crvshvpnts
    crypto map crvshvpn interface outside
    isakmp enable outside
    isakmp key ******** address 66.x.x.247 netmask 255.255.255.255
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption des
    isakmp policy 1 hash md5
    isakmp policy 1 group 1
    isakmp policy 1 lifetime 1000

    According to my directions from the Cisco site, it looks like I have
    everything I need. The tunnel was up when I did a show crypto isakmp
    sa earlier today, but now it's not showing in the list. My brain is
    fried, and I need a little help. Can someone help shed some light on
    what I've done wrong?

    Michelle
     
    Michelle J W, Mar 19, 2008
    #1

  2. networkzman

    networkzman Guest

    On Mar 19, 3:02 am, Michelle J W <> wrote:
    > I have a client with two locations that I'm setting up a point-to-point
    > VPN. The tunnel was up and idle earlier today, it's nonexistent
    > now, and I'm out of ideas. At no time was I able to ping across the
    > PIX's.
    >
    > Pix #1 also has a VPN config for remote clients that works fine.
    >
    > Here's pertinent info from each config:
    >
    > PIX #1
    > name 192.168.1.0 CRVSH
    > access-list nonat permit ip 10.0.0.0 255.255.255.0 172.16.10.0 255.255.255.0
    > access-list nonat permit ip 10.0.0.0 255.255.255.0 CRVSH 255.255.255.0
    > access-list 101 permit ip 10.0.0.0 255.255.255.0 CRVSH 255.255.255.0
    > ip address outside 66.x.x.247 255.255.255.0
    > ip address inside 10.0.0.254 255.255.255.0
    > ip local pool ipsec-pool 172.16.10.1-172.16.10.50
    > global (outside) 1 interface
    > nat (inside) 0 access-list nonat
    > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > route outside 0.0.0.0 0.0.0.0 66.x.x.1 1
    > sysopt connection permit-ipsec
    > no sysopt route dnat
    > auth-prompt prompt "You are entering a secure site"
    > crypto ipsec transform-set myset esp-des esp-md5-hmac
    > crypto ipsec transform-set crvshvpnts esp-des esp-md5-hmac
    > crypto dynamic-map dynmap 10 set transform-set myset
    > crypto map crvshvpn 1 ipsec-isakmp
    > crypto map crvshvpn 1 match address 101
    > crypto map crvshvpn 1 set peer 69.x.x.74
    > crypto map crvshvpn 1 set transform-set crvshvpnts
    > crypto map crvshvpn interface outside
    > isakmp enable outside
    > isakmp key ******** address 69.x.x.74 netmask 255.255.255.255
    > isakmp identity address
    > isakmp policy 1 authentication pre-share
    > isakmp policy 1 encryption des
    > isakmp policy 1 hash md5
    > isakmp policy 1 group 1
    > isakmp policy 1 lifetime 1000
    > isakmp policy 8 authentication rsa-sig
    > isakmp policy 8 encryption des
    > isakmp policy 8 hash sha
    > isakmp policy 8 group 1
    > isakmp policy 8 lifetime 86400
    > isakmp policy 10 authentication pre-share
    > isakmp policy 10 encryption des
    > isakmp policy 10 hash md5
    > isakmp policy 10 group 2
    > isakmp policy 10 lifetime 86400
    > vpngroup xrrv address-pool ipsec-pool
    > vpngroup xrrv dns-server x.x.x.x x.x.x.x
    > vpngroup xrrv wins-server 10.0.0.2
    > vpngroup xrrv default-domain x
    > vpngroup xrrv idle-time 1800
    > vpngroup xrrv password ********
    >
    > PIX #2
    > names
    > name 10.0.0.0 CRVRFD
    > access-list 101 permit ip 192.168.1.0 255.255.255.0 CRVRFD 255.255.255.0
    > access-list nonat permit ip 192.168.1.0 255.255.255.0 CRVRFD 255.255.255.0
    > ip address outside 69.x.x.74 255.255.255.248
    > ip address inside 192.168.1.1 255.255.255.0
    > global (outside) 1 interface
    > nat (inside) 0 access-list nonat
    > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > access-group 110 in interface outside
    > route outside 0.0.0.0 0.0.0.0 69.x.x.73 1
    > sysopt connection permit-ipsec
    > crypto ipsec transform-set crvshvpnts esp-des esp-md5-hmac
    > crypto map crvshvpn 1 ipsec-isakmp
    > crypto map crvshvpn 1 match address 101
    > crypto map crvshvpn 1 set peer 66.x.x.247
    > crypto map crvshvpn 1 set transform-set crvshvpnts
    > crypto map crvshvpn interface outside
    > isakmp enable outside
    > isakmp key ******** address 66.x.x.247 netmask 255.255.255.255
    > isakmp policy 1 authentication pre-share
    > isakmp policy 1 encryption des
    > isakmp policy 1 hash md5
    > isakmp policy 1 group 1
    > isakmp policy 1 lifetime 1000
    >
    > According to my directions from the Cisco site, it looks like I have
    > everything I need. The tunnel was up when I did a show crypto isakmp
    > sa earlier today, but now it's not showing in the list. My brain is
    > fried, and I need a little help. Can someone help shed some light on
    > what I've done wrong?
    >
    > Michelle


    As you say that it was working, just try changing the pre-shared key
    on both the peers.
    You could check what the status of the tunnel is and try doing a
    debug:

    show crypto isakmp sa
    debug crypto isakmp
    debug crypto ipsec

    paste the output over here, if it still has issues.

    thanks
     
    networkzman, Mar 20, 2008
    #2
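Before reaching for debug output, the two configs can be checked against each other statically. The following is an added example (not from either poster) that parses constructed excerpts of the two PIX configs above and reports the classic site-to-site mismatches: crypto ACLs that are not mirror images, differing IPsec transform sets, no ISAKMP policy agreeing on authentication/encryption/hash/group, and interesting traffic not exempted by the nat 0 ACL.

```python
# Constructed excerpts of the two PIX configs posted above (names and addresses as posted).
PIX1 = """name 192.168.1.0 CRVSH
access-list nonat permit ip 10.0.0.0 255.255.255.0 CRVSH 255.255.255.0
access-list 101 permit ip 10.0.0.0 255.255.255.0 CRVSH 255.255.255.0
crypto ipsec transform-set crvshvpnts esp-des esp-md5-hmac
crypto map crvshvpn 1 match address 101
crypto map crvshvpn 1 set transform-set crvshvpnts
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1"""
PIX2 = """name 10.0.0.0 CRVRFD
access-list 101 permit ip 192.168.1.0 255.255.255.0 CRVRFD 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 CRVRFD 255.255.255.0
crypto ipsec transform-set crvshvpnts esp-des esp-md5-hmac
crypto map crvshvpn 1 match address 101
crypto map crvshvpn 1 set transform-set crvshvpnts
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1"""

def parse(cfg):  # name aliases, ACL entries, transform sets, crypto-map settings, ISAKMP policies
    d = {"names": {}, "acl": {}, "ts": {}, "map": {}, "pol": {}}
    for t in filter(None, (line.split() for line in cfg.splitlines())):
        if t[0] == "name":
            d["names"][t[2]] = t[1]
        elif t[0] == "access-list":  # store (src, smask, dst, dmask) with 'name' aliases resolved
            n = d["names"]
            d["acl"].setdefault(t[1], set()).add((n.get(t[4], t[4]), t[5], n.get(t[6], t[6]), t[7]))
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            d["ts"][t[3]] = tuple(t[4:])
        elif t[:2] == ["crypto", "map"]:  # yields keys 'address', 'peer', 'transform-set'
            d["map"][t[5]] = t[6]
        elif t[:2] == ["isakmp", "policy"]:
            d["pol"].setdefault(t[2], {})[t[3]] = t[4]
    return d

def check_pair(a, b):
    """Return the mismatches between parsed peers a and b; an empty list means the static config agrees."""
    acl_a, acl_b = a["acl"][a["map"]["address"]], b["acl"][b["map"]["address"]]
    # Phase 1 only needs one policy per side with equal auth/encryption/hash/group (lifetime may differ)
    sig = lambda pol: {tuple(p.get(k) for k in ("authentication", "encryption", "hash", "group")) for p in pol.values()}
    checks = [
        (acl_a == {(d, dm, s, sm) for s, sm, d, dm in acl_b}, "crypto ACLs are not mirror images"),
        (a["ts"][a["map"]["transform-set"]] == b["ts"][b["map"]["transform-set"]], "IPsec transform sets differ"),
        (bool(sig(a["pol"]) & sig(b["pol"])), "no ISAKMP policy agrees on authentication/encryption/hash/group"),
        (acl_a <= a["acl"].get("nonat", set()), "nat 0 ACL does not exempt all interesting traffic from NAT"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Run it in both directions (`check_pair(parse(PIX1), parse(PIX2))` and the reverse) since the nat 0 check is evaluated on the first argument only; it reports consistency, not the strength of the negotiated algorithms.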
