Issue with PIX to Route VPN

Discussion in 'Cisco' started by VeeDub, Nov 5, 2006.

  1. VeeDub

    VeeDub Guest

    Hi

    I am setting up a test VPN between a PIX 515 and 1841 Router running
    Firewall IOS. The Tunnel seems to come up fine and is encrypting
    traffic on the router side but there seems to be an issue on the PIX
    side as it does not seem to be encrypting/decrypting. I have checked
    the ACL used in the crypto map on the PIX and it seems to be fine. Can
    anyone help from the following configuration?

    _____________________________________________________________
    PIX

    PIX# sh run
    : Saved
    :
    PIX Version 7.0(1)
    names
    !
    interface Ethernet0
    speed 100
    duplex full
    nameif outside
    security-level 0
    ip address 192.168.1.2 255.255.255.0
    !
    interface Ethernet1
    speed 100
    duplex full
    nameif inside
    security-level 100
    ip address 10.0.1.1 255.255.255.0
    !
    interface Ethernet2
    speed 100
    duplex full
    nameif dmz
    security-level 50
    ip address 172.16.1.1 255.255.255.0
    !
    interface Ethernet3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet4
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet5
    shutdown
    no nameif
    no security-level
    no ip address
    !
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname PIX
    ftp mode passive
    access-list CRYPTO-ACL extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip audit name INFOPOLICY info action alarm reset
    ip audit interface inside INFOPOLICY
    ip audit signature 4052 disable
    no failover
    monitor-interface outside
    monitor-interface inside
    monitor-interface dmz
    no asdm history enable
    arp timeout 14400
    route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp
    crypto ipsec transform-set TEST-TS esp-3des esp-sha-hmac
    crypto map RTR 10 match address CRYPTO-ACL
    crypto map RTR 10 set peer 192.168.2.2
    crypto map RTR 10 set transform-set TEST-TS
    crypto map RTR interface outside
    isakmp identity address
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 5
    isakmp policy 10 lifetime 86400
    isakmp policy 65535 authentication pre-share
    isakmp policy 65535 encryption 3des
    isakmp policy 65535 hash sha
    isakmp policy 65535 group 2
    isakmp policy 65535 lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    tunnel-group 192.168.2.2 type ipsec-l2l
    tunnel-group 192.168.2.2 ipsec-attributes
    pre-shared-key *
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    inspect dns maximum-length 512
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    !
    service-policy global_policy global
    Cryptochecksum:d329d214da16974fe6a4972319bc7dc2
    : end

    _________________________________________________________________________
    1841 Router

    TR# sh run
    Building configuration...

    Current configuration : 1544 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname RTR
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    !
    resource policy
    !
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    ip subnet-zero
    ip cef
    !
    no ip dhcp use vrf connected
    !
    ip inspect name OUTBOUND icmp
    ip inspect name OUTBOUND http
    no ip ips deny-action ips-interface
    !
    crypto isakmp policy 110
    encr 3des
    authentication pre-share
    group 5
    crypto isakmp key cisco address 192.168.1.2
    !
    crypto ipsec transform-set MINE esp-3des esp-sha-hmac
    !
    crypto map PIX-VPN 10 ipsec-isakmp
    set peer 192.168.1.2
    set transform-set MINE
    match address ENCR-ACL
    !!
    interface FastEthernet0/0
    ip address 192.168.2.2 255.255.255.0
    duplex auto
    speed auto
    crypto map PIX-VPN
    !
    interface FastEthernet0/1
    ip address 10.0.2.1 255.255.255.0
    ip inspect OUTBOUND in
    duplex auto
    speed auto
    !
    interface FastEthernet0/0/0
    !
    interface FastEthernet0/0/1
    !
    interface FastEthernet0/0/2
    !
    interface FastEthernet0/0/3
    !
    interface Vlan1
    no ip address
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 192.168.2.1
    !
    ip http server
    no ip http secure-server
    !
    ip access-list extended ACCESS-SRV
    permit icmp any host 10.0.2.10
    ip access-list extended ENCR-ACL
    permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
    ip access-list extended INBOUND-BLOCK
    deny ip any any
    !
    control-plane
    !
    line con 0
    line aux 0
    line vty 0 4
    login
    !
    end

    RTR#
     
    VeeDub, Nov 5, 2006
    #1

  2. In article <>,
    VeeDub <> wrote:

    >I am setting up a test VPN between a PIX 515 and 1841 Router running
    >Firewall IOS. The Tunnel seems to come up fine and is encrypting
    >traffic on the router side but there seems to be an issue on the PIX
    >side as it does not seem to be encrypting/decrypting. I have checked
    >the ACL used in the crypto map on the PIX and it seems to be fine. Can
    >anyone help from the following configuration?


    >PIX Version 7.0(1)


    Hmmm, lots and lots of bugs associated with that version.


    >isakmp policy 10 authentication pre-share
    >isakmp policy 10 encryption 3des
    >isakmp policy 10 hash sha
    >isakmp policy 10 group 5


    Try knocking the transmitter down to group 2 -- 3DES group 5 is
    unusual enough that it might tickle one of the many bugs in 7.0(1).
     
    Walter Roberson, Nov 5, 2006
    #2

  3. VeeDub

    VeeDub Guest

    I will give that a shot Walter. Can you tell me though why you think
    the 3DES/DH-5 is an unusual combination?

    Thanks


    Walter Roberson wrote:
    > In article <>,
    > VeeDub <> wrote:
    >
    > >I am setting up a test VPN between a PIX 515 and 1841 Router running
    > >Firewall IOS. The Tunnel seems to come up fine and is encrypting
    > >traffic on the router side but there seems to be an issue on the PIX
    > >side as it does not seem to be encrypting/decrypting. I have checked
    > >the ACL used in the crypto map on the PIX and it seems to be fine. Can
    > >anyone help from the following configuration?

    >
    > >PIX Version 7.0(1)

    >
    > Hmmm, lots and lots of bugs associated with that version.
    >
    >
    > >isakmp policy 10 authentication pre-share
    > >isakmp policy 10 encryption 3des
    > >isakmp policy 10 hash sha
    > >isakmp policy 10 group 5

    >
    > Try knocking the transmitter down to group 2 -- 3DES group 5 is
    > unusual enough that it might tickle one of the many bugs in 7.0(1).
     
    VeeDub, Nov 6, 2006
    #3
  4. Brian V

    Brian V Guest

    "VeeDub" <> wrote in message
    news:...
    >I will give that a shot Walter. Can you tell me though why you think
    > the 3DES/DH-5 is an unusual combination?
    >
    > Thanks
    >
    >
    > Walter Roberson wrote:
    >> In article <>,
    >> VeeDub <> wrote:
    >>
    >> >I am setting up a test VPN between a PIX 515 and 1841 Router running
    >> >Firewall IOS. The Tunnel seems to come up fine and is encrypting
    >> >traffic on the router side but there seems to be an issue on the PIX
    >> >side as it does not seem to be encrypting/decrypting. I have checked
    >> >the ACL used in the crypto map on the PIX and it seems to be fine. Can
    >> >anyone help from the following configuration?

    >>
    >> >PIX Version 7.0(1)

    >>
    >> Hmmm, lots and lots of bugs associated with that version.
    >>
    >>
    >> >isakmp policy 10 authentication pre-share
    >> >isakmp policy 10 encryption 3des
    >> >isakmp policy 10 hash sha
    >> >isakmp policy 10 group 5

    >>
    >> Try knocking the transmitter down to group 2 -- 3DES group 5 is
    >> unusual enough that it might tickle one of the many bugs in 7.0(1).

    >


    Because the standard in our industry is group 1 or group 2, group 2 for
    almost 99% of what we do.
     
    Brian V, Nov 6, 2006
    #4
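    The two things this thread circles around can be checked mechanically against the posted configs. The script below is an added example, not code from any poster: it tests whether the PIX crypto ACL and the router's ENCR-ACL are mirror images once the PIX's subnet masks and IOS's wildcard masks are normalized, and whether any PIX isakmp policy agrees with the router's crypto isakmp policy 110 on authentication, encryption, hash and DH group. The IOS defaults filled in for attributes that "show run" omits (rsa-sig, des, sha, group 1, lifetime 86400) are an assumption stated in the code and are the IOS 12.x defaults; the ACL names are read from each crypto map's "match address" line. The config strings are the relevant lines copied from the first post, with the wrapped PIX access-list line rejoined.

```python
"""Check the two halves of a PIX <-> IOS LAN-to-LAN IPsec config for the two
mismatches that let one side 'come up' without traffic being encrypted: crypto
ACLs that are not mirror images, and no agreeing phase 1 (ISAKMP) proposal.
Added example; the config text is the relevant lines copied from the thread."""
import ipaddress
import re

PIX_CONFIG = """\
access-list CRYPTO-ACL extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
crypto map RTR 10 match address CRYPTO-ACL
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
"""
IOS_CONFIG = """\
crypto isakmp policy 110
 encr 3des
 authentication pre-share
 group 5
crypto map PIX-VPN 10 ipsec-isakmp
 match address ENCR-ACL
ip access-list extended ENCR-ACL
 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
"""
# IOS 'show run' omits attributes left at default; these are the IOS 12.x isakmp
# policy defaults (assumption). The PIX prints every attribute, so it needs none.
IOS_ISAKMP_DEFAULTS = {"authentication": "rsa-sig", "encryption": "des",
                       "hash": "sha", "group": "1", "lifetime": "86400"}
PHASE1_ATTRS = ("authentication", "encryption", "hash", "group")  # lifetime is negotiated down, not matched

def crypto_acl_name(config):
    """ACL named by 'match address' in the crypto map; same syntax on both platforms."""
    return re.search(r"match address (\S+)", config).group(1)

def parse_pix_crypto_acl(config, name):
    """PIX/ASA extended ACLs carry real subnet masks (255.255.255.0 = /24)."""
    pat = re.compile(rf"^access-list {re.escape(name)} extended permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
    return {(ipaddress.IPv4Network(f"{s}/{sm}"), ipaddress.IPv4Network(f"{d}/{dm}"))
            for s, sm, d, dm in pat.findall(config)}

def _wildcard_to_network(addr, wildcard):
    """IOS ACLs carry inverse masks (0.0.0.255 = /24); strict IPv4Network rejects stray host bits."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}")

def parse_ios_acl(config, name):
    """Entries of a named extended IOS ACL; the block ends at the first non-indented line."""
    entries, in_acl = set(), False
    for line in config.splitlines():
        if line.startswith("ip access-list extended "):
            in_acl = line.split()[-1] == name
        elif in_acl and line.startswith(" "):
            m = re.match(r"\s*permit ip (\S+) (\S+) (\S+) (\S+)$", line)
            if m:
                s, sw, d, dw = m.groups()
                entries.add((_wildcard_to_network(s, sw), _wildcard_to_network(d, dw)))
        else:
            in_acl = False
    return entries

def unmirrored(local, remote):
    """Entries on each side whose (src, dst) has no (dst, src) twin on the peer."""
    return local - {(d, s) for s, d in remote}, remote - {(d, s) for s, d in local}

def parse_pix_isakmp(config):
    """'isakmp policy <prio> <attr> <value>' lines grouped by priority."""
    policies = {}
    for prio, attr, value in re.findall(r"^isakmp policy (\d+) (\S+) (\S+)$", config, re.M):
        policies.setdefault(int(prio), {})[attr] = value
    return policies

def parse_ios_isakmp(config):
    """'crypto isakmp policy <prio>' blocks; indented attributes override the defaults."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), dict(IOS_ISAKMP_DEFAULTS))
        elif current is not None and line.startswith(" ") and len(line.split()) >= 2:
            attr, value = line.split()[:2]
            current[{"encr": "encryption"}.get(attr, attr)] = value  # IOS abbreviates the keyword
        else:
            current = None
    return policies

def matching_phase1(pix, ios):
    """(pix_prio, ios_prio) pairs that agree on every attribute IKEv1 phase 1 must match."""
    return [(p, i) for p, pp in sorted(pix.items()) for i, ip in sorted(ios.items())
            if all(pp.get(a) == ip.get(a) for a in PHASE1_ATTRS)]

def check(pix_cfg, ios_cfg):
    pix_acl = parse_pix_crypto_acl(pix_cfg, crypto_acl_name(pix_cfg))
    ios_acl = parse_ios_acl(ios_cfg, crypto_acl_name(ios_cfg))
    no_twin_on_ios, no_twin_on_pix = unmirrored(pix_acl, ios_acl)
    return {"acl_mirrored": not no_twin_on_ios and not no_twin_on_pix,
            "phase1_matches": matching_phase1(parse_pix_isakmp(pix_cfg), parse_ios_isakmp(ios_cfg))}
```

    With the configs as posted, the ACLs do mirror and PIX policy 10 pairs with IOS policy 110 (both pre-share, 3DES, SHA, group 5), so a static comparison does not flag phase 1 as the problem. If the router is moved to group 2 as Walter suggests, the match simply shifts to the PIX's policy 65535, which already carries group 2, so the change costs nothing on the PIX side. Lifetime is deliberately left out of the comparison because IKEv1 peers negotiate it down to the shorter value rather than failing on it.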
