problems with cisco <-> netscreen

Discussion in 'Cisco' started by scubabri@gmail.com, Jan 21, 2006.

  1. Guest

    It appears that my cisco 806 is trying to forward the packets out my
    public interface without encrypting them and sending them to the peer.
    I can route packets from my 192.168.22.0 network where the netscreen
    is, they make it over to the 192.168.23.0 network, but the responses
    never make it back.

    Anyone care to help me out on this?

    Here is the router config.

    Using 4991 out of 131072 bytes
    !
    version 12.3
    no parser cache
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname cisco-rtr
    !
    boot-start-marker
    boot-end-marker
    !
    logging cns-events debugging

    !
    clock timezone Central -6
    clock summer-time CDT recurring 1 Sun Apr 3:00 last Sun Oct 3:00
    aaa new-model
    !
    !
    aaa authentication ppp default local
    aaa authorization network default if-authenticated
    aaa session-id common
    ip subnet-zero
    no ip source-route
    ip domain name int.fl240.com
    ip name-server 192.168.23.26
    ip dhcp excluded-address 192.168.23.200 192.168.23.201
    ip dhcp excluded-address 192.168.23.1 192.168.23.39
    !
    no ip bootp server
    ip inspect name myfw cuseeme audit-trail on timeout 3600
    ip inspect name myfw ftp timeout 3600
    ip inspect name myfw http java-list 3 audit-trail on timeout 3600
    ip inspect name myfw rcmd timeout 3600
    ip inspect name myfw realaudio timeout 3600
    ip inspect name myfw smtp timeout 3600
    ip inspect name myfw tftp timeout 30
    ip inspect name myfw udp timeout 15
    ip inspect name myfw tcp timeout 3600
    ip inspect name myfw h323 timeout 3600
    vpdn enable
    vpdn ip udp ignore checksum
    !
    vpdn-group 1
    ! Default L2TP VPDN group
    ! Default PPTP VPDN group
    accept-dialin
    protocol any
    virtual-template 1
    !
    !
    !
    !
    class-map match-all VONAGE
    match access-group 101
    !
    !
    policy-map ALL
    class VONAGE
    bandwidth 256
    class class-default
    fair-queue
    !
    !
    !
    crypto isakmp policy 5
    hash md5
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key netscreen address netscreen
    !
    !
    crypto ipsec transform-set aptset esp-3des esp-sha-hmac
    crypto ipsec transform-set ns-interop esp-des esp-md5-hmac
    !
    crypto map aptmap 2 ipsec-isakmp
    set peer 192.168.22.200
    set transform-set aptset
    match address 111
    !
    crypto map netscreen-net 10 ipsec-isakmp
    set peer netscreen
    set transform-set ns-interop
    match address 130
    !
    !
    !
    interface Ethernet0
    ip address 192.168.23.1 255.255.255.0
    ip nat inside
    ip policy route-map proxy-redirect
    no cdp enable
    hold-queue 32 in
    !
    interface Ethernet1
    ip address address 255.255.255.0
    ip access-group 111 in
    no ip unreachables
    ip nat outside
    ip inspect myfw out
    no cdp enable
    crypto map netscreen-net
    service-policy output ALL
    !
    interface Virtual-Template1
    ip unnumbered Ethernet1
    ip mroute-cache
    peer default ip address pool pptp
    ppp encrypt mppe 40
    ppp authentication ms-chap
    !
    ip local pool pptp 192.168.23.200 192.168.23.201
    ip nat inside source list 102 interface Ethernet1 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Ethernet1 permanent
    no ip http server
    no ip http secure-server
    !
    logging facility local5
    logging 192.168.23.27
    access-list 1 permit 192.168.23.0 0.0.0.255
    access-list 1 permit any
    access-list 3 permit any
    access-list 23 permit 192.168.23.0 0.0.0.255
    access-list 101 permit udp host 192.168.23.40 any
    access-list 101 permit udp any host 192.168.23.40
    access-list 102 permit ip 192.168.23.0 0.0.0.255 any
    access-list 104 permit ip address 0.0.0.255 any
    access-list 104 permit udp address 0.0.0.255 any eq isakmp
    access-list 111 permit icmp any any administratively-prohibited
    access-list 111 permit icmp any any echo
    access-list 111 permit icmp any any echo-reply
    access-list 111 permit icmp any any packet-too-big
    access-list 111 permit icmp any any time-exceeded
    access-list 111 permit icmp any any traceroute
    access-list 111 permit icmp any any unreachable
    access-list 111 permit udp any eq bootps any eq bootpc
    access-list 111 permit udp any eq bootps any eq bootps
    access-list 111 permit udp any eq domain any
    access-list 111 permit esp any any
    access-list 111 permit udp any any eq isakmp
    access-list 111 permit udp any any eq 10000
    access-list 111 permit tcp any any eq 1723
    access-list 111 permit gre any any
    access-list 111 permit tcp any any eq 22
access-list 111 permit ip 192.168.22.0 0.0.0.255 192.168.23.0 0.0.0.255 log
access-list 111 permit ip 192.168.23.0 0.0.0.255 192.168.22.0 0.0.0.255 log
    access-list 120 deny tcp any any neq www
    access-list 120 deny tcp host 192.168.23.26 any
    access-list 120 permit tcp any any
access-list 130 permit ip 192.168.22.0 0.0.0.255 192.168.23.0 0.0.0.255 log
access-list 130 permit ip 192.168.23.0 0.0.0.255 192.168.22.0 0.0.0.255 log
    no cdp run
    route-map proxy-redirect permit 10
    match ip address 120
    set ip next-hop 192.168.23.26
    !
    banner motd ^C
    go away or I will track you down and sue you and you will go to jail

    Enter Password:

    ^C
    !
    line con 0
    exec-timeout 120 0
    stopbits 1
    line vty 0 4
    access-class 1 in
    exec-timeout 0 0
    password 7
    transport input ssh
    !
    scheduler max-task-time 5000
    end


Here is an output from debug ipsec sa
    cisco-rtr#debug crypto ipsec
    Crypto IPSEC debugging is on
    cisco-rtr#terminal monitor
    cisco-rtr#clear crypto sa peer netscreen
    cisco-rtr#
    12:18:44: IPSEC(delete_sa): deleting SA,
    (sa) sa_dest= cisco, sa_prot= 50,
    sa_spi= 0x54464F6D(1413893997),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2004
    12:18:44: IPSEC(add_sa): have new SAs -- expire existing in 30 sec.,
    (sa) sa_dest= netscreen, sa_prot= 50,
    sa_spi= 0x4C131F1C(1276321564),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2005,
    (identity) local= cisco, remote= netscreen,
    local_proxy= 192.168.23.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.22.0/255.255.255.0/0/0 (type=4)
    12:18:44: IPSEC(delete_sa): deleting SA,
    (sa) sa_dest= netscreen, sa_prot= 50,
    sa_spi= 0x4C131F1C(1276321564),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2005
    12:18:44: ISAKMP: Unlocking IPSEC struct 0x813F3908 from
    delete_siblings, count 0
    12:18:44: ISAKMP: received ke message (3/1)
    12:18:44: ISAKMP: set new node -844168567 to QM_IDLE
    12:18:44: ISAKMP (0:1): sending packet to netscreen my_port 500
    peer_port 500 (I) QM_IDLE
    12:18:44: ISAKMP (0:1): purging node -844168567
    12:18:44: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
    12:18:44: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State =
    IKE_P1_COMPLETE

    12:18:53: ISAKMP (0:1): received packet from netscreen dport 500 sport
    500 Global (I) QM_IDLE
    12:18:53: ISAKMP: set new node -928160302 to QM_IDLE
    12:18:53: ISAKMP (0:1): processing HASH payload. message ID =
    -928160302
    12:18:53: ISAKMP (0:1): processing SA payload. message ID = -928160302
    12:18:53: ISAKMP (0:1): Checking IPSec proposal 1
    12:18:53: ISAKMP: transform 1, ESP_DES
    12:18:53: ISAKMP: attributes in transform:
    12:18:53: ISAKMP: SA life type in seconds
    12:18:53: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
    12:18:53: ISAKMP: encaps is 1 (Tunnel)
    12:18:53: ISAKMP: authenticator is HMAC-MD5
    12:18:53: ISAKMP (0:1): atts are acceptable.
    12:18:53: IPSEC(validate_proposal_request): proposal part #1,
    (key eng. msg.) INBOUND local= cisco, remote= netscreen,
    local_proxy= 192.168.23.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.22.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
    12:18:53: IPSEC(kei_proxy): head = netscreen-net, map->ivrf = ,
    kei->ivrf =
    12:18:53: ISAKMP (0:1): processing NONCE payload. message ID =
    -928160302
    12:18:53: ISAKMP (0:1): processing ID payload. message ID = -928160302
    12:18:53: ISAKMP (0:1): processing ID payload. message ID = -928160302
    12:18:53: ISAKMP (0:1): asking for 1 spis from ipsec
    12:18:53: ISAKMP (0:1): Node -928160302, Input = IKE_MESG_FROM_PEER,
    IKE_QM_EXCH
    12:18:53: ISAKMP (0:1): Old State = IKE_QM_READY New State =
    IKE_QM_SPI_STARVE
    12:18:53: IPSEC(key_engine): got a queue event...
    12:18:53: IPSEC(spi_response): getting spi 1606767518 for SA
    from cisco to netscreen for prot 3
    12:18:53: ISAKMP: received ke message (2/1)
    12:18:53: ISAKMP: Locking peer struct 0x813F3908, IPSEC refcount 1 for
    for stuff_ke
    12:18:53: ISAKMP (0:1): Creating IPSec SAs
    12:18:53: inbound SA from netscreen to cisco (f/i) 0/ 0
    (proxy 192.168.22.0 to 192.168.23.0)
    12:18:53: has spi 0x5FC5539E and conn_id 2000 and flags 2
    12:18:53: lifetime of 3600 seconds
    12:18:53: has client flags 0x0
    12:18:53: outbound SA from cisco to netscreen (f/i) 0/ 0 (proxy
    192.168.23.0 to 192.168.22.0 )
    12:18:53: has spi 1276321566 and conn_id 2001 and flags A
    12:18:53: lifetime of 3600 seconds
    12:18:53: has client flags 0x0
    12:18:53: ISAKMP (0:1): sending packet to netscreen my_port 500
    peer_port 500 (I) QM_IDLE
    12:18:53: ISAKMP (0:1): Node -928160302, Input = IKE_MESG_FROM_IPSEC,
    IKE_SPI_REPLY
    12:18:53: ISAKMP (0:1): Old State = IKE_QM_SPI_STARVE New State =
    IKE_QM_R_QM2
    12:18:53: IPSEC(key_engine): got a queue event...
    12:18:53: IPSEC(initialize_sas): ,
    (key eng. msg.) INBOUND local= cisco, remote= netscreen,
    local_proxy= 192.168.23.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.22.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
    lifedur= 3600s and 0kb,
    spi= 0x5FC5539E(1606767518), conn_id= 2000, keysize= 0, flags= 0x2
    12:18:53: IPSEC(initialize_sas): ,
    (key eng. msg.) OUTBOUND local= cisco, remote= netscreen,
    local_proxy= 192.168.23.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.22.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
    lifedur= 3600s and 0kb,
    spi= 0x4C131F1E(1276321566), conn_id= 2001, keysize= 0, flags= 0xA
    12:18:53: IPSEC(kei_proxy): head = netscreen-net, map->ivrf = ,
    kei->ivrf =
    12:18:53: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the
    same proxies and netscreen
    12:18:53: IPSEC(add mtree): src 192.168.23.0, dest 192.168.22.0,
    dest_port 0

    12:18:53: IPSEC(create_sa): sa created,
    (sa) sa_dest= cisco, sa_prot= 50,
    sa_spi= 0x5FC5539E(1606767518),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2000
    12:18:53: IPSEC(create_sa): sa created,
    (sa) sa_dest= netscreen, sa_prot= 50,
    sa_spi= 0x4C131F1E(1276321566),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2001
    12:18:53: ISAKMP (0:1): received packet from netscreen dport 500 sport
    500 Global (I) QM_IDLE
    12:18:53: ISAKMP (0:1): deleting node -928160302 error FALSE reason
    "quick mode done (await)"
    12:18:53: ISAKMP (0:1): Node -928160302, Input = IKE_MESG_FROM_PEER,
    IKE_QM_EXCH
    12:18:53: ISAKMP (0:1): Old State = IKE_QM_R_QM2 New State =
    IKE_QM_PHASE2_COMPLETE
    12:18:53: IPSEC(key_engine): got a queue event...
    12:18:53: IPSEC(key_engine_enable_outbound): rec'd enable notify from
    ISAKMP
    12:18:53: IPSEC(key_engine_enable_outbound): enable SA with spi
    1276321566/50 for netscreen
    12:19:43: ISAKMP (0:1): purging node -928160302
scubabri@gmail.com, Jan 21, 2006
    #1

  2. scubabri Guest

    turns out it was my nat configuration that was horking it up :)

    b
    scubabri, Jan 22, 2006
    #2

  3. slimordium

    nat?

    Which was what? I am having the same problem.
    slimordium, Jan 29, 2008
    #3
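The reply above says only that NAT was the cause, and the follow-up question is never answered in the thread. The mechanism that fits the symptoms (traffic from 192.168.22.0/24 arrives and decrypts fine, replies from 192.168.23.0/24 leave in the clear) is IOS's inside-to-outside order of operations: NAT is applied before the outbound interface's crypto map is evaluated. Because `access-list 102 permit ip 192.168.23.0 0.0.0.255 any` matches the VPN-bound replies too, they are translated to the Ethernet1 address by `ip nat inside source list 102 interface Ethernet1 overload`, no longer match crypto ACL 130, and are forwarded unencrypted. The script below is an added example, not code from the thread or from Cisco: it parses the ACL lines from the posted config with a small wildcard-mask evaluator and walks one packet through that order of operations, once with the NAT list as posted and once with an assumed NAT-exemption `deny` line in front of it (the poster did not say what was changed). The outside address 198.51.100.1 and the host addresses are constructed placeholders.

```python
"""Model of the IOS inside-to-outside packet path that matters in this thread:
NAT (inside -> outside) runs before the crypto map on the exit interface.
Added example; ACL lines are copied from the posted config, the exemption
line and all host/outside addresses are assumed placeholders."""
import ipaddress
from dataclasses import dataclass

OUTSIDE_ADDR = "198.51.100.1"  # placeholder for the redacted Ethernet1 address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    proto: str    # only "ip" entries are needed for this demonstration
    src: tuple    # (network as int, wildcard mask as int)
    dst: tuple


def _parse_addr(tokens, i):
    """Consume one IOS address spec at tokens[i]; return ((net, wild), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.ip_address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.ip_address(tokens[i]))
    wild = int(ipaddress.ip_address(tokens[i + 1]))
    return (net, wild), i + 2


def parse_acl(lines):
    """Parse 'access-list N <permit|deny> ip <src> <dst>' lines, in order."""
    entries = []
    for line in lines:
        t = line.split()
        if t[0] != "access-list":
            raise ValueError(f"not an access-list line: {line}")
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        entries.append(AclEntry(action, proto, src, dst))
    return entries


def _addr_matches(addr, spec):
    # IOS wildcard mask: a 1 bit means "don't care", so clear those bits on both sides.
    net, wild = spec
    return (addr & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)


def acl_action(entries, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    s = int(ipaddress.ip_address(pkt.src))
    d = int(ipaddress.ip_address(pkt.dst))
    for e in entries:
        if _addr_matches(s, e.src) and _addr_matches(d, e.dst):
            return e.action
    return "deny"


def inside_to_outside(pkt, nat_lines, crypto_lines, outside_addr=OUTSIDE_ADDR):
    """Return (source address on the wire, encrypted?) for an inside->outside packet.

    Step 1: NAT overload translates the source if the NAT ACL permits the packet.
    Step 2: the crypto map ACL is evaluated on the packet *after* translation."""
    nat_acl = parse_acl(nat_lines)
    crypto_acl = parse_acl(crypto_lines)
    src = outside_addr if acl_action(nat_acl, pkt) == "permit" else pkt.src
    after_nat = Packet(src, pkt.dst)
    encrypted = acl_action(crypto_acl, after_nat) == "permit"
    return after_nat.src, encrypted


# Lines copied from the posted config.
NAT_ACL_AS_POSTED = ["access-list 102 permit ip 192.168.23.0 0.0.0.255 any"]
CRYPTO_ACL_130 = [
    "access-list 130 permit ip 192.168.22.0 0.0.0.255 192.168.23.0 0.0.0.255",
    "access-list 130 permit ip 192.168.23.0 0.0.0.255 192.168.22.0 0.0.0.255",
]
# Assumed fix: exempt the LAN-to-LAN pair from translation before the catch-all permit.
NAT_ACL_WITH_EXEMPTION = [
    "access-list 102 deny ip 192.168.23.0 0.0.0.255 192.168.22.0 0.0.0.255",
    "access-list 102 permit ip 192.168.23.0 0.0.0.255 any",
]

VPN_REPLY = Packet("192.168.23.10", "192.168.22.10")      # constructed LAN-to-LAN reply
INTERNET_BOUND = Packet("192.168.23.10", "203.0.113.5")   # constructed Internet-bound packet

if __name__ == "__main__":
    for label, nat in (("as posted", NAT_ACL_AS_POSTED), ("with exemption", NAT_ACL_WITH_EXEMPTION)):
        for pkt in (VPN_REPLY, INTERNET_BOUND):
            src, enc = inside_to_outside(pkt, nat, CRYPTO_ACL_130)
            print(f"{label:15} {pkt.src} -> {pkt.dst}: on wire as {src}, encrypted={enc}")
```

With the list as posted the reply to 192.168.22.10 leaves as 198.51.100.1 and unencrypted, which is exactly what the first post describes; with the deny line in front it keeps its inside source, matches ACL 130 and is encrypted, while Internet-bound traffic is still translated. The same check can be applied to any IOS config by pasting its NAT and crypto ACL lines into the two lists.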
