Site to Site VPN - PIX 506e

Discussion in 'Cisco' started by buttino@gmail.com, Jun 4, 2005.

  1. Guest

    Hi,

    I've got a site to site VPN created with two Pix 506e firewalls. The
    remote site has 7 users over a 512k ADSL line. The VPN is used for MS
    Outlook, occaisional file access and the use of a Terminal emulator
    connected to a UNIX box at the central site.

    Users in the remote site will loose connectivity to the unix box a few
    times during the day but the VPN appears to be still running as it
    doesn't kick all users off.

    I created the VPN by using PDM and have checked them on the Cisco
    website, below are the configs, the first one being the central site.
    I've also copied the entries from the syslog when the users get kicked.

    Any help is greatly appreciated

    Thanks in advance

    Trevor

    CENTRAL SITE CONFIG

    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxx encrypted
    passwd xxx encrypted
    hostname pixfirewall
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.1.0 flg
    access-list inside_access_in permit tcp any any
    access-list inside_access_in permit ip any any
    access-list inside_outbound_nat0_acl permit ip 192.168.184.0
    255.255.255.0 flg 255.255.255.0
    access-list outside_cryptomap_20 permit ip 192.168.184.0 255.255.255.0
    flg 255.255.255.0
    access-list smtp permit tcp any host 1.2.3.35 eq smtp
    access-list smtp remark TS
    access-list smtp permit tcp any host 1.2.3.35 eq 3389
    access-list smtp remark Security DVR
    access-list smtp permit tcp any host 1.2.3.50 eq www
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 1.2.3.61 255.255.255.224
    ip address inside 192.168.184.254 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location flg 255.255.255.0 inside
    pdm location 192.168.184.1 255.255.255.255 inside
    pdm location 0.0.0.0 255.255.255.255 outside
    pdm location 0.0.0.0 255.255.255.224 outside
    pdm location 0.0.0.0 255.255.255.0 outside
    pdm location 0.0.0.0 255.255.255.224 inside
    pdm location 192.168.184.0 255.255.255.255 inside
    pdm location flg 255.255.255.0 outside
    pdm location 4.5.6.222 255.255.255.255 outside
    pdm location 192.168.184.3 255.255.255.255 inside
    pdm location 192.168.184.100 255.255.255.255 inside
    pdm location 192.168.184.128 255.255.255.128 outside
    pdm location flg 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 1.2.3.35 192.168.184.1 netmask 255.255.255.255
    0 0
    static (inside,outside) 1.2.3.50 192.168.184.3 netmask 255.255.255.255
    0 0
    access-group smtp in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 1.2.3.33 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server RADIUS (inside) host 192.168.184.1 xxx timeout 5
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.184.1 255.255.255.255 inside
    http 192.168.184.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection timewait
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer 4.5.6.222
    crypto map outside_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map client authentication RADIUS
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 4.5.6.222 netmask 255.255.255.255
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet 192.168.184.0 255.255.255.0 inside
    telnet timeout 5
    console timeout 0
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcprelay server 192.168.184.1 inside
    username admin password xxx encrypted privilege 15
    terminal width 80


    REMOTE SITE VPN

    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxx encrypted
    passwd xxx encrypted
    hostname flgfw
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.184.0 NW
    access-list inside_access_in permit ip any any
    access-list inside_access_in permit tcp any any
    access-list inside_outbound_nat0_acl permit ip 192.168.1.0
    255.255.255.0 NW 255.255.255.0
    access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 NW
    255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 4.5.6.222 255.255.255.224
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location NW 255.255.255.0 outside
    pdm location NW 255.255.255.0 inside
    pdm location NW 255.255.255.255 outside
    pdm location NW 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 4.5.6.209 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer 1.2.3.61
    crypto map outside_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 1.2.3.61 netmask 255.255.255.255 no-xauth
    no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 inside
    dhcpd dns 192.168.184.1 217.169.20.20
    dhcpd wins 192.168.184.1
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd domain xxx.local
    dhcpd auto_config outside
    dhcpd enable inside
    username admin password x encrypted privilege 15
    terminal width 80


    **** SYSLOG ****

    2005-06-03 15:25:15 Local4.Info 192.168.184.254 Jun 03 2005 15:20:55:
    %PIX-6-302014: Teardown TCP connection 42314 for
    outside:192.168.1.5/1354 to inside:192.168.184.2/23 duration 0:00:26
    bytes 1415 TCP FINs
    ^^^^^User gets kicked ^^^^^^

    The only entry from the same terminal is this one which occurred 14
    mins previously

    2005-06-03 15:11:30 Local4.Info 192.168.184.254 Jun 03 2005 15:07:10:
    %PIX-6-302014: Teardown TCP connection 39426 for
    outside:192.168.1.5/1179 to inside:192.168.184.2/23 duration 3:38:18
    bytes 1189161 Conn-timeout



    Details for 192.168.184.0/255.255.255.0/0/0 flg/255.255.255.0/0/0 at
    Fri Jun 03 15:34:38 BST 2005

    local ident (addr/mask/prot/port):
    (192.168.184.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (flg/255.255.255.0/0/0)
    current_peer: 4.5.6.222:500
    dynamic allocated peer ip: 0.0.0.0
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 51208, #pkts encrypt: 51208, #pkts digest 51208
    #pkts decaps: 51474, #pkts decrypt: 51582, #pkts verify 51582
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress
    failed: 0
    #pkts no sa (send) 519, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0
    local crypto endpt.: 1.2.3.61, remote crypto endpt.: 4.5.6.222
    path mtu 1500, ipsec overhead 56, media mtu 1500
    current outbound spi: b63f0607
    inbound esp sas:
    spi: 0xaf013b09(2936093449)
    transform: esp-3des esp-md5-hmac ,
    in use settings ={Tunnel, }
    slot: 0, conn id: 2, crypto map: outside_map
    sa timing: remaining key lifetime (k/sec): (4607734/27782)
    IV size: 8 bytes
    replay detection support: Y
    inbound ah sas:
    inbound pcp sas:
    outbound esp sas:
    spi: 0xb63f0607(3057583623)
    transform: esp-3des esp-md5-hmac ,
    in use settings ={Tunnel, }
    slot: 0, conn id: 1, crypto map: outside_map
    sa timing: remaining key lifetime (k/sec): (4607663/27782)
    IV size: 8 bytes
    replay detection support: Y
    outbound ah sas:
    outbound pcp sas:
     
    , Jun 4, 2005
    #1
    1. Advertising

  2. <> wrote:

    > Users in the remote site will loose connectivity to the unix
    > box a few times during the day but the VPN appears to be still
    > running as it doesn't kick all users off.
    >
    > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    >
    > %PIX-6-302014: Teardown TCP connection 39426 for outside:192.168.1.5/1179
    > to inside:192.168.184.2/23 duration 3:38:18 bytes 1189161 Conn-timeout


    This log entry indicates a standard connection timeout.
    A one hour idle time after which a connection closes.
    I suggest that you increase the timeout value because
    otherwise possible problems with the VPN tunnel will
    get mixed with the inactivity timeouts and you don't
    know which is which.
     
    Jyri Korhonen, Jun 4, 2005
    #2
    1. Advertising

  3. Guest

    Jyri,

    Thanks for the response, what is the command that I need to use so the
    timeout will be increased?
     
    , Jun 5, 2005
    #3
  4. Jyri Korhonen, Jun 5, 2005
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Mark
    Replies:
    2
    Views:
    2,711
  2. Lou Chorich

    Site-to-Site VPN with PIX 506E

    Lou Chorich, Dec 27, 2003, in forum: Cisco
    Replies:
    1
    Views:
    657
    Rik Bain
    Dec 27, 2003
  3. t_oldham
    Replies:
    4
    Views:
    3,398
    security_123@
    Aug 12, 2005
  4. wtpandar

    PIX 506e Site to site VPN

    wtpandar, Sep 8, 2006, in forum: Cisco
    Replies:
    1
    Views:
    582
    wtpandar
    Sep 8, 2006
  5. cisco
    Replies:
    3
    Views:
    608
    cisco
    Feb 17, 2007
Loading...

Share This Page