Site to Site VPN problems between PIX 501 and PIX 515

Discussion in 'Cisco' started by Jeff, Dec 29, 2006.

  1. Jeff

    Jeff Guest

    Recently at work I was handed an old Cisco PIX 501 and was told to get
    a VPN working with our PIX 515 for a remote office location. The 501
    had been set up for a VPN 3 years ago with the 515 so I thought that
    this would be easy, as the config information on both ends has not
    changed. Obviously, I was mistaken and no matter what I try I cannot
    get the VPN tunnel to work. Any help would be greatly appreciated.
    I'm sorry if this is long winded but here are the configs for the 501
    and 515:

    PIX 501
    PIX Version 6.3(3)
    interface ethernet0 10baset
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password *** encrypted
    passwd *** encrypted
    hostname example501
    domain-name example.net
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    access-list example permit ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list acl_out permit icmp any any
    pager lines 24
    logging on
    logging timestamp
    logging buffered warnings
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 10.10.20.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list example
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group acl_out in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server LOCAL protocol local
    http server enable
    http 10.10.10.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set exampledyn esp-3des esp-md5-hmac
    crypto map example 10 ipsec-isakmp
    crypto map example 10 match address example
    crypto map example 10 set peer #.#.#.162
    crypto map example 10 set transform-set exampledyn
    crypto map example interface outside
    isakmp enable outside
    isakmp key *** address #.#.#.162 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400
    telnet 10.10.20.0 255.255.255.0 inside
    telnet 10.10.10.0 255.255.255.0 inside
    telnet timeout 5
    ssh 10.10.10.0 255.255.255.0 inside
    ssh 10.10.20.0 255.255.255.0 inside
    ssh timeout 60
    console timeout 0
    dhcpd address 10.10.20.100-10.10.20.131 inside
    dhcpd dns 10.10.10.3 10.10.10.6
    dhcpd lease 86400
    dhcpd ping_timeout 750
    dhcpd domain example.net
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:***

    -------------------------------------------

    PIX 515
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    enable password *** encrypted
    passwd *** encrypted
    hostname example515
    domain-name example.net
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list vpn permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
    access-list vpn permit ip 10.10.10.0 255.255.255.0 10.10.30.0 255.255.255.0
    access-list vpn permit ip 10.10.10.0 255.255.255.0 10.10.40.0 255.255.255.0
    access-list acl_out permit icmp any any
    access-list acl_out permit tcp any host #.#.#.163 eq ftp
    access-list acl_out permit tcp any host #.#.#.163 eq ftp-data
    access-list acl_out permit tcp any host #.#.#.163 eq www
    access-list acl_out permit tcp any host #.#.#.163 eq smtp
    access-list acl_out permit tcp any host #.#.#.163 eq pop3
    access-list acl_out permit tcp any host #.#.#.163 range 5500 5700
    pager lines 24
    logging on
    logging timestamp
    logging buffered debugging
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip address outside #.#.#.162 255.255.255.248
    ip address inside 10.10.10.10 255.255.255.0
    ip address dmz 10.10.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnpool 10.10.30.1-10.10.30.254
    ip local pool vpnpool1 10.10.40.1-10.10.40.254
    pdm location 10.10.10.0 255.255.255.0 inside
    pdm logging warnings 200
    pdm history enable
    arp timeout 14400
    global (outside) 1 #.#.#.164-#.#.#.165
    global (outside) 1 #.#.#.166 netmask 255.255.255.248
    global (dmz) 1 10.10.1.50-10.10.1.100 netmask 255.255.255.0
    nat (inside) 0 access-list vpn
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (dmz) 1 10.10.1.0 255.255.255.0 0 0
    static (dmz,outside) #.#.#.163 10.10.1.25 netmask 255.255.255.255 0 0
    access-group acl_out in interface outside
    route outside 0.0.0.0 0.0.0.0 #.#.#.161 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 10.10.10.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set exampledyn esp-3des esp-md5-hmac
    crypto dynamic-map cisco 1 set transform-set exampledyn
    crypto map example 10 ipsec-isakmp dynamic cisco
    crypto map example interface outside
    isakmp enable outside
    isakmp key *** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
    isakmp identity address
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption des
    isakmp policy 1 hash md5
    isakmp policy 1 group 1
    isakmp policy 1 lifetime 86400
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup examplevpn address-pool vpnpool
    vpngroup examplevpn dns-server 10.10.10.19 10.10.10.6
    vpngroup examplevpn wins-server 10.10.10.19
    vpngroup examplevpn default-domain example.net
    vpngroup examplevpn idle-time 1800
    vpngroup examplevpn password ***
    vpngroup examplenet address-pool vpnpool
    vpngroup examplenet dns-server 10.10.10.19 10.10.10.6
    vpngroup examplenet wins-server 10.10.10.19
    vpngroup examplenet default-domain example.net
    vpngroup examplenet idle-time 1800
    vpngroup examplenet password ***
    telnet 10.10.10.0 255.255.255.0 inside
    telnet timeout 5
    ssh 10.10.10.0 255.255.255.0 inside
    ssh timeout 60
    console timeout 0
    terminal width 80
    Cryptochecksum:***
    Jeff, Dec 29, 2006
    #1

  2. In article <>,
    Jeff <> wrote:
    >Recently at work I was handed an old Cisco PIX 501 and was told to get
    >a VPN working with our PIX 515 for a remote office location.



    >PIX 501
    >PIX Version 6.3(3)


    It would be better, for security and stability reasons, to
    upgrade that to 6.3(5)112 .

    >interface ethernet0 10baset


    What kind of device is the 501 connected to? You may wish to go
    to auto or 100full instead of 10baset .


    >access-list example permit ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0
    >access-list acl_out permit icmp any any


    >ip address outside dhcp setroute
    >ip address inside 10.10.20.1 255.255.255.0


    >nat (inside) 0 access-list example


    >access-group acl_out in interface outside


    I do not recommend permitting -all- icmp in. For example, you do
    not want intruders sending you icmp redirects to divert user banking
    sessions to the intruder's systems.

    >sysopt connection permit-ipsec
    >crypto ipsec transform-set exampledyn esp-3des esp-md5-hmac


    You should not use 3DES with MD5; either use 3DES with SHA, or
    use DES with MD5.

    >crypto map example 10 ipsec-isakmp
    >crypto map example 10 match address example


    You should not use the same ACL for 'match address' and
    'nat 0 access-list'. Instead use two different ACLs that [in this
    configuration] happen to have the same content. You can get some
    subtle bugs when you have ACLs being used for multiple purposes.

    >crypto map example 10 set peer #.#.#.162
    >crypto map example 10 set transform-set exampledyn
    >crypto map example interface outside
    >isakmp enable outside
    >isakmp key *** address #.#.#.162 netmask 255.255.255.255 no-xauth no-config-mode
    >isakmp policy 10 authentication pre-share
    >isakmp policy 10 encryption des
    >isakmp policy 10 hash md5
    >isakmp policy 10 group 1
    >isakmp policy 10 lifetime 86400


    You have a mismatch between transforms: for phase 1 you are using
    DES MD5, but for phase 2 you are using 3DES MD5. In theory using
    different transforms for the two phases should work, but in practice
    I have seen it cause problems.

    It is usually best to specify multiple transforms for both phases, so
    that there is some room for "falling back" in case the original negotiation
    fails. For phase 2, create multiple 'transform-set' lines, and then
    on the 'set transform-set' clause, list transform set names
    with your first preference first on the line. For phase 1, create multiple
    'isakmp policy' with different policy numbers, and the lowest numbered
    policy should be the one you prefer.

    Both your 501 and 515 have PIX 6.3, and both of them have 3DES,
    and that combination implies that both of them support AES. AES is
    more secure and faster than 3DES, so I would suggest you make your
    first choice AES 128 bit SHA group 5, then second 3DES SHA group 2,
    then third DES MD5 group 1.

    >telnet 10.10.20.0 255.255.255.0 inside
    >telnet 10.10.10.0 255.255.255.0 inside


    Your 'ip address' commands tell us that 10.10.20 is inside, and
    your 'example' access-list implies that 10.10.10 is outside (at the
    PIX 515), so here and for the ssh, it does not make sense
    to permit access to the PIX for 10.10.10 from the 'inside' interface.

    >ssh 10.10.10.0 255.255.255.0 inside
    >ssh 10.10.20.0 255.255.255.0 inside



    >PIX 515


    >PIX Version 6.3(4)


    As per above, I recommend upgrading to 6.3(5)112.

    >access-list vpn permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
    >access-list vpn permit ip 10.10.10.0 255.255.255.0 10.10.30.0 255.255.255.0
    >access-list vpn permit ip 10.10.10.0 255.255.255.0 10.10.40.0 255.255.255.0


    >access-list acl_out permit icmp any any


    See above note about icmp any.

    >access-list acl_out permit tcp any host #.#.#.163 eq ftp
    >access-list acl_out permit tcp any host #.#.#.163 eq ftp-data


    You never need to permit ftp-data by itself. ftp-data will be opened
    at need by the PIX when it sees a valid ftp session taking place.

    >access-list acl_out permit tcp any host #.#.#.163 eq www
    >access-list acl_out permit tcp any host #.#.#.163 eq smtp
    >access-list acl_out permit tcp any host #.#.#.163 eq pop3
    >access-list acl_out permit tcp any host #.#.#.163 range 5500 5700


    >ip address outside #.#.#.162 255.255.255.248
    >ip address inside 10.10.10.10 255.255.255.0
    >ip address dmz 10.10.1.1 255.255.255.0


    >ip local pool vpnpool 10.10.30.1-10.10.30.254
    >ip local pool vpnpool1 10.10.40.1-10.10.40.254


    >global (outside) 1 #.#.#.164-#.#.#.165
    >global (outside) 1 #.#.#.166 netmask 255.255.255.248
    >global (dmz) 1 10.10.1.50-10.10.1.100 netmask 255.255.255.0


    >nat (inside) 0 access-list vpn


    >nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    >nat (dmz) 1 10.10.1.0 255.255.255.0 0 0


    >static (dmz,outside) #.#.#.163 10.10.1.25 netmask 255.255.255.255 0 0


    >access-group acl_out in interface outside


    >route outside 0.0.0.0 0.0.0.0 #.#.#.161 1


    >sysopt connection permit-ipsec


    >crypto ipsec transform-set exampledyn esp-3des esp-md5-hmac


    See above notes about transform sets.

    >crypto dynamic-map cisco 1 set transform-set exampledyn
    >crypto map example 10 ipsec-isakmp dynamic cisco
    >crypto map example interface outside
    >isakmp enable outside
    >isakmp key *** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
    >isakmp identity address
    >isakmp policy 1 authentication pre-share
    >isakmp policy 1 encryption des
    >isakmp policy 1 hash md5
    >isakmp policy 1 group 1
    >isakmp policy 1 lifetime 86400
    >isakmp policy 20 authentication pre-share
    >isakmp policy 20 encryption 3des
    >isakmp policy 20 hash md5
    >isakmp policy 20 group 2
    >isakmp policy 20 lifetime 86400


    This indicates that your preference is DES MD5 group 1, second choice
    3DES MD5 group 2, but on the other side you only allow for DES MD5 group 1.
    A mismatch, but not a problem in itself. But see the above notes about
    preferred transform sets.
    Walter Roberson, Dec 29, 2006
    #2
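    Walter's points above (phase 1 and phase 2 proposals must intersect, fallback proposals should be ordered, the crypto ACL must be mirrored on the peer, and one ACL should not serve both 'match address' and 'nat 0') can be checked mechanically before touching either box. The script below is an added example written for this thread; it is not Cisco code and not something the posters ran. It re-types the VPN-relevant lines of the two posted configs as a constructed excerpt (the masked public addresses are omitted) and reports what the two peers have in common. The parser is deliberately limited to the command forms that appear in this thread, and the 515 side has no 'match address' because it uses a dynamic crypto map, so its nat 0 ACL is used as the tunnel selector instead.

```python
"""Cross-check the VPN parameters of two PIX 6.3 configurations before testing the tunnel."""
import ipaddress
from collections import defaultdict

# Constructed excerpts: only the VPN-relevant lines of the two configs posted in the thread.
PIX501 = """
access-list example permit ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list example
crypto ipsec transform-set exampledyn esp-3des esp-md5-hmac
crypto map example 10 ipsec-isakmp
crypto map example 10 match address example
crypto map example 10 set transform-set exampledyn
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
"""

PIX515 = """
access-list vpn permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn permit ip 10.10.10.0 255.255.255.0 10.10.30.0 255.255.255.0
nat (inside) 0 access-list vpn
crypto ipsec transform-set exampledyn esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set exampledyn
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
"""


def parse(cfg):
    """Pull ISAKMP policies, transform sets, ACLs and the two ACL references out of a config."""
    policies = defaultdict(dict)   # policy number -> {"encryption": ..., "hash": ..., ...}
    transforms = {}                # transform-set name -> (esp cipher, esp auth)
    acls = defaultdict(list)       # ACL name -> [(src network, dst network), ...]
    match_acl = nat0_acl = None
    for line in cfg.strip().splitlines():
        t = line.split()
        if t[:2] == ["isakmp", "policy"]:
            policies[int(t[2])][t[3]] = t[4]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            transforms[t[3]] = tuple(t[4:])
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            acls[t[1]].append((ipaddress.ip_network(f"{t[4]}/{t[5]}"),
                               ipaddress.ip_network(f"{t[6]}/{t[7]}")))
        elif t[:2] == ["crypto", "map"] and "match" in t:
            match_acl = t[-1]
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            nat0_acl = t[4]
    return {"policies": dict(policies), "transforms": transforms,
            "acls": dict(acls), "match_acl": match_acl, "nat0_acl": nat0_acl}


def phase1_matches(a, b):
    """Policy pairs that agree on all four attributes, lowest numbers first (the PIX's own order)."""
    keys = ("authentication", "encryption", "hash", "group")
    return [(na, nb)
            for na, pa in sorted(a["policies"].items())
            for nb, pb in sorted(b["policies"].items())
            if all(pa.get(k) == pb.get(k) for k in keys)]


def phase2_matches(a, b):
    """ESP proposals both sides offer; compared by content, since names need not agree."""
    return sorted(set(a["transforms"].values()) & set(b["transforms"].values()))


def crypto_acl(cfg):
    """The ACL that selects tunnel traffic: 'match address' on a static map, else the nat 0 ACL."""
    return cfg["acls"].get(cfg["match_acl"] or cfg["nat0_acl"], [])


def unmirrored(local, remote):
    """Local tunnel entries whose src/dst-swapped twin is missing on the peer."""
    peer = set(crypto_acl(remote))
    return [(s, d) for s, d in crypto_acl(local) if (d, s) not in peer]


def shares_acl(cfg):
    """True when one ACL serves both 'match address' and 'nat 0' (the dual use Walter warns about)."""
    return cfg["match_acl"] is not None and cfg["match_acl"] == cfg["nat0_acl"]


def report(local_cfg, remote_cfg):
    a, b = parse(local_cfg), parse(remote_cfg)
    return {"phase1": phase1_matches(a, b), "phase2": phase2_matches(a, b),
            "unmirrored_on_peer": unmirrored(a, b), "shared_acl": shares_acl(a)}


if __name__ == "__main__":
    for key, value in report(PIX501, PIX515).items():
        print(f"{key}: {value}")
```

    Run against the two excerpts it reports one phase 1 pair (501 policy 10 with 515 policy 1, the DES/MD5/group 1 combination), one shared phase 2 proposal (esp-3des with esp-md5-hmac), a correctly mirrored 10.10.20.0/24 to 10.10.10.0/24 entry, and the shared ACL on the 501. In other words the parameters do intersect, which is why the thread later finds the tunnel comes up as soon as interesting traffic appears; the checker is most useful after the proposals are reordered as Walter suggests, to confirm the preferred pair still exists on both sides.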

  3. Jeff

    Jeff Guest

    Thanks for the suggestions Walter, I will try the new configs out this
    weekend when I can get an outside connection going for the 501.
    Jeff, Dec 29, 2006
    #3
  4. Jeff

    Darren Green Guest

    "Walter Roberson" <> wrote in message
    news:t3clh.539151$R63.53319@pd7urf1no...

    snip
    >
    > You should not use 3DES with MD5; either use 3DES with SHA, or
    > use DES with MD5.
    >

    Walter,

    Just out of interest, why should you not use 3DES & MD5?

    Regards

    Darren
    Darren Green, Dec 29, 2006
    #4
  5. Jeff

    Jeff Guest

    Well, after testing it from my cable modem at home and getting a DHCP
    lease for the outside connection on the Pix 501 I ran into another
    interesting problem. With the 501 connected to the cable modem, I
    connected a laptop to one of the additional ports (port 3) on the 501
    but still did not have a VPN light turned on. So, just for the heck of
    it, seeing as how I was theoretically connected to the Internet I
    opened up IE and instantly the VPN tunnel light came to life on the
    Pix. What I am wondering is this: Why would it take an Internet
    session for the VPN to initialize?
    Jeff, Jan 3, 2007
    #5
  6. Jeff

    none Guest

    On Wed, 03 Jan 2007 05:49:15 -0800, Jeff wrote:

    > Well, after testing it from my cable modem at home and getting a DHCP
    > lease for the outside connection on the Pix 501 I ran into another
    > interesting problem. With the 501 connected to the cable modem, I
    > connected a laptop to one of the additional ports (port 3) on the 501
    > but still did not have a VPN light turned on. So, just for the heck of
    > it, seeing as how I was theoretically connected to the Internet I
    > opened up IE and instantly the VPN tunnel light came to life on the
    > Pix. What I am wondering is this: Why would it take an Internet
    > session for the VPN to initialize?


    The SAs are built on the "interesting" traffic from the ACLs in the
    "match" statement; the VPN is not up until the "interesting" traffic is
    matched.
    none, Jan 4, 2007
    #6
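    A small model of the behaviour described in the reply above, added here as an example (it is not code from the thread or from Cisco): the crypto ACL is evaluated against each outbound packet, and only a permit match while no SA exists makes the 501 start IKE; anything else leaves via NAT in the clear. The networks are the ones in the posted configs, while the sample flows and the responder-only rule for the 515 (a dynamic crypto map has no 'set peer', so it can only answer a spoke that calls it) are constructed assumptions of the model. It also suggests why opening a browser was what lit the VPN light: the 501 hands the laptop 10.10.10.3 as its DNS server (the `dhcpd dns` line), so the first name lookup is itself 10.10.20.x to 10.10.10.x traffic.

```python
"""Model of how a PIX crypto map decides whether a packet is 'interesting' and triggers IKE."""
import ipaddress

# Constructed from the thread: the 501's crypto ACL and its mirror image on the 515.
SPOKE_ACL = [("permit", "10.10.20.0/255.255.255.0", "10.10.10.0/255.255.255.0")]
HUB_ACL = [("permit", "10.10.10.0/255.255.255.0", "10.10.20.0/255.255.255.0")]

# Constructed sample flows seen from the 501 side (203.0.113.5 is a documentation address).
SPOKE_FLOWS = [
    ("10.10.20.100", "10.10.10.3"),    # laptop -> DNS server behind the 515
    ("10.10.20.100", "203.0.113.5"),   # laptop -> a host on the internet
    ("10.10.20.101", "10.10.10.19"),   # second laptop -> WINS server behind the 515
]


def compile_acl(entries):
    return [(action, ipaddress.ip_network(src), ipaddress.ip_network(dst))
            for action, src, dst in entries]


def is_interesting(acl, src, dst):
    """First-match evaluation of the crypto ACL against an outbound packet's addresses."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in acl:
        if s in snet and d in dnet:
            return action == "permit"
    return False  # implicit deny: the packet is NATed out in the clear, IKE never starts


class CryptoMap:
    """Tiny state machine: no SA until interesting traffic appears, then ESP for matches.

    A dynamic crypto map (the 515 side) has no 'set peer', so it can only answer a
    peer that calls it; that is modelled here as responder_only."""

    def __init__(self, acl, responder_only=False):
        self.acl = compile_acl(acl)
        self.responder_only = responder_only
        self.sa_up = False
        self.log = []

    def send(self, src, dst):
        if not is_interesting(self.acl, src, dst):
            self.log.append(f"{src}->{dst}: not interesting, sent via NAT in the clear")
            return "clear"
        if self.sa_up:
            self.log.append(f"{src}->{dst}: interesting, SA up, sent as ESP")
            return "tunnel"
        if self.responder_only:
            self.log.append(f"{src}->{dst}: interesting, but no SA and no peer to call")
            return "dropped"
        self.log.append(f"{src}->{dst}: interesting, no SA, initiating IKE")
        self.sa_up = True
        return "tunnel"

    def peer_connected(self):
        """Called on the hub once the spoke has negotiated the SA."""
        self.sa_up = True


def spoke_demo():
    """The 501: the first laptop-to-10.10.10.x packet brings the tunnel up."""
    spoke = CryptoMap(SPOKE_ACL)
    return [spoke.send(s, d) for s, d in SPOKE_FLOWS], spoke.log


def hub_demo():
    """The 515: hub-side traffic cannot raise the tunnel; it works only once the spoke has."""
    hub = CryptoMap(HUB_ACL, responder_only=True)
    before = hub.send("10.10.10.3", "10.10.20.100")
    hub.peer_connected()
    after = hub.send("10.10.10.3", "10.10.20.100")
    return before, after


if __name__ == "__main__":
    results, log = spoke_demo()
    print("\n".join(log))
    print("hub before/after the spoke connects:", hub_demo())
```

    The practical consequence for the setup in this thread is that nothing behind the 515 can bring the tunnel up; the remote office must send something toward 10.10.10.0/24 first. Where a tunnel needs to be up before users arrive, a periodic ping from the spoke side toward a host in the hub network is the usual way to keep it alive.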
