trouble with pix to pix tunnel

Discussion in 'Cisco' started by Grey Samuels, Oct 20, 2004.

  1. Grey Samuels

    Grey Samuels Guest

    I am trying to create a tunnel between two PIXes and am unable to get
    it to work. I am looking for suggestions; below are the two configs
    (IPs and passwords changed for security).

    : Saved
    : Written by enable_15 at 07:44:43.331 UTC Wed Oct 20 2004
    PIX Version 6.2(1)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password dnPweDeNkExe7q5X encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pix1
    domain-name ciscopix.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names

    name 10.1.1.0 FC

    access-list inside_outbound_nat0_acl permit ip any 192.168.1.128 255.255.255.19

    access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 FC 255.255.255.0
    access-list outside_cryptomap_1 permit ip 192.168.1.0 255.255.255.0 FC 55.255.255.0
    access-list inside_access_in permit udp any any
    access-list inside_access_in permit tcp any any
    access-list inside_access_in permit udp any object-group VOIP any object-group OIP
    pager lines 24
    interface ethernet0 10baset
    interface ethernet1 10full
    icmp permit any echo-reply inside
    mtu outside 1500
    mtu inside 1500
    ip address outside 125.22.66.66 255.255.255.128
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool VPNPool 192.168.1.190-192.168.1.195

    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 125.22.66.129 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    sysopt connection permit-l2tp
    no sysopt route dnat
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto map outside_map 1 ipsec-isakmp
    crypto map outside_map 1 match address outside_cryptomap_1
    crypto map outside_map 1 set peer 216.88.18.19
    crypto map outside_map 1 set transform-set ESP-DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ***** address 216.88.18.19 netmask 255.255.255.255
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 10
    ssh timeout 5
    vpdn group VPNGroup accept dialin pptp
    vpdn group VPNGroup ppp authentication pap
    vpdn group VPNGroup ppp authentication chap
    vpdn group VPNGroup ppp authentication mschap
    vpdn group VPNGroup ppp encryption mppe 40
    vpdn group VPNGroup client configuration address local VPNPool
    vpdn group VPNGroup pptp echo 60
    vpdn group VPNGroup client authentication local
    vpdn username xx password ****

    vpdn enable outside
    dhcpd address 192.168.1.2-192.168.1.129 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    vpnclient vpngroup fadmin password ****
    vpnclient username admin password ****
    vpnclient server 216.88.18.19
    vpnclient mode network-extension-mode
    terminal width 80
    Cryptochecksum:8813dfd91632ad769e328c36222f43d1
    pix1(config)#

    pix 2/////////////////////////////////////

    Pix2# show config
    : Saved
    : Written by enable_15 at 10:42:25.014 UTC Wed Oct 20 2004
    PIX Version 6.3(1)
    interface ethernet0 10baset
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password r8L3gOe83RgpYidg encrypted
    passwd r8L3gOe83RgpYidg encrypted
    hostname Pix2
    domain-name pix.com
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    name 192.168.1.0 brl
    access-list inside_nat0_outbound permit ip 10.1.1.0 255.255.255.0 brl 255.255.255.0
    access-list outside_cryptomap_1 permit ip 10.1.1.0 255.255.255.0 brl 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 216.88.18.19 255.255.248.0
    ip address inside 10.1.1.100 255.0.0.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool VPNPool 10.1.1.240-10.1.1.249

    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group int-in in interface outside
    route outside 0.0.0.0 0.0.0.0 216.88.18.1 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 10.0.0.0 255.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    sysopt connection permit-l2tp
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set esp-des-sha esp-des esp-sha-hmac
    crypto map outside_map 1 ipsec-isakmp
    crypto map outside_map 1 match address outside_cryptomap_1
    crypto map outside_map 1 set peer 125.22.66.66
    crypto map outside_map 1 set transform-set ESP-DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key **** address 125.22.66.66 netmask 255.255.255.255
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    telnet 10.1.1.3 255.255.255.255 inside
    telnet 10.1.1.21 255.255.255.255 inside
    telnet timeout 10
    ssh timeout 5
    console timeout 0
    dhcpd address 10.1.1.10-10.1.1.33 inside
    dhcpd dns 26.57.207.8 26.57.207.9
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd domain pix.com
    dhcpd auto_config outside
    terminal width 80
    Cryptochecksum:eb5660d2dfe481beda498d620603eb38
    Pix2#
    Grey Samuels, Oct 20, 2004
    #1

  2. In article <>,
    Grey Samuels <> wrote:
    :I am trying to create a tunnel between two Pix's and am unable to get
    :it to work. I am looking for suggestions below are the two configs

    :PIX Version 6.2(1)

    Your PIX software version has known security holes. You should upgrade it
    for security reasons, and also to get the bug fixes that appeared in
    6.2.2 and later. As you have 6.2, you are entitled to a free upgrade
    to 6.2.4 even if you do not have a support contract; for more information
    on that, please read

    http://www.cisco.com/en/US/products/products_security_advisory09186a008021ba2f.shtml


    :name 10.1.1.0 FC

    :access-list inside_outbound_nat0_acl permit ip any 192.168.1.128 255.255.255.19

    The destination netmask of 255.255.255.19 must be a typo?

    Your inside IP address is in 192.168.1/24, so all parts of 192.168.1.*
    are internal. In the above access-list entry, you have 192.168.1.128/25
    as a destination, implying that it is outside. You do not, however,
    have any static routes to point anything in 192.168.1.128/25 out the
    outside interface. I suspect that this line is in error and should be
    completely removed. You might perhaps have been trying to configure
    nat exemption for returning traffic, but the operation of nat 0 access-list
    automatically reverses source and destination when traffic is arriving
    from a lower security interface, so you should code the access-list
    with the source part reflecting what is in the higher security level
    and the destination reflecting what is in the lower security level.


    :access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 FC 255.255.255.0

    :access-list outside_cryptomap_1 permit ip 192.168.1.0 255.255.255.0 FC 55.255.255.0

    The netmask of 55.255.255.0 must be a typo.

    Your access-list for your crypto map does not correspond to your
    access-list for your nat 0. Your crypto map states that 10.1.1/24 is
    the only thing on the other side of the link, but your nat 0 access-list
    -implies- that 192.168.1.128/25 is on the other side of the link as well.
    As I explained earlier though, I think that other access-list was wrong
    to have that entry.

    :access-list inside_access_in permit udp any any
    :access-list inside_access_in permit tcp any any
    :access-list inside_access_in permit udp any object-group VOIP any object-group OIP

    object-group OIP is probably a typo.

    You have not defined the udp port object group VOIP.

    :ip address inside 192.168.1.1 255.255.255.0

    :ip local pool VPNPool 192.168.1.190-192.168.1.195

    :global (outside) 1 interface
    :nat (inside) 0 access-list inside_outbound_nat0_acl
    :nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    :access-group outside_access_in in interface outside

    You have not defined the access-list outside_access_in

    :access-group inside_access_in in interface inside

    :sysopt connection permit-ipsec

    :crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    :crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

    That suggests to me that you do not have a 3DES license.
    Due to changes in the US cryptography export regulations, Cisco
    now makes 3DES licenses available free to PIX owners who
    do not live in any of the countries that are specifically
    prohibited [unless you happen to be on the State Department
    list of proscribed people!]. To obtain the license, please go to

    https://tools.cisco.com/SWIFT/Licensing/jsp/formGenerator/Pix3DesMsgDisplay.jsp


    :crypto map outside_map 1 ipsec-isakmp

    Your crypto map definition looks fine.

    :isakmp policy 20 authentication pre-share

    Your isakmp policy looks fine.


    :pix 2/////////////////////////////////////

    :PIX Version 6.3(1)

    PIX 6.3.1 has known security problems. As you have PIX 6.3, you
    are entitled to a free upgrade to PIX 6.3.4. For more information,
    please see the same link as I gave for the PIX 6.2.4 case.


    :name 192.168.1.0 brl
    :access-list inside_nat0_outbound permit ip 10.1.1.0 255.255.255.0 brl 255.255.255.0
    :access-list outside_cryptomap_1 permit ip 10.1.1.0 255.255.255.0 brl 255.255.255.0

    Good, you did not fall into the trap of trying to use the same access-list
    for two different purposes. An access-list applied to an interface
    or applied in a crypto map must not be reused for any other purpose;
    you avoided that Gotcha.

    :ip address inside 10.1.1.100 255.0.0.0

    Big mistake. Your netmask should be 255.255.255.0 to conform with
    everything else.

    :global (outside) 1 interface
    :nat (inside) 0 access-list inside_nat0_outbound
    :nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    :access-group int-in in interface outside

    It's off my page now, but I believe you did not define the access-list
    int-in.

    :sysopt connection permit-ipsec

    :crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    :crypto ipsec transform-set esp-des-sha esp-des esp-sha-hmac

    You do not use transform-set esp-des-sha.

    :crypto map outside_map 1 ipsec-isakmp

    Your crypto map outside_map looks fine.

    :isakmp policy 10 authentication pre-share

    Your isakmp policy looks fine and does match with the other side.

    --
    Warhol's Law: every Usenet user is entitled to his or her very own
    fifteen minutes of flame -- The Squoire
    Walter Roberson, Oct 21, 2004
    #2
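    A consistency check for the two configs in the first post, added here as an example
    and not taken from the original posts or from Cisco: it parses the tunnel-relevant
    PIX 6.x statements from both boxes (name aliases, access-lists, interface addresses,
    nat 0, access-group, the crypto map's match address and peer, the isakmp policy) and
    applies the checks the reply above works through by hand: masks must be valid, every
    access-list that an access-group, nat 0 or crypto map refers to must exist, the nat 0
    exemption must cover exactly the pairs the crypto ACL carries, each side's crypto ACL
    must be the mirror image of the other's, the inside interface mask must agree with the
    local network in the crypto ACL, the crypto peer must be the other side's outside
    address, and the ISAKMP policies must match. The sample input is constructed from the
    thread's two configs, reduced to those statements with their defects left in. It
    assumes interfaces named inside and outside, and one crypto map entry and one isakmp
    policy per box.

```python
import ipaddress

# Constructed sample input: the tunnel-relevant statements from the two configs posted in this
# thread, defects left in (the two bad masks, the /8 inside mask on Pix2, undefined access-lists).
PIX1 = """hostname pix1
name 10.1.1.0 FC
access-list inside_outbound_nat0_acl permit ip any 192.168.1.128 255.255.255.19
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 FC 255.255.255.0
access-list outside_cryptomap_1 permit ip 192.168.1.0 255.255.255.0 FC 55.255.255.0
ip address outside 125.22.66.66 255.255.255.128
ip address inside 192.168.1.1 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
access-group outside_access_in in interface outside
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 216.88.18.19
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
"""
PIX2 = """hostname Pix2
name 192.168.1.0 brl
access-list inside_nat0_outbound permit ip 10.1.1.0 255.255.255.0 brl 255.255.255.0
access-list outside_cryptomap_1 permit ip 10.1.1.0 255.255.255.0 brl 255.255.255.0
ip address outside 216.88.18.19 255.255.248.0
ip address inside 10.1.1.100 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
access-group int-in in interface outside
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 125.22.66.66
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
"""

def parse_pix(text):
    """Collect the PIX 6.x statements the checks need; assumes one crypto map entry and one isakmp policy."""
    c = {"host": "?", "names": {}, "acls": {}, "ifaces": {}, "nat0": None,
         "groups": [], "cmap": {}, "isakmp": {}}
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[0] == "hostname":
            c["host"] = w[1]
        elif w[0] == "name":
            c["names"][w[2]] = w[1]                      # alias -> address
        elif w[0] == "access-list":
            c["acls"].setdefault(w[1], []).append(w[2:])
        elif w[:2] == ["ip", "address"]:
            c["ifaces"][w[2]] = (w[3], w[4])
        elif w[:3] == ["nat", "(inside)", "0"]:
            c["nat0"] = w[4]
        elif w[0] == "access-group":
            c["groups"].append(w[1])
        elif w[:2] == ["crypto", "map"] and len(w) == 7:
            c["cmap"][w[4] + " " + w[5]] = w[6]          # "match address" / "set peer"
        elif w[:2] == ["isakmp", "policy"]:
            c["isakmp"][w[3]] = w[4]
    return c

def to_net(c, addr, mask):
    # Resolve a 'name' alias and build the network; a non-contiguous mask raises ValueError.
    return ipaddress.IPv4Network(f"{c['names'].get(addr, addr)}/{mask}", strict=False)

def acl_pairs(c, name, findings):
    """(src, dst) selector pairs of an 'ip' ACL; entries with a bad mask are reported and skipped."""
    pairs = []
    for w in c["acls"].get(name, []):
        if w[:2] != ["permit", "ip"]:
            continue                                     # tcp/udp entries are not tunnel selectors
        ends, i = [], 2
        try:
            while i < len(w):                            # each end is 'any' or 'addr mask'
                ends.append("any" if w[i] == "any" else str(to_net(c, w[i], w[i + 1])))
                i += 1 if w[i] == "any" else 2
            pairs.append(tuple(ends))
        except ValueError as e:
            findings.append(f"{c['host']}: {name}: {' '.join(w)}: {e}")
    return pairs

def check_pair(text_a, text_b):
    """Cross-check two peer configs the way the reply in this thread did; returns the findings."""
    a, b = parse_pix(text_a), parse_pix(text_b)
    findings = []
    for c, peer in ((a, b), (b, a)):
        h, cm = c["host"], c["cmap"]
        for ref in c["groups"] + [c["nat0"], cm.get("match address")]:
            if ref and ref not in c["acls"]:             # access-group / nat 0 / crypto map all need a real ACL
                findings.append(f"{h}: access-list {ref} is referenced but never defined")
        if cm.get("set peer") != peer["ifaces"].get("outside", ("?",))[0]:
            findings.append(f"{h}: crypto peer {cm.get('set peer')} is not the peer's outside address")
        crypto = acl_pairs(c, cm.get("match address"), findings)
        for p in acl_pairs(c, c["nat0"], findings):      # nat 0 must exempt exactly what the tunnel carries
            if p not in crypto:
                findings.append(f"{h}: nat 0 entry {p} has no crypto ACL counterpart")
        mirror = {(d, s) for s, d in acl_pairs(peer, peer["cmap"].get("match address"), [])}
        inside = str(to_net(c, *c["ifaces"]["inside"]))
        for s, d in crypto:
            if (s, d) not in mirror:                     # the peer's crypto ACL must be the exact mirror image
                findings.append(f"{h}: crypto ACL entry {(s, d)} is not mirrored on the peer")
            if s not in ("any", inside):                 # local selector should be the inside subnet itself
                findings.append(f"{h}: inside interface is {inside} but the crypto ACL uses {s} as the local network")
        for attr in ("authentication", "encryption", "hash", "group"):   # absent on both sides compares equal
            if c["isakmp"].get(attr) != peer["isakmp"].get(attr):
                findings.append(f"{h}: isakmp {attr} differs from the peer's")
    return findings
```

    Calling check_pair(PIX1, PIX2) reports the two invalid masks, the two access-lists that
    are referenced but never defined, the nat 0 entry with no crypto counterpart, the Pix2
    crypto ACL entry that is not mirrored (because the pix1 side has no usable entry until
    its mask is fixed), and the /8 inside mask. With the masks corrected the only remaining
    findings are the undefined access-lists and the stray 192.168.1.128/25 exemption, which
    is the line the reply suggests removing.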

  3. Brad Reese

    Brad Reese Guest

    (Grey Samuels) wrote in message news:<>...
    > I am trying to create a tunnel between two Pix's and am unable to get
    > it to work. I am looking for suggestions below are the two configs
    > (ip's and passwords changed for security)
    >
    > [snip]


    ------------------------------------------

    Grey,

    You may want to investigate:

    Configuring a Simple PIX-to-PIX VPN Tunnel Using IPSec

    http://www.cisco.com/en/US/products...s_configuration_example09186a0080094761.shtml

    Sincerely,

    Brad Reese
    BradReese.Com Cisco Repair Worldwide
    1293 Hendersonville Road, Suite 17
    Asheville, North Carolina USA 28803
    Toll Free: 877-549-2680
    International: 828-277-7272
    Fax: 775-254-3558
    http://www.BradReese.Com
    Brad Reese, Oct 21, 2004
    #3
