vpn tunnel probs with 1841 to pix506

Discussion in 'Cisco' started by Vincent, Apr 5, 2005.

    Vincent (Guest)

    We're having problems connecting our 1841 router to a supplier's network
    using VPN.

    In our network we have two machines (.40 and .41) that need to communicate
    with 4 different subnets on the supplier's network.
    To do so, we need to make a VPN tunnel to their PIX506 appliance.

    We are getting a few problems.
    1) For some reason we can only ping to the first subnet that appears in the
    1841's acl. If we change the order of the acl, we can only ping to the
    subnet that is now on top.
    2) If we start the tunnel from our .40 machine, we cannot ping the other
    side from the .41 machine. The same happens when we start the ping from the
    .41: we then cannot ping from the .40.
    3) The tunnel is very unstable. Most of the time it only connects for a few
    minutes.

    We have seen the PIX config of the other side. They make use of object
    groups. Don't know if that makes a difference or not.


    Hope somebody can help.

    Vincent



    Cisco1841 config:

    !
    version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname RT01
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    no logging buffered
    enable secret
    !
    username <name> privilege 15 secret
    clock timezone Paris 1
    clock summer-time Paris date Mar 30 2003 2:00 Oct 26 2003 3:00
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    no aaa new-model
    ip subnet-zero
    no ip source-route
    ip cef
    !
    !
    ip tcp synwait-time 10
    !
    !
    no ip bootp server
    ip domain name cisco.com
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip ips po max-events 100
    no ftp-server write-enable
    isdn switch-type basic-net3
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp policy 2
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key <key> address 194.78.144.208
    !
    !
    crypto ipsec transform-set FJ esp-3des esp-md5-hmac
    !
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    description Tunnel to194.78.144.208
    set peer 194.78.144.208
    set security-association lifetime seconds 28800
    set transform-set FJ
    match address 100
    !
    !
    !
    !
    interface FastEthernet0/0
    description $FW_INSIDE$$ETH-LAN$$INTF-INFO-FE 0$
    ip address 128.0.99.172 255.255.0.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    duplex auto
    speed auto
    no cdp enable
    no mop enabled
    !
    interface FastEthernet0/1
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    shutdown
    duplex auto
    speed auto
    no cdp enable
    no mop enabled
    !
    interface ATM0/0/0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    no ip mroute-cache
    no atm ilmi-keepalive
    dsl operating-mode auto
    pvc 8/35
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    !
    interface Dialer1
    ip address negotiated
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    no ip route-cache cef
    no ip route-cache
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap pap callin
    ppp chap hostname <>
    ppp chap password <>
    ppp pap sent-username <> password <>
    crypto map SDM_CMAP_1
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat pool branch 214.48.132.65 214.48.132.65 netmask 255.255.255.252
    !
    !
    logging trap debugging
    logging 128.0.100.240
    access-list 100 permit ip host 128.0.99.40 194.78.145.0 0.0.0.255
    access-list 100 permit ip host 128.0.99.40 194.78.148.0 0.0.0.255
    access-list 100 permit ip host 128.0.99.40 194.78.146.0 0.0.0.255
    access-list 100 permit ip host 128.0.99.40 172.30.13.0 0.0.0.255
    access-list 100 permit ip host 128.0.99.40 194.78.150.0 0.0.0.255
    access-list 100 permit ip host 128.0.99.41 194.78.145.0 0.0.0.255
    access-list 100 permit ip host 128.0.99.41 194.78.148.0 0.0.0.255
    access-list 100 permit ip host 128.0.99.41 194.78.146.0 0.0.0.255
    access-list 100 permit ip host 128.0.99.41 172.30.13.0 0.0.0.255
    access-list 100 permit ip host 128.0.99.41 194.78.150.0 0.0.0.255
    access-list 120 remark SDM_ACL Category=16
    access-list 120 permit ip host 128.0.99.41 172.30.13.0 0.0.0.255
    access-list 120 permit ip host 128.0.99.41 194.78.145.0 0.0.0.255
    access-list 120 permit ip host 128.0.99.41 194.78.146.0 0.0.0.255
    access-list 120 permit ip host 128.0.99.41 194.78.148.0 0.0.0.255
    access-list 120 permit ip host 128.0.99.41 194.78.150.0 0.0.0.255
    access-list 120 permit ip host 128.0.99.40 172.30.13.0 0.0.0.255
    access-list 120 permit ip host 128.0.99.40 194.78.145.0 0.0.0.255
    access-list 120 permit ip host 128.0.99.40 194.78.146.0 0.0.0.255
    access-list 120 permit ip host 128.0.99.40 194.78.148.0 0.0.0.255
    access-list 120 permit ip host 128.0.99.40 194.78.150.0 0.0.0.255
    access-list 130 remark SDM_ACL Category=18
    access-list 130 deny ip host 128.0.99.41 194.78.146.0 0.0.0.255
    access-list 130 deny ip host 128.0.99.40 194.78.146.0 0.0.0.255
    access-list 130 permit ip 128.0.0.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    no cdp run
    !
    route-map nonat permit 10
    match ip address 130
    !
    control-plane
    !
    banner login Authorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!
    !
    line con 0
    login local
    transport output telnet
    line aux 0
    login local
    transport output telnet
    line vty 0 4
    privilege level 15
    login local
    transport input telnet ssh
    line vty 5 15
    privilege level 15
    login local
    transport input telnet ssh
    !
    scheduler allocate 4000 1000
    end


    Syslog output:
    04-04-2005 17:13:59 Local7.Debug 128.0.99.172 5980:
    remote_proxy= 194.78.145.0/255.255.255.0/0/0 (type=4)

    04-04-2005 17:13:59 Local7.Debug 128.0.99.172 5979:
    local_proxy= 128.0.99.41/255.255.255.255/0/0 (type=1),

    04-04-2005 17:13:59 Local7.Debug 128.0.99.172 5978:
    (identity) local= 214.48.132.65, remote= 194.78.144.208,

    04-04-2005 17:13:59 Local7.Debug 128.0.99.172 5977:
    001833: *Apr 4 17:14:09.391 Paris: IPSEC(key_engine): request timer fired:
    count = 2,

    04-04-2005 17:13:29 Local7.Debug 128.0.99.172 5976:
    001832: *Apr 4 17:13:40.075 Paris: IPSEC(validate_transform_proposal): no
    IPSEC cryptomap exists for local address 214.48.132.65

    04-04-2005 17:13:29 Local7.Debug 128.0.99.172 5975:
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2

    04-04-2005 17:13:29 Local7.Debug 128.0.99.172 5974:
    lifedur= 0s and 0kb,

    04-04-2005 17:13:29 Local7.Debug 128.0.99.172 5973:
    protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),

    04-04-2005 17:13:29 Local7.Debug 128.0.99.172 5972:
    remote_proxy= 194.78.145.0/255.255.255.0/0/0 (type=4),

    04-04-2005 17:13:29 Local7.Debug 128.0.99.172 5971:
    local_proxy= 128.0.99.41/255.255.255.255/0/0 (type=1),

    04-04-2005 17:13:29 Local7.Debug 128.0.99.172 5970:
    (key eng. msg.) INBOUND local= 214.48.132.65, remote= 194.78.144.208,

    04-04-2005 17:13:29 Local7.Debug 128.0.99.172 5969:
    001831: *Apr 4 17:13:40.075 Paris: IPSEC(validate_proposal_request):
    proposal part #1,

    04-04-2005 17:13:29 Local7.Debug 128.0.99.172 5968:
    001830: *Apr 4 17:13:39.419 Paris: IPSEC(validate_transform_proposal): no
    IPSEC cryptomap exists for local address 214.48.132.65

    04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5967:
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2

    04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5966:
    lifedur= 0s and 0kb,

    04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5965:
    protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),

    04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5964:
    remote_proxy= 194.78.145.0/255.255.255.0/0/0 (type=4),

    04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5963:
    local_proxy= 128.0.99.41/255.255.255.255/0/0 (type=1),

    04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5962:
    (key eng. msg.) INBOUND local= 214.48.132.65, remote= 194.78.144.208,

    04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5961:
    001829: *Apr 4 17:13:39.419 Paris: IPSEC(validate_proposal_request):
    proposal part #1,

    04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5960:
    spi= 0x956A4F4B(2506772299), conn_id= 0, keysize= 0, flags= 0x400A

    04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5959:
    lifedur= 28800s and 4608000kb,

    04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5958:
    protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),

    04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5957:
    ,

    04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5956:
    remote_proxy= 194.78.145.0/255.255.255.0/0/0 (type=4)

    04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5955:
    local_proxy= 128.0.99.41/255.255.255.255/0/0 (type=1),

    04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5954:
    (key eng. msg.) OUTBOUND local= 214.48.132.65, remote= 194.78.144.208,

    04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5953:
    001828: *Apr 4 17:13:39.391 Paris: IPSEC(sa_request): ,

    04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5952:
    remote_proxy= 194.78.145.0/255.255.255.0/0/0 (type=4)

    04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5951:
    local_proxy= 128.0.99.41/255.255.255.255/0/0 (type=1),

    04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5950:
    (identity) local= 214.48.132.65, remote= 194.78.144.208,

    04-04-2005 17:13:28 Local7.Debug 128.0.99.172 5949:
    001827: *Apr 4 17:13:39.391 Paris: IPSEC(key_engine): request timer fired:
    count = 1,

    04-04-2005 17:12:59 Local7.Info 128.0.99.172
    5948: 001826: *Apr 4 17:13:10.075 Paris: %CRYPTO-6-IKMP_MODE_FAILURE:
    Processing of Quick mode failed with peer at 194.78.144.208

    04-04-2005 17:12:58 Local7.Debug 128.0.99.172 5947:
    001825: *Apr 4 17:13:10.071 Paris: IPSEC(validate_transform_proposal): no
    IPSEC cryptomap exists for local address 214.48.132.65

    04-04-2005 17:12:58 Local7.Debug 128.0.99.172 5946:
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2

    04-04-2005 17:12:58 Local7.Debug 128.0.99.172 5945:
    lifedur= 0s and 0kb,

    04-04-2005 17:12:58 Local7.Debug 128.0.99.172 5944:
    protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),

    04-04-2005 17:12:58 Local7.Debug 128.0.99.172 5943:
    remote_proxy= 194.78.145.0/255.255.255.0/0/0 (type=4),

    04-04-2005 17:12:58 Local7.Debug 128.0.99.172 5942:
    local_proxy= 128.0.99.41/255.255.255.255/0/0 (type=1),
    Vincent, Apr 5, 2005
    #1
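The debug lines above show only one pair of proxy identities being negotiated (local 128.0.99.41/32, remote 194.78.145.0/24), which is the first ACL 100 entry for that host, while the peer's proposals are refused with "no IPSEC cryptomap exists for local address". For an IKEv1 crypto map the two sides' crypto ACLs have to be exact mirror images of each other, entry by entry, and a PIX ACL built from object groups expands to whatever the groups contain, which may or may not be the ten host-to-subnet pairs in ACL 100. The Python script below is an added example, not code from the thread or from Cisco: it parses both ACL syntaxes (IOS wildcard masks and PIX netmasks) into proxy-identity sets, reports the entries on each side that have no mirror on the other, and checks proposals pulled from the syslog lines against the 1841's ACL. The PIX ACL in it is a constructed stand-in (the supplier's real config is not on the page) that summarises the four 194.78.x.0 networks into 194.78.144.0/21, which is enough to show what a mismatch looks like. Whether a peer accepts a proposal that is narrower than one of its own entries depends on the platform; the script reports an exact mirror, a wider covering entry, or no match, and leaves that policy decision to the reader.

```python
"""Compare two IPsec crypto-map ACLs as sets of proxy identities and check
Quick Mode proposals seen in syslog against them (added example, not code
from the thread)."""
import ipaddress
import re


def net(spec):
    """'a.b.c.d/prefix', 'a.b.c.d/netmask' or 'a.b.c.d/wildcard' -> IPv4Network."""
    return ipaddress.ip_network(spec, strict=False)


# access-list 100 as posted for the 1841 (the ACL matched by SDM_CMAP_1).
IOS_CRYPTO_ACL = """
access-list 100 permit ip host 128.0.99.40 194.78.145.0 0.0.0.255
access-list 100 permit ip host 128.0.99.40 194.78.148.0 0.0.0.255
access-list 100 permit ip host 128.0.99.40 194.78.146.0 0.0.0.255
access-list 100 permit ip host 128.0.99.40 172.30.13.0 0.0.0.255
access-list 100 permit ip host 128.0.99.40 194.78.150.0 0.0.0.255
access-list 100 permit ip host 128.0.99.41 194.78.145.0 0.0.0.255
access-list 100 permit ip host 128.0.99.41 194.78.148.0 0.0.0.255
access-list 100 permit ip host 128.0.99.41 194.78.146.0 0.0.0.255
access-list 100 permit ip host 128.0.99.41 172.30.13.0 0.0.0.255
access-list 100 permit ip host 128.0.99.41 194.78.150.0 0.0.0.255
"""

# CONSTRUCTED stand-in for the supplier's PIX crypto ACL (their real config is
# not in the thread). PIX syntax uses netmasks; an object group that summarises
# the four 194.78.x.0 networks into 194.78.144.0/21 would expand to these lines.
PIX_CRYPTO_ACL = """
access-list outside_cryptomap permit ip 194.78.144.0 255.255.248.0 host 128.0.99.40
access-list outside_cryptomap permit ip 194.78.144.0 255.255.248.0 host 128.0.99.41
access-list outside_cryptomap permit ip 172.30.13.0 255.255.255.0 host 128.0.99.40
access-list outside_cryptomap permit ip 172.30.13.0 255.255.255.0 host 128.0.99.41
"""

# Two debug lines taken from the thread's syslog output (wrapped lines rejoined).
SYSLOG_EXCERPT = """
04-04-2005 17:13:59 Local7.Debug 128.0.99.172 5980: remote_proxy= 194.78.145.0/255.255.255.0/0/0 (type=4)
04-04-2005 17:13:59 Local7.Debug 128.0.99.172 5979: local_proxy= 128.0.99.41/255.255.255.255/0/0 (type=1),
"""


def _parse_spec(tokens, i):
    """Parse one address spec ('any', 'host X', or 'X mask') starting at tokens[i]."""
    if tokens[i] == "any":
        return net("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return net(tokens[i + 1] + "/32"), i + 2
    return net(f"{tokens[i]}/{tokens[i + 1]}"), i + 2  # netmask or wildcard


def parse_acl(text):
    """Return the set of (src, dst) networks from 'access-list ... permit ip' lines."""
    aces = set()
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or "permit" not in t:
            continue  # remarks, deny entries and blank lines carry no proxy ID
        k = t.index("permit")
        if t[k + 1] != "ip":
            continue
        src, k = _parse_spec(t, k + 2)
        dst, _ = _parse_spec(t, k)
        aces.add((src, dst))
    return aces


def mirror_gaps(local_aces, remote_aces):
    """Entries on each side whose exact mirror image (dst, src) is missing on the other."""
    remote_mirrored = {(d, s) for (s, d) in remote_aces}
    local_mirrored = {(d, s) for (s, d) in local_aces}
    return {
        "local_without_mirror": sorted(local_aces - remote_mirrored, key=str),
        "remote_without_mirror": sorted(remote_aces - local_mirrored, key=str),
    }


PROXY_RE = re.compile(r"(local|remote)_proxy=\s*([\d.]+)/([\d.]+)/")


def parse_proposals(log_text):
    """Pair local_proxy/remote_proxy debug lines into (local, remote) networks.
    The two lines of one SA request are adjacent whichever way the collector
    orders them, so a pair is emitted as soon as both halves have been seen."""
    pairs, half = [], {}
    for line in log_text.splitlines():
        m = PROXY_RE.search(line)
        if not m:
            continue
        half[m.group(1)] = net(f"{m.group(2)}/{m.group(3)}")
        if len(half) == 2:
            pairs.append((half["local"], half["remote"]))
            half = {}
    return pairs


def covering_aces(aces, local_proxy, remote_proxy):
    """[(ace, exact)] for every ACE whose source covers local_proxy and whose
    destination covers remote_proxy; exact=True means a one-to-one mirror."""
    hits = []
    for src, dst in aces:
        if local_proxy.subnet_of(src) and remote_proxy.subnet_of(dst):
            hits.append(((src, dst), (src, dst) == (local_proxy, remote_proxy)))
    return hits


if __name__ == "__main__":
    local, remote = parse_acl(IOS_CRYPTO_ACL), parse_acl(PIX_CRYPTO_ACL)
    for side, gaps in mirror_gaps(local, remote).items():
        print(f"{side}: {len(gaps)}")
        for src, dst in gaps:
            print(f"  {src} -> {dst}")
    for lp, rp in parse_proposals(SYSLOG_EXCERPT):
        hits = covering_aces(local, lp, rp)
        verdict = ("no matching ACE" if not hits
                   else "exact mirror" if any(e for _, e in hits)
                   else "covered only by a wider ACE")
        print(f"proposal {lp} <-> {rp}: {verdict}")
```

Run it as-is and it reports eight ACL 100 entries with no mirror on the constructed PIX side and two PIX entries with no mirror on the 1841 side, while the proposal taken from the log is an exact mirror of ACL 100's first .41 entry; substitute the real PIX ACL (with its object groups expanded, as `show access-list` prints them) for the constructed one to check an actual pair of peers.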