VPN tunnel seems fine but no traffic is passing through it.

Discussion in 'Cisco' started by Paul, Jan 12, 2005.

  1. Paul

    Paul Guest

    I posted this initially on comp.dcom.vpn but google or firefox
    conspired to screw up the posting so I'll try again here. Apologies to
    those of you that might see this twice.

    I'm trying to configure a simple VPN between two PIX 501s - one with a
    static IP and one on a cable modem.

    I've been informed that the remote (dynamic) PIX can initiate the VPN
    tunnel (by attempting to send traffic to an IP on the internal
    interface of the local PIX) but can't do anything else like map drives
    or ping hosts on the other side.

    The VPN light comes on and I can look back in the local (static) PIX's
    log to see an active IPSec/IKE tunnel at the same time.

    I know it's something remarkably simple but I can't see it. Can anyone
    help?

    Configs are below:

    REMOTE PIX
    PIX Version 6.3(4)
    interface ethernet0 100full
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password *** encrypted
    passwd *** encrypted
    hostname remotepix1
    domain-name ***
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 101 permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
    pager lines 24
    logging on
    logging buffered debugging
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.100.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 101
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    conduit permit icmp any any
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.100.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto map newmap 10 ipsec-isakmp
    crypto map newmap 10 match address 101
    crypto map newmap 10 set peer (LOCAL PIX external IP)
    crypto map newmap 10 set transform-set myset
    crypto map newmap interface outside
    isakmp enable outside
    isakmp key ******** address (LOCAL PIX external IP) netmask 255.255.255.255
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 1000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.100.10-192.168.100.40 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80




    LOCAL PIX
    PIX Version 6.3(4)
    interface ethernet0 100full
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password *** encrypted
    passwd *** encrypted
    hostname gamipix1
    domain-name ***
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 100 permit ip 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list 100 permit ip 10.10.10.0 255.255.255.0 192.168.11.0 255.255.255.0
    pager lines 24
    logging buffered debugging
    mtu outside 1500
    mtu inside 1500
    ip address outside (LOCAL PIX External IP) 255.255.255.0
    ip address inside (LOCAL PIX Internal IP) 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool clientpool 192.168.11.1-192.168.11.50
    pdm location 192.168.11.0 255.255.255.0 outside
    pdm location 192.168.100.0 255.255.255.0 outside
    pdm location 10.10.10.0 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 100
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    conduit permit icmp any any
    route outside 0.0.0.0 0.0.0.0 (LOCAL PIX External T1 Gateway IP) 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    http server enable
    http 10.10.10.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map cisco 1 set transform-set myset
    crypto map dyn-map 20 ipsec-isakmp dynamic cisco
    crypto map dyn-map interface outside
    isakmp enable outside
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 1000
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup unityclient address-pool clientpool
    vpngroup unityclient dns-server 10.10.10.163
    vpngroup unityclient wins-server 10.10.10.163
    vpngroup unityclient default-domain ***
    vpngroup unityclient idle-time 1800
    vpngroup unityclient password ********
    telnet timeout 5
    ssh 10.10.10.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    username *** password *** encrypted privilege 15
    terminal width 80
     
    Paul, Jan 12, 2005
    #1

  2. In article <>,
    Paul <> wrote:
    :I'm trying to configure a simple VPN between two PIX 501s - one with a
    :static IP and one on a cable modem.

    :I've been informed that the remote (dynamic) PIX can initiate the VPN
    :tunnel (by attempting to send traffic to an IP on the internal
    :interface of the local PIX) but can't do anything else like map drives
    :or ping hosts on the other side.

    :REMOTE PIX
    :PIX Version 6.3(4)
    :access-list 101 permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
    :ip address outside dhcp setroute
    :ip address inside 192.168.100.1 255.255.255.0
    :global (outside) 1 interface
    :nat (inside) 0 access-list 101
    :nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    :conduit permit icmp any any

    Get rid of the conduit. Conduits will not be supported in the
    next PIX release (7.0), which is overdue now. It is plausible
    that there will be a PIX 6.3(5) before 7.0 arrives, but don't
    expect a PIX 6.3(6) or PIX 6.4(*).

    The conduit isn't affecting your VPN tunnel at all because
    of your 'sysopt connection permit-ipsec': it is only affecting
    traffic from other locations. You do *not* want other people
    to be able to send you arbitrary icmp: they can send icmp host
    redirections and if your inside hosts pay attention to those
    then the attackers could silently redirect your favorite banking
    site to their own clone of the site that records your banking details...

    I would suggest

    object-group icmp-type safe_icmp
    description icmp types that are safe to allow from outside to inside
    icmp-object echo-reply
    icmp-object time-exceeded
    icmp-object unreachable

    access-list acl-outside permit icmp any any object-group safe_icmp

    access-group acl-outside in interface outside

    :sysopt connection permit-ipsec

    :crypto map newmap 10 match address 101
    :crypto map newmap 10 set peer (LOCAL PIX external IP)
    :crypto map newmap interface outside
    :isakmp enable outside
    :isakmp key ******** address (LOCAL PIX external IP) netmask 255.255.255.255


    :LOCAL PIX
    :PIX Version 6.3(4)

    :access-list 100 permit ip 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0
    :access-list 100 permit ip 10.10.10.0 255.255.255.0 192.168.11.0 255.255.255.0

    :global (outside) 1 interface
    :nat (inside) 0 access-list 100
    :nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    :conduit permit icmp any any

    See above note about conduit.

    :sysopt connection permit-ipsec

    :crypto dynamic-map cisco 1 set transform-set myset
    :crypto map dyn-map 20 ipsec-isakmp dynamic cisco
    :crypto map dyn-map interface outside

    :isakmp enable outside
    :isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

    That line is the problem, I believe.

    isakmp key ****** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode

    If I recall correctly, when you do not have the no-config-mode
    in there, the 'local' pix (the one that has the crypto dynamic map)
    is going to allocate an IP for it out of the IP pool. That IP
    is not going to happen to be in the inside address space,
    so the traffic is not going to match the ACL you have applied
    to the crypto map on the remote PIX, so the remote pix is going
    to drop the traffic.

    You then have the problem that you -do- want xauth and config-mode
    for your VPN clients. I seem to recall that you can effectively
    override the isakmp key statement for those by appropriate clauses in the
    vpngroup you have created.
    --
    Cottleston, Cottleston, Cottleston pie.
    A bird can't whistle and neither can I. -- Pooh
     
    Walter Roberson, Jan 12, 2005
    #2
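    The mismatch Walter describes above (a config-mode address handed to the
    peer falling outside the crypto ACL on the other side) can be checked
    mechanically. The script below is an added example, not code from the
    thread: it parses the "access-list ... permit ip" lines posted in the two
    configs (copied here as constructed sample input), reports which entries
    have no mirror image on the peer, and tests whether a given pair of hosts
    would be selected for IPsec in both directions. The host addresses
    10.10.10.5, 192.168.100.20 and the pool address 192.168.11.5 are
    hypothetical values chosen for the demonstration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input: the crypto / NAT-exemption ACLs from the two configs
# posted in this thread (PIX 6.3 syntax uses real subnet masks, not wildcards).
REMOTE_ACL = [
    "access-list 101 permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0",
]
LOCAL_ACL = [
    "access-list 100 permit ip 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0",
    "access-list 100 permit ip 10.10.10.0 255.255.255.0 192.168.11.0 255.255.255.0",
]

# Only the "permit ip <src> <mask> <dst> <mask>" shape used in the thread is
# parsed; entries with ports, object-groups or deny are skipped by parse_acl.
ACE_RE = re.compile(
    r"^access-list\s+\S+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)


@dataclass(frozen=True)
class Ace:
    """One access-control entry: traffic from src network to dst network."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.IPv4Address(src_ip) in self.src
                and ipaddress.IPv4Address(dst_ip) in self.dst)

    def mirror(self) -> "Ace":
        """The entry the peer must carry for this one to be symmetric."""
        return Ace(self.dst, self.src)


def parse_acl(lines):
    """Turn PIX 'access-list ... permit ip' lines into Ace objects."""
    aces = []
    for line in lines:
        m = ACE_RE.match(line.strip())
        if m:
            s, sm, d, dm = m.groups()
            aces.append(Ace(ipaddress.IPv4Network(f"{s}/{sm}"),
                            ipaddress.IPv4Network(f"{d}/{dm}")))
    return aces


def selects_flow(aces, src_ip, dst_ip):
    """True if any ACE would select this flow for IPsec (and NAT exemption)."""
    return any(ace.matches(src_ip, dst_ip) for ace in aces)


def unmirrored(these, those):
    """ACEs in `these` whose reverse-direction twin is missing from `those`."""
    return [ace for ace in these if ace.mirror() not in those]


def diagnose(local_aces, remote_aces, local_host, remote_host):
    """Check both directions of a flow: the local PIX must select
    local_host -> remote_host and the remote PIX must select the reply."""
    return {
        "local_selects": selects_flow(local_aces, local_host, remote_host),
        "remote_selects": selects_flow(remote_aces, remote_host, local_host),
    }


if __name__ == "__main__":
    local, remote = parse_acl(LOCAL_ACL), parse_acl(REMOTE_ACL)
    # A normal LAN-to-LAN flow is selected on both sides.
    print(diagnose(local, remote, "10.10.10.5", "192.168.100.20"))
    # A peer that was handed a config-mode address from the 192.168.11.x pool
    # (hypothetical address) is selected locally but not by remote ACL 101,
    # so the remote PIX drops the traffic, as described in the reply above.
    print(diagnose(local, remote, "10.10.10.5", "192.168.11.5"))
    for ace in unmirrored(local, remote):
        print(f"no mirror on remote side for {ace.src} -> {ace.dst}")
```

    The one entry the check flags, 10.10.10.0/24 to 192.168.11.0/24, is the
    client-pool entry on the local PIX; it has no twin on the remote PIX, which
    is exactly why a pool address assigned to the remote peer never matches
    ACL 101 there. Because the same ACLs drive "nat (inside) 0", the same
    script also tells you which flows will be NAT-exempted on each side.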

  3. Paul

    Paul Guest

    Thank you for the help, Walter.

    I've added the icmp acl to both and have changed "isakmp key ********
    address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode" on the local
    pix.

    Now the remote pix isn't displaying the "vpn active" light and there
    are no logged tunnels on the local pdm during attempted connects.

    I haven't done anything regarding your last paragraph - I assumed it
    was to do with connections between the local pix and Cisco's software
    VPN client which I'm not worried about at the moment. If it is
    relevant to the pix-pix connection, can I ask you to elaborate please.

    Many thanks.

    Paul

    My current configs are below:

    REMOTE PIX

    PIX Version 6.3(4)
    interface ethernet0 100full
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password *** encrypted
    passwd *** encrypted
    hostname remotepix1
    domain-name ***
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    object-group icmp-type safe_icmp
    description icmp types that are safe to allow from outside to inside
    icmp-object echo-reply
    icmp-object time-exceeded
    icmp-object unreachable
    access-list 101 permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list acl-outside permit icmp any any object-group safe_icmp
    pager lines 24
    logging on
    logging buffered debugging
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.100.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 101
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group acl-outside in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.100.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto map newmap 10 ipsec-isakmp
    crypto map newmap 10 match address 101
    crypto map newmap 10 set peer [LOCAL PIX OUTSIDE IP]
    crypto map newmap 10 set transform-set myset
    crypto map newmap interface outside
    isakmp enable outside
    isakmp key ******** address [LOCAL PIX OUTSIDE IP] netmask 255.255.255.255
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 1000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.100.10-192.168.100.40 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80



    LOCAL PIX

    PIX Version 6.3(4)
    interface ethernet0 100full
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password *** encrypted
    passwd *** encrypted
    hostname gamipix1
    domain-name ***
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    object-group icmp-type safe_icmp
    description icmp types that are safe to allow from outside to inside
    icmp-object echo-reply
    icmp-object time-exceeded
    icmp-object unreachable
    access-list 100 permit ip 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list 100 permit ip 10.10.10.0 255.255.255.0 192.168.11.0 255.255.255.0
    access-list acl-outside permit icmp any any object-group safe_icmp
    pager lines 24
    logging buffered debugging
    mtu outside 1500
    mtu inside 1500
    ip address outside [LOCAL PIX OUTSIDE IP] 255.255.255.224
    ip address inside 10.10.10.177 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool clientpool 192.168.11.1-192.168.11.50
    pdm location 192.168.11.0 255.255.255.0 outside
    pdm location 192.168.100.0 255.255.255.0 outside
    pdm location 10.10.10.0 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 100
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group acl-outside in interface outside
    route outside 0.0.0.0 0.0.0.0 [T1 GATEWAY IP] 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    http server enable
    http 10.10.10.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map cisco 1 set transform-set myset
    crypto map dyn-map 20 ipsec-isakmp dynamic cisco
    crypto map dyn-map interface outside
    isakmp enable outside
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 1000
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup unityclient address-pool clientpool
    vpngroup unityclient dns-server 10.10.10.163
    vpngroup unityclient wins-server 10.10.10.163
    vpngroup unityclient default-domain ***
    vpngroup unityclient idle-time 1800
    vpngroup unityclient password ********
    telnet timeout 5
    ssh 10.10.10.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    username administrator password *** encrypted privilege 15
    terminal width 80
     
    Paul, Jan 13, 2005
    #3
