PIX VPN tunnels - only work when traffic is initiated from one side?

Discussion in 'Cisco' started by Brian Ipsen, Feb 24, 2004.

  1. Brian Ipsen

    Brian Ipsen Guest

    Hi!

    I have 3 PIX firewalls set up in a triangular setup - so they all can see
    each other... Let's name them PIX515, PIX506 and PIX501 (which are the
    actual model numbers).

    Traffic from PIX515 to PIX506 works like a charm in both directions - no
    problem.
    Traffic from PIX506 to PIX501 - don't know (actually this link is not so
    important).
    Traffic from PIX515 to PIX501 - here's the real problem!

    When pinging from host 192.168.1.178 on the DMZ leg of the 515 towards
    192.168.23.10 on the inside interface of PIX501 there's no reply... Doing it
    the other way around, 192.168.23.10 towards 192.168.1.178, times out on
    the first ping packet; after this it works without problems... The funny
    part is if I go back and do a ping from 192.168.1.178 towards 192.168.23.10
    after this - then I get a reply without any problem ?!?!?!???

    Any idea what the problem can be? I can post the basic VPN config from
    all 3 PIXes - but I think they would take up a lot of space here - in case
    someone already knows by now what the problem could be..

    PIX515 runs software version 6.3(1) - the other 2 use 6.3(3)

    Anyone ?

    Regards,

    /Brian
     
    Brian Ipsen, Feb 24, 2004
    #1

  2. Either a NAT-0 config error on the 515, or a license limit exceeded error on the 501.
    Try a show ipsec sa on the 515 to see interesting traffic, and show log on the
    501.

    HTH
    Martin Bilgrav
     
    Martin Bilgrav, Feb 24, 2004
    #2

  3. Brian Ipsen

    Brian Ipsen Guest

    Hmm.... pinging from 192.168.1.141 on the DMZ towards 192.168.23.10 works
    perfectly - without having to initiate the traffic from 192.168.23.10
    first...

    There are no nat (dmz) 0 entries in the PIX515 - could that be the problem?
    I tried to add an entry with an access-list, but that didn't change
    anything.

    The 501 has warning level on buffered logging - nothing shows up in there.
    The 501 is a 50-user model with a license for 10 IKE peers. The 501 indicates 2 IKE
    tunnels in use and 2 IPSec tunnels (when checking using the PDM).

    The PIX515 is running unrestricted software. Logging on this one is more or
    less impossible, since a lot of other traffic flows through it...

    /Brian
     
    Brian Ipsen, Feb 24, 2004
    #3
  4. Rik Bain

    Rik Bain Guest

    I would be willing to bet that the match address access-lists are not
    exact opposites. When configured this way it is possible for traffic to
    be built one way, from the most restrictive ACL to the least restrictive,
    as long as the most restrictive falls inside the least restrictive address
    space.

    For example, if you had:

    PIX1:
    access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
    cry map cmap1 10 match address 101

    PIX2:
    access-list 101 permit ip 10.10.0.0 255.255.0.0 10.10.0.0 255.255.0.0
    cry map cmap1 10 match address 101

    PIX 1 would be able to initiate the tunnel to PIX 2.
    PIX 2 would not be able to initiate the tunnel; "proxy identities not
    supported" messages would be generated.
     
    Rik Bain, Feb 24, 2004
    #4
  5. Brian Ipsen

    Brian Ipsen Guest

    Config on PIX515

    access-list ipsec_501_515_vpn permit ip host 192.168.1.141 192.168.23.0 255.255.255.0
    access-list ipsec_501_515_vpn permit ip host 192.168.1.178 192.168.23.0 255.255.255.0
    crypto map mymap 32 ipsec-isakmp
    crypto map mymap 32 match address ipsec_501_515_vpn
    crypto map mymap 32 set peer w.x.y.z
    crypto map mymap 32 set transform-set vpnset

    On PIX501:
    access-list ipsec_501_515_vpn permit ip 192.168.23.0 255.255.255.0 host 192.168.1.141
    access-list ipsec_501_515_vpn permit ip 192.168.23.0 255.255.255.0 host 192.168.1.178
    crypto map mymap 31 ipsec-isakmp
    crypto map mymap 31 match address ipsec_501_515_vpn
    crypto map mymap 31 set peer a.b.c.d
    crypto map mymap 31 set transform-set vpnset

    I've been looking for typos etc. - but have not been able to locate
    anything...

    /Brian
     
    Brian Ipsen, Feb 24, 2004
    #5
  6. It is good practice to have a NAT-0 ACL on VPN traffic, so yes, I would add the
    NAT-0 to the DMZ.
    Are both hosts on the DMZ?

    Still check the log for "license limit exceed" entries,
    or you can do "show conn" and look in the first line for any "denied"
    connections, which then indicates your limit is reached.

    Logging is never impossible, but you may need debugging on (in that case you
    don't need logging).
    Alternatively you can create an ACL and try the capture command together with
    Ethereal - I recommend it strongly as an extremely nice tool for
    troubleshooting PIXes.

    e.g.
    access-list cap01 permit ip host 192.168.1.141 any
    access-list cap01 permit ip any host 192.168.1.141

    Capture run01 cap01 ?
    (can't remember more of the syntax)..

    Then show capture.
    When done, copy the pcap file option to your TFTP or via https:// and view it in
    Ethereal.

    Kind of kewl


    Regards
    Martin Bilgrav


    PS: maybe you need to post your cfg on the two units.
     
    Martin Bilgrav, Feb 24, 2004
    #6
  7. Rik Bain

    Rik Bain Guest

    Hmmm, looks like I bet wrong. At this point I would wonder if the tunnel
    gets built when the traffic is initiated from the .178 host. show cry
    ipsec sa should show you. Also, can you post the relevant nat/static
    commands for 192.168.1.178 and 192.168.23.0?

    Question from left field: do you have a dynamic crypto policy with a
    higher priority on the PIX?
     
    Rik Bain, Feb 24, 2004
    #7
  8. Brian Ipsen

    Brian Ipsen Guest

    I tried to add an access-list, but it didn't show any hits when I tried to
    generate ping traffic from 192.168.1.178.
    Both hosts are on the DMZ on the 515.
    Don't think that's the problem... during evening hours there are no internal
    users, and the number of connections is rather limited...
    I'll try to take a look at it...

    /Brian
     
    Brian Ipsen, Feb 24, 2004
    #8
  9. Brian Ipsen

    Brian Ipsen Guest

    For 192.168.1.178 there are a number of static entries doing port-mapping,
    e.g. external port 3000 to .1.178 port 3000 (no direct host-mapping).
    The .23.0 subnet on the PIX 501 has only one port-mapping - tcp port 3389 to
    an internal server.

    Anyway - when doing

    debug crypto ipsec
    debug crypto isakmp

    on the 515, and then try to ping the 192.168.23.10 host, I get (on the 515)

    IPSEC(sa_initiate): ACL = deny; no sa created
    IPSEC(sa_initiate): ACL = deny; no sa created
    IPSEC(sa_initiate): ACL = deny; no sa created
    IPSEC(sa_initiate): ACL = deny; no sa created

    Maybe that gives a hint?
    On the 515 I also have:

    crypto map mymap 50 ipsec-isakmp dynamic dynmap
    crypto map mymap client configuration address initiate

    /Brian
     
    Brian Ipsen, Feb 24, 2004
    #9
  10. :Config on PIX515

    :access-list ipsec_501_515_vpn permit ip host 192.168.1.141 192.168.23.0 255.255.255.0
    :access-list ipsec_501_515_vpn permit ip host 192.168.1.178 192.168.23.0 255.255.255.0
    :crypto map mymap 32 match address ipsec_501_515_vpn

    :On PIX501:

    :access-list ipsec_501_515_vpn permit ip 192.168.23.0 255.255.255.0 host 192.168.1.141
    :access-list ipsec_501_515_vpn permit ip 192.168.23.0 255.255.255.0 host 192.168.1.178
    :crypto map mymap 31 match address ipsec_501_515_vpn

    In the parallel stream, you mention that you aren't using nat 0. That
    being the case, outgoing traffic is going to be natted, and isn't going to
    show up as ip address 192.168.whatever to the other end. If you have
    'sysopt connect permit ip-sec' then the packets will get through one
    way but not the other.
     
    Walter Roberson, Feb 24, 2004
    #10
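    The two configuration points raised in this thread - Rik Bain's observation (post #4) that the crypto map "match address" lists on the two peers must be exact mirror images, and Walter Roberson's point (post #10) that without a nat 0 exemption the outbound packet is translated before the crypto ACL ever sees it - can both be checked offline with a small script. The following is an added example written for this page, not code from the thread or from Cisco. It parses "access-list NAME permit ip SRC DST" lines using the PIX syntax from the thread, models proxy-identity acceptance as simple subnet containment (a simplification of what the PIX does), and models the packet path as "translate first, then test the crypto ACL". The sample ACLs are the ones posted in the thread; the outside PAT address 203.0.113.5 and the helper names are constructed for the example.

```python
"""Added example: mirror-image check for PIX crypto ACLs and a simplified
'NAT runs before the crypto map' packet-path model. Not from the thread."""
import ipaddress
import re

# Matches the 'permit ip SRC DST' form used in the thread; each address field is
# either 'host A.B.C.D' or 'NETWORK MASK'. 'any' is deliberately not handled.
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+permit\s+ip\s+"
    r"(?P<src>host\s+\S+|\S+\s+\S+)\s+(?P<dst>host\s+\S+|\S+\s+\S+)"
)

# Crypto ACLs exactly as posted in the thread (post #5).
PIX515_CRYPTO = """
access-list ipsec_501_515_vpn permit ip host 192.168.1.141 192.168.23.0 255.255.255.0
access-list ipsec_501_515_vpn permit ip host 192.168.1.178 192.168.23.0 255.255.255.0
"""
PIX501_CRYPTO = """
access-list ipsec_501_515_vpn permit ip 192.168.23.0 255.255.255.0 host 192.168.1.141
access-list ipsec_501_515_vpn permit ip 192.168.23.0 255.255.255.0 host 192.168.1.178
"""
# Rik Bain's deliberately non-mirrored example (post #4).
PIX1_ACL = "access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0"
PIX2_ACL = "access-list 101 permit ip 10.10.0.0 255.255.0.0 10.10.0.0 255.255.0.0"

# Constructed outside address the 515 would PAT to (not from the thread).
PAT_OUTSIDE = "203.0.113.5"


def _to_network(field):
    """'host 1.2.3.4' -> 1.2.3.4/32; 'NETWORK MASK' -> that network."""
    parts = field.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)


def parse_crypto_acl(config_text):
    """Return [(src_network, dst_network), ...] for every permit-ip ACE found."""
    entries = []
    for line in config_text.splitlines():
        m = ACE_RE.search(line.strip())
        if m:
            entries.append((_to_network(m.group("src")), _to_network(m.group("dst"))))
    return entries


def is_mirror_image(acl_a, acl_b):
    """True when every ACE on one peer has the exact reversed ACE on the other."""
    return {(s, d) for s, d in acl_a} == {(d, s) for s, d in acl_b}


def can_initiate(initiator_acl, responder_acl):
    """Simplified proxy-identity check: the initiator proposes (local=src, remote=dst)
    from each of its ACEs; the responder accepts when one of its ACEs covers that
    proposal from its own side (its src contains the proposed remote and its dst
    contains the proposed local). Returns the initiator ACEs that would be rejected."""
    rejected = []
    for src, dst in initiator_acl:
        accepted = any(dst.subnet_of(r_src) and src.subnet_of(r_dst)
                       for r_src, r_dst in responder_acl)
        if not accepted:
            rejected.append((src, dst))
    return rejected


def _matches(src_ip, dst_ip, acl):
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src_net and d in dst_net for src_net, dst_net in acl)


def outbound_source_after_nat(src_ip, dst_ip, nat0_acl, pat_address):
    """Simplified PIX order of operations: NAT is applied before the crypto map is
    consulted. A matching 'nat (ifname) 0 access-list' entry leaves the source
    untouched; otherwise the packet is translated to the outside PAT address."""
    return src_ip if _matches(src_ip, dst_ip, nat0_acl) else pat_address


def would_build_sa(src_ip, dst_ip, nat0_acl, crypto_acl, pat_address):
    """Does the (possibly translated) packet still match the crypto ACL?"""
    translated = outbound_source_after_nat(src_ip, dst_ip, nat0_acl, pat_address)
    return _matches(translated, dst_ip, crypto_acl)


if __name__ == "__main__":
    a515, a501 = parse_crypto_acl(PIX515_CRYPTO), parse_crypto_acl(PIX501_CRYPTO)
    print("515/501 ACLs are mirror images:", is_mirror_image(a515, a501))
    p1, p2 = parse_crypto_acl(PIX1_ACL), parse_crypto_acl(PIX2_ACL)
    print("PIX1 -> PIX2 rejected ACEs:", can_initiate(p1, p2))
    print("PIX2 -> PIX1 rejected ACEs:", can_initiate(p2, p1))
    # No nat (dmz) 0 on the 515: source is PAT'ed, so the crypto ACL cannot match.
    print("SA without nat 0:", would_build_sa("192.168.1.178", "192.168.23.10", [], a515, PAT_OUTSIDE))
    # With a nat 0 ACL identical to the crypto ACL the source survives translation.
    print("SA with nat 0:", would_build_sa("192.168.1.178", "192.168.23.10", a515, a515, PAT_OUTSIDE))
```

    Run as a script, the first check reports that the 515 and 501 lists posted in the thread are exact mirrors, so the ACL-asymmetry theory from post #4 does not apply to them, while Rik Bain's 10.10.x example is accepted only in the PIX1-to-PIX2 direction. The last two lines show the effect Walter Roberson describes: with no nat 0 exemption on the DMZ interface the source address is rewritten before the crypto map lookup and no SA is built. The containment rule and the "translate then match" path are simplifications for illustration, not a full model of the PIX packet flow.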
  11. Brian Ipsen

    Brian Ipsen Guest

    Okay, I just checked - both the 515 and the 501 have 'sysopt connect permit
    ip-sec' set in their configs. Nat 0 is being used on the 501 (I know for
    sure) - but no nat 0 entry is applied to the DMZ leg on the 515. I'll try to
    add a list to see whether that makes any difference.

    Regards,

    /Brian
     
    Brian Ipsen, Feb 25, 2004
    #11
