Beginner

Need help, VPN between 1841 router & PIX 501

Trying to set up a VPN between an 1841 router at HQ with a static IP and a remote office with a PIX 501 on a persistent IP (not static, but Mediacom has mapped the PIX MAC to this IP so I always get the same public IP even after an equipment reboot). I have configured both sides but the tunnel will not come up; I must be missing something.

See attached configs.

THANK YOU!

38 REPLIES
Enthusiast

Re: Need help, VPN between 1841 router & PIX 501

You can safely remove the following statement from the router config:

no ip nat inside source list 1 interface FastEthernet0/1 overload

Enable debugs on the router and PIX ("debug cry isa" and "debug cry ipsec"), initiate traffic from the PIX side, capture the debugs and post them.

HTH

Saju

Beginner

Re: Need help, VPN between 1841 router & PIX 501

Removed line as instructed.

Turned on debug on both sides.

Debug output from PIX:

ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
ISAKMP (0): retransmitting phase 1 (3)...
ISAKMP (0): retransmitting phase 1 (4)...IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 12.206.137.5, remote= 216.203.117.82,
  local_proxy= 10.5.5.0/255.255.255.0/0/0 (type=4),
  remote_proxy= 10.2.1.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): deleting SA: src 12.206.137.5, dst 216.203.117.82
ISADB: reaper checking SA 0xb91cac, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 216.203.117.82/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 12.206.137.5, remote= 216.203.117.82,
  local_proxy= 10.5.5.0/255.255.255.0/0/0 (type=4),
  remote_proxy= 10.2.1.0/255.255.255.0/0/0 (type=4)

No debug output appears on the router when I initiate a ping from the router side to a device on the PIX side (10.5.5.241).

THANKS!

Enthusiast

Re: Need help, VPN between 1841 router & PIX 501

What is the output of "show crypto isakmp sa" on the PIX and the router?

Also post the result of "show crypto isakmp policy" on the router.

Beginner

Re: Need help, VPN between 1841 router & PIX 501

PIX

secondstory# sho crypt isakmp sa
Total     : 0
Embryonic : 0
        dst               src        state     pending     created

ROUTER

RainingRose#sho crypto isakmp policy
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

Enthusiast

Re: Need help, VPN between 1841 router & PIX 501

Also change the following on the router. Use a route-map instead of a source list for bypassing NAT. When you make changes to the router you may or may not lose connectivity if you are logged on remotely.

route-map nonat permit 10
 match ip address 112
!
no ip nat inside source list 112 interface FastEthernet0/1 overload
! the route-map form of the NAT statement takes the route-map name
ip nat inside source route-map nonat interface FastEthernet0/1 overload

Then initiate traffic from the private network of the router and try to capture debugs.

Follow the link below to verify your configs:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml

HTH

Beginner

Re: Need help, VPN between 1841 router & PIX 501

The router does not like the following cmd:

ip nat inside source route-map interface fa0/1 overload

Enthusiast

Re: Need help, VPN between 1841 router & PIX 501

What do you see if you try the following, putting a "?" after "ip nat inside source"?

(config)#ip nat inside source ?
  list       Specify access list describing local addresses
  route-map  Specify route-map
  static     Specify static local->global mapping

Beginner

Re: Need help, VPN between 1841 router & PIX 501

I tried to ping from the router side to a device on the remote side and got the following. It appears as if it is sending out to the public Internet instead of opening the VPN.

C:\Documents and Settings\Administrator.RAININGROSE>ping 10.5.5.242

Pinging 10.5.5.242 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Reply from 157.130.212.1: Destination host unreachable.

Ping statistics for 10.5.5.242:
    Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Documents and Settings\Administrator.RAININGROSE>tracert 10.5.5.242

Tracing route to 10.5.5.242 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.2.1.254
  2     2 ms     1 ms     1 ms  wuw-nbwxpkze.dybb.com [216.203.117.81]
  3     3 ms     3 ms     3 ms  172.16.61.1
  4     4 ms     3 ms     4 ms  10.10.19.1
  5     6 ms     7 ms     5 ms  10.2.0.5
  6     5 ms     4 ms     5 ms  63-254-144-42.ip.mcleodusa.net [63.254.144.42]
  7     7 ms     8 ms     5 ms  63-254-144-97.ip.mcleodusa.net [63.254.144.97]
  8  POS1-3.GW4.CHI2.ALTER.NET [157.130.212.1]  reports: Destination host unreachable.

Trace complete.

Enthusiast

Re: Need help, VPN between 1841 router & PIX 501

Can you clear the NAT translations ("clear ip nat translation *") and then check again?

Beginner

Re: Need help, VPN between 1841 router & PIX 501

Incomplete cmd?

RainingRose#clear ip nat trans ?
  *        Delete all dynamic translations
  esp      Encapsulating Security Payload
  forced   Delete all dynamic translations (forcefully)
  inside   Inside addresses (and ports)
  outside  Outside addresses (and ports)
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
  vrf      Clear entries of VRF instance

Enthusiast

Re: Need help, VPN between 1841 router & PIX 501

clear ip nat trans *

Beginner

Re: Need help, VPN between 1841 router & PIX 501

Executed the cmd; ping from the router is still not working. Attached updated router config.

Enthusiast

Re: Need help, VPN between 1841 router & PIX 501

You have access-list 100 and access-list 101 bound to the inside interface and the outside interface on the router.

Can you remove those access-lists and check ?

interface FastEthernet0/0
 no ip access-group 100 in
!
interface FastEthernet0/1
 no ip access-group 101 in

If the VPN works after removing these access-lists we will modify them to allow VPN traffic.
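As an added example (not the poster's attached configuration and not text from either participant), here is a router-side configuration that puts together the two points raised in this thread: the NAT bypass via route-map from the earlier reply, and the outside-interface ACL from this reply that has to let the IKE and ESP packets from the PIX peer in before the tunnel can come up. The addresses and ACL numbers 101/112 are the ones quoted in the thread; the crypto-map name VPNMAP, transform set TS-DES, crypto ACL 110, the sequence numbers and the pre-shared-key placeholder are assumptions, and the PIX lines at the end assume PIX 6.x syntax.

```cisco
! Added example for the 1841 side. Addresses come from the thread; the names
! VPNMAP / TS-DES, ACL 110 and the key placeholder are assumed.
!   HQ LAN      10.2.1.0/24   router public 216.203.117.82
!   branch LAN  10.5.5.0/24   PIX public    12.206.137.5
!
! --- Phase 1: must match the PIX policy exactly; these values mirror the
!     router policy printed earlier (DES / MD5 / pre-share / group 1) ---
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 1
crypto isakmp key REPLACE-WITH-PRE-SHARED-KEY address 12.206.137.5
!
! --- Phase 2: the crypto ACL is the mirror image of the PIX local_proxy /
!     remote_proxy pair shown in the debug (10.2.1.0/24 <-> 10.5.5.0/24) ---
access-list 110 permit ip 10.2.1.0 0.0.0.255 10.5.5.0 0.0.0.255
crypto ipsec transform-set TS-DES esp-des esp-md5-hmac
crypto map VPNMAP 10 ipsec-isakmp
 set peer 12.206.137.5
 set transform-set TS-DES
 match address 110
!
! --- NAT exemption: the same flow is denied from translation. Without it the
!     packet leaves with the public source address, never matches ACL 110 and
!     is routed to the Internet, which is what the ping/tracert above showed ---
access-list 112 deny   ip 10.2.1.0 0.0.0.255 10.5.5.0 0.0.0.255
access-list 112 permit ip 10.2.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 112
! The route-map form needs the map name after "route-map"; without it the
! command is rejected by the parser.
no ip nat inside source list 112 interface FastEthernet0/1 overload
ip nat inside source route-map nonat interface FastEthernet0/1 overload
!
! --- Inbound ACL on the outside interface: IKE (UDP 500), NAT-T (UDP 4500)
!     and ESP from the peer only, plus the decrypted branch traffic, which
!     crypto-map IOS releases evaluate against this ACL again after
!     decryption (verify on your release). Plain numbered ACL lines are
!     appended at the end, so named mode with sequence numbers is used to put
!     these ahead of any existing deny in ACL 101 ---
ip access-list extended 101
 5 permit udp host 12.206.137.5 host 216.203.117.82 eq isakmp
 6 permit udp host 12.206.137.5 host 216.203.117.82 eq non500-isakmp
 7 permit esp host 12.206.137.5 host 216.203.117.82
 8 permit ip 10.5.5.0 0.0.0.255 10.2.1.0 0.0.0.255
!
interface FastEthernet0/0
 ip nat inside
interface FastEthernet0/1
 ip nat outside
 ip access-group 101 in
 crypto map VPNMAP
!
! ===== PIX 501 side (PIX 6.x syntax), the mirror image of the above =====
access-list nonat permit ip 10.5.5.0 255.255.255.0 10.2.1.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list 110 permit ip 10.5.5.0 255.255.255.0 10.2.1.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set TS-DES esp-des esp-md5-hmac
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address 110
crypto map VPNMAP 10 set peer 216.203.117.82
crypto map VPNMAP 10 set transform-set TS-DES
crypto map VPNMAP interface outside
isakmp enable outside
isakmp key REPLACE-WITH-PRE-SHARED-KEY address 216.203.117.82 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
```

The check that ties the pieces together: after applying this, "show crypto isakmp sa" on either box should move from an empty table to a state of QM_IDLE (router) or an active SA (PIX), and "debug crypto isakmp" on the router should start showing the peer's Main Mode packets instead of staying silent. A router that stays silent while the PIX keeps printing "retransmitting phase 1" is the signature of UDP 500 being dropped before it reaches the IKE process, which is exactly what an inbound ACL without the permit lines above does.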

Beginner

Re: Need help, VPN between 1841 router & PIX 501

I am outside the router now; if I remove ACL 101, I will lose connectivity to the remote desktop behind the router from which I am telnetting to the router.

I can be on-site where the router is located in about 45 min and then remove the ACL.

Will you be around to see my post in 1hr or so?