Need help, VPN between 1841 router & PIX 501

bsallison
Level 1

Trying to set up a VPN between an 1841 router at HQ with a static IP, connecting to a remote office with a PIX 501 and a persistent IP (not static, but Mediacom has mapped the PIX MAC to this IP so I always get the same public IP even on an equipment reboot). I have configured both sides but the tunnel will not come up; I must be missing something.

See attached configs.

THANK YOU!


singhsaju
Level 4

You can safely remove the following statement from the router config:

no ip nat inside source list 1 interface FastEthernet0/1 overload

Enable debugs on the router and PIX ("debug cry isa" and "debug cry ipsec"), initiate traffic from the PIX side, capture the debugs and post them.

HTH

Saju

Removed line as instructed.

Turned on debug on both sides.

Debug output from PIX:

ISAKMP (0): beginning Main Mode exchange

ISAKMP (0): retransmitting phase 1 (0)...

ISAKMP (0): retransmitting phase 1 (1)...

ISAKMP (0): retransmitting phase 1 (2)...

ISAKMP (0): retransmitting phase 1 (3)...

ISAKMP (0): retransmitting phase 1 (4)...

IPSEC(key_engine): request timer fired: count = 1,

(identity) local= 12.206.137.5, remote= 216.203.117.82,

local_proxy= 10.5.5.0/255.255.255.0/0/0 (type=4),

remote_proxy= 10.2.1.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): deleting SA: src 12.206.137.5, dst 216.203.117.82

ISADB: reaper checking SA 0xb91cac, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for 216.203.117.82/500 not found - peers:0

IPSEC(key_engine): request timer fired: count = 2,

(identity) local= 12.206.137.5, remote= 216.203.117.82,

local_proxy= 10.5.5.0/255.255.255.0/0/0 (type=4),

remote_proxy= 10.2.1.0/255.255.255.0/0/0 (type=4)

No debug feedback appears on the router when I initiate a ping from the router to a device on the PIX side (10.5.5.241).

THANKS!

What is the output of "show crypto isakmp sa" on the PIX and the router?

Also post the result of "show crypto isakmp policy" on the router.

PIX

secondstory# sho crypt isakmp sa

Total : 0

Embryonic : 0

dst src state pending created

ROUTER

RainingRose#sho crypto isakmp policy

Global IKE policy

Protection suite of priority 10

encryption algorithm: DES - Data Encryption Standard (56 bit keys).

hash algorithm: Message Digest 5

authentication method: Pre-Shared Key

Diffie-Hellman group: #1 (768 bit)

lifetime: 86400 seconds, no volume limit

Default protection suite

encryption algorithm: DES - Data Encryption Standard (56 bit keys).

hash algorithm: Secure Hash Standard

authentication method: Rivest-Shamir-Adleman Signature

Diffie-Hellman group: #1 (768 bit)

lifetime: 86400 seconds, no volume limit

Also change the following on the router. Use a route-map instead of a source list for bypassing NAT. When you make changes to the router you may or may not lose connectivity if you are logged on remotely.

route-map nonat permit 10

match ip address 112

no ip nat inside source list 112 interface FastEthernet0/1 overload

ip nat inside source route-map interface FastEthernet0/1 overload

Then initiate traffic from the private network of the router and try to capture debugs.

Follow the link below to verify your configs:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml

HTH
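The route-map NAT bypass from the reply above, written out in full as an added example (not the thread's own configuration, nor the attached configs): the NAT statement needs the route-map name after the "route-map" keyword. It assumes the LAN subnets seen in the PIX debug (10.2.1.0/24 behind the router, 10.5.5.0/24 behind the PIX), that FastEthernet0/1 is the NAT outside interface, and that the crypto ACL is numbered 110.

```cisco
! Added example, not the thread's own configuration.
! Assumptions: 10.2.1.0/24 is the LAN behind the router, 10.5.5.0/24 is the
! LAN behind the PIX, FastEthernet0/1 is the NAT outside interface, and the
! crypto map's ACL is numbered 110.
!
! ACL 112 decides what gets translated. Tunnel traffic is denied here, which
! means "do not NAT it", so it still matches the crypto ACL; everything else
! from the LAN is permitted and overloaded onto the outside interface.
access-list 112 remark NAT exemption for site-to-site VPN traffic
access-list 112 deny   ip 10.2.1.0 0.0.0.255 10.5.5.0 0.0.0.255
access-list 112 permit ip 10.2.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 112
!
! Remove the existing list-based overload statement (whatever ACL it names)
! and replace it with the route-map form. The route-map name is mandatory;
! "ip nat inside source route-map interface ..." without it is incomplete.
no ip nat inside source list <existing-acl> interface FastEthernet0/1 overload
ip nat inside source route-map nonat interface FastEthernet0/1 overload
!
! The crypto ACL must be the mirror image of the PIX proxy identities in the
! debug (local_proxy 10.5.5.0/24, remote_proxy 10.2.1.0/24) and must cover
! exactly the traffic that ACL 112 exempts from NAT.
access-list 110 permit ip 10.2.1.0 0.0.0.255 10.5.5.0 0.0.0.255
!
! Verification: after clearing old translations, tunnel traffic sourced from
! the LAN must not appear as a NAT entry and must start ISAKMP.
!   clear ip nat translation *
!   ping 10.5.5.241 source 10.2.1.254
!   show ip nat translations
!   show crypto isakmp sa
```

If the ping still leaves via the ISP as in the tracert, check "show ip nat translations" first: a translation for 10.2.1.x to 10.5.5.x means the packet was NATed before the crypto map could match it.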

The router does not like the following cmd:

ip nat inside source route-map interface fa0/1 overload

What do you see if you try the following, putting a "?" after "ip nat inside source"?

(config)#ip nat inside source ?

list Specify access list describing local addresses

route-map Specify route-map

static Specify static local->global mapping

I tried to ping from the router side to a device on the remote side and got the following. It appears as if it is sending out to the public Internet instead of opening the VPN.

C:\Documents and Settings\Administrator.RAININGROSE>ping 10.5.5.242

Pinging 10.5.5.242 with 32 bytes of data:

Request timed out.

Request timed out.

Request timed out.

Reply from 157.130.212.1: Destination host unreachable.

Ping statistics for 10.5.5.242:

Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Documents and Settings\Administrator.RAININGROSE>tracert 10.5.5.242

Tracing route to 10.5.5.242 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 10.2.1.254

2 2 ms 1 ms 1 ms wuw-nbwxpkze.dybb.com [216.203.117.81]

3 3 ms 3 ms 3 ms 172.16.61.1

4 4 ms 3 ms 4 ms 10.10.19.1

5 6 ms 7 ms 5 ms 10.2.0.5

6 5 ms 4 ms 5 ms 63-254-144-42.ip.mcleodusa.net [63.254.144.42]

7 7 ms 8 ms 5 ms 63-254-144-97.ip.mcleodusa.net [63.254.144.97]

8 POS1-3.GW4.CHI2.ALTER.NET [157.130.212.1] reports: Destination host unreachable.

Trace complete.

Can you clear the NAT translations ("clear ip nat translation *") and then check again?

Incomplete cmd?

RainingRose#clear ip nat trans ?

* Delete all dynamic translations

esp Encapsulating Security Payload

forced Delete all dynamic translations (forcefully)

inside Inside addresses (and ports)

outside Outside addresses (and ports)

tcp Transmission Control Protocol

udp User Datagram Protocol

vrf Clear entries of VRF instance

clear ip nat trans *

Executed the cmd; the ping from the router side is still not working. Attached the updated router config.

You have access-list 100 and access-list 101 bound to the inside interface and the outside interface on the router.

Can you remove those access-lists and check?

interface FastEthernet0/0

no ip access-group 100 in

interface FastEthernet0/1

no ip access-group 101 in

If the VPN works after removing these access-lists we will modify them to allow VPN traffic.
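One way to keep ACL 101 in place (so remote management keeps working) and still let the tunnel establish, as an added example that is not from the thread or the attached configs. It assumes ACL 101 is the inbound ACL on the outside interface FastEthernet0/1, that the router's public address is 216.203.117.82 and the PIX's is 12.206.137.5 (both taken from the PIX debug), and that the IOS image supports sequence numbers on numbered ACLs.

```cisco
! Added example, not the thread's own configuration.
! Assumptions: ACL 101 is applied inbound on FastEthernet0/1 (outside),
! 216.203.117.82 is the router's public address, 12.206.137.5 is the PIX's
! public address, and this IOS release allows editing a numbered ACL by
! sequence number.
!
! The tunnel needs three things to reach the router from the PIX:
! IKE on UDP/500, ESP (IP protocol 50), and, only if NAT traversal ever
! kicks in, UDP/4500. Insert them near the top, ahead of any deny that
! would otherwise catch them, and scope them to the single peer.
ip access-list extended 101
 5 permit udp host 12.206.137.5 host 216.203.117.82 eq isakmp
 6 permit esp host 12.206.137.5 host 216.203.117.82
 7 permit udp host 12.206.137.5 host 216.203.117.82 eq non500-isakmp
!
! Confirm the entries are hit rather than a later deny: the match counters
! on lines 5 and 6 should increment once traffic is initiated from the PIX.
!   show access-lists 101
!   show crypto isakmp sa
!   show crypto ipsec sa
```

If ISAKMP comes up but cleartext traffic still fails, the IOS release is re-checking the decrypted packets against ACL 101 and an additional permit for 10.5.5.0/24 to 10.2.1.0/24 is needed; keep that entry as narrow as the two LAN subnets, since it also admits unencrypted packets claiming that source.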

I am outside the router now; if I remove ACL 101, I will lose connectivity to the remote desktop behind the router from which I am telnetting to the router.

I can be on-site where the router is located in about 45 min and then remove the ACL.

Will you be around to see my post in 1hr or so?
