09-12-2008 06:37 AM - edited 02-21-2020 03:56 PM
Trying to set up a VPN between an 1841 router at HQ with a static IP connecting to a remote office with a PIX 501 and a persistent IP (not static, but Mediacom has mapped the PIX MAC to this IP so I always get the same public IP even on equipment reboot). I have configured both sides but the tunnel will not come up, must be missing something.
See attached configs.
THANK YOU!
09-12-2008 12:00 PM
secondstory# sho crypt isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
12.206.137.5 216.203.117.82 QM_IDLE 0 2
I changed the DNS given off by PIX, and that did not work, still could not access by name or internal IP number.
09-12-2008 12:04 PM
I need the output of "show crypto ipsec sa", please.
09-12-2008 12:09 PM
Sorry.
interface: outside
Crypto map tag: IPSEC, local addr. 12.206.137.5
local ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)
current_peer: 216.203.117.82:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 659, #pkts encrypt: 659, #pkts digest 659
#pkts decaps: 462, #pkts decrypt: 462, #pkts verify 462
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 124, #recv errors 0
local crypto endpt.: 12.206.137.5, remote crypto endpt.: 216.203.117.82
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 793ff99e
inbound esp sas:
spi: 0xcbd5b096(3419779222)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: IPSEC
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x793ff99e(2034235806)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: IPSEC
sa timing: remaining key lifetime (k/sec): (4607996/1929)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
local ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (216.203.117.85/255.255.255.255/0/0)
current_peer: 216.203.117.82:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 2691, #pkts encrypt: 2691, #pkts digest 2691
#pkts decaps: 2601, #pkts decrypt: 2601, #pkts verify 2601
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 12.206.137.5, remote crypto endpt.: 216.203.117.82
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: c6d3ea5c
inbound esp sas:
spi: 0x55d659c5(1440111045)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: IPSEC
sa timing: remaining key lifetime (k/sec): (4607097/1917)
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xc6d3ea5c(3335776860)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: IPSEC
sa timing: remaining key lifetime (k/sec): (4607743/1890)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
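As an added example (not part of the thread), this Python script parses the per-SA counters from a "show crypto ipsec sa" listing like the one above and flags the two symptoms a troubleshooter checks first: one-way traffic (encaps without decaps, or the reverse) and a non-zero send-error count. The SAMPLE text is a constructed excerpt of the output posted above.

```python
import re

# Constructed excerpt of the PIX "show crypto ipsec sa" listing above, keeping the two SA pairs' counters.
SAMPLE = """\
local ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)
#pkts encaps: 659, #pkts encrypt: 659, #pkts digest 659
#pkts decaps: 462, #pkts decrypt: 462, #pkts verify 462
#send errors 124, #recv errors 0
local ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (216.203.117.85/255.255.255.255/0/0)
#pkts encaps: 2691, #pkts encrypt: 2691, #pkts digest 2691
#pkts decaps: 2601, #pkts decrypt: 2601, #pkts verify 2601
#send errors 0, #recv errors 0
"""
IDENT = re.compile(r"^(local|remote) ident .*?: \((\S+?)/(\S+?)/")
COUNTER = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors):? (\d+)")

def parse_ipsec_sa(text):
    """Return one dict per proxy-identity (local/remote ident) pair with its traffic counters."""
    sas, cur = [], None
    for line in text.splitlines():
        m = IDENT.match(line.strip())
        if m:
            side, addr, mask = m.groups()
            if side == "local":
                cur = {"local": f"{addr}/{mask}", "counters": {}}
                sas.append(cur)
            else:
                cur["remote"] = f"{addr}/{mask}"
        elif cur is not None:
            for name, val in COUNTER.findall(line):
                cur["counters"][name] = int(val)
    return sas

def diagnose(sa):
    """Symptoms a tunnel troubleshooter checks first; an empty list means the pair looks healthy."""
    c, issues = sa["counters"], []
    if c.get("pkts encaps", 0) and not c.get("pkts decaps", 0):
        issues.append("one-way: packets encrypted but none received back (check far-side crypto ACL and NAT)")
    if c.get("pkts decaps", 0) and not c.get("pkts encaps", 0):
        issues.append("one-way: packets received but nothing sent (check this side's crypto ACL and routing)")
    if c.get("send errors", 0):
        issues.append(f"{c['send errors']} send errors (typically packets dropped while the SA was still negotiating, or path MTU)")
    return issues
```

Run parse_ipsec_sa on a saved listing and call diagnose on each entry; both counters incrementing on both pairs, as in the post above, is what "traffic is passing" looks like.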
09-12-2008 12:12 PM
If you see encrypts and decrypts, these counters are incrementing, so I would assume traffic to 216.203.117.85 is going through.
local ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (216.203.117.85/255.255.255.255/0/0)
current_peer: 216.203.117.82:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 2691, #pkts encrypt: 2691, #pkts digest 2691
#pkts decaps: 2601, #pkts decrypt: 2601, #pkts verify 2601
09-12-2008 12:17 PM
DNS traffic is not going through.
I can ping a device by name & it fails as an unresolved name. I can ping the same device by IP address & it works fine. Devices on the PIX side do not see 216.203.117.85 as being the 10.2.1.6 that they are requesting from.
So close, but since 10.2.1.6 is such a key server in my environment I have to get this last piece working, please.
09-12-2008 12:19 PM
As far as DNS is concerned, we will have to enable DNS traffic for .85 on ACL 101 on the router:
access-list 101 permit ip 10.5.5.0 0.0.0.255 host 216.203.117.85
To add this command, remove the complete access list 101.
First remove it from the interface:
interface FastEthernet0/1
no ip access-group 101 in
no access-list 101
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 216.203.122.200 eq domain host 216.203.117.82
access-list 101 permit udp host 216.203.115.234 eq domain host 216.203.117.82
access-list 101 permit tcp any host 216.203.117.83 eq 1494
access-list 101 permit tcp host 66.211.4.130 host 216.203.117.84 eq 1433
access-list 101 permit tcp host 66.211.4.130 host 216.203.117.83 eq 1433
access-list 101 permit tcp host 147.202.24.152 host 216.203.117.84 eq 1433
access-list 101 permit tcp host 147.202.24.152 host 216.203.117.83 eq 1433
access-list 101 permit tcp any host 216.203.117.83 eq ftp
access-list 101 permit tcp any host 216.203.117.83 eq 5360
access-list 101 permit tcp any host 216.203.117.83 eq 5366
access-list 101 permit tcp any host 216.203.117.83 eq 3389
access-list 101 permit tcp any host 216.203.117.83 eq 5365
access-list 101 permit tcp any host 216.203.117.83 eq 5364
access-list 101 permit tcp any host 216.203.117.83 eq 5361
access-list 101 permit ip 10.5.5.0 0.0.0.255 host 216.203.117.85
access-list 101 permit tcp any host 216.203.117.85 eq smtp
access-list 101 permit tcp any host 216.203.117.85 eq 389
access-list 101 permit esp any host 216.203.117.82
access-list 101 permit udp any host 216.203.117.82 eq 500
access-list 101 permit tcp any host 216.203.117.85 eq www
access-list 101 permit tcp any host 216.203.117.85 eq 5362
access-list 101 permit tcp any host 216.203.117.85 eq 443
access-list 101 permit ip 10.5.5.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 101 deny ip 10.2.1.0 0.0.0.255 any
access-list 101 permit icmp any host 216.203.117.82 echo-reply
access-list 101 permit icmp any host 216.203.117.82 time-exceeded
access-list 101 permit icmp any host 216.203.117.82 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
interface FastEthernet0/1
ip access-group 101 in
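Why the reply rebuilds the whole list rather than just typing the new line: on a numbered IOS ACL a new entry is appended at the end, and the first matching entry wins. The added example below (not from the thread) is a small first-match evaluator over a constructed subset of ACL 101 above; appended_instead shows the same entries with the .85 permit at the end, where the "deny ip 10.0.0.0 0.255.255.255 any" entry catches the DNS flow first.

```python
import ipaddress

# Constructed subset of the reply's ACL 101, in the order the reply lists it.
ACL_101 = """\
permit udp host 216.203.122.200 eq domain host 216.203.117.82
permit ip 10.5.5.0 0.0.0.255 host 216.203.117.85
permit ip 10.5.5.0 0.0.0.255 10.2.1.0 0.0.0.255
deny ip 10.0.0.0 0.255.255.255 any
deny ip any any
"""
PORT_NAMES = {"domain": 53, "smtp": 25, "www": 80, "ftp": 21}

def _addr(tok):
    """Pop one IOS address spec (any | host A | A wildcard) plus an optional 'eq port'."""
    word = tok.pop(0)
    if word == "any":
        net = ipaddress.ip_network("0.0.0.0/0")
    elif word == "host":
        net = ipaddress.ip_network(tok.pop(0) + "/32")
    else:  # contiguous wildcards only; ipaddress reads 0.0.0.255 as a host mask, 0.0.0.0 needs /32
        wc = tok.pop(0)
        net = ipaddress.ip_network(f"{word}/{'32' if wc == '0.0.0.0' else wc}", strict=False)
    port = None
    if tok and tok[0] == "eq":
        del tok[0]
        name = tok.pop(0)
        port = PORT_NAMES.get(name) or int(name)
    return net, port

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        action, proto, tok = tok[0], tok[1], tok[2:]
        src, sport = _addr(tok)
        dst, dport = _addr(tok)
        rules.append(dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport))
    return rules

def evaluate(rules, proto, src, dst, dport=None, sport=None):
    """First match wins; returns (action, 1-based entry) or ('deny', None) for the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, r in enumerate(rules, 1):
        if r["proto"] in ("ip", proto) and s in r["src"] and d in r["dst"] \
                and r["sport"] in (None, sport) and r["dport"] in (None, dport):
            return r["action"], n
    return "deny", None

def appended_instead(rules):
    """Same entries with the .85 permit moved to the end, as typing it without rebuilding the list would."""
    late = [r for r in rules if r["proto"] == "ip" and r["dst"].prefixlen == 32]
    return [r for r in rules if r not in late] + late
```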
09-12-2008 12:26 PM
No difference, still cannot ping by name from a device on the remote PIX side.
09-12-2008 12:35 PM
Hey, can you create a new post with only this DNS problem?
09-12-2008 11:04 AM
Corrected! Try now:
access-list 111 permit ip host 216.203.117.85 10.5.5.0 0.0.0.255