
Ipsec Spoof on Pix

Hello all,

I have two offices, the remote connects back to the main via a site to site.  There are IP phones on the remote that cannot dial out.  When I do a packet trace from the signaling server to the set it fails in the very end saying "(Ipsec-spoof) IPSEC Spoof Detected".  What can I do to resolve this?


Ipsec Spoof on Pix

Here are the Configs:

Main site:

pixvpn# show running-config

: Saved

:

PIX Version 8.0(4)

!

hostname pixvpn

domain-name floridaortho.com

enable password JD8qYFo4ATVnk0rL encrypted

passwd JD8qYFo4ATVnk0rL encrypted

names

name 172.16.7.0 DadeCity

name 172.16.100.0 Nortel100

name 172.16.101.0 Nortel101

name 172.16.8.0 Oakhill

!

interface Ethernet0

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.0

!

interface Ethernet1

nameif inside

security-level 100

ip address 192.9.200.222 255.255.252.0

!

interface Ethernet2

shutdown

no nameif

security-level 0

no ip address

!

ftp mode passive

dns server-group DefaultDNS

domain-name floridaortho.com

object-group network DM_INLINE_NETWORK_1

network-object Nortel100 255.255.255.0

network-object Nortel101 255.255.255.0

network-object 192.9.200.0 255.255.252.0

object-group network DM_INLINE_NETWORK_2

network-object Nortel100 255.255.255.0

network-object Nortel101 255.255.255.0

network-object 192.9.200.0 255.255.252.0

object-group network DM_INLINE_NETWORK_3

network-object Nortel100 255.255.255.0

network-object Nortel101 255.255.255.0

object-group service DM_INLINE_SERVICE_1

service-object ip

service-object udp

service-object tcp

service-object tcp-udp eq sip

access-list applevpn_splitTunnelAcl remark Mailserver

access-list applevpn_splitTunnelAcl standard permit host 192.9.200.173

access-list inside_nat0_outbound extended permit ip 192.9.200.0 255.255.252.0 any

access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 DadeCity 255.255.255.0

access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_2 Oakhill 255.255.255.0

access-list FOI_splitTunnelAcl standard permit 192.9.200.0 255.255.252.0

access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 DadeCity 255.255.255.0

access-list eigrpACL_DI standard permit 192.9.200.0 255.255.255.0

access-list eigrpACL_DI standard permit Nortel100 255.255.255.0

access-list eigrpACL_DI standard permit Nortel101 255.255.255.0

access-list eigrpACL_DI standard deny any

access-list eigrpACL_FR standard permit 192.9.200.0 255.255.255.0

access-list eigrpACL_FR standard permit 172.16.0.0 255.255.0.0

access-list outside_2_cryptomap extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_2 Oakhill 255.255.255.0

access-list eigrpACL_FR_1 standard deny DadeCity 255.255.255.0

access-list eigrpACL_FR_1 standard deny Oakhill 255.255.255.0

access-list eigrpACL_FR_1 standard permit any

access-list eigrpACL_FR_3 standard deny DadeCity 255.255.255.0

access-list eigrpACL_FR_3 standard deny Oakhill 255.255.255.0

access-list eigrpACL_FR_3 standard permit any

access-list outside_mpc extended permit ip object-group DM_INLINE_NETWORK_3 any

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

ip local pool VPNPool 172.16.51.100-172.16.51.200 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image flash:/asdm522.bin

no asdm history enable

arp timeout 14400

global (outside) 101 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101 0.0.0.0 0.0.0.0

!

router eigrp 100

distribute-list eigrpACL_FR_3 in interface inside

eigrp router-id 192.9.200.222

eigrp stub receive-only

network 192.9.200.0 255.255.252.0

passive-interface outside

!

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa-server ActiveDirectory protocol nt

aaa-server ActiveDirectory (inside) host 192.9.200.176

nt-auth-domain-controller FOIADDB

http server enable

http 192.9.200.0 255.255.255.0 inside

snmp-server host inside 192.9.200.187 community foi_snmp version 2c

no snmp-server location

no snmp-server contact

snmp-server community foi_snmp

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt connection tcpmss 0

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer x.x.x.x

crypto map outside_map 1 set transform-set ESP-3DES-MD5

crypto map outside_map 1 set security-association lifetime seconds 28800

crypto map outside_map 1 set security-association lifetime kilobytes 4608000

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set pfs

crypto map outside_map 2 set peer x.x.x.x

crypto map outside_map 2 set transform-set ESP-3DES-MD5

crypto map outside_map 2 set security-association lifetime seconds 28800

crypto map outside_map 2 set security-association lifetime kilobytes 4608000

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet 192.9.200.251 255.255.255.255 inside

telnet timeout 5

ssh 192.9.200.251 255.255.255.255 inside

ssh timeout 5

console timeout 0

management-access inside

priority-queue outside

tx-ring-limit 100

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

group-policy applevpn internal

group-policy applevpn attributes

vpn-tunnel-protocol IPSec

password-storage enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value applevpn_splitTunnelAcl

group-policy FOI internal

group-policy FOI attributes

dns-server value 192.9.200.176 192.9.200.3

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value FOI_splitTunnelAcl

default-domain value floridaortho.com

username pixadmin password ksnhxxBAYStu/P.X encrypted privilege 15

tunnel-group applevpn type remote-access

tunnel-group applevpn general-attributes

address-pool VPNPool

authentication-server-group ActiveDirectory

default-group-policy applevpn

tunnel-group applevpn ipsec-attributes

pre-shared-key *

tunnel-group FOI type remote-access

tunnel-group FOI general-attributes

address-pool VPNPool

authentication-server-group ActiveDirectory

default-group-policy FOI

tunnel-group FOI ipsec-attributes

pre-shared-key *

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x ipsec-attributes

pre-shared-key *

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x ipsec-attributes

pre-shared-key *

tunnel-group x.x.x.x (VerizonT1) type ipsec-l2l

tunnel-group x.x.x.x (VerizonT1) ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

class-map outside-class

match access-list outside_mpc

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map VoIP_Priority

class outside-class

priority

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

!

service-policy global_policy global

service-policy VoIP_Priority interface outside

prompt hostname context

Cryptochecksum:be176651ccc70c4005826237682f66ff

: end

Remote Site:

OakhillPix# show running-config

: Saved

:

PIX Version 8.0(4)

!

hostname OakhillPix

domain-name floridaortho.com

enable password JD8qYFo4ATVnk0rL encrypted

passwd JD8qYFo4ATVnk0rL encrypted

names

name 172.16.100.0 Nortel100

name 172.16.101.0 Nortel101

name 192.9.200.0 Telecom200

!

interface Ethernet0

nameif Outside

security-level 0

ip address x.x.x.x 255.255.255.252

!

interface Ethernet1

nameif inside

security-level 100

ip address 172.16.8.1 255.255.255.0

!

interface Ethernet2

shutdown

no nameif  

no security-level

no ip address

!

interface Ethernet3

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet4

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet5

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

dns server-group DefaultDNS

domain-name floridaortho.com

object-group network DM_INLINE_NETWORK_2

network-object Nortel100 255.255.255.0

network-object Nortel101 255.255.255.0

network-object Telecom200 255.255.252.0

object-group network DM_INLINE_NETWORK_3

network-object Nortel100 255.255.255.0

network-object Nortel101 255.255.255.0

network-object Telecom200 255.255.252.0

object-group network DM_INLINE_NETWORK_1

network-object Nortel100 255.255.255.0

network-object Nortel101 255.255.255.0

object-group service NortelVoip

service-object tcp-udp range 5200 5247

object-group network DM_INLINE_NETWORK_4

network-object Nortel100 255.255.255.0

network-object Nortel101 255.255.255.0

network-object Telecom200 255.255.252.0

object-group network DM_INLINE_NETWORK_5

network-object Nortel100 255.255.255.0

network-object Nortel101 255.255.255.0

network-object Telecom200 255.255.252.0

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object ip

protocol-object icmp

protocol-object udp

object-group protocol DM_INLINE_PROTOCOL_2

protocol-object ip

protocol-object icmp

protocol-object udp

object-group service DM_INLINE_SERVICE_1

service-object ip

service-object icmp

service-object udp

service-object tcp-udp eq sip

access-list Outside_1_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 172.16.8.0 255.255.255.0 object-group DM_INLINE_NETWORK_2

access-list inside_nat0_outbound extended permit ip 172.16.8.0 255.255.255.0 object-group DM_INLINE_NETWORK_3

access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 object-group DM_INLINE_NETWORK_5 any

access-list VOIP extended permit ip 172.16.8.0 255.255.255.0 object-group DM_INLINE_NETWORK_1

access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_4 any

pager lines 24

logging enable

logging asdm informational

mtu Outside 1500

mtu inside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image flash:/asdm-611.bin

no asdm history enable

arp timeout 14400

global (Outside) 101 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101 0.0.0.0 0.0.0.0

access-group Outside_access_in in interface Outside

access-group inside_access_in in interface inside control-plane

route Outside 0.0.0.0 0.0.0.0 24.129.153.165 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 172.16.8.0 255.255.255.0 inside

http Telecom200 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map Outside_map 1 match address Outside_1_cryptomap

crypto map Outside_map 1 set pfs

crypto map Outside_map 1 set peer x.x.x.x

crypto map Outside_map 1 set transform-set ESP-3DES-MD5

crypto map Outside_map 1 set security-association lifetime seconds 28800

crypto map Outside_map 1 set security-association lifetime kilobytes 4608000

crypto map Outside_map interface Outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment terminal

fqdn OakhillPix

subject-name CN=OakhillPix

crl configure

crypto isakmp enable Outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet 192.9.200.251 255.255.255.255 inside

telnet timeout 5

ssh Telecom200 255.255.255.0 inside

ssh timeout 5

console timeout 0

management-access inside

dhcpd address 172.16.8.110-172.16.8.254 inside

dhcpd dns 192.9.200.3 192.9.200.176 interface inside

dhcpd domain floridaortho.com interface inside

dhcpd enable inside

!

priority-queue Outside

tx-ring-limit 100

priority-queue inside

tx-ring-limit 100

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username pixadmin password ksnhxxBAYStu/P.X encrypted privilege 15

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x ipsec-attributes

pre-shared-key *

!

class-map VOIP

match access-list VOIP

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map VOIP-CALLS

class VOIP

priority

class class-default

!

service-policy VOIP-CALLS interface Outside

service-policy VOIP-CALLS interface inside

prompt hostname context

Cryptochecksum:42e4e4f93a3938e6f149b43459ae37d5

: end
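Added example (it is not part of the thread and not Cisco code). The `ipsec-spoof` drop reason on PIX/ASA means a packet matched the crypto-map ACL of a tunnel, so the firewall expected it to arrive inside IPsec, but it arrived in cleartext. That happens for real when the peer sends the traffic outside the tunnel, and the usual cause is a proxy-identity mismatch between the two crypto ACLs. It also happens as an artefact of `packet-tracer` when the trace is injected on the outside interface for a source and destination the crypto ACL protects: the simulated packet is cleartext, so this drop is reported even when the tunnel is healthy. Tracing from the inside interface instead, and comparing `show asp drop` with the encaps/decaps counters of `show crypto ipsec sa` on both PIXes, separates the two cases. The script below does the proxy-identity half of that check: it expands the `name` aliases and object groups of the two configs posted above and tests whether outside_2_cryptomap on pixvpn is the mirror of Outside_1_cryptomap on OakhillPix. The two config strings are constructed excerpts of the posted configs, and the assumption that the `ip` entry shadows the narrower tcp/udp/icmp/sip entries is the script's own, not something the thread states.

```python
"""Mirror-check two PIX/ASA 8.x site-to-site crypto ACLs.  The config strings are
constructed excerpts of the two configs posted above (name, object-group and
crypto-ACL lines only); the parser is an added example, not Cisco code."""
import ipaddress
from typing import Dict, List, Set, Tuple
Entry = Tuple[str, str, str]  # (protocol, source network, destination network)

MAIN_CFG = """\
name 172.16.100.0 Nortel100
name 172.16.101.0 Nortel101
name 172.16.8.0 Oakhill
object-group network DM_INLINE_NETWORK_2
 network-object Nortel100 255.255.255.0
 network-object Nortel101 255.255.255.0
 network-object 192.9.200.0 255.255.252.0
object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object udp
 service-object tcp
 service-object tcp-udp eq sip
access-list outside_2_cryptomap extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_2 Oakhill 255.255.255.0
"""
REMOTE_CFG = """\
name 172.16.100.0 Nortel100
name 172.16.101.0 Nortel101
name 192.9.200.0 Telecom200
object-group network DM_INLINE_NETWORK_2
 network-object Nortel100 255.255.255.0
 network-object Nortel101 255.255.255.0
 network-object Telecom200 255.255.252.0
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object udp
access-list Outside_1_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 172.16.8.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
"""


class PixConfig:
    def __init__(self, text: str) -> None:
        self.names: Dict[str, str] = {}               # alias -> address
        self.net_groups: Dict[str, List[str]] = {}    # group -> CIDR networks
        self.proto_groups: Dict[str, List[str]] = {}  # group -> protocol specs
        self.acls: Dict[str, List[List[str]]] = {}    # acl -> tokenised ACEs
        group: List[str] = []
        for tok in (line.split() for line in text.splitlines() if line.strip()):
            if tok[0] == "name":                      # name <address> <alias>
                self.names[tok[2]] = tok[1]
            elif tok[0] == "object-group":            # network or service/protocol group
                table = self.net_groups if tok[1] == "network" else self.proto_groups
                group = table.setdefault(tok[2], [])
            elif tok[0] == "network-object":
                group.append(self._network(tok[1], tok[2]))
            elif tok[0] in ("service-object", "protocol-object"):
                group.append(" ".join(tok[1:]))       # "ip", "udp", "tcp-udp eq sip", ...
            elif tok[0] == "access-list" and tok[2] == "extended":
                self.acls.setdefault(tok[1], []).append(tok)

    def _network(self, addr: str, mask: str) -> str:
        addr = self.names.get(addr, addr)             # resolve `name` aliases
        return str(ipaddress.IPv4Network(f"{addr}/{mask}", strict=False))

    def _addr(self, tok: List[str], i: int) -> Tuple[List[str], int]:
        """Parse the address operand at tok[i]; return (networks, index after it)."""
        if tok[i] == "any":
            return ["0.0.0.0/0"], i + 1
        if tok[i] == "object-group":
            return list(self.net_groups[tok[i + 1]]), i + 2
        return [self._network(tok[i], tok[i + 1])], i + 2

    def expand_acl(self, name: str) -> Set[Entry]:
        """Expand every permit ACE into concrete (protocol, src, dst) triples."""
        entries: Set[Entry] = set()
        for tok in self.acls[name]:
            i = tok.index("permit") + 1
            protos, i = (self.proto_groups[tok[i + 1]], i + 2) if tok[i] == "object-group" else ([tok[i]], i + 1)
            srcs, i = self._addr(tok, i)
            dsts, i = self._addr(tok, i)              # trailing port qualifiers ignored
            entries |= {(p, s, d) for p in protos for s in srcs for d in dsts}
        return entries


def mirror(entries: Set[Entry]) -> Set[Entry]:
    """What the peer must carry to match `entries`: source and destination swapped."""
    return {(p, d, s) for p, s, d in entries}


def effective(entries: Set[Entry]) -> Set[Entry]:
    """Drop ACEs shadowed by an `ip` ACE for the same src/dst pair.  Assumes `ip` is
    listed first, as in both posted groups, so the narrower ACEs never pick a tunnel."""
    ip_pairs = {(s, d) for p, s, d in entries if p == "ip"}
    return {e for e in entries if e[0] == "ip" or (e[1], e[2]) not in ip_pairs}


def mirror_diff(a: Set[Entry], b: Set[Entry]) -> Tuple[Set[Entry], Set[Entry]]:
    """(ACEs of `a` with no mirror in `b`, mirrored ACEs of `b` absent from `a`)."""
    return a - mirror(b), mirror(b) - a


def check_pair(cfg_a: str, acl_a: str, cfg_b: str, acl_b: str):
    """Strict mirror diff, and the diff once `ip` shadowing is taken into account."""
    a, b = PixConfig(cfg_a).expand_acl(acl_a), PixConfig(cfg_b).expand_acl(acl_b)
    return mirror_diff(a, b), mirror_diff(effective(a), effective(b))


if __name__ == "__main__":
    print(check_pair(MAIN_CFG, "outside_2_cryptomap", REMOTE_CFG, "Outside_1_cryptomap"))
```

For the two posted configs the strict diff lists the tcp and sip entries on the pixvpn side and the icmp entries on the OakhillPix side (neither has a mirror on the peer), while the effective diff is empty: because both object groups put `ip` first, the proxy identities the two PIXes actually negotiate are mirror images, so a plain ACL mismatch is not what is producing the drop here. Changing either mask or network on one side makes the effective diff non-empty, which is the case the script exists to catch.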