09-14-2004 11:38 PM
I have a C1760 and a PIX501E connected with a crossover cable.
C1760- FE0/0 - 192.168.16.4,L0-10.30.0.1
PIX501E - outside - 192.168.16.3, inside - 10.20.26.3, PC behind PIX - 10.20.26.4
-------------------------------------
From the PC I try to ping 10.30.0.1 and get "Request timed out".
At the C1760 I see:
*Mar 1 19:51:36.287: ICMP: echo reply sent, src 10.30.0.1, dst 10.20.26.4
*Mar 1 19:51:37.401: ICMP: echo reply sent, src 10.30.0.1, dst 10.20.26.4
*Mar 1 19:51:38.402: ICMP: echo reply sent, src 10.30.0.1, dst 10.20.26.4
*Mar 1 19:51:39.404: ICMP: echo reply sent, src 10.30.0.1, dst 10.20.26.4
And in the PIX log:
GRE request discarded from 192.168.16.4 to outside:192.168.16.3
=============================
C1760#sh crypto isakmp sa
dst src state conn-id slot
192.168.16.3 192.168.16.4 QM_IDLE 1 0
=============================
C1760#sh run
....
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key TEST address 192.168.16.3 no-xauth
!
!
crypto ipsec transform-set TUNNEL-TRANSFORM esp-des esp-md5-hmac
mode transport
!
crypto map VPN 1 ipsec-isakmp
set peer 192.168.16.3
set transform-set TUNNEL-TRANSFORM
match address 100
!
!
!
!
interface Tunnel0
ip address 10.30.0.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 192.168.16.3
crypto map VPN
!
interface FastEthernet0/0
ip address 192.168.16.4 255.255.255.0
speed auto
!
...
ip route 0.0.0.0 0.0.0.0 192.168.16.3
ip route 10.20.26.0 255.255.255.0 Tunnel0
....
!
access-list 100 permit ip any 10.20.26.0 0.0.0.255
access-list 100 permit gre any 10.20.26.0 0.0.0.255
!
===============================================
pixfirewall# sh crypto isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
192.168.16.3 192.168.16.4 QM_IDLE 0 1
------------------------------------------------
pixfirewall# sh run
access-list vpn_outside permit ip 10.20.26.0 255.255.255.0 any
access-list vpn_outside permit ip 10.20.26.0 255.255.255.0 10.30.0.0 255.255.255.0
access-list outside_cryptomap_10 permit ip 10.20.26.0 255.255.255.0 any
access-list outside_cryptomap_10 permit ip 10.20.26.0 255.255.255.0 10.30.0.0 255.255.255.0
.....
ip address outside 192.168.16.3 255.255.255.0
ip address inside 10.20.26.3 255.255.255.0
........
global (outside) 1 interface
nat (inside) 0 access-list vpn_outside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
.......
sysopt connection permit-ipsec
crypto ipsec transform-set MOSCOW_BRANCH esp-des esp-md5-hmac
crypto map MOSCOW 10 ipsec-isakmp
crypto map MOSCOW 10 match address outside_cryptomap_10
crypto map MOSCOW 10 set peer 192.168.16.4
crypto map MOSCOW 10 set transform-set MOSCOW_BRANCH
crypto map MOSCOW interface outside
isakmp enable outside
isakmp key ******** address 192.168.16.4 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
....
=============================================
Why did I receive "GRE request discarded" at the PIX? And how do I resolve it?
09-15-2004 07:41 AM
What are you trying to achieve with this configuration? You have configured a tunnel interface on the router and are trying to terminate the tunnel on the PIX. PIX does not support GRE tunnel termination. Are you trying to set up a VPN session between the 1760 and the PIX?
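The situation this reply describes, as an added example that is not part of the original thread: a Python check that finds tunnel interfaces in a router configuration (GRE is the IOS default tunnel mode) and reports the outer GRE source and destination, plus whether the crypto ACL would select that packet. `ROUTER_CFG` is a constructed, re-indented excerpt of the first post's router config, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: router lines from the first post, re-indented IOS-style.
ROUTER_CFG = """\
interface Tunnel0
 tunnel source FastEthernet0/0
 tunnel destination 192.168.16.3
interface FastEthernet0/0
 ip address 192.168.16.4 255.255.255.0
access-list 100 permit ip any 10.20.26.0 0.0.0.255
access-list 100 permit gre any 10.20.26.0 0.0.0.255
"""

def interfaces(cfg):  # map each interface name to its indented sub-commands
    blocks, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = blocks.setdefault(line.split()[1], [])
        elif not line.startswith(" "):
            cur = None  # a non-indented line ends the interface block
        elif cur is not None:
            cur.append(line.strip())
    return blocks

def _net(tok):  # consume 'any', 'host A' or 'A WILDCARD' (contiguous wildcard)
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(tok.pop(0) if first == "host" else f"{first}/{tok.pop(0)}")

def acl_permits(cfg, acl, proto, src, dst):  # deny lines are not modelled
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in cfg.splitlines():
        tok = line.split()
        if tok[:3] == ["access-list", str(acl), "permit"] and tok[3] in ("ip", proto):
            rest = tok[4:]
            if src in _net(rest) and dst in _net(rest):
                return True
    return False

def gre_tunnels(cfg, crypto_acl):  # (tunnel, outer src, outer dst, ACL match)
    ifs, out = interfaces(cfg), []
    for name, cmds in ifs.items():
        opts = {c.rpartition(" ")[0]: c.rpartition(" ")[2] for c in cmds}
        if "tunnel destination" in opts:
            # Assumption: 'tunnel source' names an interface, as in the post.
            src = next(c.split()[2] for c in ifs[opts["tunnel source"]] if c.startswith("ip address "))
            dst = opts["tunnel destination"]
            out.append((name, src, dst, acl_permits(cfg, crypto_acl, "gre", src, dst)))
    return out
```

For the posted config, `gre_tunnels(ROUTER_CFG, 100)` reports Tunnel0 sending GRE from 192.168.16.4 to 192.168.16.3 with no match in ACL 100, the same source and destination that appear in the PIX "GRE request discarded" messages.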
09-15-2004 09:04 PM
I'm trying to set up a VPN session between the 1760 and the PIX.
09-15-2004 11:04 PM
Try using a configuration similar to the one provided in the following link:
If it does not work for you then post your configurations here.
09-16-2004 04:06 AM
Same problem. Here are my configs:
======================
pixfirewall# sh run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list vpn_outside permit ip 10.20.26.0 255.255.255.0 any
access-list vpn_outside permit ip 10.20.26.0 255.255.255.0 10.30.0.0 255.255.255.0
access-list outside_cryptomap_10 permit ip 10.20.26.0 255.255.255.0 any
access-list outside_cryptomap_10 permit ip 10.20.26.0 255.255.255.0 10.30.0.0 255.255.255.0
access-list outside permit gre host 192.168.16.4 host 192.168.16.3
..
ip address outside 192.168.16.3 255.255.255.0
ip address inside 10.20.26.3 255.255.255.0
...
global (outside) 1 interface
nat (inside) 0 access-list vpn_outside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.16.4 1
....
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set MOSCOW_BRANCH esp-des esp-md5-hmac
crypto map MOSCOW 10 ipsec-isakmp
crypto map MOSCOW 10 match address outside_cryptomap_10
crypto map MOSCOW 10 set peer 192.168.16.4
crypto map MOSCOW 10 set transform-set MOSCOW_BRANCH
crypto map MOSCOW interface outside
isakmp enable outside
isakmp key ******** address 192.168.16.4 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 10.20.26.0 255.255.255.0 inside
telnet timeout 60
console timeout 0
terminal width 80
Cryptochecksum:1940e2a5626656be553467d585212646
: end
===========================
pixfirewall# sh crypto isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
192.168.16.3 192.168.16.4 QM_IDLE 0 1
===========================
pixfirewall#sh log
710006: GRE request discarded from 192.168.16.4 to outside:192.168.16.3
710006: GRE request discarded from 192.168.16.4 to outside:192.168.16.3
710006: GRE request discarded from 192.168.16.4 to outside:192.168.16.3
++++++++++++++++++++++++++++++++++++++
router#sh run
....
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key TEST address 192.168.16.3 no-xauth
!
!
crypto ipsec transform-set TUNNEL-TRANSFORM esp-des esp-md5-hmac
!
crypto map VPN 1 ipsec-isakmp
set peer 192.168.16.3
set transform-set TUNNEL-TRANSFORM
match address 100
!
!
!
!
interface Loopback1
ip address 10.30.0.1 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.16.4 255.255.255.0
speed auto
crypto map VPN
!
interface Serial0/0
no ip address
shutdown
!
ip route 0.0.0.0 0.0.0.0 192.168.16.3
!
access-list 100 permit ip any 10.20.26.0 0.0.0.255
access-list 100 permit gre any 10.20.26.0 0.0.0.255
!
=========================
router#sh crypto isakmp sa
dst src state conn-id slot
192.168.16.3 192.168.16.4 QM_IDLE 1 0
===========================
09-16-2004 05:24 AM
Why are you permitting GRE in your access-list? Have you posted your complete configs or did you leave something out?
If you explain what you are trying to achieve and what is not working then it will be easier to help you out.
09-16-2004 05:59 AM
I posted the full config (excluding unnecessary lines like the SNMP community, etc.). I added the access-list permitting GRE after I found the "GRE request discarded" messages.
----------------------------------------------
I have a 1760 with one FE interface and FXO interfaces. I want the phones connected to the FXO port to ring through to the CCM in the central office through a VPN channel (the FE has a public address). For now I am testing it without phones connected. I want to ping a PC which is placed behind the PIX (in the LAN).
-----------------------------------------------
I don't understand why I received that "GRE request discarded" message. I have crypto map MOSCOW interface outside, which permitted GRE traffic from the outside peer.