IPsec thru Pix not Working

mjreupenny
Level 1

Greetings,

I'm stuck right now. Wonder if anyone can help me figure out what I'm doing wrong. Here is my setup:

A: 3640 w/VPN Accelerator, IOS 12.2(13a), with internal IP
B: 520 Pix running 6.2(2)
C: 501 Pix running 6.2(2)

A <----> B <-----> Internet <----> C

Here is my problem... I cannot establish a successful IPsec tunnel when the 3640 is pulled behind the 520 Pix into the internal network. It works fine in front, but my boss would like to have it stay behind for extra security. I've looked at various Cisco links and forums to find an answer to this problem but no luck. I have "punched" a hole into the 520 to allow IPsec traffic but to no avail.

I have the debug info which I can post later if needed, but think that this may be a config issue with Device B. Hope someone can help, thanks.

Here are the configs (please excuse the sloppiness of the configs; I've added various commands out of desperation):

DEVICE A

!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname "3640VPN"
!
logging buffered 10000 debugging
enable password 7
!
ip subnet-zero
!
no ip domain-lookup
!
crypto isakmp policy 21
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key blah address 1.1.1.1
!
crypto ipsec transform-set tset esp-3des esp-md5-hmac
!
crypto map map1 local-address Ethernet0/0
crypto map map1 11 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set tset
 match address 101
call rsvp-sync
!
interface Ethernet0/0
 ip address 192.168.200.254 255.255.255.0
 no ip route-cache
 no ip mroute-cache
 half-duplex
 crypto map map1
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface Serial0/1
 no ip address
 shutdown
!
interface Ethernet1/0
 ip address 10.20.0.65 255.255.255.0
 half-duplex
!
interface Ethernet1/1
 no ip address
 shutdown
 half-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.200.1
no ip http server
!
access-list 101 permit ip 10.20.0.0 0.0.0.255 10.20.33.0 0.0.0.255
access-list 101 permit ip 10.20.0.0 0.0.255.255 10.20.33.0 0.0.0.255
no cdp run
!
dial-peer cor custom
!
end

------------------------------------------

DEVICE B

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security80
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password encrypted
passwd encrypted
hostname 520pix
domain-name dummy.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list 155 deny tcp any any range 6661 6669
access-list 155 deny udp any any range 6661 6669
access-list 155 deny ip any host x.x.x.x
access-list 155 deny ip any host x.x.x.x
access-list 155 permit ip any any
access-list acl_out deny tcp host x.x.x.x host x.x.x.x eq smtp
access-list acl_out deny tcp host x.x.x.x host x.x.x.x eq pop3
access-list acl_out permit tcp any host x.x.x.x eq smtp
access-list acl_out permit tcp any host x.x.x.x eq pop3
access-list acl_out permit tcp any host x.x.x.x eq www
access-list acl_out permit tcp any host x.x.x.x eq www
access-list acl_out permit tcp any host x.x.x.x eq ftp
access-list acl_out permit tcp any host x.x.x.x eq telnet
access-list acl_out permit tcp any host x.x.x.x eq www
access-list acl_out permit icmp any any echo-reply
access-list acl_out permit tcp any host x.x.x.x eq telnet
access-list acl_out permit icmp any any
access-list acl_out deny tcp any any eq 135
access-list acl_out deny udp any any eq 135
access-list acl_out deny udp any any eq 8998
access-list acl_out permit esp host 1.1.1.1 host 2.2.2.2
access-list acl_out permit udp host 1.1.1.1 host 2.2.2.2 eq isakmp
access-list acl_out permit tcp host 1.1.1.1 host 2.2.2.2 eq 500
access-list acl_dmz permit icmp any any
pager lines 24
logging on
logging buffered debugging
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto
interface ethernet5 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside x.x.x.3 255.255.255.0
ip address inside 10.20.0.4 255.255.255.0
ip address dmz 192.168.200.1 255.255.255.0
ip address intf3 192.168.70.1 255.255.255.0
ip address intf4 192.168.90.1 255.255.255.0
ip address intf5 x.x.x.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool garbagepool 10.20.0.150-10.20.0.155
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 2.2.2.4 netmask 255.255.255.0
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.x 10.20.0.3 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 10.20.0.53 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 10.20.0.54 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 0 0
static (inside,dmz) 10.2.0.0 10.2.0.0 netmask 255.255.0.0 0 0
static (inside,intf3) 10.20.0.0 10.20.0.0 netmask 255.255.0.0 0 0
static (inside,dmz) 10.20.0.0 10.20.0.0 netmask 255.255.0.0 0 0
static (dmz,outside) x.x.x.x 192.168.200.10 netmask 255.255.255.255 0 0
static (dmz,outside) x.x.x.x 192.168.200.254 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_dmz in interface dmz
conduit permit esp host 1.1.1.1 host 2.2.2.2
conduit permit udp host 1.1.1.1 eq isakmp host 2.2.2.2
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
route inside 10.1.1.0 255.255.255.0 10.20.0.3 1
route inside 10.2.0.0 255.255.0.0 10.20.0.3 1
route inside 10.5.0.0 255.255.0.0 10.20.0.3 1
route inside 10.20.0.0 255.255.0.0 10.20.0.3 1
route inside 10.20.1.0 255.255.255.0 10.20.0.1 1
route inside 10.20.2.0 255.255.255.0 10.20.0.1 1
route inside 192.168.0.0 255.255.0.0 10.20.0.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
Cryptochecksum:xxxx
: end

-----------------------------------------------------------------------

DEVICE C

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix501
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list ipsec permit ip 10.20.33.0 255.255.255.0 10.20.0.0 255.255.0.0
access-list nonat permit ip 10.20.33.0 255.255.255.0 10.20.0.0 255.255.0.0
pager lines 24
logging on
logging timestamp
logging console debugging
logging monitor debugging
logging buffered debugging
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.1 255.255.255.0
ip address inside 10.20.33.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 1.1.1.2
nat (inside) 0 access-list nonat
nat (inside) 1 10.20.33.0 255.255.255.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 1.1.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partner protocol tacacs+
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set tset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map map1 21 ipsec-isakmp
crypto map map1 21 match address ipsec
crypto map map1 21 set peer 2.2.2.2
crypto map map1 21 set transform-set tset
crypto map isgmap interface outside
isakmp enable outside
isakmp key blah address 2.2.2.2 netmask 255.255.255.0
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption 3des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:xxxxx
: end

1 Reply

rvdoever
Level 1

On device B you are using both access-lists and conduits; get rid of the conduit statements, esp and isakmp are already included in the access-list.

You don't need the following statement:

access-list acl_out permit tcp host 1.1.1.1 host 2.2.2.2 eq 500

In this case you don't need the following statement, because you're not terminating IPSec traffic on this device:

sysopt connection permit-ipsec

Take a look at the log to see what's happening.

Do the crypto map access-lists match traffic? Use 'sh access-list' and look at the counters.
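Editor's note: the three configs are long enough that peer mismatches are easy to miss when reading them by hand. The following is an added example, not code from the thread or from Cisco. It is a short Python script that takes the IPsec-relevant lines of Device A and Device C (embedded as excerpts of the configs posted above; the x.x.x.x placeholders are left as posted, so nothing that depends on the real public addresses is checked) and cross-checks them the way one would before reading debugs: phase-1 policy attributes on both sides, the transform sets, whether the two crypto ACLs are mirror images of each other (IOS wildcard masks translated against PIX subnet masks), and whether the crypto map applied to the PIX outside interface is the one that actually holds the entries. Run against these excerpts it reports that the ISAKMP policies and transform sets agree, that the first line of access-list 101 is fully covered by the second and has no exact mirror on the PIX, and that Device C applies "crypto map isgmap" to the outside interface while its entries are defined under "map1", so map1 is never bound to an interface. The parsing is generic over the two config dialects rather than tied to these boxes.

```python
"""Cross-check the IPsec-relevant lines of Device A (IOS) and Device C (PIX 6.2) from the post above.
Added example, not code from the thread. The snippets are excerpts of the posted configs; x.x.x.x
placeholders are left as posted, so nothing that depends on the real public addresses is checked."""
import ipaddress
import re

DEVICE_A = """
crypto isakmp policy 21
 encr 3des
 hash md5
 authentication pre-share
crypto ipsec transform-set tset esp-3des esp-md5-hmac
crypto map map1 11 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set tset
 match address 101
access-list 101 permit ip 10.20.0.0 0.0.0.255 10.20.33.0 0.0.0.255
access-list 101 permit ip 10.20.0.0 0.0.255.255 10.20.33.0 0.0.0.255
"""
DEVICE_C = """
access-list ipsec permit ip 10.20.33.0 255.255.255.0 10.20.0.0 255.255.0.0
crypto ipsec transform-set tset esp-3des esp-md5-hmac
crypto map map1 21 ipsec-isakmp
crypto map map1 21 match address ipsec
crypto map map1 21 set peer 2.2.2.2
crypto map isgmap interface outside
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption 3des
isakmp policy 21 hash md5
isakmp policy 21 group 1
"""
# Phase-1 defaults on both platforms; attributes a policy does not set take these values.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}
ACL_RE = r"^access-list {} permit ip (\S+) (\S+) (\S+) (\S+)$"

def ios_network(addr, wildcard):
    """IOS ACLs use wildcard (inverted) masks: 0.0.255.255 means /16."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(mask)), strict=False)

def crypto_acl(config, acl_id, wildcard=False):
    """(src, dst) networks a crypto ACL selects; IOS lines carry wildcard masks, PIX lines subnet masks."""
    to_net = ios_network if wildcard else (lambda a, m: ipaddress.IPv4Network((a, m), strict=False))
    return {(to_net(s, sm), to_net(d, dm)) for s, sm, d, dm in re.findall(ACL_RE.format(acl_id), config, re.M)}

def acl_mirror_gaps(local, remote):
    """Entries on each side whose exact mirror (dst, src) is missing on the other side."""
    return ({(s, d) for s, d in local if (d, s) not in remote},
            {(s, d) for s, d in remote if (d, s) not in local})

def acl_redundant(pairs):
    """Entries fully covered by a broader entry of the same ACL (they still match first if listed first)."""
    return {(s, d) for s, d in pairs
            if any((s, d) != (s2, d2) and s.subnet_of(s2) and d.subnet_of(d2) for s2, d2 in pairs)}

def ios_isakmp_policies(config):
    """{number: attributes} from 'crypto isakmp policy' blocks (indented lines); IOS spells encryption 'encr'."""
    policies = {}
    for num, body in re.findall(r"^crypto isakmp policy (\d+)\n((?: .*\n)*)", config, re.M):
        attrs = dict(ISAKMP_DEFAULTS)
        for key, _, value in (l.strip().partition(" ") for l in body.splitlines()):
            attrs["encryption" if key == "encr" else key] = value
        policies[num] = attrs
    return policies

def pix_isakmp_policies(config):
    """{number: attributes} from the one-line-per-attribute PIX form."""
    policies = {}
    for num, key, value in re.findall(r"^isakmp policy (\d+) (\S+) (\S+)$", config, re.M):
        policies.setdefault(num, dict(ISAKMP_DEFAULTS))[key] = value
    return policies

def matching_isakmp_policies(a, b):
    """Policy-number pairs that agree on the attributes phase 1 must match exactly (lifetime is not one)."""
    keys = ("encryption", "hash", "authentication", "group")
    return [(na, nb) for na, pa in a.items() for nb, pb in b.items() if all(pa[k] == pb[k] for k in keys)]

def transform_sets(config):
    """{name: frozenset(transforms)}; the command has the same syntax on IOS and PIX."""
    return {name: frozenset(rest.split())
            for name, rest in re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M)}

def report(ios=DEVICE_A, pix=DEVICE_C):
    a_acl, c_acl = crypto_acl(ios, "101", wildcard=True), crypto_acl(pix, "ipsec")
    # On the PIX only the map named in 'crypto map NAME interface outside' ever negotiates.
    defined = set(re.findall(r"^crypto map (\S+) \d+ ", pix, re.M))
    applied = set(re.findall(r"^crypto map (\S+) interface \S+$", pix, re.M))
    return {"isakmp_match": matching_isakmp_policies(ios_isakmp_policies(ios), pix_isakmp_policies(pix)),
            "transform_match": set(transform_sets(ios).values()) & set(transform_sets(pix).values()),
            "acl_unmirrored": acl_mirror_gaps(a_acl, c_acl),
            "acl_redundant_ios": acl_redundant(a_acl),
            "pix_map_applied_but_undefined": applied - defined,
            "pix_map_defined_but_not_applied": defined - applied}

if __name__ == "__main__":
    print(*(f"{k}: {v}" for k, v in report().items()), sep="\n")
```

Run it as a script to print one finding per line. Because every pattern is anchored per line, the excerpts can be replaced with a full 'write terminal' capture from each box, and the same report can be re-run after a change (for example after the PIX binding line is changed to name map1) to confirm that the map findings come back empty.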
