11-04-2003 10:39 AM - edited 02-21-2020 12:51 PM
Greetings,
I'm stuck right now. Wonder if anyone can help me figure out what I'm doing
wrong. Here is my setup:
A: 3640 w/VPN Accelerator with Internal IP, IOS 12.2(13a)
B: 520 Pix running 6.2(2)
C: 501 Pix running 6.2(2)
A (3640) <----> B (520 Pix) <-----> Internet <----> C (501 Pix)
Here is my problem... I cannot establish a successful IPSec tunnel when the 3640 is pulled behind the
520 Pix into the internal network. It works fine in front but my boss would like to have it stay
behind for extra security. I've looked at various Cisco links and forums to find an answer to this
problem but no luck. I have "punched" a hole into the 520 to allow IPsec traffic but to no avail.
I have the debug info which I can post later if needed but think that this may be a config issue
with Device B. Hope someone can help, thanks.
Here are the configs (Please excuse the sloppiness of the configs. I've added various commands out of
desperation):
DEVICE A
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname "3640VPN"
!
logging buffered 10000 debugging
enable password 7
!
ip subnet-zero
!
!
no ip domain-lookup
!
!
crypto isakmp policy 21
encr 3des
hash md5
authentication pre-share
crypto isakmp key blah address 1.1.1.1
!
!
crypto ipsec transform-set tset esp-3des esp-md5-hmac
!
crypto map map1 local-address Ethernet0/0
crypto map map1 11 ipsec-isakmp
set peer 1.1.1.1
set transform-set tset
match address 101
call rsvp-sync
!
!
!
!
!
!
!
!
interface Ethernet0/0
ip address 192.168.200.254 255.255.255.0
no ip route-cache
no ip mroute-cache
half-duplex
crypto map map1
!
interface Serial0/0
no ip address
shutdown
no fair-queue
!
interface Serial0/1
no ip address
shutdown
!
interface Ethernet1/0
ip address 10.20.0.65 255.255.255.0
half-duplex
!
interface Ethernet1/1
no ip address
shutdown
half-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.200.1
no ip http server
!
access-list 101 permit ip 10.20.0.0 0.0.0.255 10.20.33.0 0.0.0.255
access-list 101 permit ip 10.20.0.0 0.0.255.255 10.20.33.0 0.0.0.255
no cdp run
!
dial-peer cor custom
!
!
!
!
!
!
end
------------------------------------------
DEVICE B
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security80
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password encrypted
passwd encrypted
hostname 520pix
domain-name dummy.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list 155 deny tcp any any range 6661 6669
access-list 155 deny udp any any range 6661 6669
access-list 155 deny ip any host x.x.x.x
access-list 155 deny ip any host x.x.x.x
access-list 155 permit ip any any
access-list acl_out deny tcp host x.x.x.x host x.x.x.x eq smtp
access-list acl_out deny tcp host x.x.x.x host x.x.x.x eq pop3
access-list acl_out permit tcp any host x.x.x.x eq smtp
access-list acl_out permit tcp any host x.x.x.x eq pop3
access-list acl_out permit tcp any host x.x.x.x eq www
access-list acl_out permit tcp any host x.x.x.x eq www
access-list acl_out permit tcp any host x.x.x.x eq ftp
access-list acl_out permit tcp any host x.x.x.x eq telnet
access-list acl_out permit tcp any host x.x.x.x eq www
access-list acl_out permit icmp any any echo-reply
access-list acl_out permit tcp any host x.x.x.x eq telnet
access-list acl_out permit icmp any any
access-list acl_out deny tcp any any eq 135
access-list acl_out deny udp any any eq 135
access-list acl_out deny udp any any eq 8998
access-list acl_out permit esp host 1.1.1.1 host 2.2.2.2
access-list acl_out permit udp host 1.1.1.1 host 2.2.2.2 eq isakmp
access-list acl_out permit tcp host 1.1.1.1 host 2.2.2.2 eq 500
access-list acl_dmz permit icmp any any
pager lines 24
logging on
logging buffered debugging
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto
interface ethernet5 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside x.x.x.3 255.255.255.0
ip address inside 10.20.0.4 255.255.255.0
ip address dmz 192.168.200.1 255.255.255.0
ip address intf3 192.168.70.1 255.255.255.0
ip address intf4 192.168.90.1 255.255.255.0
ip address intf5 x.x.x.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool garbagepool 10.20.0.150-10.20.0.155
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 2.2.2.4 netmask 255.255.255.0
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.x 10.20.0.3 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 10.20.0.53 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 10.20.0.54 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 0 0
static (inside,dmz) 10.2.0.0 10.2.0.0 netmask 255.255.0.0 0 0
static (inside,intf3) 10.20.0.0 10.20.0.0 netmask 255.255.0.0 0 0
static (inside,dmz) 10.20.0.0 10.20.0.0 netmask 255.255.0.0 0 0
static (dmz,outside) x.x.x.x 192.168.200.10 netmask 255.255.255.255 0 0
static (dmz,outside) x.x.x.x 192.168.200.254 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_dmz in interface dmz
conduit permit esp host 1.1.1.1 host 2.2.2.2
conduit permit udp host 1.1.1.1 eq isakmp host 2.2.2.2
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
route inside 10.1.1.0 255.255.255.0 10.20.0.3 1
route inside 10.2.0.0 255.255.0.0 10.20.0.3 1
route inside 10.5.0.0 255.255.0.0 10.20.0.3 1
route inside 10.20.0.0 255.255.0.0 10.20.0.3 1
route inside 10.20.1.0 255.255.255.0 10.20.0.1 1
route inside 10.20.2.0 255.255.255.0 10.20.0.1 1
route inside 192.168.0.0 255.255.0.0 10.20.0.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
Cryptochecksum:xxxx
: end
-----------------------------------------------------------------------
DEVICE C
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix501
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list ipsec permit ip 10.20.33.0 255.255.255.0 10.20.0.0 255.255.0.0
access-list nonat permit ip 10.20.33.0 255.255.255.0 10.20.0.0 255.255.0.0
pager lines 24
logging on
logging timestamp
logging console debugging
logging monitor debugging
logging buffered debugging
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.1 255.255.255.0
ip address inside 10.20.33.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 1.1.1.2
nat (inside) 0 access-list nonat
nat (inside) 1 10.20.33.0 255.255.255.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 1.1.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partner protocol tacacs+
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set tset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map map1 21 ipsec-isakmp
crypto map map1 21 match address ipsec
crypto map map1 21 set peer 2.2.2.2
crypto map map1 21 set transform-set tset
crypto map isgmap interface outside
isakmp enable outside
isakmp key blah address 2.2.2.2 netmask 255.255.255.0
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption 3des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:xxxxx
: end
11-04-2003 01:00 PM
On device B you are using both access-lists and conduits; get rid of the conduit statements, esp and isakmp are already included in the access-list.
You don't need the following statement:
access-list acl_out permit tcp host 1.1.1.1 host 2.2.2.2 eq 500
In this case you don't need the following statement, because you're not terminating IPSec traffic on this device:
sysopt connection permit-ipsec
Take a look at the log to see what's happening.
Do the crypto map access-lists match traffic? Use 'sh access-list' and look at the counters.
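One way to do the "do the crypto map access-lists match" check offline, as an added example that is not part of the original thread: it parses device A's IOS wildcard-mask crypto ACL and device C's PIX netmask crypto ACL (copied from the configs above) and reports proxy identities that have no exact mirror on the far side, which is what the two crypto ACLs need to be for phase 2 to agree. It assumes Python 3 with only the standard library and handles only network/mask entries, which is all the posted ACLs contain.

```python
import ipaddress
import re

# Constructed from the two crypto-map ACLs in the post: device A uses IOS
# wildcard masks, device C uses PIX netmasks.
DEVICE_A_ACL = """
access-list 101 permit ip 10.20.0.0 0.0.0.255 10.20.33.0 0.0.0.255
access-list 101 permit ip 10.20.0.0 0.0.255.255 10.20.33.0 0.0.0.255
"""
DEVICE_C_ACL = """
access-list ipsec permit ip 10.20.33.0 255.255.255.0 10.20.0.0 255.255.0.0
"""

# Matches "access-list NAME permit ip SRC SMASK DST DMASK" (no host/any keywords).
ACL_RE = re.compile(
    r"access-list\s+\S+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def _to_network(addr, mask, wildcard):
    """Build an IPv4Network from 'addr mask'; IOS masks are inverted wildcards."""
    if wildcard:
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acl(text, wildcard):
    """Return the ACL as a list of (src_network, dst_network) proxy identities."""
    entries = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            src, smask, dst, dmask = m.groups()
            entries.append((_to_network(src, smask, wildcard),
                            _to_network(dst, dmask, wildcard)))
    return entries


def unmirrored(local, remote):
    """Entries of `local` whose exact (dst, src) mirror is absent from `remote`."""
    mirrors = {(d, s) for s, d in remote}
    return [(s, d) for s, d in local if (s, d) not in mirrors]


def check_mirror():
    """Report, for each side, the proxy identities the other side does not mirror."""
    a = parse_acl(DEVICE_A_ACL, wildcard=True)
    c = parse_acl(DEVICE_C_ACL, wildcard=False)
    return {"a_unmirrored": [f"{s} -> {d}" for s, d in unmirrored(a, c)],
            "c_unmirrored": [f"{s} -> {d}" for s, d in unmirrored(c, a)]}


if __name__ == "__main__":
    print(check_mirror())
```

On the posted ACLs the check reports device A's first entry (10.20.0.0/24 to 10.20.33.0/24) as having no mirror on device C, while A's /16 entry and C's single entry mirror each other.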