11-29-2004 10:15 AM
We are trying to setup a site-to-site vpn between our PIX 515 and a SonicWALL. Currently our PIX has vpn configuration for IPSEC clients and whenever I enter the commands for the site-to-site the cisco client vpn stops working. Is it possible to have both? I thought as long as there were different policy numbers there should be no conflicts?
Here is my current config. I've omitted the access-lists, passwords, names and what not, but all the current vpn config stuff is there.
*******************************************
: Saved
: Written by enable_15 at 09:48:20.445 UTC Mon Nov 29 2004
PIX Version 6.3(3)
names
access-list vpn permit ip 172.16.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list dmz permit ip 10.0.0.0 255.255.255.0 172.17.0.0 255.255.0.0
ip local pool vpnpool 172.17.1.1-172.17.1.60
ip local pool ipsec 172.17.1.100-172.17.1.200
arp timeout 14400
global (outside) 1 x.x.x.x-x.x.x.x
global (outside) 1 x.x.x.x
global (outside) 2 x.x.x.x
global (dmz) 1 10.0.0.100-10.0.0.150
nat (inside) 0 access-list vpn
nat (inside) 0 access-list vpn outside
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 172.16.0.0 255.255.0.0 0 0
nat (dmz) 0 access-list dmz
nat (dmz) 2 10.0.0.10 255.255.255.255 0 0
access-group outside_acl in interface outside
access-group dmz_acl in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.1.0 255.255.255.0 172.16.222.222 1
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host 172.16.1.251 x timeout 30
aaa-server AuthInbound (inside) host Vanpdc01 x timeout 30
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt noproxyarp inside
sysopt noproxyarp dmz
crypto ipsec transform-set impac esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set impac
crypto map impacmap 10 ipsec-isakmp dynamic dynmap
crypto map impacmap client authentication AuthInbound
crypto map impacmap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup ciscovpn address-pool ipsec
vpngroup ciscovpn dns-server Vanpdc01
vpngroup ciscovpn wins-server 172.16.1.251
vpngroup ciscovpn default-domain impacservices.com
vpngroup ciscovpn split-tunnel vpn
vpngroup ciscovpn idle-time 1800
vpngroup ciscovpn password ********
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local vpnpool
vpdn group 1 client configuration dns Vanpdc01
vpdn group 1 client configuration wins 172.16.1.251
vpdn group 1 client authentication aaa AuthInbound
vpdn group 1 pptp echo 60
vpdn enable outside
************************************************
What I'm trying to add is the following lines -
access-list pixtosw permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list pixtosw
crypto ipsec transform-set tosonicwall esp-3des esp-sha-hmac
crypto map tosonicwall 20 ipsec-isakmp
crypto map tosonicwall 20 match address pixtosw
crypto map tosonicwall 20 set peer x.x.x.x
crypto map tosonicwall 20 set transform-set tosonicwall
crypto map tosonicwall interface outside
isakmp key xxx address x.x.x.x netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
Thanks for any help.
~rick
11-29-2004 08:53 PM
You can only have one crypto map assigned to an interface at one time. Yes, that crypto map can have multiple peers by using a different instance number, but the crypto map name also has to be the same.
You currently have a crypto map called impacmap on the outside interface. When you do the:
crypto map tosonicwall interface outside
command you remove the impacmap crypto map from the outside int (and hence kill all your vpn clients), and replace it with the tosonicwall crypto map. What you need to do is just add another instance to the impacmap crypto map with the following:
crypto map impacmap 5 ipsec-isakmp
crypto map impacmap 5 match address pixtosw
crypto map impacmap 5 set peer x.x.x.x
crypto map impacmap 5 set transform-set tosonicwall
I've used an instance number of 5 so that this static peer will be inserted BEFORE your vpn client section. You always want static peers before vpn clients because you have specific matches for static peers, whereas vpn clients are just a "match-all" kind of thing. If you used 20 as your instance number, this static map would be AFTER your vpn clients, and the sonicwall would match on the vpn client instance rather than the instance you want it to.
Also, assuming that you have the 172.16.0.0/16 net on the inside of your PIX, your ACL should be:
access-list pixtosw permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
And finally, you can also only have one "nat 0 access-list" command per interface, so you need to add this pixtosw traffic into the current nat 0 ACL with:
access-list vpn permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
rather than replace it with a new ACL as you were currently trying.
11-30-2004 08:49 AM
Thank you very much, I'll give this a try.
Rick
11-30-2004 11:40 AM
Hello,
Would you kindly make a post if the results are successful? I am very interested to know as I have almost the same scenario. I'd like to create a fixed link between a PIX 515 (main 10.1.1.0) and 506 (remote 192.168.1.0 - 50) + a small PPTP pool for dial-up clients. I got it to work well, except that when connecting with a PPTP dial-up client, I could not "see" any of the hosts on the inside network. I suspect it was either because of the one nat 0 command, or because the PPTP vpn required a transport instead of a tunnel. And I wasn't sure which address pool to assign to the dial-ups, in the same network as the 506 or different?
12-09-2004 06:21 AM
Verify that "Enable NetBIOS over TCP/IP" is selected in the TCP/IP Properties > Advanced settings (under WINS).
12-08-2004 11:13 AM
Okay, have it configured per above, but still something is not right. Here is the output from the sonic wall -
SENDING>>>> ISAKMP OAK QM (InitCookie 0x3503bc16621ef42d, MsgID: 0xD0009213) *(HASH, SA, NON, ID, ID)
Just hangs there. From debug mode on pix I get this output -
crypto_isakmp_process_block:src:208.X.X.X, dest:65.X.X.X spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 5 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): ID payload
next-payload : 10
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:208.X.X.X, dest:65.X.X.X spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP: Created a peer struct for 208.X.X.X, peer port 62465
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:208.X.X.X/500 Total VPN Peers:3
VPN Peer: ISAKMP: Peer ip:208.X.X.X/500 Ref cnt incremented to:1 Total VPN Peers:3
crypto_isakmp_process_block:src:208.X.X.X, dest:65.X.X.X spt:500 dpt:500
OAK_QM exchange
ISAKMP (0:0): Need XAUTH
ISAKMP/xauth: request attribute XAUTH_TYPE
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
ISAKMP (0:0): initiating peer config to 208.X.X.X. ID = 1543323393 (0x5bfd3f01)
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:208.X.X.X, dest:65.X.X.X spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:208.X.X.X, dest:65.X.X.X spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): retransmitting Config Mode Request...
ISAKMP (0): retransmitting Config Mode Request...
ISAKMP (0): retransmitting Config Mode Request...
crypto_isakmp_process_block:src:208.X.X.X, dest:65.X.X.X spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): retransmitting Config Mode Request...
Any ideas?
Thanks,
Rick
12-09-2004 06:27 AM
Use this example:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094cea.shtml
It talks about a PIX-to-PIX and a VPN client. However, the remote PIX can be "substituted" for your SonicWall.
Also, in the isakmp key command, include the following at the end - "no-xauth no-config-mode".
Further, make sure that PFS is not enabled on the Sonicwall.
If it does not work, then if you want, I can SSH into your PIX and fix it.
12-09-2004 08:40 AM
Okay, appreciate all the help. Turned out that it was the xauth trying to get a username and password from the sonicwall. So with that turned off on the isakmp key command all is working perfectly.
Thanks!!!
Rick
12-09-2004 09:52 AM
Glad to note that the issue was resolved with that recommendation.
FYI, when configuring IPSec with non-Cisco devices, always (almost) turn off xauth and config-mode.
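Added example, not part of the thread and not Cisco code: a small Python lint that applies the rules from the first reply (one crypto map per interface, static peer instances numbered before the dynamic client instance, one nat 0 access-list per interface) and the later recommendation (no-xauth no-config-mode on the isakmp key of a non-Cisco peer) to PIX 6.3-style config text. The three config snippets are constructed from Rick's posted lines; the peer address 203.0.113.10 and the key SECRET are placeholders, not values from the thread.

```python
"""Lint PIX 6.x config text for the pitfalls discussed in this thread."""
import re
from collections import defaultdict

# Constructed sample: the poster's original lines plus the lines he first tried to add
# (a second crypto map bound to outside, a second nat 0 ACL). Peer/key are placeholders.
SAMPLE_BROKEN = """\
access-list vpn permit ip 172.16.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list pixtosw permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list vpn
nat (inside) 0 access-list pixtosw
crypto dynamic-map dynmap 10 set transform-set impac
crypto map impacmap 10 ipsec-isakmp dynamic dynmap
crypto map impacmap client authentication AuthInbound
crypto map impacmap interface outside
crypto map tosonicwall 20 ipsec-isakmp
crypto map tosonicwall 20 match address pixtosw
crypto map tosonicwall 20 set peer 203.0.113.10
crypto map tosonicwall 20 set transform-set tosonicwall
crypto map tosonicwall interface outside
isakmp key SECRET address 203.0.113.10 netmask 255.255.255.255
"""

# Constructed variant: same map name, but instance 20 lands after the dynamic entry 10
# and the isakmp key still allows xauth/config-mode (the stall seen in the debug output).
SAMPLE_WRONG_ORDER = SAMPLE_BROKEN.replace("crypto map tosonicwall", "crypto map impacmap")

# Constructed sample following the replies: instance 5 before the dynamic 10, the
# site-to-site subnet merged into the existing nat 0 ACL, xauth disabled for the peer.
SAMPLE_FIXED = """\
access-list vpn permit ip 172.16.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list vpn permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list pixtosw permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
nat (inside) 0 access-list vpn
crypto dynamic-map dynmap 10 set transform-set impac
crypto map impacmap 5 ipsec-isakmp
crypto map impacmap 5 match address pixtosw
crypto map impacmap 5 set peer 203.0.113.10
crypto map impacmap 5 set transform-set tosonicwall
crypto map impacmap 10 ipsec-isakmp dynamic dynmap
crypto map impacmap client authentication AuthInbound
crypto map impacmap interface outside
isakmp key SECRET address 203.0.113.10 netmask 255.255.255.255 no-xauth no-config-mode
"""

RE_MAP_IF = re.compile(r"^crypto map (\S+) interface (\S+)$")
RE_MAP_ENTRY = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")
RE_MAP_PEER = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
RE_MAP_XAUTH = re.compile(r"^crypto map (\S+) client authentication (\S+)$")
RE_NAT0 = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
RE_KEY = re.compile(r"^isakmp key (\S+) address (\S+) netmask (\S+)(.*)$")


def lint_pix(config: str) -> list:
    """Return findings as 'CODE: explanation' strings; an empty list means no issue found."""
    maps_on_if = defaultdict(list)   # interface -> crypto map names bound, in config order
    nat0_on_if = defaultdict(list)   # interface -> ACL names given to 'nat (if) 0 access-list'
    entries = defaultdict(dict)      # map name -> {instance: dynamic-map name or None}
    peers = {}                       # (map name, instance) -> static peer address
    xauth_maps = set()               # maps with 'client authentication' (xauth) enabled
    key_opts = {}                    # peer address -> trailing options of its isakmp key
    for raw in config.splitlines():
        line = raw.strip()
        if m := RE_MAP_IF.match(line):
            maps_on_if[m.group(2)].append(m.group(1))
        elif m := RE_MAP_ENTRY.match(line):
            entries[m.group(1)][int(m.group(2))] = m.group(3)
        elif m := RE_MAP_PEER.match(line):
            peers[(m.group(1), int(m.group(2)))] = m.group(3)
        elif m := RE_MAP_XAUTH.match(line):
            xauth_maps.add(m.group(1))
        elif m := RE_NAT0.match(line):
            nat0_on_if[m.group(1)].append(m.group(2))
        elif m := RE_KEY.match(line):
            key_opts[m.group(2)] = m.group(4)

    findings = []
    for intf, names in maps_on_if.items():
        uniq = list(dict.fromkeys(names))
        if len(uniq) > 1:   # the last 'interface' command silently replaces the earlier map
            findings.append(f"CRYPTO_MAP_REPLACED: interface {intf} is given {', '.join(uniq)}; "
                            f"only {uniq[-1]} stays bound and the other map's tunnels drop")
    for intf, acls in nat0_on_if.items():
        uniq = list(dict.fromkeys(acls))
        if len(uniq) > 1:   # only one ACL can back nat 0 per interface; merge the entries
            findings.append(f"NAT0_REPLACED: nat ({intf}) 0 access-list given {', '.join(uniq)}; "
                            f"merge the entries into one ACL")
    for name, insts in entries.items():
        dynamic = [i for i, dm in insts.items() if dm]
        for inst in (i for i, dm in insts.items() if not dm):
            earlier = [d for d in dynamic if d < inst]
            if earlier:     # a static peer would be caught by the match-all dynamic entry first
                findings.append(f"ORDER: {name} {inst} (static peer) is numbered after dynamic "
                                f"entry {min(earlier)}; renumber it below {min(earlier)}")
    for (name, inst), peer in peers.items():
        if name in xauth_maps:
            opts = key_opts.get(peer)
            if opts is None:
                findings.append(f"NO_KEY: {name} {inst} peer {peer} has no isakmp key")
            elif "no-xauth" not in opts or "no-config-mode" not in opts:
                findings.append(f"XAUTH: {name} {inst} peer {peer} will receive XAUTH/config-mode "
                                f"requests; append 'no-xauth no-config-mode' to its isakmp key")
    return findings


def finding_codes(config: str) -> list:
    """Sorted finding codes only, convenient for comparing two configs."""
    return sorted(f.split(":", 1)[0] for f in lint_pix(config))


if __name__ == "__main__":
    for label, cfg in (("broken", SAMPLE_BROKEN), ("wrong order", SAMPLE_WRONG_ORDER), ("fixed", SAMPLE_FIXED)):
        print(f"--- {label} ---")
        for f in lint_pix(cfg) or ["no findings"]:
            print(f)
```

The checks are ordered the way the thread surfaced them: the replaced crypto map is what killed the VPN clients on the first attempt, the ORDER check is what instance 5 versus 20 is about, and the XAUTH check corresponds to the "Need XAUTH" / "retransmitting Config Mode Request" lines in the debug output. The lint only understands the handful of command shapes shown here; anything else in a config is ignored rather than flagged.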