04-23-2006 05:43 AM - edited 02-21-2020 02:22 PM
The PIX now has three VPNs on it. The third (current) VPN doesn't seem to work. I've included some of the config from the PIX 501 on our end. On the other end of the VPN is a PIX 515. The VPN that doesn't work should allow 192.168.2.0 and 192.168.4.2 to connect in.
name 192.168.2.0 THREE
name 192.168.4.2 THREEWEB1
object-group service BRANCHOFFICETCP tcp
description Service Group for Branch Office VPN Policies
port-object range 137 netbios-ssn
port-object eq lpd
port-object eq ftp-data
port-object eq ftp
port-object eq lotusnotes
port-object eq www
port-object eq login
port-object eq cmd
port-object eq 449
port-object eq pcanywhere-data
port-object eq 446
port-object eq https
port-object range 8470 8476
port-object eq telnet
port-object eq 135
port-object eq smtp
port-object eq 1433
port-object eq 8080
access-list NAT4ONE permit ip 192.168.40.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 150 permit ip 10.150.176.232 255.255.255.248 172.16.1.0 255.255.255.0
access-list inside_access_out remark Incoming from THREE
access-list inside_access_out permit tcp 192.168.2.0 255.255.255.0 object-group BRANCHOFFICETCP host 192.168.40.10 object-group BRANCHOFFICETCP
access-list inside_access_out remark Incoming from THREEWEBSERVER
access-list inside_outbound_nat0_acl permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_cryptomap_140 permit ip host 192.168.40.10 192.168.2.0 255.255.255.0
access-list outside_cryptomap_140 permit ip host 192.168.40.10 host 192.168.4.2
access-list 101 permit ip 192.168.40.0 255.255.255.0 192.168.10.0 255.255.255.0
ip address outside wanip 255.255.255.248
ip address inside 192.168.40.1 255.255.255.0
global (outside) 1 10.150.176.233
global (outside) 2 interface
nat (inside) 0 access-list 101
nat (inside) 1 access-list NAT4ONE 0 0
nat (inside) 3 access-list outside_cryptomap_140 0 0
nat (inside) 4 access-list inside_outbound_nat0_acl 0 0
nat (inside) 2 192.168.40.0 255.255.255.0 0 0
static (inside,outside) 10.150.176.234 192.168.40.17 netmask 255.255.255.255 0 0
access-group INTERNET_TO_INSIDE in interface outside
sysopt connection permit-ipsec
crypto ipsec transform-set one esp-aes-256 esp-sha-hmac
crypto ipsec transform-set two esp-aes-256 esp-sha-hmac
crypto ipsec transform-set three esp-3des esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address 150
crypto map VPN 10 set peer oneip
crypto map VPN 10 set transform-set one
crypto map VPN 20 ipsec-isakmp
crypto map VPN 20 match address 101
crypto map VPN 20 set peer twoip
crypto map VPN 20 set transform-set two
crypto map VPN 30 ipsec-isakmp
crypto map VPN 30 match address outside_cryptomap_140
crypto map VPN 30 set peer threeip
crypto map VPN 30 set transform-set three
crypto map VPN interface outside
isakmp enable outside
isakmp key ******** address oneip netmask 255.255.255.255
isakmp key ******** address twoip netmask 255.255.255.255
isakmp key ******** address threeip netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 1000
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption des
isakmp policy 50 hash sha
isakmp policy 50 group 1
isakmp policy 50 lifetime 86400
Phusion
04-23-2006 05:45 AM
Here is what I see from logging.
crypto_isakmp_process_block:src:threeip, dest:wanip spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 1000
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 30 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 1000
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:threeip, dest:wanip spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:threeip, dest:wanip spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
VPN Peer: ISAKMP: Peer ip:threeip/500 Ref cnt incremented to:4 Total VPN Peers:3
ISAKMP (0): deleting SA: src threeip, dst wanip
ISADB: reaper checking SA 0xa187d4, conn_id = 0
ISADB: reaper checking SA 0xa17fbc, conn_id = 0
ISADB: reaper checking SA 0xa1b0b4, conn_id = 0 DELETE IT!
Let me know what you think.
Phusion
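As an added example (not part of the thread), a small Python parser for the ISAKMP debug output quoted above: it pairs each "Checking ISAKMP transform N against priority P policy" block with the verdict line that follows it and decodes the "VPI" lifetime, whose hex bytes 0x0 0x1 0x51 0x80 are 86400 seconds. The log excerpt is constructed from two of the comparisons quoted above.

```python
import re

# Constructed excerpt of the ISAKMP debug output quoted above (two of the comparisons).
ISAKMP_LOG = """\
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 1 against priority 30 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 1000
ISAKMP (0): atts are acceptable. Next payload is 3
"""

CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"^ISAKMP: (encryption|hash|default group|auth) (\S+)")
LIFE_RE = re.compile(r"life duration \((basic|VPI)\) of (.+)$")

def lifetime_seconds(kind, value):
    """'basic' lifetimes print as an integer; 'VPI' ones print as big-endian
    bytes in hex, so '0x0 0x1 0x51 0x80' is 0x00015180 = 86400 seconds."""
    if kind == "basic":
        return int(value)
    return int.from_bytes(bytes(int(b, 16) for b in value.split()), "big")

def parse_negotiation(log):
    """One dict per (peer transform, local policy) comparison, with the PIX verdict."""
    checks = []
    for line in log.splitlines():
        if m := CHECK_RE.search(line):
            checks.append({"transform": int(m[1]), "policy": int(m[2])})
        elif m := ATTR_RE.match(line):
            checks[-1][m[1].replace("default ", "")] = m[2]
        elif m := LIFE_RE.search(line):
            checks[-1]["lifetime"] = lifetime_seconds(m[1], m[2])
        elif "atts are" in line:
            checks[-1]["accepted"] = "not acceptable" not in line
    return checks

def accepted_policy(log):
    """Priority of the local isakmp policy that accepted a peer transform, or None."""
    return next((c["policy"] for c in parse_negotiation(log) if c.get("accepted")), None)
```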
04-23-2006 05:40 PM
Try adding these lines
access-list 101 permit ip host 192.168.40.10 192.168.2.0 255.255.255.0
and
access-list 101 permit ip host 192.168.40.10 host 192.168.4.2
Because you are passing private IP addresses, you have to exempt them from the public NAT translation. You should have a similar access-list on the other end to get it to work.
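As an added example (not from the thread or from Cisco), a Python check for the gap the reply points out: every crypto-map ACE that names an inside host as its source must be matched by an ACE in the nat 0 access-list, otherwise the traffic is translated before it reaches the tunnel. The config excerpt and the two suggested lines are taken from the posts above; treating crypto ACLs whose source is not on the inside subnet (access-list 150 here) as already written in post-NAT addresses, and skipping them, is my assumption.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 501 config posted above, before the suggested fix.
PIX_CONFIG = """\
access-list 150 permit ip 10.150.176.232 255.255.255.248 172.16.1.0 255.255.255.0
access-list outside_cryptomap_140 permit ip host 192.168.40.10 192.168.2.0 255.255.255.0
access-list outside_cryptomap_140 permit ip host 192.168.40.10 host 192.168.4.2
access-list 101 permit ip 192.168.40.0 255.255.255.0 192.168.10.0 255.255.255.0
ip address inside 192.168.40.1 255.255.255.0
nat (inside) 0 access-list 101
crypto map VPN 10 match address 150
crypto map VPN 30 match address outside_cryptomap_140
"""
# The two lines the reply suggests adding to the nat 0 (exemption) list.
SUGGESTED_FIX = ("access-list 101 permit ip host 192.168.40.10 192.168.2.0 255.255.255.0\n"
                 "access-list 101 permit ip host 192.168.40.10 host 192.168.4.2\n")

ADDR = r"(?:host \S+|\S+ \S+)"
ACE_RE = re.compile(rf"^access-list (\S+) permit ip ({ADDR}) ({ADDR})$")

def to_network(text):
    # 'host 10.0.0.1' -> 10.0.0.1/32; '10.0.0.0 255.255.255.0' -> 10.0.0.0/24
    if text.startswith("host "):
        return ipaddress.ip_network(text.split()[1] + "/32")
    return ipaddress.ip_network(text.replace(" ", "/"), strict=False)

def audit_nat0_coverage(config):
    """Return crypto-map ACEs with an inside source that no nat 0 ACE covers."""
    acls, nat0, crypto_acls, inside = {}, set(), set(), None
    for line in config.splitlines():
        if m := ACE_RE.match(line):
            acls.setdefault(m[1], []).append((to_network(m[2]), to_network(m[3])))
        elif m := re.match(r"^nat \(inside\) 0 access-list (\S+)", line):
            nat0.add(m[1])
        elif m := re.match(r"^crypto map \S+ \d+ match address (\S+)", line):
            crypto_acls.add(m[1])
        elif m := re.match(r"^ip address inside (\S+ \S+)", line):
            inside = to_network(m[1])
    exempt = [ace for name in nat0 for ace in acls.get(name, [])]
    uncovered = []
    for name in sorted(crypto_acls):
        for src, dst in acls.get(name, []):
            # Assumption: a crypto ACL whose source is not on the inside subnet
            # is written in translated (post-NAT) addresses and needs no exemption.
            if inside is None or not src.subnet_of(inside):
                continue
            if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in exempt):
                uncovered.append((name, str(src), str(dst)))
    return uncovered
```

Running the audit on the posted config reports the two ACEs of outside_cryptomap_140 as uncovered; appending the two suggested lines to access-list 101 clears the report.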
04-26-2006 01:18 PM
I entered these commands, then did a write mem. After entering these commands it worked. For a test, I restarted. After restarting, I checked the config file and these two commands were still in there, but the VPN didn't work anymore.
Phusion
05-04-2006 07:17 AM
I figured out what the problem was. Thanks for your help.
Phusion