03-22-2003 06:46 AM - edited 02-21-2020 12:25 PM
I have a 515 and 3 501s. I currently have 2 VPNs running fine. I am having a bit of a time getting the 3rd VPN up. I did verify that the same key is being used for both configs. I know I'm missing something simple here, but I can't seem to see it...
515:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
...
hostname YRPCI
domain-name xxxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol http 8080
fixup protocol ftp 22
names
name x.x.71.8 ConstOffice
name x.x.81.11 BftOffice
name x.x.71.7 MainOffice (this is the local device)
name x.x.152.238 Savannah
access-list acl_outbound permit ip host 192.168.50.10 any
access-list acl_outbound permit ip host 192.168.50.75 any
access-list acl_outbound permit ip host 192.168.50.201 any
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq smtp
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq pop3
access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.51.0
access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.52.0
access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.53.0
access-list acl_outbound permit tcp host 192.168.50.11 any
access-list acl_inbound permit tcp any host MainOffice eq 3389
access-list acl_inbound permit icmp any any echo-reply
access-list acl_inbound permit icmp any any time-exceeded
access-list acl_inbound permit icmp any any unreachable
access-list acl_inbound permit ip host MainOffice any
access-list acl_inbound permit tcp any any eq ssh
access-list acl_inbound permit tcp any host MainOffice eq pop3
access-list acl_inbound permit tcp any host MainOffice eq smtp
access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list 102 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list 103 permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
icmp permit any echo outside
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside pppoe setroute
ip address inside 192.168.50.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no pdm history enable
arp timeout 14400
global (outside) 2 interface
nat (inside) 0 access-list 100
nat (inside) 2 192.168.50.0 255.255.255.0 0 0
static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice pop3 192.168.50.11 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice smtp 192.168.50.11 smtp netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
...
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address 102
crypto map vpn1 10 set pfs group2
crypto map vpn1 10 set peer ConstOffice
crypto map vpn1 10 set transform-set myset
crypto map vpn1 20 ipsec-isakmp
crypto map vpn1 20 match address 101
crypto map vpn1 20 set pfs group2
crypto map vpn1 20 set peer BftOffice
crypto map vpn1 20 set transform-set myset
crypto map vpn1 30 ipsec-isakmp
crypto map vpn1 30 match address 103
crypto map vpn1 30 set pfs group2
crypto map vpn1 30 set peer Savannah
crypto map vpn1 30 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address ConstOffice netmask 255.255.255.255
isakmp key ******** address BftOffice netmask 255.255.255.255
isakmp key ******** address Savannah netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 20
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname yearround1
vpdn group pppoex ppp authentication pap
vpdn username yearround1 password *********
terminal width 80
Cryptochecksum:849d6fdb066c58cf7cfe868b6109145c
: end
501: (VPN that isn't working)
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 7RD3DIuHCed/Bft9 encrypted
passwd 7RD3DIuHCed/Bft9 encrypted
hostname Savannah
domain-name yrpci.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name x.x.152.238 Savannah
name x.x.71.7 MainOffice
access-list acl_outbound permit ip 192.168.53.0 255.255.255.0 any
access-list acl_outbound permit ip host MainOffice 192.168.53.0 255.255.255.0
access-list acl_inbound permit icmp any any echo-reply
access-list acl_inbound permit icmp any any time-exceeded
access-list acl_inbound permit icmp any any unreachable
access-list acl_inbound permit ip x.x.152.0 255.255.252.0 192.168.50.0 255.255.255.0
access-list 101 permit ip 192.168.53.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 101 permit ip host Savannah 192.168.50.0 255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.53.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 192.168.53.0 255.255.255.0 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 x.x.152.1 1
...
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 30 ipsec-isakmp
crypto map vpn1 30 match address 101
crypto map vpn1 30 set pfs group2
crypto map vpn1 30 set peer MainOffice
crypto map vpn1 30 set transform-set myset
isakmp enable outside
isakmp key ******** address MainOffice netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 192.168.53.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 20
dhcpd address 192.168.53.55-192.168.53.60 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:57589b8bf8636b0a7f8a2d5a5e582649
: end
Thanks for your help in advance guys.
Dave
03-24-2003 09:19 AM
Hi Dave,
Look at both of your crypto access-lists:
ACL 103 on your 515 consists of one entry.
ACL 101 on your 501 consists of two entries.
Crypto access-lists MUST be exactly the same on either side.
Regards, Norbert
03-24-2003 10:40 AM
Ok, I removed the extra line there, did a write mem, then rebooted the 501. I still haven't gotten anything...
I have a silly question to ask... I can't seem to stop a debug I started a while back. I am pretty sure I did a 'debug access-list all' (it displays lines like,
Mar 24 2003 01:31:20: %PIX-4-106023: Deny tcp src inside:192.168.50.97/2054 dst outside:165.166.139.87/80 by access-group "acl_outbound")
But now when I do a 'no debug access-li all' it goes to the next line prompt, but the debug keeps running.
I wanted to run debug on the crypto lines to see what's happening with the VPN connections, but there's so much existing debug info rolling I can't see squat.
But I am guessing my next move should be to get more info on the VPN status to see where it's failing, and the best way for that is debug....
Anyway, thanks for your time. If you know if I'm putting in the wrong 'no debug...' line, please let me know. :)
Thanks,
Dave
03-27-2003 09:52 AM
Does anyone else have any ideas? I'm still stumped here.... Please help,
Thanks,
Dave
03-27-2003 10:26 AM
Try this:
In the Savannah config, specific to the ACLs and the commands that utilize them, you are using the same ACL for the nat 0 command as in the crypto map commands, ACL 101. Look at your yrpci config: you are using separate ACLs for the nat 0 commands and the crypto map commands. On your Savannah config, insert another ACL with the same parameters as ACL 101 and add it to the crypto map command instead of ACL 101. Not sure if this is your issue, but I have a feeling.
So your config will look something like this:
501: (VPN that isn't working)
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 7RD3DIuHCed/Bft9 encrypted
passwd 7RD3DIuHCed/Bft9 encrypted
hostname Savannah
domain-name yrpci.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name x.x.152.238 Savannah
name x.x.71.7 MainOffice
access-list acl_outbound permit ip 192.168.53.0 255.255.255.0 any
access-list acl_outbound permit ip host MainOffice 192.168.53.0 255.255.255.0
access-list acl_inbound permit icmp any any echo-reply
access-list acl_inbound permit icmp any any time-exceeded
access-list acl_inbound permit icmp any any unreachable
access-list acl_inbound permit ip x.x.152.0 255.255.252.0 192.168.50.0 255.255.255.0
access-list 101 permit ip 192.168.53.0 255.255.255.0 192.168.50.0 255.255.255.0
*****************newacl************************************
access-list 102 permit ip 192.168.53.0 255.255.255.0 192.168.50.0 255.255.255.0
***********************************************************
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.53.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 192.168.53.0 255.255.255.0 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 x.x.152.1 1
...
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 30 ipsec-isakmp
************new acl command**************************************
crypto map vpn1 30 match address 102
***************************************************************
crypto map vpn1 30 set pfs group2
crypto map vpn1 30 set peer MainOffice
crypto map vpn1 30 set transform-set myset
isakmp enable outside
isakmp key ******** address MainOffice netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 192.168.53.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 20
dhcpd address 192.168.53.55-192.168.53.60 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:57589b8bf8636b0a7f8a2d5a5e582649
: end
03-27-2003 11:50 AM
It was a good thought, but it didn't fix it. I'm definitely bumfuzzled here; I have looked over these configs so many times now that I'm wondering if I'll ever see what's wrong...
I ran debug on both firewalls and got a lot of stuff, but the important lines I think are these:
515: MainOffice
crypto_isakmp_process_block: src Savannah, dest MainOffice
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
501: Savannah
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block: src MainOffice, dest Savannah
I've re-entered the isakmp key on both boxes at least 3 times now just to make sure they match. What else would cause the SA to not be acceptable on one but would be on the other?
03-27-2003 01:04 PM
That really doesn't mean much, unfortunately. It only really means that those particular attributes at that time didn't match on both ends to build the SA. I believe we are going to need the entire debugs to show all the steps. But before you do that, go to this site, and maybe something will click while you are looking at the debugs yourself. If you can't figure it out, by all means paste them in and we will figure this out.
Regards.
03-27-2003 01:42 PM
That's a great link, I learned a good bit just reading through that, but ... alas....:)
Ok, here's the deal. On that debug link, it says, according to my debug,
>>>>
"The message below appears if the Phase II (IPSec) doesn't match on both sides. This most commonly occurs if there is a mismatch in the transform-set.
1d00h: IPSec (validate_proposal): transform proposal (port 3, trans 2, hmac_alg 2) not supported
1d00h: ISAKMP (0:2) : atts not acceptable. Next payload is 0
1d00h: ISAKMP (0:2) SA not acceptable
"
>>>>>>>>
Here's my debug info...
515e: MainOffice
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src Savannah, dest MainOffice
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of 162460060:9aef19c
return status is IKMP_NO_ERROR
>>>>>>>>>>>>>>>>>>>>>>>
501e: Savannah
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
>>>>>>>>>>>>>
(I think that's all the pertinent debug info, there's a lot of gibberish there otherwise)
I tried removing and re-entering the transform-set on the Sav. I can't quite do that to the MainOffice one since two other VPNs are running and it's best if I don't take them down in the day.
I even added a new transform-set line in the Savannah one with a different name, and no luck.
Thanks for your time as always!
Dave
03-27-2003 02:16 PM
With this being the case, and them looking the same, I would do some clear crypto ipsec sa stuff.
I suspect you will find how to do everything you need to fix this from this site:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/c.htm#1026972 ....good reading.
Good luck, and I will check back tomorrow....hope this helps.
03-27-2003 02:34 PM
Does it make a difference if you have "Set pfs group2" and "Isakmp policy 10 group1" ?
03-28-2003 06:57 AM
So....where are we at today??? Any luck with that site that talked about all the PIX commands that I believe would help??
And about the question above, I am not 100% sure, but I don't believe they have anything to do with each other. Separate phases of IPsec: one is in phase one, and the other is in phase two. Like I said, not 100% sure though.
03-28-2003 11:40 AM
I think the following command needs to be added to the 501's config
crypto map vpn1 interface outside
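The fix above is a one-line omission that is easy to miss by eye, and the thread touches three more things a reviewer checks on every PIX site-to-site pair: the crypto ACLs must be mirror images of each other (Norbert's point), the two sides must share a transform-set and an ISAKMP policy, and the phase-2 PFS group (`set pfs group2`) is independent of the phase-1 `isakmp policy 10 group 1`, so those two do not have to match. The script below is an added example, not part of the original thread or of any Cisco tool: it pulls the VPN-relevant lines out of two PIX 6.x configs and reports each of those mismatches, then runs itself against trimmed copies of the two configs posted above, first as posted and then with the two fixes from the thread applied. The x.x. address placeholders are the poster's and are compared only as strings; `parse_pix`, `check_pair`, `weak_crypto` and the sample constants are names chosen here.

```python
from collections import defaultdict
# Constructed sample input: the crypto-relevant lines of the two configs in the
# thread (515 "MainOffice", 501 "Savannah"); the x.x. placeholders are the poster's.
MAIN_OFFICE_515 = """
name x.x.71.7 MainOffice
name x.x.152.238 Savannah
access-list 103 permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 30 match address 103
crypto map vpn1 30 set pfs group2
crypto map vpn1 30 set peer Savannah
crypto map vpn1 30 set transform-set myset
crypto map vpn1 interface outside
isakmp policy 10 encryption des
isakmp policy 10 group 1
"""
SAVANNAH_501_AS_POSTED = """
name x.x.152.238 Savannah
name x.x.71.7 MainOffice
access-list 101 permit ip 192.168.53.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 101 permit ip host Savannah 192.168.50.0 255.255.255.0
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 30 match address 101
crypto map vpn1 30 set pfs group2
crypto map vpn1 30 set peer MainOffice
crypto map vpn1 30 set transform-set myset
isakmp policy 10 encryption des
isakmp policy 10 group 1
"""
SAVANNAH_501_FIXED = SAVANNAH_501_AS_POSTED.replace(  # the thread's two fixes applied
    "access-list 101 permit ip host Savannah 192.168.50.0 255.255.255.0\n", ""
) + "crypto map vpn1 interface outside\n"

def _addrs(tok):  # ACL address tokens ('host X', 'any' or 'addr mask') -> (src, smask, dst, dmask)
    pairs = []
    while len(pairs) < 2:
        w, n = tok[0], 1 if tok[0] == "any" else 2
        pairs.append(("0.0.0.0", "0.0.0.0") if w == "any" else
                     (tok[1], "255.255.255.255") if w == "host" else (w, tok[1]))
        tok = tok[n:]
    return pairs[0] + pairs[1]

def parse_pix(text):  # names, 'permit ip' ACL lines, transform-sets, crypto maps, ISAKMP policies
    c = {"names": {}, "acls": defaultdict(list), "ts": {}, "maps": defaultdict(dict),
         "map_iface": {}, "ike": defaultdict(dict)}
    for t in (ln.split() for ln in text.splitlines()):
        if t[:1] == ["name"]:
            c["names"][t[2]] = t[1]
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            c["acls"][t[1]].append(_addrs(t[4:]))
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            c["ts"][t[3]] = frozenset(t[4:])
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            c["map_iface"][t[2]] = t[4]
        elif t[:2] == ["crypto", "map"] and t[4] in ("match", "set"):
            c["maps"][(t[2], t[3])][t[5]] = t[6:] if t[5] == "transform-set" else t[6]
        elif t[:2] == ["isakmp", "policy"]:
            c["ike"][t[2]][t[3]] = " ".join(t[4:])
    return c

def check_pair(local, remote, local_addr, remote_addr):
    """Findings that would keep the local<->remote tunnel from coming up ([] if consistent)."""
    def entry(c, peer):  # crypto-map entry whose 'set peer' resolves to peer
        return next(((k, e) for k, e in c["maps"].items()
                     if c["names"].get(e.get("peer"), e.get("peer")) == peer), None)
    def acl(c, e):  # crypto ACL as a set of 4-tuples, names resolved
        return {tuple(c["names"].get(x, x) for x in ln) for ln in c["acls"].get(e.get("address"), [])}
    l, r = entry(local, remote_addr), entry(remote, local_addr)
    assert l and r, "no crypto map entry for the peer on one side"
    f = []
    for side, c, (m, _) in (("local", local, l[0]), ("remote", remote, r[0])):
        if m not in c["map_iface"]:
            f.append(f"{side}: crypto map {m} not applied to any interface "
                     f"(missing 'crypto map {m} interface <name>')")
    la, mirror = acl(local, l[1]), {(d, dm, s, sm) for (s, sm, d, dm) in acl(remote, r[1])}
    if la != mirror:
        f.append(f"crypto ACLs are not mirror images: local-only {sorted(la - mirror)}, "
                 f"remote-only {sorted(mirror - la)}")
    if l[1].get("pfs") != r[1].get("pfs"):  # phase-2 PFS group, independent of 'isakmp policy group'
        f.append(f"PFS mismatch: local {l[1].get('pfs')}, remote {r[1].get('pfs')}")
    lts = {local["ts"][n] for n in l[1].get("transform-set", []) if n in local["ts"]}
    rts = {remote["ts"][n] for n in r[1].get("transform-set", []) if n in remote["ts"]}
    if lts.isdisjoint(rts):
        f.append("no common IPsec transform-set")
    ike = [{tuple(p.get(k) for k in ("authentication", "encryption", "hash", "group"))
            for p in c["ike"].values()} for c in (local, remote)]  # lifetime is negotiable, ignored
    if ike[0].isdisjoint(ike[1]):
        f.append("no ISAKMP policy with matching authentication/encryption/hash/group")
    return f

def weak_crypto(c):  # single DES and 768-bit DH group 1 are long deprecated
    w = [f"transform-set {n} uses single DES" for n, ts in c["ts"].items() if "esp-des" in ts]
    w += [f"isakmp policy {p} uses single DES" for p, a in c["ike"].items() if a.get("encryption") == "des"]
    w += [f"isakmp policy {p} uses DH group 1 (768-bit)" for p, a in c["ike"].items() if a.get("group") == "1"]
    return w

if __name__ == "__main__":  # the 501 as posted, then with the fixes; then the weak-crypto report
    for text in (SAVANNAH_501_AS_POSTED, SAVANNAH_501_FIXED):
        print(check_pair(parse_pix(MAIN_OFFICE_515), parse_pix(text), "x.x.71.7", "x.x.152.238"))
    print(weak_crypto(parse_pix(MAIN_OFFICE_515)))
```

Run as is, it reports two findings for the 501 as posted (crypto map vpn1 not applied to an interface, and ACL 101 not a mirror of ACL 103 because of the extra `host Savannah` line) and none once both are fixed. `weak_crypto` flags what both policies in the thread use: single DES in phase 1 and phase 2 and DH group 1 (768-bit MODP), both of which have been deprecated for years; on the 6.2 code train 3DES and group 2 were the stronger choices available. Unrelated to the tunnel, both posted configs also allow SSH to the outside interface from any address (`ssh 0.0.0.0 0.0.0.0 outside`), which is worth narrowing to the peers' addresses.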
03-31-2003 06:25 AM
This did the number, ha, it always seems I forget something like this! Thanks bud, I owe you one!
All of you, thanks for your time.
Dave :)
03-31-2003 06:59 AM
Excellent... I overlooked this as well. At any rate, I am glad you got it fixed!!!