09-12-2008 06:37 AM - edited 02-21-2020 03:56 PM
Trying to set up a VPN between an 1841 router at HQ with a static IP connecting to a remote office with a PIX 501 and a persistent IP (not static, but Mediacom has mapped the PIX MAC to this IP so I always get the same public IP even on an equipment reboot). I have configured both sides but the tunnel will not come up; I must be missing something.
See attached configs.
THANK YOU!
09-12-2008 07:04 AM
You can safely remove the following statement from the router config:
no ip nat inside source list 1 interface FastEthernet0/1 overload
Enable debugs on the router and the PIX ("debug cry isa" and "debug cry ipsec"), initiate traffic from the PIX side, capture the debugs and post them.
HTH
Saju
09-12-2008 07:10 AM
Removed line as instructed.
Turned on debug on both sides.
Debug output from PIX:
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
ISAKMP (0): retransmitting phase 1 (3)...
ISAKMP (0): retransmitting phase 1 (4)...
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 12.206.137.5, remote= 216.203.117.82,
local_proxy= 10.5.5.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.2.1.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): deleting SA: src 12.206.137.5, dst 216.203.117.82
ISADB: reaper checking SA 0xb91cac, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 216.203.117.82/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 12.206.137.5, remote= 216.203.117.82,
local_proxy= 10.5.5.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.2.1.0/255.255.255.0/0/0 (type=4)
No debug feedback appears on the router when I initiate a ping from the router side to a device on the PIX side (10.5.5.241).
THANKS!
09-12-2008 07:19 AM
What is the output of "show crypto isakmp sa" on the PIX and on the router?
Also post the result of "show crypto isakmp policy" on the router.
09-12-2008 07:27 AM
PIX
secondstory# sho crypt isakmp sa
Total : 0
Embryonic : 0
dst src state pending created
ROUTER
RainingRose#sho crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
09-12-2008 07:28 AM
Also change the following on the router. Use a route-map instead of a source list for bypassing NAT. When you make changes to the router you may or may not lose connectivity if you are logged on remotely.
route-map nonat permit 10
match ip address 112
no ip nat inside source list 112 interface FastEthernet0/1 overload
ip nat inside source route-map nonat interface FastEthernet0/1 overload
Then initiate traffic from the private network of the router and try to capture the debugs.
Follow the link below to verify your configs:
HTH
09-12-2008 07:34 AM
The router does not like the following command:
ip nat inside source route-map interface fa0/1 overload
09-12-2008 07:40 AM
What do you see if you try the following: put a "?" after "ip nat inside source"?
(config)#ip nat inside source ?
list Specify access list describing local addresses
route-map Specify route-map
static Specify static local->global mapping
09-12-2008 07:40 AM
I tried to ping from the router side to a device on the remote side and got the following. It appears as if it is sending out to the public Internet instead of opening the VPN.
C:\Documents and Settings\Administrator.RAININGROSE>ping 10.5.5.242
Pinging 10.5.5.242 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Reply from 157.130.212.1: Destination host unreachable.
Ping statistics for 10.5.5.242:
Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\Documents and Settings\Administrator.RAININGROSE>tracert 10.5.5.242
Tracing route to 10.5.5.242 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 10.2.1.254
2 2 ms 1 ms 1 ms wuw-nbwxpkze.dybb.com [216.203.117.81]
3 3 ms 3 ms 3 ms 172.16.61.1
4 4 ms 3 ms 4 ms 10.10.19.1
5 6 ms 7 ms 5 ms 10.2.0.5
6 5 ms 4 ms 5 ms 63-254-144-42.ip.mcleodusa.net [63.254.144.42]
7 7 ms 8 ms 5 ms 63-254-144-97.ip.mcleodusa.net [63.254.144.97]
8 POS1-3.GW4.CHI2.ALTER.NET [157.130.212.1] reports: Destination host unreachable.
Trace complete.
09-12-2008 07:43 AM
Can you clear the NAT translations, "clear ip nat translation *", and then check again?
09-12-2008 07:47 AM
Incomplete command?
RainingRose#clear ip nat trans ?
* Delete all dynamic translations
esp Encapsulating Security Payload
forced Delete all dynamic translations (forcefully)
inside Inside addresses (and ports)
outside Outside addresses (and ports)
tcp Transmission Control Protocol
udp User Datagram Protocol
vrf Clear entries of VRF instance
09-12-2008 07:48 AM
clear ip nat trans *
09-12-2008 07:51 AM
09-12-2008 07:55 AM
You have access-list 100 and access-list 101 bound to the inside interface and the outside interface on the router.
Can you remove those access-lists and check?
interface FastEthernet0/0
no ip access-group 100 in
interface FastEthernet0/1
no ip access-group 101 in
If the VPN works after removing these access-lists, we will modify them to allow VPN traffic.
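The NAT exemption from the earlier reply and the access-list change proposed here, drawn together as one IOS fragment for the router side. This is an added illustration, not the configs attached to the thread or the text of Saju's posts. The addresses (10.2.1.0/24 behind the router, 10.5.5.0/24 behind the PIX, peers 216.203.117.82 and 12.206.137.5), the interface names, ACL numbers 101 and 112, the route-map name nonat and the IKE policy values all come from the posts above; the crypto map name VPNMAP, the transform-set name PIXSET, the named ACL VPN-TRAFFIC and the pre-shared key placeholder are assumptions. Two points it makes that the thread only hints at: IOS evaluates inside-to-outside NAT before the crypto map, so without the deny in ACL 112 the LAN source is translated to the Fa0/1 address, no longer matches the crypto ACL, and leaves in the clear (the posted traceroute is exactly that symptom); and a "debug crypto isakmp" that prints nothing while the PIX retransmits phase 1 means the IKE packets never reach the ISAKMP process, which is what an inbound ACL on Fa0/1 with no UDP 500/ESP entries will do. DES, MD5 and DH group 1 are kept only because they match what "show crypto isakmp policy" showed; they are weak by any current standard and newer IOS releases reject them.

```cisco
! Added illustration for the router side (assumed names marked below).
!
! --- Phase 1: must match the PIX exactly (values from "show crypto isakmp policy") ---
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 1
 lifetime 86400
! REPLACE-ME is a placeholder; the same key must be configured on the PIX
crypto isakmp key REPLACE-ME address 12.206.137.5
!
! --- Phase 2 (transform-set name PIXSET is assumed) ---
crypto ipsec transform-set PIXSET esp-des esp-md5-hmac
!
! Traffic to encrypt: router LAN to PIX LAN. The PIX side must mirror this,
! which is what its local_proxy/remote_proxy lines in the debug show.
ip access-list extended VPN-TRAFFIC
 permit ip 10.2.1.0 0.0.0.255 10.5.5.0 0.0.0.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 12.206.137.5
 set transform-set PIXSET
 match address VPN-TRAFFIC
!
! --- NAT exemption ---
! The deny keeps VPN-bound traffic out of NAT so it still matches VPN-TRAFFIC;
! everything else from the LAN is overloaded on Fa0/1 as before.
access-list 112 deny   ip 10.2.1.0 0.0.0.255 10.5.5.0 0.0.0.255
access-list 112 permit ip 10.2.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 112
!
! The route-map name is mandatory: "ip nat inside source route-map interface ..."
! with no name is rejected, which is why the router refused the command as typed.
ip nat inside source route-map nonat interface FastEthernet0/1 overload
!
! --- Inbound ACL on the outside interface ---
! Rather than removing 101, let IKE (UDP 500), NAT-T (UDP 4500) and ESP in from
! the peer only; the existing remote-desktop entries keep working.
access-list 101 permit udp host 12.206.137.5 host 216.203.117.82 eq isakmp
access-list 101 permit udp host 12.206.137.5 host 216.203.117.82 eq non500-isakmp
access-list 101 permit esp host 12.206.137.5 host 216.203.117.82
! (existing entries of access-list 101 continue here)
!
interface FastEthernet0/0
 ip nat inside
!
interface FastEthernet0/1
 ip nat outside
 ip access-group 101 in
 crypto map VPNMAP
```

Order of operations when applying this remotely: add the three permit entries to 101 first, then the NAT change, so the session used to reach the router is never cut. On some older IOS releases decrypted packets are checked a second time against the inbound ACL on Fa0/1; if pings still fail once the tunnel is up, also permit 10.5.5.0/24 to 10.2.1.0/24 in 101. Verify with "show crypto isakmp sa" (state should reach QM_IDLE) and "show crypto ipsec sa" (encaps/decaps counters incrementing).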
09-12-2008 08:00 AM
I am outside the router now; if I remove ACL 101, I will lose connectivity to the remote desktop behind the router from which I am telnetting to the router.
I can be on-site where the router is located in about 45 minutes and then remove the ACL.
Will you be around to see my post in an hour or so?