09-12-2008 06:37 AM - edited 02-21-2020 03:56 PM
Trying to set up a VPN between an 1841 router at HQ with a static IP connecting to a remote office with a PIX 501 and a persistent IP (not static, but Mediacom has mapped the PIX MAC to this IP so I always get the same public IP even on equipment reboot). I have configured both sides but the tunnel will not come up; I must be missing something.
See attached configs.
THANK YOU!
09-12-2008 08:06 AM
OK, but removing the access-list should not affect your connection in or out, as we will be making the interfaces open for any traffic.
09-12-2008 08:11 AM
Removed ACL 100 and 101, tried to ping from router side device, no reply.
RainingRose#sho crypt isakmp sa
dst src state conn-id slot status
09-12-2008 08:14 AM
Enable debugs on the router and try to capture:
debug cry isa
debug cry ipsec
09-12-2008 08:17 AM
router shows:
RainingRose#sho crypt isakmp sa
dst src state conn-id slot status
216.203.117.82 12.206.137.5 QM_IDLE 1 0 ACTIVE
PIX shows:
secondstory# sho crypt isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
216.203.117.82 12.206.137.5 QM_IDLE 0 1
But no response to ping traffic from either direction.
09-12-2008 08:19 AM
Your tunnel is UP! Check on the PIX also with
"show crypto isakmp sa" whether the tunnel state is QM_IDLE.
Now, not being able to ping could be a routing issue and not VPN.
Can you also paste the "show crypto ipsec sa" outputs?
09-12-2008 08:55 AM
Ok, I am on router side and now I can ping remote device on PIX side.
interface: FastEthernet0/1
Crypto map tag: IPSEC, local addr 216.203.117.82
protected vrf: (none)
local ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)
current_peer 12.206.137.5 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
#pkts decaps: 30, #pkts decrypt: 30, #pkts verify: 30
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 216.203.117.82, remote crypto endpt.: 12.206.137.5
path mtu 1500, ip mtu 1500
current outbound spi: 0xE669710B(3865669899)
inbound esp sas:
spi: 0x57AAE66C(1470817900)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3001, flow_id: FPGA:1, crypto map: IPSEC
sa timing: remaining key lifetime (k/sec): (4433298/1228)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xE669710B(3865669899)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3002, flow_id: FPGA:2, crypto map: IPSEC
sa timing: remaining key lifetime (k/sec): (4433301/1183)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
How do I fix ACL on router, because 100 & 101 are still removed?
09-12-2008 09:09 AM
Cool, you got it working.
You can plug access-list 100 into the private interface of the router; it does not need any modification. For 101, I have added entries to allow ESP and UDP 500 (ISAKMP).
interface FastEthernet0/0
ip access-group 100 in
no access-list 101
no access-list 101
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 216.203.122.200 eq domain host 216.203.117.82
access-list 101 permit udp host 216.203.115.234 eq domain host 216.203.117.82
access-list 101 permit tcp any host 216.203.117.83 eq 1494
access-list 101 permit tcp host 66.211.4.130 host 216.203.117.84 eq 1433
access-list 101 permit tcp host 66.211.4.130 host 216.203.117.83 eq 1433
access-list 101 permit tcp host 147.202.24.152 host 216.203.117.84 eq 1433
access-list 101 permit tcp host 147.202.24.152 host 216.203.117.83 eq 1433
access-list 101 permit tcp any host 216.203.117.83 eq ftp
access-list 101 permit tcp any host 216.203.117.83 eq 5360
access-list 101 permit tcp any host 216.203.117.83 eq 5366
access-list 101 permit tcp any host 216.203.117.83 eq 3389
access-list 101 permit tcp any host 216.203.117.83 eq 5365
access-list 101 permit tcp any host 216.203.117.83 eq 5364
access-list 101 permit tcp any host 216.203.117.83 eq 5361
access-list 101 permit tcp any host 216.203.117.85 eq smtp
access-list 101 permit tcp any host 216.203.117.85 eq 389
access-list 101 permit esp any host 216.203.117.82
access-list 101 permit udp any host 216.203.117.82 eq 500
access-list 101 permit tcp any host 216.203.117.85 eq www
access-list 101 permit tcp any host 216.203.117.85 eq 5362
access-list 101 permit tcp any host 216.203.117.85 eq 443
access-list 101 permit ip 10.5.5.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 101 deny ip 10.2.1.0 0.0.0.255 any
access-list 101 permit icmp any host 216.203.117.82 echo-reply
access-list 101 permit icmp any host 216.203.117.82 time-exceeded
access-list 101 permit icmp any host 216.203.117.82 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
interface FastEthernet0/1
ip access-group 101 in
check and post results
HTH
Saju
Pls rate helpful posts
09-12-2008 10:01 AM
OK, I can ping in both directions. Routing issue: 10.2.1.6 (router side) has a static NAT, and I can not ping this device from the remote side nor access the Exchange stuff on that box. I am guessing the static NAT is related to the issue.
Ideas?
09-12-2008 10:11 AM
Brian,
First of all do not forget to rate me :)
As far as the static NAT is concerned, you can create another access-list entry in the crypto ACL for it on both sides,
since it is being NAT'ed to 216.203.117.85.
Add ACL entry
access-list 111 permit ip host 216.203.117.85 10.2.1.0 0.0.0.255 10.5.5.0 0.0.0.255
and a mirror image of this on the PIX.
09-12-2008 10:15 AM
Does not like the ACL command; the error marker is at the 10.5.5.0 character.
09-12-2008 10:32 AM
Corrected! Try now.
On Router
access-list 111 permit ip host 216.203.117.85 10.5.5.0 0.0.0.255
On Pix
access-list 111 permit ip 10.5.5.0 255.255.255.0 host 216.203.117.85
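The crypto ACLs on the two sides must be exact mirror images, and the syntax differs: IOS takes wildcard masks while the PIX takes subnet masks, which is how the first attempt above ended up with a malformed entry. The following is an added example (not from the thread or from Cisco) that parses both dialects and checks that a router entry and a PIX entry mirror each other; the ACL number 111 and the sample lines are taken from the posts above.

```python
import ipaddress

def _net(addr: str, mask: str, pix: bool) -> ipaddress.IPv4Network:
    """Build a network from 'addr mask'. IOS ACLs use wildcard masks,
    PIX ACLs use subnet masks, so the wildcard is inverted explicitly
    (ipaddress would misread the 0.0.0.0 wildcard as a /0 netmask)."""
    if not pix:
        mask = ".".join(str(255 - int(o)) for o in mask.split("."))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_crypto_acl(line: str, pix: bool):
    """Parse 'access-list N permit ip <src> <dst>' and return (src, dst)
    networks. Raises ValueError on unexpected or leftover tokens."""
    toks = line.split()
    if toks[:1] != ["access-list"] or toks[2:4] != ["permit", "ip"]:
        raise ValueError(f"not a 'permit ip' crypto ACL entry: {line!r}")
    pos, nets = 4, []
    for _ in range(2):  # source, then destination
        if toks[pos] == "host":
            nets.append(ipaddress.ip_network(f"{toks[pos + 1]}/32"))
            pos += 2
        elif toks[pos] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            pos += 1
        else:
            nets.append(_net(toks[pos], toks[pos + 1], pix))
            pos += 2
    if pos != len(toks):
        # This is the failure the router reported for the first attempt.
        raise ValueError(f"trailing tokens in {line!r}: {toks[pos:]}")
    return nets[0], nets[1]

def is_well_formed(line: str, pix: bool) -> bool:
    try:
        parse_crypto_acl(line, pix)
        return True
    except (ValueError, IndexError):
        return False

def mirrors(ios_line: str, pix_line: str) -> bool:
    """True when the PIX entry is the exact mirror of the IOS entry."""
    s1, d1 = parse_crypto_acl(ios_line, pix=False)
    s2, d2 = parse_crypto_acl(pix_line, pix=True)
    return s1 == d2 and d1 == s2

if __name__ == "__main__":
    r = "access-list 111 permit ip host 216.203.117.85 10.5.5.0 0.0.0.255"
    p = "access-list 111 permit ip 10.5.5.0 255.255.255.0 host 216.203.117.85"
    print("mirror:", mirrors(r, p))
```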
09-12-2008 11:46 AM
OK, I can ping from PIX side to 10.2.1.6, though it says reply is from 216.203.117.85.
I can ping from the 10.2.1.6 device to remote devices on PIX side.
10.2.1.6 (216.203.117.85) is my Exchange server and does DNS for my domain. I should be able to go to https://shampoo/exchange and bring up OWA, or use https://10.2.1.6/exchange, but neither works. As you can see from the config, the PIX is giving out DHCP addresses to client workstations and handing out 10.2.1.6 as the primary DNS server, but I don't think that is working?
Little more help.....
09-12-2008 11:49 AM
09-12-2008 11:54 AM
Yes, that works. But how do we know that went across VPN versus across regular Internet?
Are you suggesting I change the DNS server given out by PIX DHCP to be that .85 address?
I just want to make sure that address is being reached across VPN.....
09-12-2008 11:58 AM
To check that, can you post "show crypto ipsec sa" from the PIX please?