09-12-2008 06:37 AM - edited 02-21-2020 03:56 PM
Trying to set up a VPN between an 1841 router at HQ with a static IP connecting to a remote office with a PIX 501 and a persistent IP (not static, but Mediacom has mapped the PIX MAC to this IP so I always get the same public IP even on an equipment reboot). I have configured both sides but the tunnel will not come up; I must be missing something.
See attached configs.
THANK YOU!
09-12-2008 12:00 PM
secondstory# sho crypt isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
12.206.137.5 216.203.117.82 QM_IDLE 0 2
I changed the DNS given off by PIX, and that did not work, still could not access by name or internal IP number.
09-12-2008 12:04 PM
I need the output of "show crypto ipsec sa" please.
09-12-2008 12:09 PM
Sorry.
interface: outside
Crypto map tag: IPSEC, local addr. 12.206.137.5
local ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)
current_peer: 216.203.117.82:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 659, #pkts encrypt: 659, #pkts digest 659
#pkts decaps: 462, #pkts decrypt: 462, #pkts verify 462
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 124, #recv errors 0
local crypto endpt.: 12.206.137.5, remote crypto endpt.: 216.203.117.82
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 793ff99e
inbound esp sas:
spi: 0xcbd5b096(3419779222)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: IPSEC
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x793ff99e(2034235806)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: IPSEC
sa timing: remaining key lifetime (k/sec): (4607996/1929)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
local ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (216.203.117.85/255.255.255.255/0/0)
current_peer: 216.203.117.82:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 2691, #pkts encrypt: 2691, #pkts digest 2691
#pkts decaps: 2601, #pkts decrypt: 2601, #pkts verify 2601
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 12.206.137.5, remote crypto endpt.: 216.203.117.82
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: c6d3ea5c
inbound esp sas:
spi: 0x55d659c5(1440111045)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: IPSEC
sa timing: remaining key lifetime (k/sec): (4607097/1917)
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xc6d3ea5c(3335776860)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: IPSEC
sa timing: remaining key lifetime (k/sec): (4607743/1890)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
09-12-2008 12:12 PM
If you see encrypts and decrypts, these counters are incrementing, so I would assume traffic to 216.203.117.85 is going through.
local ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (216.203.117.85/255.255.255.255/0/0)
current_peer: 216.203.117.82:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 2691, #pkts encrypt: 2691, #pkts digest 2691
#pkts decaps: 2601, #pkts decrypt: 2601, #pkts verify 2601
09-12-2008 12:17 PM
DNS traffic is not going through.
I can ping a device by name & it fails as unresolved name. I can ping same device by IP address & it works fine. Devices on the PIX side do not see 216.203.117.85 as being the 10.2.1.6 that they are requesting from.
SO close, but since 10.2.1.6 is such a key server in my environment I have to get this last piece working, please.
09-12-2008 12:19 PM
As far as DNS is concerned, we will have to enable DNS traffic for .85 on ACL 101 on the router:
access-list 101 permit ip 10.5.5.0 0.0.0.255 host 216.203.117.85
To add this command, remove the complete access list 101:
First remove it from interface:
interface FastEthernet0/1
no ip access-group 101 in
no access-list 101
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 216.203.122.200 eq domain host 216.203.117.82
access-list 101 permit udp host 216.203.115.234 eq domain host 216.203.117.82
access-list 101 permit tcp any host 216.203.117.83 eq 1494
access-list 101 permit tcp host 66.211.4.130 host 216.203.117.84 eq 1433
access-list 101 permit tcp host 66.211.4.130 host 216.203.117.83 eq 1433
access-list 101 permit tcp host 147.202.24.152 host 216.203.117.84 eq 1433
access-list 101 permit tcp host 147.202.24.152 host 216.203.117.83 eq 1433
access-list 101 permit tcp any host 216.203.117.83 eq ftp
access-list 101 permit tcp any host 216.203.117.83 eq 5360
access-list 101 permit tcp any host 216.203.117.83 eq 5366
access-list 101 permit tcp any host 216.203.117.83 eq 3389
access-list 101 permit tcp any host 216.203.117.83 eq 5365
access-list 101 permit tcp any host 216.203.117.83 eq 5364
access-list 101 permit tcp any host 216.203.117.83 eq 5361
access-list 101 permit ip 10.5.5.0 0.0.0.255 host 216.203.117.85
access-list 101 permit tcp any host 216.203.117.85 eq smtp
access-list 101 permit tcp any host 216.203.117.85 eq 389
access-list 101 permit esp any host 216.203.117.82
access-list 101 permit udp any host 216.203.117.82 eq 500
access-list 101 permit tcp any host 216.203.117.85 eq www
access-list 101 permit tcp any host 216.203.117.85 eq 5362
access-list 101 permit tcp any host 216.203.117.85 eq 443
access-list 101 permit ip 10.5.5.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 101 deny ip 10.2.1.0 0.0.0.255 any
access-list 101 permit icmp any host 216.203.117.82 echo-reply
access-list 101 permit icmp any host 216.203.117.82 time-exceeded
access-list 101 permit icmp any host 216.203.117.82 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
interface FastEthernet0/1
ip access-group 101 in
09-12-2008 12:26 PM
No difference, still cannot ping by name from a device on the remote PIX side.
09-12-2008 12:35 PM
Hey, can you create a new post with only this DNS problem?
09-12-2008 11:04 AM
Corrected! Try now:
access-list 111 permit ip host 216.203.117.85 10.5.5.0 0.0.0.255
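Added example, not code from the thread: a small Python checker that reads the proxy identities out of the PIX "show crypto ipsec sa" output posted above and verifies that the router's crypto ACL contains the mirror image of each one (local/remote swapped), which is what the final access-list 111 line supplies. It assumes access-list 111 is the router's crypto ACL; the "before" router ACL is constructed here to show the missing 216.203.117.85 entry being flagged.

```python
import ipaddress
import re

# Matches the PIX "local ident" / "remote ident" lines of show crypto ipsec sa.
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")

# Excerpt of the PIX output posted in the thread (values taken from the page).
PIX_SHOW = """
local ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)
local ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (216.203.117.85/255.255.255.255/0/0)
"""

# Constructed router crypto ACL: "before" lacks the mirror of the .85 identity,
# "after" adds the line from the last reply (ACL 111 assumed to be the crypto ACL).
ROUTER_BEFORE = ["access-list 111 permit ip 10.2.1.0 0.0.0.255 10.5.5.0 0.0.0.255"]
ROUTER_AFTER = ROUTER_BEFORE + ["access-list 111 permit ip host 216.203.117.85 10.5.5.0 0.0.0.255"]

def parse_pix_idents(show_output):
    """Return the PIX proxy identities as a list of (local, remote) networks."""
    pairs, local = [], None
    for side, addr, mask in IDENT_RE.findall(show_output):
        net = ipaddress.ip_network((addr, mask))  # netmask form, e.g. 255.255.255.0
        if side == "local":
            local = net
        elif local is not None:
            pairs.append((local, net))
            local = None
    return pairs

def ios_addr(tok):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    netmask = (~int(ipaddress.ip_address(tok[1]))) & 0xFFFFFFFF  # invert wildcard
    return ipaddress.ip_network((tok[0], str(ipaddress.ip_address(netmask)))), tok[2:]

def parse_ios_crypto_acl(lines):
    """Parse 'access-list N permit ip SRC DST' entries into (src, dst) networks."""
    entries = []
    for line in lines:
        tok = line.split()
        if tok[:1] == ["access-list"] and tok[2:4] == ["permit", "ip"]:
            src, rest = ios_addr(tok[4:])
            dst, _ = ios_addr(rest)
            entries.append((src, dst))
    return entries

def mirror_mismatches(pix_pairs, router_entries):
    """PIX (local, remote) must appear on the router as (remote, local); return the misses."""
    mirrored = {(dst, src) for src, dst in router_entries}
    return [(str(l), str(r)) for l, r in pix_pairs if (l, r) not in mirrored]

if __name__ == "__main__":
    pairs = parse_pix_idents(PIX_SHOW)
    print("before fix:", mirror_mismatches(pairs, parse_ios_crypto_acl(ROUTER_BEFORE)))
    print("after fix: ", mirror_mismatches(pairs, parse_ios_crypto_acl(ROUTER_AFTER)))
```

An identity with no mirror on the far side is exactly the case where phase 1 is QM_IDLE and one SA shows encaps with no matching decaps, so this check is worth running before chasing DNS or routing.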