1776 Views, 4 Helpful, 38 Replies

Need help, VPN between 1841 router & PIX 501

bsallison
Level 1

Trying to set up a VPN between an 1841 router at HQ with a static IP, connecting to a remote office with a PIX 501 and a persistent IP (not static, but Mediacom has mapped the PIX MAC to this IP so I always get the same public IP even on an equipment reboot). I have configured both sides but the tunnel will not come up; I must be missing something.

See attached configs.

THANK YOU!

38 Replies

Ok, but removing the access-lists should not affect your connection in or out, as we will be making the interfaces open to any traffic.

Removed ACLs 100 and 101, tried to ping from the router-side device, no reply.

RainingRose#sho crypt isakmp sa

dst src state conn-id slot status

Enable debugs on the router and try to capture:

debug cry isa

debug cry ipsec

Router shows:

RainingRose#sho crypt isakmp sa

dst src state conn-id slot status

216.203.117.82 12.206.137.5 QM_IDLE 1 0 ACTIVE

PIX shows:

secondstory# sho crypt isakmp sa

Total : 1

Embryonic : 0

dst src state pending created

216.203.117.82 12.206.137.5 QM_IDLE 0 1

But no response to ping traffic from either direction.

Your tunnel is UP! Check on the PIX also with

"show crypto isakmp sa" whether the tunnel state is QM_IDLE.

Now, not being able to ping could be a routing issue and not the VPN.

Can you also paste the "show crypto ipsec sa" outputs?

Ok, I am on the router side and now I can ping the remote device on the PIX side.

interface: FastEthernet0/1

Crypto map tag: IPSEC, local addr 216.203.117.82

protected vrf: (none)

local ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)

current_peer 12.206.137.5 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12

#pkts decaps: 30, #pkts decrypt: 30, #pkts verify: 30

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 216.203.117.82, remote crypto endpt.: 12.206.137.5

path mtu 1500, ip mtu 1500

current outbound spi: 0xE669710B(3865669899)

inbound esp sas:

spi: 0x57AAE66C(1470817900)

transform: esp-des esp-md5-hmac ,

in use settings ={Tunnel, }

conn id: 3001, flow_id: FPGA:1, crypto map: IPSEC

sa timing: remaining key lifetime (k/sec): (4433298/1228)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xE669710B(3865669899)

transform: esp-des esp-md5-hmac ,

in use settings ={Tunnel, }

conn id: 3002, flow_id: FPGA:2, crypto map: IPSEC

sa timing: remaining key lifetime (k/sec): (4433301/1183)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

outbound ah sas:

How do I fix the ACLs on the router, because 100 & 101 are still removed?

Cool, you got it working.

You can plug access-list 100 onto the private interface of the router; it does not need any modification. For 101, I have added entries to allow ESP and UDP 500 (ISAKMP).

interface FastEthernet0/0

ip access-group 100 in

no access-list 101

no access-list 101

access-list 101 remark auto generated by Cisco SDM Express firewall configuration

access-list 101 remark SDM_ACL Category=1

access-list 101 permit udp host 216.203.122.200 eq domain host 216.203.117.82

access-list 101 permit udp host 216.203.115.234 eq domain host 216.203.117.82

access-list 101 permit tcp any host 216.203.117.83 eq 1494

access-list 101 permit tcp host 66.211.4.130 host 216.203.117.84 eq 1433

access-list 101 permit tcp host 66.211.4.130 host 216.203.117.83 eq 1433

access-list 101 permit tcp host 147.202.24.152 host 216.203.117.84 eq 1433

access-list 101 permit tcp host 147.202.24.152 host 216.203.117.83 eq 1433

access-list 101 permit tcp any host 216.203.117.83 eq ftp

access-list 101 permit tcp any host 216.203.117.83 eq 5360

access-list 101 permit tcp any host 216.203.117.83 eq 5366

access-list 101 permit tcp any host 216.203.117.83 eq 3389

access-list 101 permit tcp any host 216.203.117.83 eq 5365

access-list 101 permit tcp any host 216.203.117.83 eq 5364

access-list 101 permit tcp any host 216.203.117.83 eq 5361

access-list 101 permit tcp any host 216.203.117.85 eq smtp

access-list 101 permit tcp any host 216.203.117.85 eq 389

access-list 101 permit esp any host 216.203.117.82

access-list 101 permit udp any host 216.203.117.82 eq 500

access-list 101 permit tcp any host 216.203.117.85 eq www

access-list 101 permit tcp any host 216.203.117.85 eq 5362

access-list 101 permit tcp any host 216.203.117.85 eq 443

access-list 101 permit ip 10.5.5.0 0.0.0.255 10.2.1.0 0.0.0.255

access-list 101 deny ip 10.2.1.0 0.0.0.255 any

access-list 101 permit icmp any host 216.203.117.82 echo-reply

access-list 101 permit icmp any host 216.203.117.82 time-exceeded

access-list 101 permit icmp any host 216.203.117.82 unreachable

access-list 101 deny ip 10.0.0.0 0.255.255.255 any

access-list 101 deny ip 172.16.0.0 0.15.255.255 any

access-list 101 deny ip 192.168.0.0 0.0.255.255 any

access-list 101 deny ip host 0.0.0.0 any

access-list 101 deny ip any any

interface FastEthernet0/1

ip access-group 101 in

Check and post results.

HTH

Saju

Please rate helpful posts.

OK, I can ping in both directions. Routing issue: 10.2.1.6 (router side) has a static NAT; I cannot ping this device from the remote side nor access the Exchange stuff on that box. I am guessing the static NAT is related to the issue.

Ideas?

Brian,

First of all, do not forget to rate me :)

As far as static NAT is concerned, you can create another access-list entry in the crypto ACL for it on both sides,

since it is being NAT'ed to 216.203.117.85.

Add ACL entry:

access-list 111 permit ip host 216.203.117.85 10.2.1.0 0.0.0.255 10.5.5.0 0.0.0.255

and the mirror image of this on the PIX.

It does not like the ACL command; the marker is at the 10.5.5.0 character.

Corrected! Try now.

On Router

access-list 111 permit ip host 216.203.117.85 10.5.5.0 0.0.0.255

On PIX

access-list 111 permit ip 10.5.5.0 255.255.255.0 host 216.203.117.85
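The two entries above have to be exact mirror images, and the first attempt in this thread failed precisely because the IOS parser found a third address group it could not place. The Python below is an added example, not code from the thread: it parses IOS-style (wildcard mask) and PIX 6.x-style (subnet mask) `access-list` lines into one normalised form, reports crypto-ACL entries that lack a mirror on the other peer, and evaluates the router's WAN ingress ACL 101 first-match for the flows the tunnel needs: IKE on UDP/500 and ESP from the peer, plus, on IOS releases that re-evaluate decrypted packets against the inbound interface ACL, the cleartext 10.5.5.0/24 to 10.2.1.0/24 traffic admitted by the `permit ip 10.5.5.0 0.0.0.255 10.2.1.0 0.0.0.255` entry posted earlier. The /24-to-/24 crypto-ACL lines are reconstructed from the SA identities shown above, and the 10.5.5.10 client address is constructed for the example; the thread itself shows only the host entries.

```python
"""Crypto-ACL mirror check (IOS wildcard masks vs PIX 6.x subnet masks) plus a first-match
evaluator for the router's WAN ingress ACL. Added example, not code from the thread."""
import ipaddress
from collections import namedtuple

PORTS = {"ftp": 21, "smtp": 25, "domain": 53, "www": 80, "isakmp": 500}
Ace = namedtuple("Ace", "action proto src dst dport")   # dport: int, or None if no "eq"


def _addr(tokens, i, wildcard):
    """Consume 'any' | 'host A' | 'A MASK'; return (network, next index). IOS writes MASK as a
    wildcard (0.0.0.255 = /24), PIX 6.x as a subnet mask; 0.0.0.0 is /32 in one and /0 in the other."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, mask = tokens[i], tokens[i + 1]
    if wildcard:
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def parse_acl(text, wildcard):
    """Parse 'access-list N action proto src [eq p] dst [eq p]' lines into {name: [Ace]}.
    Remarks are skipped; leftover tokens (a third address group, say) raise ValueError."""
    acls = {}
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, i = _addr(t, 4, wildcard)
        if i < len(t) and t[i] == "eq":          # source port, as in the DNS entries above
            i += 2
        dst, i = _addr(t, i, wildcard)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport, i = PORTS.get(t[i + 1]) or int(t[i + 1]), i + 2
        if i != len(t):
            raise ValueError(f"unparsed tokens {t[i:]} in: {raw.strip()}")
        acls.setdefault(t[1], []).append(Ace(t[2], t[3], src, dst, dport))
    return acls


def mirror_mismatches(router, pix):
    """Router permit src->dst needs a PIX permit dst->src and vice versa, or phase 2 fails."""
    r = {(a.src, a.dst) for a in router if a.action == "permit"}
    p = {(a.dst, a.src) for a in pix if a.action == "permit"}   # flipped to router orientation
    return ([f"router {s}->{d} has no PIX mirror" for s, d in sorted(r - p)]
            + [f"PIX {d}->{s} has no router mirror" for s, d in sorted(p - r)])


def permits(acl, proto, src, dst, dport=None):
    """First-match evaluation of one flow against an ACL, with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in acl:
        if a.proto in ("ip", proto) and s in a.src and d in a.dst and a.dport in (None, dport):
            return a.action == "permit"
    return False


# Crypto ACLs once both peers carry the static-NAT host entry; the /24<->/24 lines are
# reconstructed from the SA identities in the thread. ROUTER_WAN_ACL is a subset of ACL 101.
ROUTER_CRYPTO_ACL = """\
access-list 111 permit ip 10.2.1.0 0.0.0.255 10.5.5.0 0.0.0.255
access-list 111 permit ip host 216.203.117.85 10.5.5.0 0.0.0.255
"""
PIX_CRYPTO_ACL = """\
access-list 111 permit ip 10.5.5.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list 111 permit ip 10.5.5.0 255.255.255.0 host 216.203.117.85
"""
ROUTER_WAN_ACL = """\
access-list 101 permit esp any host 216.203.117.82
access-list 101 permit udp any host 216.203.117.82 eq 500
access-list 101 permit ip 10.5.5.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 101 deny ip any any
"""
BAD_LINE = "access-list 111 permit ip host 216.203.117.85 10.2.1.0 0.0.0.255 10.5.5.0 0.0.0.255"


def check_thread_config():
    router = parse_acl(ROUTER_CRYPTO_ACL, wildcard=True)["111"]
    pix = parse_acl(PIX_CRYPTO_ACL, wildcard=False)["111"]
    wan = parse_acl(ROUTER_WAN_ACL, wildcard=True)["101"]
    try:
        parse_acl(BAD_LINE, wildcard=True)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "mirror_mismatches": mirror_mismatches(router, pix),
        "bad_line_rejected": rejected,
        "ike_in": permits(wan, "udp", "12.206.137.5", "216.203.117.82", 500),
        "esp_in": permits(wan, "esp", "12.206.137.5", "216.203.117.82"),
        "natt_in": permits(wan, "udp", "12.206.137.5", "216.203.117.82", 4500),
        "cleartext_in": permits(wan, "tcp", "10.5.5.10", "10.2.1.6", 443),  # constructed client
    }


if __name__ == "__main__":
    print(check_thread_config())
```

Two things the check surfaces that the thread does not spell out: UDP/4500 (NAT-T) is not permitted, which is acceptable here only because both peers sit on public addresses; and the ESP and UDP/500 entries accept `any` source, whereas the PIX's public address is stable, so `host 12.206.137.5` would be the tighter form.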

OK, I can ping from the PIX side to 10.2.1.6, though it says the reply is from 216.203.117.85.

I can ping from the 10.2.1.6 device to remote devices on the PIX side.

10.2.1.6 (216.203.117.85) is my Exchange server and does DNS for my domain. I should be able to go to https://shampoo/exchange and bring up OWA, or use https://10.2.1.6/exchange, but neither works. As you can see from the config, the PIX is giving out DHCP addresses to client workstations and handing out 10.2.1.6 as the primary DNS server, but I don't think that is working?

A little more help.....

How about

https://216.203.117.85/exchange

Does this work?

Yes, that works. But how do we know that went across the VPN versus across the regular Internet?

Are you suggesting I change the DNS server given out by PIX DHCP to be that .85 address?

I just want to make sure that address is being reached across the VPN.....

To check that, can you post "show crypto ipsec sa" from the PIX please?
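The counters in `show crypto ipsec sa` are what answer the question asked above. If the OWA request took the tunnel, the router's `#pkts decaps` (request received through the tunnel) and `#pkts encaps` (reply sent into it) both move between a snapshot taken before the test and one taken after; a flow that went over the plain Internet leaves them flat. The Python below is an added example, not code from the thread: it parses the router output posted earlier (abridged and embedded as the "before" snapshot), diffs it against a constructed "after" snapshot in which only the counters differ, and declines to draw a conclusion if the SPIs changed in between (a rekey). It also flags the transform the posted output shows, `esp-des esp-md5-hmac`: single DES has a 56-bit key and HMAC-MD5 is deprecated, so a practitioner would move this tunnel to AES and SHA before relying on it.

```python
"""Parse IOS 'show crypto ipsec sa' output and diff two snapshots to decide whether a test
flow (an OWA request, say) really crossed the tunnel. Added example, not code from the thread."""
import ipaddress
import re

# Transforms a practitioner should not accept: single DES and HMAC-MD5 are broken or deprecated,
# 3DES is deprecated (Sweet32) and esp-null gives no confidentiality at all.
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\)")
PEER_RE = re.compile(r"current_peer (\S+) port \d+")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERROR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")
SPI_RE = re.compile(r"spi: (0x[0-9A-Fa-f]+)")
TRANSFORM_RE = re.compile(r"transform: (.+?) ,")


def parse_ipsec_sa(text):
    """Extract proxy identities (normalised to CIDR), peer, transform, ESP SPIs and packet
    counters. Assumes the output covers a single crypto map entry, as in the thread."""
    sa = {"local_ident": None, "remote_ident": None, "peer": None, "transform": None,
          "inbound_spi": None, "outbound_spi": None, "encaps": 0, "decaps": 0,
          "send_errors": 0, "recv_errors": 0}
    section = None
    for line in text.splitlines():
        s = line.strip()
        if s.endswith("sas:"):                      # "inbound esp sas:", "outbound ah sas:", ...
            section = s[:-5].replace(" ", "_")
        elif m := IDENT_RE.search(s):
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            sa[m.group(1) + "_ident"] = str(net)
        elif m := PEER_RE.search(s):
            sa["peer"] = m.group(1)
        elif m := COUNTER_RE.search(s):
            sa[m.group(1)] = int(m.group(2))
        elif m := ERROR_RE.search(s):
            sa["send_errors"], sa["recv_errors"] = int(m.group(1)), int(m.group(2))
        elif (m := SPI_RE.search(s)) and section in ("inbound_esp", "outbound_esp"):
            sa[section.split("_")[0] + "_spi"] = m.group(1)   # "current outbound spi:" is skipped
        elif (m := TRANSFORM_RE.search(s)) and sa["transform"] is None:
            sa["transform"] = m.group(1)
    return sa


def weak_transforms(sa):
    """Names of weak algorithms in the negotiated transform, e.g. ['esp-des', 'esp-md5-hmac']."""
    return [t for t in sa["transform"].split() if t in WEAK_TRANSFORMS]


def tunnel_delta(before, after):
    """Diff two snapshots taken around a test. A request from the PIX side answered by the router
    side must raise decaps (received through the tunnel) and encaps (replies sent into it); flat
    counters mean the flow went over the plain Internet. Changed SPIs mean a rekey: no verdict."""
    if ((before["inbound_spi"], before["outbound_spi"])
            != (after["inbound_spi"], after["outbound_spi"])):
        return {"rekeyed": True, "sent": None, "received": None, "crossed": None}
    sent, received = after["encaps"] - before["encaps"], after["decaps"] - before["decaps"]
    return {"rekeyed": False, "sent": sent, "received": received, "crossed": sent > 0 and received > 0}


# Abridged copy of the router output posted in the thread, used as the "before" snapshot.
ROUTER_SA_BEFORE = """\
interface: FastEthernet0/1
   local  ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)
   current_peer 12.206.137.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
    #pkts decaps: 30, #pkts decrypt: 30, #pkts verify: 30
    #pkts compressed: 0, #pkts decompressed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 216.203.117.82, remote crypto endpt.: 12.206.137.5
     current outbound spi: 0xE669710B(3865669899)
     inbound esp sas:
      spi: 0x57AAE66C(1470817900)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        Status: ACTIVE
     outbound esp sas:
      spi: 0xE669710B(3865669899)
        transform: esp-des esp-md5-hmac ,
        Status: ACTIVE
     outbound ah sas:
"""
# Constructed second snapshot (not from the thread): the same SAs after a browser on the PIX
# side fetched https://216.203.117.85/exchange; only the packet counters have moved.
ROUTER_SA_AFTER = (ROUTER_SA_BEFORE
                   .replace("#pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12",
                            "#pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40")
                   .replace("#pkts decaps: 30, #pkts decrypt: 30, #pkts verify: 30",
                            "#pkts decaps: 58, #pkts decrypt: 58, #pkts verify: 58"))


if __name__ == "__main__":
    before, after = parse_ipsec_sa(ROUTER_SA_BEFORE), parse_ipsec_sa(ROUTER_SA_AFTER)
    print(before["local_ident"], "<->", before["remote_ident"], "peer", before["peer"])
    print("weak transforms:", weak_transforms(before), "delta:", tunnel_delta(before, after))
```

Take the first snapshot, run the single test (one page load, one ping), take the second immediately, and read the deltas; for a ping, the counts rise by the number of echo requests and replies, which is a useful sanity check that no other traffic was crossing at the time.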