cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3813
Views
0
Helpful
18
Replies

Pix to Pix Easy VPN - Almost there.. Need help :(

rmoore.2010
Level 1
Level 1

I've spent countless hours now trying to implement a Pix to Pix VPN. I thought I would post this in hopes someone could help me.

I can get my Pix 501 to open a tunnel to the Pix 506e.  These are both on separate ISPs.

I can ping from the Pix 501 console to the Pix 506e Inside Interface IP.

I can ping from the Pix 506e console to the Pix 501 Inside Interface IP.

I cannot ping hosts on either PIX beyond the Inside interface.

With logging console 7 activated, I receive the following error when pinging the host 172.16.54.5 from the console on the Pix 501.

305005: No translation group found for icmp src outside:100.1.1.10 dst inside:172.16.54.5 (type 8, code 0)

For privacy reasons, I have changed the IP addresses and passwords.

PIX506e Outside (ISP1): 200.1.1.10
ISP1 Gateway: 200.1.1.1

PIX501 Outside (ISP): 100.1.1.10
ISP2 Gateway: 100.1.1.1

Here are my configurations:

Pix 506e (Server)
----------------------------------------------
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******** encrypted
passwd ******** encrypted
hostname vpnserver
domain-name mydomain.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit icmp any any
access-list NONAT permit ip 172.16.54.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list NONAT permit ip 192.168.6.0 255.255.255.0 172.16.54.0 255.255.255.0
access-list 110 permit ip 172.16.54.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list 110 permit ip 192.168.6.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list 110 permit ip host 100.1.1.10 172.16.2.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 200.1.1.10 255.255.255.128
ip address inside 172.16.54.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 172.16.54.201-172.16.54.210
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 110 in interface inside
route outside 0.0.0.0 0.0.0.0 200.1.1.1 1
route inside 172.16.2.0 255.255.255.0 172.16.54.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mygroup address-pool vpnpool
vpngroup mygroup dns-server 172.16.2.1
vpngroup mygroup default-domain mydomain.com
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
vpngroup idle-time idle-time 1800
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn username myuser password *********
vpdn enable outside
username myuser password ******** encrypted privilege 2
terminal width 80
----------------------------------------------


Pix 501 (Client)
----------------------------------------------
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******** encrypted
passwd ******** encrypted
hostname vpnclient
domain-name mydomain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 17
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit icmp any any
pager lines 24
logging on
logging monitor debugging
mtu outside 1500
mtu inside 1500
ip address outside 100.1.1.10 255.255.255.0
ip address inside 192.168.6.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 100.1.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.6.0 255.255.255.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
management-access inside
console timeout 0
dhcpd address 192.168.6.20-192.168.6.200 inside
dhcpd dns 172.16.2.1 172.16.2.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
vpnclient server 200.1.1.10
vpnclient mode network-extension-mode
vpnclient vpngroup mygroup password ********
vpnclient username myuser password ********
vpnclient enable
terminal width 80
----------------------------------------------

4 Accepted Solutions

Accepted Solutions

Yudong Wu
Level 7
Level 7

assuming you would like to send traffic between subnet 172.16.54.0/24 and 192.168.6.0/24 in the tunnel.

1. ip local pool vpnpool 172.16.54.201-172.16.54.210 <<<< please use IP in a different subnet. Current IP is in the same subnet as inside interface.

2. You dont' need "access-list NONAT permit ip 192.168.6.0 255.255.255.0 172.16.54.0 255.255.255.0"

3. don't ping from 501 directly, ping from a host behind 501 in subnet 192.168.6.0/24

View solution in original post

Ok, source ip 192.168.6.0 address was nat-ed at 501.

Add this at 501.

access-list NONAT permit ip 192.168.6.0 255.255.255.0 172.16.54.0 255.255.255.0

nat (inside) 0 access-list NONAT

View solution in original post

Ok. easy VPN should generate it automatically. Otherwise it should not be called "Easy" any more.

I am not sure why the ip still got nat-ed.

Let's not add those NAT manually and just let Easy vpn to do it.

Before you try to ping .254 from 192.168.6.20, could you please check "show xlate" on 501?

Then after ping, check "show xlate" again.

If you see IP is still NAT-ed after  "nat 0" is added by easy vpn, I would say it might be a bug.

View solution in original post

The error message you got is about NAT.

You need add the following command on 506

access-list NONAT permit ip 172.16.2.0 255.255.255.0 192.168.6.0 255.255.255.0

View solution in original post

18 Replies 18

Yudong Wu
Level 7
Level 7

assuming you would like to send traffic between subnet 172.16.54.0/24 and 192.168.6.0/24 in the tunnel.

1. ip local pool vpnpool 172.16.54.201-172.16.54.210 <<<< please use IP in a different subnet. Current IP is in the same subnet as inside interface.

2. You dont' need "access-list NONAT permit ip 192.168.6.0 255.255.255.0 172.16.54.0 255.255.255.0"

3. don't ping from 501 directly, ping from a host behind 501 in subnet 192.168.6.0/24

Ok I made the two changes.  I changed the IP pool and removed the NAT entry.

Still no change.  I hooked a laptop up on the Pix 501 side, but pinging from a host on 192.168.6.20 or pinging from the Pix 501 gave the same results.

From the client (192.168.6.20)

Ping -> 192.168.6.1 (Success)

Ping -> 200.1.1.10 (Success)

Ping -> 172.16.54.5 (Success)

Ping -> 172.16.54.1 (Fail)

Ping -> 172.16.54.254 (Fail)

In addition to this, I forgot to mention I am receiving the following error when debugging on the Pix 506e console:

crypto_isakmp_process_block:src:100.1.1.10, dest:200.1.1.10 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 847215159
ISAMKP (0): received DPD_R_U_THERE from peer 100.1.1.10
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS

This error just keeps repeating itself without pinging or generating any traffic.  This error existed before making these recent changes.

Here is the new configuration:

Pix 506e (Server)
----------------------------------------------
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******** encrypted
passwd ******** encrypted
hostname vpnserver
domain-name mydomain.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit icmp any any
access-list NONAT permit ip 172.16.54.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list 110 permit ip 172.16.54.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list 110 permit ip 192.168.6.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list 110 permit ip host 100.1.1.10 172.16.2.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 200.1.1.10 255.255.255.128
ip address inside 172.16.54.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.1.100-192.168.1.110
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 110 in interface inside
route outside 0.0.0.0 0.0.0.0 200.1.1.1 1
route inside 172.16.2.0 255.255.255.0 172.16.54.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mygroup address-pool vpnpool
vpngroup mygroup dns-server 172.16.2.1
vpngroup mygroup default-domain mydomain.com
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
vpngroup idle-time idle-time 1800
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn username myuser password *********
vpdn enable outside
username myuser password ******** encrypted privilege 2
terminal width 80
----------------------------------------------


Pix 501 (Client)
----------------------------------------------
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******** encrypted
passwd ******** encrypted
hostname vpnclient
domain-name mydomain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 17
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit icmp any any
pager lines 24
logging on
logging monitor debugging
mtu outside 1500
mtu inside 1500
ip address outside 100.1.1.10 255.255.255.0
ip address inside 192.168.6.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 100.1.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.6.0 255.255.255.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
management-access inside
console timeout 0
dhcpd address 192.168.6.20-192.168.6.200 inside
dhcpd dns 172.16.2.1 172.16.2.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
vpnclient server 200.1.1.10
vpnclient mode network-extension-mode
vpnclient vpngroup mygroup password ********
vpnclient username myuser password ********
vpnclient enable
terminal width 80
----------------------------------------------

check the "show crypto ipsec sa" on both side to see if encrypt and decrypt count is incrementing when you ping "172.16.54.1" or "172.16.54.254" from "192.168.6.20".

check the routing on 172.16.54.254 or 172.16.54.1 to see if they know how to reach 192.168.6.20

When I ping from a host 192.168.6.20 to 172.16.54.254 it throws this error up on the Pix 506e console:

305005: No translation group found for icmp src outside:100.1.1.10 dst inside:172.16.54.254 (type 8, code 0)

I have also connected using a Windows XP VPN Client install tool from Cisco, and it gives the same error when pinging 172.16.54.254.

From the Pix 506e console, I CAN ping 172.16.54.254 without a probelm.

        172.16.54.254 response received -- 0ms
        172.16.54.254 response received -- 0ms
        172.16.54.254 response received -- 0ms

I just don't understand what I'm missing here.

Looks like the Pix 506e doesn't know how to route the traffic from 192.168.6.x OR it doesn't have the correct ACL maybe?

Maybe a NAT issue?


Ok, source ip 192.168.6.0 address was nat-ed at 501.

Add this at 501.

access-list NONAT permit ip 192.168.6.0 255.255.255.0 172.16.54.0 255.255.255.0

nat (inside) 0 access-list NONAT

It appears the Easy VPN Server / Client handles this automatically?

When the vpnclient connects, it automatically creates an ACL and NAT statement.

vpnclient# vpnclient enable

vpnclient# show access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)  alert-interval 300
access-list _vpnc_acl; 2 elements
access-list _vpnc_acl line 1 permit ip 192.168.6.0 255.255.255.0 any (hitcnt=3)
access-list _vpnc_acl line 2 permit ip host 100.1.1.10 any (hitcnt=3)

vpnclient# show nat

nat (inside) 0 access-list _vpnc_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

And if I disconnect the Easy VPN Server and try adding those statements, here is the output.

vpnclient(config)# no vpnclient enable

vpnclient(config)# access-list NONAT permit ip 192.168.6.0 255.255.255.0 172.16.54.0 255.255.255.0

vpnclient(config)# nat (inside) 0 access-list NONAT

vpnclient(config)# vpnclient enable

* Remove "nat (inside) 0 NONAT"

CONFIG CLASH: Configuration that would prevent successful PIX Easy VPN Remote
operation has been detected, and is listed above. Please resolve the
above configuration clashes and re-enable.


So maybe the automatically generated ACL and NAT exceptions are not sufficient?

Ok. easy VPN should generate it automatically. Otherwise it should not be called "Easy" any more.

I am not sure why the ip still got nat-ed.

Let's not add those NAT manually and just let Easy vpn to do it.

Before you try to ping .254 from 192.168.6.20, could you please check "show xlate" on 501?

Then after ping, check "show xlate" again.

If you see IP is still NAT-ed after  "nat 0" is added by easy vpn, I would say it might be a bug.

Kevin,

Thanks so much for all of your help.  You were right all the way through this fiasco.

Because I was pinging from the PIX 501 console, it wasn't using NAT.  Apparently when you ping from the PIX router, you use the outside interface.  All this time I thought there were equipment problems or configuration errors.  I guess this was an excellent learning experience.

I setup one computer on each side with these IPs: 172.16.54.10 and 192.168.6.5.  

I can successfully pass ping packets through the tunnel back and forth.

So now that the tunnel is working, but I can't hit my other vlan 172.16.2.x

I receive the following error:

305005: No translation group found for udp src outside:192.168.6.5/49401 dst inside:172.16.2.1/53

All the research I've done tells me this is probably an ACL or routing issue.

172.16.54.x and 172.16.2.x are both vlans run on a Catalyst.

As you can see, I have added this route on the PIX506e:

route inside 172.16.2.0 255.255.255.0 172.16.54.254 1

After adding this entry, it enabled me to ping 172.16.2.x from the PIX506e console.  So I know the route works there.

Any advice is much welcome.  Thanks again.

Wow I actually just figured this last part out.

So to allow the 172.16.2.x <-> 192.168.6.x, I just added another NONAT and ACL.

access-list NONAT permit ip 172.16.2.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list 110 permit ip 172.16.2.0 255.255.255.0 192.168.6.0 255.255.255.0

Now my 192.168.6.x can query our DNS server on the other side in 172.16.2.x.

But now I can't route out to the web or other sites from the host 192.168.6.5.  I think it's because of my NAT.

So again here are my NAT statements on the PIX501.  These are generated automagically from Easy VPN (lol)

access-list _vpnc_acl line 1 permit ip 192.168.6.0 255.255.255.0 any (hitcnt=1315)

Shouldn't the NAT exemptions be more specific? Like this for example:

access-list _vpnc_acl line 1 permit ip 192.168.6.0 255.255.255.0 172.16.54.0 255.255.255.0 (hitcnt=1315)
access-list _vpnc_acl line 1 permit ip 192.168.6.0 255.255.255.0 172.16.2.0 255.255.255.0 (hitcnt=1315)

This way the traffic would be NAT exempt if it's headed to other networks besides 172.16.54.x and 172.16.2.x

Oh the woes of networking.  I'm almost there!


The error message you got is about NAT.

You need add the following command on 506

access-list NONAT permit ip 172.16.2.0 255.255.255.0 192.168.6.0 255.255.255.0

Sorry, You already figured it out.

For internet connection, you need enable split tunnel on 506 side.

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/tz.html#wp1099471

vpngroup group_name split-tunnel access_list

So I added the following:

vpngroup mygroup split-tunnel 110

Now the tunnel still comes up fine, but I can't ping back and forth across the tunnel.

I'm not receiving any errors.  Tried running clear isakmp sa and clear ipsec, and reloading.  Still same.

Pinging from 172.16.54.10 to 192.168.6.5 fails

can you post ACL 110 here?

access-list 110 permit ip 172.16.54.0 255.255.255.0 192.168.6.0 255.255.255.0