Site-Site VPN PIX501 and CISCO Router

mactej6228
Level 1

Hello Experts,

I have a test lab at home, where I configured a site-to-site VPN using a Cisco PIX501 and a CISCO2691 router. For the configuration I just used some links on the internet, because my background in VPN configuration is not that good; for the router configuration I followed this link:

www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html

and for the PIX configuration I just used the VPN wizard of the PIX. I have done all the configurations, but the ping is unsuccessful. Hope you can help me with this; I don't know what needs to be done here (troubleshooting).

Attached are my router's configuration, the topology, as well as the PIX configuration. Hope you can help me with this. Thanks in advance.


13 Replies

Hi Bro

Your site-to-site VPN isn't working because you have some configuration errors. Please make the changes shown below and let me know whether it works or not. If it doesn't, paste here the latest router and FW configs.

FW Config Changes
=================

route OUTSIDE 0.0.0.0 0.0.0.0 222.127.244.53
access-list inside permit ip any any
access-group inside in interface inside
access-list INSIDE_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
access-list OUTSIDE_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
sysopt connection permit-vpn
crypto isakmp identity auto
no nat (INSIDE) 0 192.168.1.0 255.255.255.0
no access-list 50 standard permit 192.168.1.0 255.255.255.0
no access-list 90 extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
!
no crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto isakmp keepalive 10
!

Router Config Changes
=====================

!
crypto isakmp policy 1
hash sha
!
ip route 0.0.0.0 0.0.0.0 121.97.12.1
!
interface FastEthernet0/0
no ip access-group 120 in
!
no ip nat inside source list 10 interface FastEthernet0/0 overload
ip nat inside source list 100 interface FastEthernet0/0 overload
!
no access-list 10 permit 172.21.1.0 0.0.0.255
no access-list 110 permit ip 192.168.1.0 0.0.0.255 172.21.1.0 0.0.0.255
no access-list 120 permit ip host 222.127.244.52 172.21.1.0 0.0.0.255
access-list 100 permit ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255

Warm regards,
Ramraj Sivagnanam Sivajanam

Hello bro,

Thanks for your reply. It still isn't working: when I ping from the router to the PIX, it gives me this output: "U.U.U.U". By the way bro, below are the steps that I considered in configuring this IPsec site-to-site VPN;

please correct me where I got the configuration wrong. My knowledge of VPNs is still minimal, and this will help me understand more. Responses are highly appreciated.

For simplicity's sake we'll consider this topology:

        PIX501 --------- Internet ---------- C2691(R1)

    IP behind PIX: 192.168.1.0/24             IP behind R1: 172.21.1.0/24
    Internet-facing IP: 1.1.1.1/30            Internet-facing IP: 2.2.2.2/30

IPsec S2S VPN tunnel config:

@PIX

Step 1. Configure NAT.

    PIX(config)# nat (INSIDE) 1 192.168.1.0 255.255.255.0
    PIX(config)# nat (OUTSIDE) 1 1.1.1.1 255.255.255.252

Step 2. Default route.

    PIX(config)# route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.2 1

Step 3. IKE Phase 1 [main mode].

    PIX(config)# isakmp enable outside
    PIX(config)# crypto isakmp policy 1
    PIX(config-crypto-policy)# authentication pre-share
    PIX(config-crypto-policy)# hash sha
    PIX(config-crypto-policy)# group 2
    PIX(config-crypto-policy)# encryption 3des
    PIX(config-crypto-policy)# exit
    PIX(config)# crypto isakmp key cisco address 2.2.2.2 netmask 255.255.255.252

Step 4. IKE Phase 2, the IPsec policy to use in the IPsec tunnel [quick mode].

    PIX(config)# crypto ipsec transform-set MYSET esp-sha-hmac esp-3des

Step 5. Mapping the policy above.

    PIX(config)# crypto map MYMAP 10 ipsec-isakmp
    PIX(config)# crypto map MYMAP 10 set transform-set MYSET
    PIX(config)# crypto map MYMAP 10 set peer 2.2.2.2
    PIX(config)# access-list TO_ENCRYPT_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 172.21.1.0 255.255.255.0
    PIX(config)# crypto map MYMAP 10 match address TO_ENCRYPT_TRAFFIC

Step 6. Apply to the interface.

    PIX(config)# crypto map MYMAP interface OUTSIDE

Note: the same configuration on R1.

Hi Bro

Both sides of the LAN have the same segment, 192.168.1.0/24???? If yes, then this is called an overlapping network, which Cisco has a solution for.

By the way, some of the steps you've listed above are wrong.

Please paste here the latest show run for both router and FW.

Warm regards,
Ramraj Sivagnanam Sivajanam

Oh! It's a typo. Okay, here's the updated config file:

FW

PIX Version 7.2(2)
!
hostname PIX
domain-name aida.com
enable password 2KFQnbNIdI.2KYOU encrypted
names
name 172.21.1.0 network2 description n2
!
interface Ethernet0
 speed 100
 duplex full
 nameif OUTSIDE
 security-level 0
 ip address 1.1.1.1 255.255.255.252
!
interface Ethernet1
 nameif INSIDE
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
access-list TO_ENCRYPT_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
global (OUTSIDE) 1 interface
nat (INSIDE) 1 192.168.1.0 255.255.255.0
!
route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
crypto map OUTSIDE_map 1 set transform-set ESP-3DES-SHA
crypto map MYMAP 10 match address TO_ENCRYPT_TRAFFIC
crypto map MYMAP 10 set peer 2.2.2.2
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *
!
: end

ROUTER

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R9
!
crypto pki certificate chain TP-self-signed-998521732
 certificate self-signed 01 nvram:IOS-Self-Sig#3201.cer
username mark privilege 15 secret 5 $1$BTWy$PNE9BFeWm1SiRa/PiO9Ak/
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 1.1.1.1 255.255.255.252
!
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set MYSET
 match address TO_ENCRYPT_TRAFFIC
!
interface FastEthernet0/0
 ip address 2.2.2.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map MYMAP
!
interface FastEthernet0/1
 ip address 172.21.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip route 172.21.1.0 255.255.255.0 2.2.2.1
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list NAT_IP interface FastEthernet0/0 overload
!
ip access-list extended NAT_IP
 deny   ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 172.21.1.0 0.0.0.255 any
ip access-list extended TO_ENCRYPT_TRAFFIC
 permit ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 transport input ssh
!
end

rkumar5
Level 1

Hi Mark,

I went through the configuration and found that there is some misconfiguration on the router as well as on the PIX.

Changes that are required on the PIX:

no nat (INSIDE) 0 192.168.1.0 255.255.255.0

You don't need access-list 50.

You don't need access-list 90 as well.

no access-list OUTSIDE_access_in extended permit ip network2 255.255.255.0 192.168.1.0 255.255.255.0

So you need to remove this, as well as the access-group from the outside interface.

Make sure that sysopt connection permit-vpn is there. You can check it using the command

show run all sysopt

The rest of the config is fine on the PIX.

Changes that are required on the router:

no ip nat inside source list 10 interface FastEthernet0/0 overload
ip access-list extended 113
 5 deny ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 10 permit ip 172.21.1.0 0.0.0.255 any
ip nat inside source list 113 interface fa0/0 overload

Try this; it should work.

If that doesn't work, then upload the new config after making the changes.

Thanks, Raj

Hello Kumar,

Still can't get through; unsuccessful pings. See my configs:

Mark

Hi Mark,

I went through the config of the ASA.

I can see that the NAT exempt is still missing there.

Please add the following:

access-list nonat permit ip 192.168.1.0 255.255.255.0 172.21.1.0 255.255.255.0
nat (INSIDE) 0 access-list nonat

Then try; it should work.

Thanks

Raj

Hello Kumar,

Thanks for your reply. OK, here's the updated config:

FW

PIX Version 7.2(2)
!
hostname PIX
domain-name aida.com
enable password 2KFQnbNIdI.2KYOU encrypted
names
name 172.21.1.0 network2 description n2
!
interface Ethernet0
 speed 100
 duplex full
 nameif OUTSIDE
 security-level 0
 ip address 1.1.1.1 255.255.255.252
!
interface Ethernet1
 nameif INSIDE
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
access-list TO_ENCRYPT_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
global (OUTSIDE) 1 interface
nat (INSIDE) 0 access-list nonat
nat (INSIDE) 1 192.168.1.0 255.255.255.0
!
route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
crypto map OUTSIDE_map 1 set transform-set ESP-3DES-SHA
crypto map MYMAP 10 match address TO_ENCRYPT_TRAFFIC
crypto map MYMAP 10 set peer 2.2.2.2
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *
!
: end

ROUTER

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R9
!
crypto pki certificate chain TP-self-signed-998521732
 certificate self-signed 01 nvram:IOS-Self-Sig#3201.cer
username mark privilege 15 secret 5 $1$BTWy$PNE9BFeWm1SiRa/PiO9Ak/
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 1.1.1.1 255.255.255.252
!
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set MYSET
 match address TO_ENCRYPT_TRAFFIC
!
interface FastEthernet0/0
 ip address 2.2.2.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map MYMAP
!
interface FastEthernet0/1
 ip address 172.21.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip route 172.21.1.0 255.255.255.0 2.2.2.1
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list NAT_IP interface FastEthernet0/0 overload
!
ip access-list extended NAT_IP
 deny   ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 172.21.1.0 0.0.0.255 any
ip access-list extended TO_ENCRYPT_TRAFFIC
 permit ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 transport input ssh
!
end

Additional info:

PIX# sh crypto isakmp sa
There are no isakmp sas

R9#sh crypto isakmp sa
dst             src             state          conn-id slot status

Debug commands used:

debug crypto isakmp (router)
debug crypto isakmp 10 (pix)

No activity appeared on either device.

Hi Mark,

Now the config seems to be fine.

Let me know if the ping is working or not.

If it is not working, then try to take a capture on the PIX.

Please follow this link to apply the capture:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml

Thanks

Raj

Hi bro

Your config is not correct at all. Please make the changes as shown below and paste here the latest output:

Router Config Change
====================
crypto isakmp policy 1
 hash sha
 lifetime 86400
!
no ip route 172.21.1.0 255.255.255.0 2.2.2.1
ip route 0.0.0.0 0.0.0.0 2.2.2.1
!
crypto isakmp identity address

FW Config Change
====================
!
no route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1  // You do not point to yourself
route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.XXXX  // Point to your next-hop IP
!
no crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
no crypto map OUTSIDE_map 1 set transform-set ESP-3DES-SHA

Regards,

Ram

Warm regards,
Ramraj Sivagnanam Sivajanam

rkumar5
Level 1

Hi Mark/Ram,

Thanks for pointing out the route.

I overlooked that part.

However, the phase 1 policy on the router is correct, as SHA is the default and that's the reason it is not showing in the config.

However, in the ASA config we actually don't need to remove these, as they are not in use:

no crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
no crypto map OUTSIDE_map 1 set transform-set ESP-3DES-SHA

The crypto map that is bound is not OUTSIDE_map.

So actually you only need to fix the route.

The only changes that we need are:

On the router:

no ip route 172.21.1.0 255.255.255.0 2.2.2.1
ip route 0.0.0.0 0.0.0.0 2.2.2.1

Config change that is required on the ASA:

no route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.XXXX


Regards

Raj
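The replies above converge on three faults that also map onto the step list Mark posted earlier: the crypto ACLs on both peers must mirror each other, the PIX needs a nat 0 exemption covering the crypto ACL, and the default route must point at the next hop rather than the firewall's own address. The following checker is an added example written for this thread, not code from the thread or from Cisco; PIX_CFG and IOS_CFG are constructed samples modelled on the posted configs, and function names are my own.

```python
import ipaddress
import re

# Constructed sample configs modelled on this thread (not the poster's dumps):
# the PIX default route still points at its own OUTSIDE address; the rest is the fixed state.
PIX_CFG = """\
name 172.21.1.0 network2 description n2
interface Ethernet0
 nameif OUTSIDE
 ip address 1.1.1.1 255.255.255.252
access-list TO_ENCRYPT_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
nat (INSIDE) 0 access-list nonat
route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
crypto map MYMAP 10 match address TO_ENCRYPT_TRAFFIC
"""
IOS_CFG = """\
crypto map MYMAP 10 ipsec-isakmp
 match address TO_ENCRYPT_TRAFFIC
ip access-list extended TO_ENCRYPT_TRAFFIC
 permit ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

def pix_pairs(cfg, acl):
    """(src, dst) networks of a PIX extended ACL; resolves 'name' objects, subnet-mask form."""
    names = {n: ip for ip, n in re.findall(r"^name (\S+) (\S+)", cfg, re.M)}
    pat = rf"^access-list {acl} extended permit ip (\S+) (\S+) (\S+) (\S+)"
    out = set()
    for s, sm, d, dm in re.findall(pat, cfg, re.M):
        s, d = names.get(s, s), names.get(d, d)
        out.add((ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
    return out

def ios_pairs(cfg, acl):
    """(src, dst) networks of an IOS named extended ACL; wildcard-mask form."""
    m = re.search(rf"^ip access-list extended {acl}\n((?: .*\n)+)", cfg, re.M)
    body = m.group(1) if m else ""
    return {(ipaddress.ip_network(f"{s}/{sw}"), ipaddress.ip_network(f"{d}/{dw}"))
            for s, sw, d, dw in re.findall(r"permit ip (\S+) (\S+) (\S+) (\S+)", body)}

def check_l2l(pix_cfg, ios_cfg):
    """Return findings for the three faults the thread hit; an empty list means all clear."""
    findings = []
    pix_acl = re.search(r"^crypto map \S+ \d+ match address (\S+)", pix_cfg, re.M).group(1)
    ios_acl = re.search(r"^ match address (\S+)", ios_cfg, re.M).group(1)
    crypto = pix_pairs(pix_cfg, pix_acl)
    # 1. Crypto ACLs must be mirror images, or the phase 2 proxy identities will not match.
    if {(d, s) for s, d in crypto} != ios_pairs(ios_cfg, ios_acl):
        findings.append("crypto ACLs are not mirror images")
    # 2. NAT exemption (nat 0) must cover every crypto pair, or PAT rewrites the source first.
    nonat = re.search(r"^nat \(\S+\) 0 access-list (\S+)", pix_cfg, re.M)
    if not nonat or not crypto <= pix_pairs(pix_cfg, nonat.group(1)):
        findings.append("nat 0 exemption missing or does not cover the crypto ACL")
    # 3. The default route's next hop must be a neighbour, never the firewall's own address.
    own = set(re.findall(r"^ ip address (\S+) \S+", pix_cfg, re.M))
    for hop in re.findall(r"^route \S+ 0\.0\.0\.0 0\.0\.0\.0 (\S+)", pix_cfg, re.M):
        if hop in own:
            findings.append(f"default route points at own interface address {hop}")
    return findings
```

Running check_l2l(PIX_CFG, IOS_CFG) on the sample reports only the self-pointing default route; pointing the route at 1.1.1.2 clears it.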

YES! IT FINALLY WORKS NOW! Here's the updated running-config:

: Saved
:
PIX Version 7.2(2)
!
hostname PIX
domain-name aida.com
enable password 2KFQnbNIdI.2KYOU encrypted
names
name 172.21.1.0 network2 description n2
!
interface Ethernet0
 speed 100
 duplex full
 nameif OUTSIDE
 security-level 0
 ip address 1.1.1.1 255.255.255.252
!
interface Ethernet1
 nameif INSIDE
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name aida.com
access-list TO_ENCRYPT_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
pager lines 24
mtu OUTSIDE 1500
mtu INSIDE 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (INSIDE) 0 access-list nonat
nat (INSIDE) 1 192.168.1.0 255.255.255.0
route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username mark password MwHKvxGV7kdXuSQG encrypted
http server enable
http 192.168.1.3 255.255.255.255 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map MYMAP 10 match address TO_ENCRYPT_TRAFFIC
crypto map MYMAP 10 set peer 2.2.2.2
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
prompt hostname context
Cryptochecksum:8491323562e3f1a86ccd4334cd1d37f6
: end

ROUTER:

R9#sh run
Building configuration...

Current configuration : 3313 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R9
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa authentication login default local
aaa authorization config-commands
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name aida.com
ip ssh version 2
!
crypto pki trustpoint TP-self-signed-998521732
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-998521732
 revocation-check none
 rsakeypair TP-self-signed-998521732
!
crypto pki certificate chain TP-self-signed-998521732
  A75B9F04 E17B5692 35947CAC 0783AD36 A3894A64 FB6CE1AB 1E3069D3
  A818A71C 00D968FE 3AA7463D BA3B4DE8 035033D5 0CA458F3 635005C3 FB543661
  9EE305FF 63
  quit
username mark privilege 15 secret 5 $1$BTWy$PNE9BFeWm1SiRa/PiO9Ak/
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 1.1.1.1 255.255.255.252
!
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set MYSET
 match address TO_ENCRYPT_TRAFFIC
!
interface FastEthernet0/0
 ip address 2.2.2.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map MYMAP
!
interface FastEthernet0/1
 ip address 172.21.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 2.2.2.1
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list NAT_IP interface FastEthernet0/0 overload
!
ip access-list extended NAT_IP
 deny   ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 172.21.1.0 0.0.0.255 any
ip access-list extended TO_ENCRYPT_TRAFFIC
 permit ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 transport input ssh
!
end

Hi Bro

Please do help to rate all those replies that were helpful :-)

Warm regards,
Ramraj Sivagnanam Sivajanam