12-29-2010 03:42 PM
I'm kind of a Cisco rookie and need help setting up a VPN:
I replaced a Netopia R910 with a Linksys RV042. I duplicated the settings the best I could. I'm trying to re-connect the site-to-site VPN from our network (192.168.0.x private, xxx.xxx.109.202 public) to the remote network (192.168.38.x private, xxx.xxx.131.50 public).
In the Linksys, the VPN shows as connected but no traffic is coming across. I can't ping anything on the remote subnet.
It worked fine with the R910 and no settings have been changed on the PIX, other than new pre-shared keys that match.
Here is the PIX config and the RV042 config is attached as an image.
Thank you for your help!
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ************ encrypted
passwd *************** encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.0 FirstStreet
name 192.168.38.2 Sco
name xxx.xxx.130.94 FirstWan
name 192.168.4.0 Oakurst
name 192.168.7.0 Clovis
name 192.168.3.0 Madera
name 192.168.0.0 TomJ
name xxx.xxx.131.58 FMLFirst
name xxx.xxx.131.22 Integrity
name 192.168.6.0 TJhome
name 192.168.38.10 Server2
name xxx.xxx.117.182 ClovisPublicIP
name xxx.xxx.100.239 OakurstPublicIP
name xxx.xxx.174.185 MaderaPublicIP
name 192.168.38.64 VideoS1
object-group network FMLRemoteOffices
description Public IP's and Internal Subnets for All Remote Offices
network-object OakurstPublicIP 255.255.255.255
network-object MaderaPublicIP 255.255.255.255
network-object ClovisPublicIP 255.255.255.255
network-object xxx.xxx.109.202 255.255.255.255
access-list inside_outbound_nat0_acl permit ip 192.168.38.0 255.255.255.0 Clovis 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.38.0 255.255.255.0 Oakurst 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.38.0 255.255.255.0 TJhome 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.38.0 255.255.255.0 Madera 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any host 192.168.38.248
access-list inside_outbound_nat0_acl permit ip any 192.168.38.248 255.255.255.248
access-list outside_access_in permit tcp any host xxx.xxx.131.54 eq https
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in remark Sage e-prescription service 8423
access-list outside_access_in permit tcp any host xxx.xxx.131.54 eq 8423
access-list outside_access_in permit tcp any host xxx.xxx.131.53 eq 1202
access-list outside_access_in permit tcp any host xxx.xxx.131.52 eq 7000
access-list outside_cryptomap_20 permit ip 192.168.38.0 255.255.255.0 Clovis 255.255.255.0
access-list outside_cryptomap_80 permit ip 192.168.38.0 255.255.255.0 Oakurst 255.255.255.0
access-list outside_cryptomap_120 permit ip 192.168.38.0 255.255.255.0 Madera 255.255.255.0
access-list outside_cryptomap_100 permit ip 192.168.38.0 255.255.255.0 TJhome 255.255.255.0
no pager
logging on
icmp permit any echo-reply outside
icmp permit any echo-reply inside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.131.50 255.255.255.248
ip address inside 192.168.38.4 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNDHCP 192.168.38.248-192.168.38.252
ip local pool DHCP39 192.168.39.1-192.168.39.254
pdm location Integrity 255.255.255.255 outside
pdm location 192.168.38.0 255.255.255.0 inside
pdm location FirstStreet 255.255.255.0 inside
pdm location FirstStreet 255.255.255.0 outside
pdm location Sco 255.255.255.255 inside
pdm location FirstWan 255.255.255.255 outside
pdm location Oakurst 255.255.255.0 outside
pdm location Clovis 255.255.255.0 outside
pdm location TJhome 255.255.255.0 outside
pdm location Madera 255.255.255.0 outside
pdm location TomJ 255.255.255.0 outside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location xxx.xxx.141.217 255.255.255.255 outside
pdm location 192.168.38.111 255.255.255.255 inside
pdm location 192.168.38.3 255.255.255.255 inside
pdm location FMLFirst 255.255.255.255 outside
pdm location xxx.xxx.130.15 255.255.255.255 outside
pdm location 128.0.0.0 128.0.0.0 outside
pdm location xxx.xxx.109.202 255.255.255.255 outside
pdm location Server2 255.255.255.255 inside
pdm location ClovisPublicIP 255.255.255.255 outside
pdm location OakurstPublicIP 255.255.255.255 outside
pdm location MaderaPublicIP 255.255.255.255 outside
pdm location 192.168.38.248 255.255.255.255 outside
pdm location TomJ 255.255.255.0 inside
pdm location VideoS1 255.255.255.255 inside
pdm location 192.168.38.21 255.255.255.255 inside
pdm group FMLRemoteOffices outside
pdm logging debugging 500
no pdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.131.51
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xxx.xxx.131.54 Server2 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.131.53 192.168.38.21 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.131.52 VideoS1 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.131.49 1
route inside FirstStreet 255.255.255.0 192.168.38.254 1
timeout xlate 3:00:00
timeout conn 4:00:00 half-closed 2:00:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http Integrity 255.255.255.255 outside
http xxx.xxx.141.217 255.255.255.255 outside
http xxx.xxx.109.202 255.255.255.255 outside
http 192.168.38.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 30 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 50 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer ClovisPublicIP
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 80 ipsec-isakmp
crypto map outside_map 80 match address outside_cryptomap_80
crypto map outside_map 80 set peer OakurstPublicIP
crypto map outside_map 80 set transform-set ESP-DES-MD5
crypto map outside_map 100 ipsec-isakmp
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set peer xxx.xxx.174.234
crypto map outside_map 100 set transform-set ESP-DES-MD5
crypto map outside_map 120 ipsec-isakmp
crypto map outside_map 120 match address outside_cryptomap_120
crypto map outside_map 120 set peer MaderaPublicIP
crypto map outside_map 120 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.141.217 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address ClovisPublicIP netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address xxx.xxx.64.82 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address xxx.xxx.67.172 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address OakurstPublicIP netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address xxx.xxx.24.157 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address xxx.xxx.174.234 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address xxx.xxx.88.137 netmask 255.255.255.255
isakmp key ******** address MaderaPublicIP netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address xxx.xxx.109.202 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup FMLREASYVPN address-pool VPNDHCP
vpngroup FMLREASYVPN dns-server 192.168.38.3
vpngroup FMLREASYVPN idle-time 1800
vpngroup FMLREASYVPN password ********
vpngroup Brevium address-pool VPNDHCP
vpngroup Brevium dns-server 192.168.38.3
vpngroup Brevium idle-time 1800
vpngroup Brevium password ********
telnet 192.168.38.0 255.255.255.0 inside
telnet TomJ 255.255.255.0 inside
telnet timeout 5
ssh Integrity 255.255.255.255 outside
ssh 99.15.109.202 255.255.255.255 outside
ssh timeout 5
management-access inside
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local VPNDHCP
vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.38.3
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username admin password *********
vpdn username tonette password *********
vpdn username rosie password *********
vpdn username cts password *********
vpdn username MaderaFMLR password *********
vpdn username ruth password *********
vpdn username fogg password *********
vpdn username lanier password *********
vpdn username lanier2 password *********
vpdn username justin password *********
vpdn username mike password *********
vpdn username heather password *********
vpdn username Brevium password *********
vpdn username jeremiah password *********
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username admin password *************** encrypted privilege 15
terminal width 80
Cryptochecksum:******************************
: end
[OK]
12-29-2010 03:57 PM
For NAT exemption, you would need to add the following:
access-list inside_outbound_nat0_acl permit ip 192.168.38.0 255.255.255.0 TomJ 255.255.255.0
12-29-2010 03:56 PM
Are you using static crypto map or dynamic crypto map on the PIX for the VPN connection to the Linksys?
The configuration does not seem to match, as there is no static crypto map for x.x.109.202 or for the subnet 192.168.0.0/24, and the NAT exemption hasn't included the 192.168.0.0/24 subnet either.
What was the old peer IP address, and what was the old private subnet on the Netopia router?
12-29-2010 04:03 PM
Not sure how it worked before, as it couldn't possibly have been working: you don't have any reference to 192.168.0.0/24 in your PIX configuration, either in the VPN configuration or in the NAT exemption statement. Can you please add the access-list advised earlier, try to ping between sites, and share the output of:
show cry isa sa
show cry ipsec sa
from the PIX.
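The three things this reply asks the poster to check (a pre-shared key for the peer, a static crypto map entry or a dynamic-map fallback, and a NAT-exemption entry for the remote subnet) can be checked mechanically. The script below is an added example written for this thread, not code from the thread or from Cisco. It parses a constructed excerpt modelled on the posted PIX 6.3 configuration; the public addresses in the excerpt are RFC 5737 documentation placeholders standing in for the masked xxx.xxx values, and the function names (`parse_pix`, `audit_peer`, `nat0_fix`) are this example's own.

```python
"""Audit a PIX 6.x config for one site-to-site IPsec peer (added example)."""
import ipaddress

# Constructed excerpt modelled on the thread's config; 203.0.113.x and 198.51.100.x
# are documentation placeholders for the masked xxx.xxx public addresses.
SAMPLE_CONFIG = """
name 192.168.7.0 Clovis
name 192.168.0.0 TomJ
name 203.0.113.182 ClovisPublicIP
access-list inside_outbound_nat0_acl permit ip 192.168.38.0 255.255.255.0 Clovis 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any host 192.168.38.248
access-list outside_cryptomap_20 permit ip 192.168.38.0 255.255.255.0 Clovis 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto dynamic-map outside_dyn_map 30 set transform-set ESP-DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer ClovisPublicIP
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp key ******** address ClovisPublicIP netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 198.51.100.202 netmask 255.255.255.255 no-xauth no-config-mode
"""


def _net(addr, mask="255.255.255.255"):
    # ipaddress accepts a dotted-quad netmask after the slash
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _take_addr(tok, i, names):
    """Consume one ACL address clause (any | host X | X MASK) starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return _net(names.get(tok[i + 1], tok[i + 1])), i + 2
    return _net(names.get(tok[i], tok[i]), tok[i + 1]), i + 2


def parse_pix(text):
    """Extract names, 'permit ip' ACL entries, nat 0 ACL, crypto map entries and ISAKMP peers."""
    cfg = {"names": {}, "acls": {}, "nat0": None, "static": {}, "dynamic": None, "keys": set()}
    names = cfg["names"]
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "name":                      # name <ip> <alias>
            names[tok[2]] = tok[1]
        elif tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
            src, i = _take_addr(tok, 4, names)
            dst, _ = _take_addr(tok, i, names)
            cfg["acls"].setdefault(tok[1], []).append((src, dst))
        elif tok[:3] == ["nat", "(inside)", "0"] and tok[3] == "access-list":
            cfg["nat0"] = tok[4]
        elif tok[:2] == ["crypto", "map"] and tok[3].isdigit():
            if "dynamic" in tok:
                cfg["dynamic"] = tok[-1]
            else:
                entry = cfg["static"].setdefault(tok[3], {})
                if tok[4:6] == ["match", "address"]:
                    entry["acl"] = tok[6]
                elif tok[4:6] == ["set", "peer"]:
                    entry["peer"] = names.get(tok[6], tok[6])
        elif tok[:2] == ["isakmp", "key"]:        # isakmp key **** address <peer> ...
            cfg["keys"].add(names.get(tok[4], tok[4]))
    return cfg


def _covered(entries, local, remote):
    """True if some ACL entry's source contains local and destination contains remote."""
    return any(local.subnet_of(s) and remote.subnet_of(d) for s, d in entries)


def audit_peer(cfg, peer, local, remote):
    """Return findings for one peer; an empty list means all three checks pass."""
    local, remote = ipaddress.ip_network(local), ipaddress.ip_network(remote)
    peer = cfg["names"].get(peer, peer)
    findings = []
    if peer not in cfg["keys"]:
        findings.append(f"no isakmp pre-shared key configured for {peer}")
    entry = next((e for e in cfg["static"].values() if e.get("peer") == peer), None)
    if entry is None:
        if cfg["dynamic"]:
            findings.append(f"no static crypto map for {peer}; it relies on dynamic map "
                            f"{cfg['dynamic']}, so only the remote side can bring the tunnel up")
        else:
            findings.append(f"no static or dynamic crypto map for {peer}")
    elif not _covered(cfg["acls"].get(entry.get("acl"), []), local, remote):
        findings.append(f"crypto ACL {entry.get('acl')} does not cover {local} -> {remote}")
    nat0 = cfg["nat0"]
    if not nat0 or not _covered(cfg["acls"].get(nat0, []), local, remote):
        findings.append(f"NAT exemption ACL {nat0} lacks {local} -> {remote}; that traffic is "
                        f"translated by 'nat (inside) 1' and never matches the tunnel")
    return findings


def nat0_fix(cfg, local, remote):
    """The access-list line that adds the missing NAT exemption, in the form the reply above used."""
    local, remote = ipaddress.ip_network(local), ipaddress.ip_network(remote)
    return (f"access-list {cfg['nat0']} permit ip {local.network_address} {local.netmask} "
            f"{remote.network_address} {remote.netmask}")


if __name__ == "__main__":
    cfg = parse_pix(SAMPLE_CONFIG)
    for finding in audit_peer(cfg, "198.51.100.202", "192.168.38.0/24", "TomJ" if False else "192.168.0.0/24"):
        print("-", finding)
    print("fix:", nat0_fix(cfg, "192.168.38.0/24", "192.168.0.0/24"))
```

Run against the excerpt, the audit of the RV042 peer reports exactly the two gaps named in this thread (dynamic-map fallback and the missing nat 0 entry), and re-auditing after appending the generated access-list line leaves only the dynamic-map note, which is the expected state once the poster's fix is in place. The Clovis peer, which has a static map and a NAT exemption, audits clean.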
12-29-2010 04:13 PM
Thanks!!!
I can ping and RDP to the .38 subnet now.
It was working with the R910... weird.
Result of firewall command: "show cry isa sa"
Total : 2
Embryonic : 0
dst src state pending created
xxx.xxx.131.50 xxx.xxx.109.202 QM_IDLE 0 1
xxx.xxx.131.50 MaderaPublicIP QM_IDLE 0 1
Result of firewall command: "show cry ipsec sa"
interface: outside
Crypto map tag: outside_map, local addr. xxx.xxx.131.50
local ident (addr/mask/prot/port): (192.168.38.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (TJhome/255.255.255.0/0/0)
current_peer: xxx.xxx.174.234:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: xxx.xxx.131.50, remote crypto endpt.: xxx.xxx.174.234
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (192.168.38.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (Clovis/255.255.255.0/0/0)
current_peer: ClovisPublicIP:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 583402, #pkts encrypt: 583402, #pkts digest 583402
#pkts decaps: 488911, #pkts decrypt: 489259, #pkts verify 489259
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 9, #recv errors 0
local crypto endpt.: xxx.xxx.131.50, remote crypto endpt.: ClovisPublicIP
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: b6cdd596
inbound esp sas:
spi: 0x6e0a787f(1846179967)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 17, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4588983/15729)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xb6cdd596(3066942870)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 18, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4587655/15728)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (192.168.38.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (Oakurst/255.255.255.0/0/0)
current_peer: OakurstPublicIP:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 484038, #pkts encrypt: 484038, #pkts digest 484038
#pkts decaps: 368994, #pkts decrypt: 369042, #pkts verify 369042
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: xxx.xxx.131.50, remote crypto endpt.: OakurstPublicIP
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 49faf47a
inbound esp sas:
spi: 0xc4f036f4(3304077044)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 6, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4599137/15741)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x49faf47a(1241183354)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 5, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4604307/15741)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (192.168.38.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (Madera/255.255.255.0/0/0)
current_peer: MaderaPublicIP:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 258293, #pkts encrypt: 258293, #pkts digest 258293
#pkts decaps: 137202, #pkts decrypt: 137202, #pkts verify 137202
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: xxx.xxx.131.50, remote crypto endpt.: MaderaPublicIP
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: fccf0d4f
inbound esp sas:
spi: 0xfa9b1699(4204467865)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4605151/2356)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xfccf0d4f(4241427791)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4601504/2356)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (192.168.38.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (TomJ/255.255.255.0/0/0)
current_peer: xxx.xxx.109.202:500
PERMIT, flags={}
#pkts encaps: 241, #pkts encrypt: 241, #pkts digest 241
#pkts decaps: 227, #pkts decrypt: 227, #pkts verify 227
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: xxx.xxx.131.50, remote crypto endpt.: xxx.xxx.109.202
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 9f4bbe4c
inbound esp sas:
spi: 0xd1438cf9(3510865145)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 16, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4607957/28635)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x9f4bbe4c(2672541260)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 15, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4607947/28634)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
12-29-2010 03:58 PM
I'm not sure about the static or dynamic crypto map. How can I tell?
The old public and private IPs on the Netopia are the same.
12-29-2010 04:15 PM
Also, the 192.168.38.x subnet does not need access to the 192.168.0.x subnet.
But 192.168.0.x needs access to 192.168.38.x.
12-29-2010 04:24 PM
Perfect, looks like it uses dynamic map then. I assume all is back to normal now.
Please kindly mark the post as answered if you have no further question. Thank you.