03-20-2007 09:31 AM
Hi to all,
I have a PIX 506e (6.3.1); it has worked fine with site-to-site VPNs for 3 years.
Last week I was asked to make a new VPN with a branch office (I don't administer anything at the branch office). I created a classic VPN on my PIX (preshared key, 3DES, SHA), but it doesn't work.
With the command "sh crypto isakmp sa" I see the tunnel in QM_IDLE status like the other VPNs, but traffic doesn't pass, and the other administrator tells me that his firewall doesn't complete the authentication (is that possible?).
If I run the command "sh crypto ipsec sa" I see "send errors"; what does that mean?
This is the show output:
current_peer: 80.16.55.186:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 115, #recv errors 0
local crypto endpt.: 82.119.200.18, remote crypto endpt.: 80.16.55.186
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (172.17.1.232/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
Thanks a lot,
Augusto.
03-20-2007 09:44 AM
Augusto,
Can you please look into your NAT exemption ACL? Also, your ACL should match what the remote peer has configured; it should be a mirror image.
It seems you have an ACL as follows:
access-list
Please make sure that they have the proper NAT exemption for that.
Thanks,
Gilbert
Rate this post, if it helps.
03-20-2007 09:58 AM
Hi,
I checked the NAT exemption ACL and these are the rules (I also tried to create the VPN with PDM), so I think the ACL rules are right!
access-list inside_access_in permit ip any any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit ip 217.22.252.120 255.255.255.248 any
access-list outside_access_in permit ip 192.168.1.0 255.255.255.0 172.17.1.0 255.255.255.0
access-list outside_access_in permit ip 172.16.0.0 255.255.0.0 82.119.200.0 255.255.255.0
access-list outside_access_in permit ip 192.168.245.0 255.255.255.0 172.17.1.0 255.255.255.0
access-list outside_access_in permit tcp object-group cantel_external_fino host 82.119.200.20 object-group as400
access-list outside_access_in permit tcp host 82.119.198.154 host 82.119.200.19 object-group as400
access-list outside_access_in permit tcp host 82.119.198.154 host 82.119.200.19 eq ftp
access-list outside_access_in permit tcp object-group cantel_external_fino host 82.119.200.22 object-group cantel2
access-list outside_access_in permit tcp object-group cantel_external_fino host 82.119.200.21 object-group cantel1
access-list outside_access_in permit tcp object-group Easynet_server host 82.119.200.21 eq smtp
access-list outside_access_in remark da eliminare tra un po'
access-list inside_outbound_nat0_acl permit ip 172.17.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host 172.17.1.232 172.16.0.0 255.255.0.0
access-list inside_outbound_nat0_acl permit ip 172.17.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.17.1.0 255.255.255.0 10.39.0.0 255.255.240.0
access-list inside_outbound_nat0_acl permit ip 172.17.1.0 255.255.255.0 192.168.245.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.17.1.0 255.255.255.0 172.17.1.192 255.255.255.192
access-list outside_cryptomap_20 permit ip 172.17.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_40_1 permit ip host 172.17.1.232 172.16.0.0 255.255.0.0
access-list outside_cryptomap_60 permit ip 172.17.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_cryptomap_80 permit ip 172.17.1.0 255.255.255.0 10.39.0.0 255.255.240.0
access-list outside_cryptomap_80 permit ip 172.17.1.0 255.255.255.0 192.168.245.0 255.255.255.0
In my first post I sent the wrong "sh crypto isakmp sa"; the right one is this:
local ident (addr/mask/prot/port): (172.17.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.245.0/255.255.255.0/0/0)
current_peer: 80.16.55.186:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 16, #recv errors 0
local crypto endpt.: 82.119.200.18, remote crypto endpt.: 80.16.55.186
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Thanks a lot,
Augusto
03-20-2007 10:17 AM
Augusto,
It seems there is a problem with the IPsec SA creation.
Can you please clear the tunnel for the peer and turn on the following debugs:
deb cry isa sa
deb cry ipsec sa
Try to pass traffic and get me the outputs.
Also the output of:
sh run | in nat
03-21-2007 04:13 AM
Hi,
I discovered what my problem is: the other firewall (Cyberguard) uses the IP address as the "endpoint", whereas on the PIX the default endpoint is the "hostname", so if I force it to send the IP address, it works!
Thanks a lot for your help.
Augusto.
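As an added example (not part of the thread and not Cisco's code), a small Python triage script that reads a "sh crypto ipsec sa" entry like the one Augusto posted and flags the state Gilbert pointed at (outbound SPI 0 with send errors but zero encaps, i.e. Phase 2 never completed), and that prints the mirror-image crypto ACL the remote peer must configure. The sample text is constructed from the post, and the ACL name remote_cryptomap is an assumed placeholder.

```python
import re

# Constructed sample, trimmed from the "sh crypto ipsec sa" output posted above.
SAMPLE_SA = """\
local ident (addr/mask/prot/port): (172.17.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.245.0/255.255.255.0/0/0)
current_peer: 80.16.55.186:0
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 16, #recv errors 0
current outbound spi: 0
inbound esp sas:
outbound esp sas:
"""

def diagnose(sa_text):
    """Summarise Phase 2 state for one 'sh crypto ipsec sa' entry."""
    ident = dict(re.findall(r"(local|remote) ident .*?: \((\S+?/\S+?)/", sa_text))
    counters = {k: int(v) for k, v in
                re.findall(r"#(pkts encaps|pkts decaps|send errors|recv errors):? (\d+)", sa_text)}
    peer = re.search(r"current_peer: (\S+?):", sa_text).group(1)
    spi = re.search(r"current outbound spi: (\S+)", sa_text).group(1)
    phase2_up = spi != "0"          # PIX prints spi 0 while no IPsec SA exists
    findings = []
    if not phase2_up:
        findings.append("no IPsec SA (outbound SPI 0): Phase 2 never completed")
    if counters.get("send errors", 0) and counters.get("pkts encaps", 0) == 0:
        # Interpretation: packets matched the crypto ACL but had no SA to use.
        findings.append("%d send errors with 0 encaps: check ISAKMP identity, "
                        "mirror-image crypto ACL and NAT exemption" % counters["send errors"])
    return {"local": ident["local"], "remote": ident["remote"], "peer": peer,
            "send_errors": counters.get("send errors", 0),
            "phase2_up": phase2_up, "findings": findings}

def mirror_acl(line, name="remote_cryptomap"):
    """Swap src/dst of a PIX 'access-list NAME permit ip SRC DST' line to get
    the entry the remote peer must configure (Gilbert's mirror-image rule)."""
    toks = line.split()
    def take(t):                     # consume one address spec: any | host X | NET MASK
        n = 1 if t[0] == "any" else 2
        return t[:n], t[n:]
    src, rest = take(toks[4:])
    dst, rest = take(rest)
    return " ".join(["access-list", name, toks[2], toks[3]] + dst + src + rest)

if __name__ == "__main__":
    print(diagnose(SAMPLE_SA))
    print(mirror_acl("access-list outside_cryptomap_80 permit ip "
                     "172.17.1.0 255.255.255.0 192.168.245.0 255.255.255.0"))
```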