starting site to site vpn between pix 501's

techsitc10
Level 1

Hi

Another newbie question. I'm trying to add a site to site vpn between two pix 501's as well as the basic software access vpn to site 1. At present however I can't get the 2nd site to connect. This may be because they both go through separate routers to get to the internet. Although I'm not sure this makes a difference as they map straight through the external routers.

My set-up is like this:

pix 1: internal network 192.168.10.x

between pix and router 192.168.111.x

external ip: 83.166.180.99

to which I can connect software vpn clients no problem.

pix 2: internal ip: 192.168.20.x

between pix and router 192.168.120.x

external ip: 83.166.180.100

I've attached the results from the show crypto map command and the show ipsec command from pix 2.

I've attached the config from pix2 as well, which mirrors the info at pix 1 apart from the ip's being different.

any help would be appreciated

thanks

Suzanne

21 Replies

jwalker
Level 3

Suzanne -

Can you post the other firewall's config? Also, can you do a show crypto isakmp sa and sho crypto ipsec sa on both?

Thanks.

Jay

Hi Jay,

Here is the first pix config and the results of the show commands.

The others were included in the original post.

Thanks

Suzanne

Hi Jay,

You may want to ignore the above output from the show commands. I've run the clear commands on both and here is the new output.

I hope this helps.

Thanks

Suzanne

The command has been sent to the firewall

Result of firewall command: "show crypto isakmp sa"

Total : 0

Embryonic : 0

dst src state pending created

Result of firewall command: "show crypto ipsec sa"

interface: outside

Crypto map tag: outside_map, local addr. 192.168.111.2

local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)

current_peer: 83.166.180.101:0

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 192.168.111.2, remote crypto endpt.: 83.166.180.101

path mtu 1500, ipsec overhead 0, media mtu 1500

current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

Suzanne -

You need to make the following changes to the vitg config...

access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0

no access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.0

no access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

no access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

I don't know what the 192.168.20.0/24 subnet is for that is why I marked it for deletion. You may want to keep it, though.

***Please rate all useful posts.***

Cheers.

Jay
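As an added example (not code from the thread or from Cisco), here is a small Python check of the rule behind Jay's correction: the crypto-map ACL and the NAT-exemption ("nonat", applied with nat 0) ACL must name the same local and remote subnets, and the remote subnet must be the peer site's real internal LAN. If the two disagree, traffic is either translated before the crypto map sees it or never matches the crypto ACL at all, and the tunnel shows zero packets encapsulated. The two config snippets are constructed from the lines in Jay's post; the 192.168.1.0/24 peer subnet is the one he took from the attached config, and the ACL names and LAN addresses passed to the checker are assumptions for this site.

```python
"""
Added example, not from the thread: consistency check for a PIX 6.x
site-to-site crypto ACL and its nat 0 (NAT-exemption) ACL.
"""
import ipaddress
import re

# Matches 'access-list NAME permit ip SRC SMASK DST DMASK' (PIX 6.x syntax).
# 'no access-list ...' lines do not match, so they are treated as absent.
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+ip\s+"
    r"(?P<src>[\d.]+)\s+(?P<smask>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dmask>[\d.]+)"
)


def parse_acls(config_text):
    """Return {acl_name: [(src_net, dst_net), ...]} from config text."""
    acls = {}
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        # ipaddress accepts dotted netmasks, e.g. 192.168.10.0/255.255.255.0
        src = ipaddress.ip_network(f"{m['src']}/{m['smask']}")
        dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}")
        acls.setdefault(m["name"], []).append((src, dst))
    return acls


def check_tunnel_acls(config_text, crypto_acl, nonat_acl, local_net, peer_net):
    """Return a list of problem strings; an empty list means the ACLs agree."""
    acls = parse_acls(config_text)
    local = ipaddress.ip_network(local_net)
    peer = ipaddress.ip_network(peer_net)
    crypto = acls.get(crypto_acl, [])
    nonat = acls.get(nonat_acl, [])
    problems = []
    if not crypto:
        problems.append(f"{crypto_acl}: no 'permit ip' entries, nothing would be encrypted")
    for src, dst in crypto:
        if src != local:
            problems.append(f"{crypto_acl}: source {src} is not the local LAN {local}")
        if dst != peer:
            problems.append(f"{crypto_acl}: destination {dst} is not the peer LAN {peer}")
        if (src, dst) not in nonat:
            problems.append(
                f"{nonat_acl}: missing exemption for {src} -> {dst}; "
                "traffic would be NATed before the crypto map sees it"
            )
    for src, dst in nonat:
        if dst == src or dst == local:
            problems.append(f"{nonat_acl}: {src} -> {dst} exempts local-to-local traffic, remove it")
    return problems


# Constructed from the thread: the entries Jay's 'no ...' lines remove ...
BEFORE = """\
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
"""
# ... and the entries he adds in their place.
AFTER = """\
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        result = check_tunnel_acls(cfg, "outside_cryptomap_20", "nonat",
                                   "192.168.10.0/24", "192.168.1.0/24")
        print(label, result or "OK")
```

Run against the "before" snippet the checker reports that the crypto ACL points at 192.168.20.0/24 rather than the peer LAN and that the nonat ACL exempts 192.168.10.0/24 to itself; the "after" snippet passes. The check compares exact networks on purpose: a crypto ACL that is wider than the nonat ACL silently NATs the uncovered part.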

Hi Jay,

Thanks for that. You're right, I was connecting to the wrong subnet. I am still concerned that I am getting a connection to an unknown IP though.

The results of the show commands on pix 1 show a connection to an unknown IP address. When I look it up, it belongs to Zen, an ISP that is not providing the current internet connection. That is the 82.71.70.70 address.

Any ideas? Or should that be another post?

Thanks very much.

Suzanne

Result of firewall command: "show crypto ipsec sa"

interface: outside

Crypto map tag: outside_map, local addr. 192.168.111.2

local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

current_peer: 83.166.180.101:0

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 12, #recv errors 0

local crypto endpt.: 192.168.111.2, remote crypto endpt.: 83.166.180.101

path mtu 1500, ipsec overhead 0, media mtu 1500

current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)

current_peer: 83.166.180.101:0

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 17, #recv errors 0

local crypto endpt.: 192.168.111.2, remote crypto endpt.: 83.166.180.101

path mtu 1500, ipsec overhead 0, media mtu 1500

current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (192.168.10.204/255.255.255.255/0/0)

current_peer: 82.71.70.70:1036

dynamic allocated peer ip: 192.168.10.204

PERMIT, flags={transport_parent,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 192.168.111.2, remote crypto endpt.: 82.71.70.70

path mtu 1500, ipsec overhead 64, media mtu 1500

current outbound spi: 37b526e7

inbound esp sas:

spi: 0xa007cd31(2684865841)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel UDP-Encaps, }

slot: 0, conn id: 7, crypto map: outside_map

sa timing: remaining key lifetime (k/sec): (4608000/27993)

IV size: 8 bytes

replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x37b526e7(934618855)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel UDP-Encaps, }

slot: 0, conn id: 8, crypto map: outside_map

sa timing: remaining key lifetime (k/sec): (4608000/27993)

IV size: 8 bytes

replay detection support: Y

outbound ah sas:

outbound pcp sas:

Result of firewall command: "show crypto isakmp sa"

Total : 1

Embryonic : 0

dst src state pending created

192.168.111.2 82.71.70.70 QM_IDLE 0 1
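The output above carries the whole diagnosis if read carefully: the two site-to-site entries have no ESP SAs installed and a growing send-error count (phase 2 never completed), while the entry for 82.71.70.70 carries a "dynamic allocated peer ip" line, which is what a remote-access client receiving a pool address looks like; its public address is simply whatever ISP the user is connecting from. As an added example (not code from the thread or from Cisco), the Python below parses PIX 6.x "show crypto ipsec sa" and "show crypto isakmp sa" output and sorts each SA pair into those cases, so an unfamiliar peer address can be explained from the output rather than guessed at. The sample output is condensed from the post above; the list of expected site-to-site peers passed to the triage function is an assumption the administrator supplies, and the ISAKMP state hints are the usual meanings of those states, not anything printed by the firewall.

```python
"""
Added example, not from the thread: triage of PIX 6.x 'show crypto ipsec sa'
and 'show crypto isakmp sa' output.
"""
import re

# Usual meaning of the phase 1 (main mode) states the PIX reports.
ISAKMP_HINTS = {
    "MM_NO_STATE": "ISAKMP SA created, no policy agreed yet (peer unreachable or no matching policy)",
    "MM_SA_SETUP": "policy agreed, Diffie-Hellman exchange still pending",
    "MM_KEY_EXCH": "DH done, peers not yet authenticated; stuck here is typically a pre-shared key mismatch",
    "MM_KEY_AUTH": "authenticated, about to move to QM_IDLE",
    "QM_IDLE": "phase 1 complete and quiescent; phase 2 (IPsec) can be negotiated",
}


def isakmp_hint(state):
    return ISAKMP_HINTS.get(state, "unknown or transient state")


def parse_ipsec_sa(text):
    """Return one dict per SA pair; each pair starts with a 'local ident' line."""
    entries = []
    for chunk in re.split(r"(?=^[ \t]*local ident)", text, flags=re.M):
        if "local ident" not in chunk:
            continue

        def grab(pattern, default=None, cast=str):
            m = re.search(pattern, chunk, flags=re.M)
            return cast(m.group(1)) if m else default

        entries.append({
            "local": grab(r"local ident \(addr/mask/prot/port\): \(([\d.]+/[\d.]+)/"),
            "remote": grab(r"remote ident \(addr/mask/prot/port\): \(([\d.]+/[\d.]+)/"),
            "peer": grab(r"current_peer: ([\d.]+)"),
            # Present only for remote-access clients that got a pool address.
            "remote_access": grab(r"dynamic allocated peer ip: ([\d.]+)"),
            "encaps": grab(r"#pkts encaps: (\d+)", 0, int),
            "decaps": grab(r"#pkts decaps: (\d+)", 0, int),
            "send_errors": grab(r"#send errors (\d+)", 0, int),
            # Installed ESP SAs (inbound + outbound); 0 means phase 2 never completed.
            "esp_sas": len(re.findall(r"^[ \t]*spi: 0x", chunk, flags=re.M)),
        })
    return entries


def parse_isakmp_sa(text):
    """Return the rows of the 'dst src state pending created' table."""
    rows = []
    for m in re.finditer(r"^[ \t]*([\d.]+)\s+([\d.]+)\s+(\S+)\s+(\d+)\s+(\d+)", text, flags=re.M):
        dst, src, state, _pending, _created = m.groups()
        rows.append({"dst": dst, "src": src, "state": state, "hint": isakmp_hint(state)})
    return rows


def triage(entries, expected_peers):
    """Classify each SA pair as (KIND, peer, explanation)."""
    findings = []
    for e in entries:
        flow = f"{e['local']} -> {e['remote']}"
        if e["esp_sas"] == 0:
            findings.append(("NO_TUNNEL", e["peer"],
                             f"{flow}: no ESP SAs, {e['send_errors']} send errors; phase 2 never completed"))
        elif e["remote_access"]:
            findings.append(("REMOTE_ACCESS_CLIENT", e["peer"],
                             f"client holds pool address {e['remote_access']}; public address is wherever the user is"))
        elif e["peer"] not in expected_peers:
            findings.append(("UNEXPECTED_PEER", e["peer"], f"{flow}: live ESP SAs with a peer not on the expected list"))
        else:
            findings.append(("OK", e["peer"], f"{flow}: {e['encaps']} encaps / {e['decaps']} decaps"))
    return findings


# Constructed sample, condensed from the post above.
SAMPLE_IPSEC = """\
interface: outside
    Crypto map tag: outside_map, local addr. 192.168.111.2

   local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 83.166.180.101:0
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 12, #recv errors 0
     current outbound spi: 0
     inbound esp sas:
     outbound esp sas:

   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.204/255.255.255.255/0/0)
   current_peer: 82.71.70.70:1036
     dynamic allocated peer ip: 192.168.10.204
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
     current outbound spi: 37b526e7
     inbound esp sas:
      spi: 0xa007cd31(2684865841)
        transform: esp-3des esp-md5-hmac ,
     outbound esp sas:
      spi: 0x37b526e7(934618855)
        transform: esp-3des esp-md5-hmac ,
"""
SAMPLE_ISAKMP = """\
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
   192.168.111.2     82.71.70.70    QM_IDLE         0           1
"""

if __name__ == "__main__":
    for kind, peer, why in triage(parse_ipsec_sa(SAMPLE_IPSEC), {"83.166.180.101"}):
        print(f"{kind:22} {peer:16} {why}")
    for row in parse_isakmp_sa(SAMPLE_ISAKMP):
        print(f"{row['src']:16} {row['state']:12} {row['hint']}")
```

On the sample the site-to-site pair comes out as NO_TUNNEL with 12 send errors and the Zen address as REMOTE_ACCESS_CLIENT holding 192.168.10.204; a live ESP SA with a site-to-site peer that is not on the expected list is the case worth investigating, and that is the only one the function labels UNEXPECTED_PEER.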

Also, you need to set the ip addresses on the outside interfaces of both firewalls like below...

Pix6.35

ip address outside 83.166.180.101 255.255.255.X

vitg

ip address outside 83.166.180.99 255.255.255.X

Jay

Hi Jay,

If I set my outside ip like that then I lose all connection to the external internet.

It's currently set as

ip address outside dhcp setroute

as the pix gets its IP via DHCP from the outer router.

Is there some way round this?

Thanks

Suzanne

You need to have a static IP address for a site-to-site VPN to work well. The problem is you might end up having to change your config constantly unless you hard set the outside IP. Currently, your VPN settings require that the Pix6.35 have its IP set to .101 and the vitg4 set to .99. I am guessing that you didn't intend for the VPN to use the addresses, so you might have to change the VPN settings to the current outside IPs (if you must use DHCP).

Basically, I would HIGHLY recommend using static IPs if at all possible. You will save yourself lots of trouble later.

Jay

Hi Jay,

Actually the set up is as follows and this is what I was trying to ask initially.

I have a router with the external ip

.101

it has an internal subnetwork

of x.x.111.x

the pix is then given the ip

x.x.111.2

although everything else in that subnet is allocated by dhcp the pix is automatically allocated the .2 address, so this never changes.

However as soon as I hard set the outside ip in the pix config I lose connection to the external world.

I'm happy to take your advice but I can't get it to work.

Suzanne

I think your problem is an arp cache issue on the router. Basically, when you are hardsetting the IP on the firewall it is confusing the router. The router's ARP table is wrong, so it cannot resolve your IP to MAC any more. To clear the router's ARP cache, you can reboot the router or clear the arp cache on the router (the command differs based on brand).

*** Please rate all useful posts.***

Cheers.

Jay

Hi Jay,

You've been wonderfully helpful. Although I'm not sure I'm any further on and will have to call it a day.

OK I've reset the router.

The firewall will still not allow external access if I hardset it.

I no longer appear to be creating IPsec tunnels, although the IKE ones register. This was actually the case after I changed the access list, not anything to do with the recent router reboot.

Thanks

Suzanne

will try again tomorrow...

Suzanne,

Yes there is. You'll need to create a dynamic crypto map and associated isakmp configuration. The config is basically identical to a remote access VPN setup, except that you need to tell the PIX not to NAT tunnelled networks. You can do that using a policy NAT 0 access-list.

Hope this helps.

Mark.

Hi Mark,

I think I've got that sorted.

I now get a

MM_KEY_EXCH

state when I do a show crypto isakmp ...

so I guess it's not authenticating properly or the tunnel isn't being set up.

Have I missed something?

Do I need to declare access lists specifically for the tunnel for each protocol, as basically I would want all traffic to that IP range to go automatically?

Thanks

Suzanne
