851 VPN to Firebox

ctd_77801
Level 1

We are trying to configure an 851 to work with a Firebox and are not able to bring the tunnel up.

We don't have access to the firebox, but the vendor gave us the following information to configure our 851:

___________________________________

Phase 1, Main Mode, falls back to Aggressive

3DES/SHA1, DH Group 1, SA Life 8 hours.

Phase 2, ESP, 3DES, SHA1, NO PFS

local LAN (192.168.27.0/24)

We're passing ALL traffic between the two networks (all TCP/UDP).

YOUR SIDE - CISCO

LAN 10.10.10.0/24

___________________________________

When I go through the VPN setup wizard on my router I get the following for "Generate Mirror config"

*******************************

crypto isakmp policy 1
 authentication pre-share
 encr 3des
 hash sha
 group 1
 lifetime 28800
 exit
crypto isakmp key (preshare key) address (public ip address of my 851)
crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmac esp-3des
 mode tunnel
 exit
ip access-list extended SDM_1
 remark SDM_ACL Category=4
 remark IPSec Rule
 permit ip 192.168.27.0 0.0.0.255 10.10.10.0 0.0.0.255
 exit
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Apply the crypto map on the peer router's interface having IP address (public ip address of the remote firewall) that connects to this router.
 set transform-set ESP-3DES-SHA
 set peer (public ip address of my 851)
 match address SDM_1
 exit

******************************************************************

I am attaching the 851 config.

The only issue which might impact this is that I can't ping the private side of the Firebox interface, but I didn't think that would cause the tunnel not to come up.

I have also set this same config up locally using an 871 as the remote and a 3825 as the central interface, working fine.

Thanks,

4 Replies

ajagadee
Cisco Employee

Can you post the outputs of "deb cry is" and "deb cry ips" when you try to bring up the tunnel.

Regards,

Arul

I have included the attachment.

55.55.55.55 is the side with the 851.

77.77.77.77 is the side with the firebox.

This debug was captured while I was doing the test tunnel interface in SDM.

The SDM message showed

Failure Reason

The peer 55.55.55.55 is responding but the VPN tunnel in not established. IPSec policies of this router are not matching with the IPSec policies of the peer device.

Recommended Action

If the IPSec policy parameters of the peer device is known then go to 'Configure->VPN->VPN Components->IPSec->IPSec Policies', select this IPSec policy, click on 'Edit' and ensure that policy parameters are correct. 2) Generate the mirror configuration from 'Configure->VPN->Site to site VPN->Edit Site to Site VPN' and match it with the peer device's IPSec policy.


Based on the debugs, there are couple of things I would check on the remote site:

1. Transform set

2. IPSEC ACLs

Also, make sure that your routing is configured correctly. Meaning, there is a 130.177.117.56 address as local and your default gateway is pointing to 208.180.11.1.

Regards,

Arul

** Please rate all helpful posts **
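The two things Arul lists (transform set and IPsec ACLs) plus the phase 1 policy are exactly what SDM's "IPSec policies of this router are not matching" message covers. The following is an added example, not code from the thread or from any of its posters: it parses the SDM-style crypto stanzas from the mirror config above and checks them against the Firebox policy the vendor described, including the direction of the proxy-ID ACL, which must be mirrored exactly on the two ends. The pre-shared key and the 55.55.55.55 peer address are placeholders constructed for the sample, and the parser only understands the handful of stanza shapes SDM emits.

```python
"""Check an IOS crypto config against the IKE/IPsec policy a peer says it needs.
Added example for the thread above; the sample config and policy are constructed."""
import ipaddress

# Constructed sample: the SDM mirror config from the thread with its
# placeholders filled by obviously fake values (PLACEHOLDER_PSK, 55.55.55.55).
MIRROR_CONFIG = """
crypto isakmp policy 1
 authentication pre-share
 encr 3des
 hash sha
 group 1
 lifetime 28800
 exit
crypto isakmp key PLACEHOLDER_PSK address 55.55.55.55
crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmac esp-3des
 mode tunnel
 exit
ip access-list extended SDM_1
 remark SDM_ACL Category=4
 remark IPSec Rule
 permit ip 192.168.27.0 0.0.0.255 10.10.10.0 0.0.0.255
 exit
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set transform-set ESP-3DES-SHA
 set peer 55.55.55.55
 match address SDM_1
 exit
"""

# The Firebox policy as the vendor stated it in the thread.
VENDOR_POLICY = {
    "ike_encr": "3des", "ike_hash": "sha", "ike_group": "1", "ike_lifetime": "28800",
    "esp": {"esp-3des", "esp-sha-hmac"},
    "pfs": None,  # "NO PFS"
    "firebox_lan": ipaddress.ip_network("192.168.27.0/24"),
    "cisco_lan": ipaddress.ip_network("10.10.10.0/24"),
}


def wildcard_to_network(addr, wildcard):
    """IOS ACLs use wildcard masks (inverted netmasks); assumes a contiguous mask."""
    prefix = 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_crypto_config(text):
    """Line-oriented parser for the isakmp policy, transform-set, ACL and crypto map stanzas."""
    cfg = {"isakmp": {}, "transforms": set(), "acl": [], "map": {}}
    section = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "exit":
            section = None
        elif parts[:3] == ["crypto", "isakmp", "policy"]:
            section = "isakmp"
        elif parts[:3] == ["crypto", "ipsec", "transform-set"]:
            section = "transform"
            cfg["transforms"] = set(parts[4:])          # e.g. {esp-sha-hmac, esp-3des}
        elif parts[:3] == ["ip", "access-list", "extended"]:
            section = "acl"
        elif parts[:2] == ["crypto", "map"] and len(parts) >= 5:
            section = "map"
        elif section == "isakmp" and len(parts) == 2:   # encr/hash/group/lifetime/authentication
            cfg["isakmp"][parts[0]] = parts[1]
        elif section == "acl" and parts[0] == "permit":  # permit ip SRC SWILD DST DWILD
            cfg["acl"].append((wildcard_to_network(parts[2], parts[3]),
                               wildcard_to_network(parts[4], parts[5])))
        elif section == "map" and parts[0] == "set":     # set peer / set pfs / set transform-set
            cfg["map"][parts[1]] = " ".join(parts[2:])
        elif section == "map" and parts[0] == "match":
            cfg["map"]["match"] = parts[2]
    return cfg


def check_policy(cfg, policy, config_is_mirror):
    """Return a list of mismatches (empty means the two sides agree).

    config_is_mirror=True: the text is SDM's mirror config, i.e. what the *peer*
    applies, so the ACL source must be the Firebox LAN. False: it is the 851's own
    config, so source and destination are the other way round."""
    problems = []
    ike = cfg["isakmp"]
    for key, want in (("encr", policy["ike_encr"]), ("hash", policy["ike_hash"]),
                      ("group", policy["ike_group"]), ("lifetime", policy["ike_lifetime"])):
        if ike.get(key) != want:
            problems.append(f"phase 1 {key}: have {ike.get(key)!r}, peer wants {want!r}")
    if cfg["transforms"] != policy["esp"]:
        problems.append(f"phase 2 transforms {sorted(cfg['transforms'])} != {sorted(policy['esp'])}")
    if policy["pfs"] is None and "pfs" in cfg["map"]:
        problems.append("crypto map sets PFS but the peer negotiates without PFS")
    src, dst = ((policy["firebox_lan"], policy["cisco_lan"]) if config_is_mirror
                else (policy["cisco_lan"], policy["firebox_lan"]))
    if (src, dst) not in cfg["acl"]:
        problems.append(f"IPsec ACL has no {src} -> {dst} entry (proxy IDs must mirror exactly)")
    return problems


if __name__ == "__main__":
    cfg = parse_crypto_config(MIRROR_CONFIG)
    for line in check_policy(cfg, VENDOR_POLICY, config_is_mirror=True) or ["no mismatches found"]:
        print(line)
```

The mirror config passes as a peer-side config; the same text checked with config_is_mirror=False is flagged on the ACL, which is the classic mistake of pasting a mirror config onto the wrong box. This is a static pre-check only; the debug crypto isakmp / debug crypto ipsec output Arul asked for remains the authoritative view of what the two ends actually proposed. Note also that 3DES, SHA-1 and DH group 1 (768-bit MODP) are far below current practice; if the Firebox side can be changed, AES with a larger DH group is the safer choice.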

Okay I had not noticed that address and have no idea where it would be coming from.

10.10.10.x is my remote LAN and 192.168.27.x is my central LAN. It is not one of my public networks either. Maybe coming from the firebox?

----------------------------------------

If I did need to put a route statement for this network, wouldn't I need to add it to the access list and not make an actual route statement? Please correct me if I'm wrong.

Thanks,
