PIX 501 VPN and IP Phones

Unanswered Question
Mar 31st, 2008

Hi All... I'm having a strange problem.

We recently migrated all of our Lan to Lan VPNs from a 7206 with an ISA card over to our ASA 5520 firewalls. There are just a handful of users that are experiencing a strange issue.

We use Cisco VoIP and our employees have an IP phone that they use over the VPN. With the old setup with the VPNs connecting to the 7206, we never had any issues, it was rock solid and always worked. Ever since we migrated to the ASA, the phones spend probably 90% of the time trying to reregister with Call Manager (10.1.100.0 or 10.1.101.0). Also, some are able to make and receive calls just fine, while a few others can hear the other people, but they can't talk to people. I wonder if something isn't messed up with the NAT exclusion? They also have problems with SAs that time out. Example: VPN host 10.200.218.101 has an SA with 10.220.22.0 and 10.1.1.0... When 10.220.22.0 times out, the only way to get that SA to come back up again is to reset the VPN connection. It's weird. All of the PIXs have the same config, just the 10.200.x.0 IP is changed. Many of them are behind NAT devices (home routers etc.), but this was never a problem before with the 7206 setup.

Below is the config for the ASA as well as the 7206 for a sort of before-and-after comparison. I will attach a PIX 501 config in a separate post.

Another issue... when we migrated to the ASAs for the VPNs, I implemented EasyVPN on as many remote PIXs as possible (about 90 or so). There are a few that will just randomly not connect to the ASA. The ASA will show the peer trying to connect, but will show a log entry similar to: Peer= <Ip>; no match found, removing peer. It will show that a few times, then all of a sudden Phase 1 will complete and all will be fine. Any ideas what could be causing that?

What a headache! I'd appreciate any help you could give. Thanks.

7206:

-----------------

crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key <key> address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set tangoset esp-des esp-md5-hmac
!
crypto dynamic-map tangomap 10
 set transform-set tangoset
 qos pre-classify
!
crypto map tangotrans 10 ipsec-isakmp dynamic tangomap
!
!
interface FastEthernet0/0
 description ...
 bandwidth 100000
 ip address ...
 ip access-group 197 in
 no ip redirects
 no ip proxy-arp
 rate-limit input access-group 196 128000 8000 8000 conform-action transmit exceed-action drop
 rate-limit output access-group 196 128000 8000 8000 conform-action transmit exceed-action drop
 ip route-cache flow
 no ip mroute-cache
 duplex full
 speed 100
 crypto map tangotrans

ASA 5520:

---------------

crypto ipsec transform-set mySET esp-3des esp-md5-hmac
crypto dynamic-map myDYN-MAP 5 set transform-set mySET
crypto dynamic-map myDYN-MAP 5 set reverse-route
crypto map myMAP 60 ipsec-isakmp dynamic myDYN-MAP
crypto map myMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20

rtjensen4 Mon, 03/31/2008 - 08:45

PIX 501 config:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname
domain-name ...
clock timezone CST -6
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nonat permit udp 10.200.218.0 255.255.255.0 10.0.0.0 255.0.0.0 range 16384 32767
access-list nonat permit ip 10.200.218.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 10.200.218.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list nonat permit ip 10.200.218.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list nonat permit ip 10.200.218.0 255.255.255.0 10.1.101.0 255.255.255.0
access-list nonat permit ip 10.200.218.0 255.255.255.0 10.4.5.0 255.255.255.0
access-list 101 permit udp 10.200.218.0 255.255.255.0 10.0.0.0 255.0.0.0 range 16384 32767
access-list 101 permit ip 10.200.218.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 101 permit ip 10.200.218.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list 101 permit ip 10.200.218.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list 101 permit ip 10.200.218.0 255.255.255.0 10.1.101.0 255.255.255.0
access-list 101 permit ip 10.200.218.0 255.255.255.0 10.4.5.0 255.255.255.0
no pager
logging on
logging buffered warnings
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.200.218.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
snmp-server host inside 10.1.1.25 poll
no snmp-server location
no snmp-server contact
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set tangoset esp-3des esp-md5-hmac
crypto map tangomap 10 ipsec-isakmp
crypto map tangomap 10 match address 101
crypto map tangomap 10 set peer <>
crypto map tangomap 10 set transform-set tangoset
crypto map tangomap interface outside
isakmp enable outside
isakmp key <..> address <..> netmask 255.255.255.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 10.200.218.101-10.200.218.111 inside
dhcpd dns 10.1.1.20 10.1.1.23
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

rtjensen4 Tue, 12/23/2008 - 13:17

Yes,

TAC informed me that the ASAs don't process the access lists the same way the 7206 does and can't open up SAs based on a range of ports. Because of this, our old config would not work.

We changed the VPN config such that all 10.0.0.0/8 (our internal network) is encrypted and then applied a filter to a group-policy that's applied to the tunnel-group. Works great. The filter ACL works just like a normal ACL. It could potentially cause a little more overhead on the central ASA, but so far that's not been an issue.

Here's an example of what it looks like on the Hub ASA:

tunnel-group DefaultL2LGroup general-attributes
 default-group-policy vpn-L2LFilter
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
group-policy vpn-L2LFilter internal
group-policy vpn-L2LFilter attributes
 vpn-filter value vpn-L2LFilter
access-list vpn-L2LFilter remark L2L VPN User Filter.
access-list vpn-L2LFilter extended permit ip 10.200.192.0 255.255.192.0 10.1.1.0 255.255.255.0
access-list vpn-L2LFilter extended permit udp 10.200.192.0 255.255.192.0 10.0.0.0 255.0.0.0 range 16384 32767
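As an added example (not code from the thread, from rtjensen4 or from Cisco): a small Python linter for a PIX 6.3 spoke config that flags the two problems this thread turns on. The first is a crypto ACL entry that carries a port range, which per TAC's explanation above the ASA hub cannot open an SA for; the second is a crypto ACL entry that the NAT-exemption ACL (`nat (inside) 0 access-list nonat`) does not cover, so that traffic is PATed by `nat (inside) 1` before the crypto map ever matches it, which is the "NAT exclusion" mismatch the original post wondered about. The `SPOKE_BEFORE` sample is constructed by trimming the PIX config posted earlier (with 10.4.5.0/24 deliberately dropped from `nonat` so the second check fires); `SPOKE_AFTER` is an assumption of what the spoke side of the 10.0.0.0/8 fix looks like, since the reply shows only the hub side.

```python
"""Lint a PIX 6.3 spoke VPN config for the two problems discussed in this thread:
crypto ACL entries with a UDP port range (the ASA hub will not negotiate an SA
for that proxy ID) and crypto ACL entries not covered by the NAT-exemption ACL
(PATed before the crypto map matches). Standalone example, not from the thread."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) permit (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<smask>\S+) (?P<dst>\S+) (?P<dmask>\S+)"
    r"(?: range (?P<lo>\d+) (?P<hi>\d+))?$"
)
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (?P<acl>\S+)$")
NONAT_RE = re.compile(r"^nat \(\S+\) 0 access-list (?P<acl>\S+)$")


@dataclass(frozen=True)
class Ace:
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Optional[Tuple[int, int]]  # destination port range, if present

    def covers(self, other: "Ace") -> bool:
        """True if every packet matched by `other` is also matched by this entry."""
        if self.proto not in ("ip", other.proto):
            return False
        if not (other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)):
            return False
        if self.ports is None:
            return True
        if other.ports is None:
            return False
        return self.ports[0] <= other.ports[0] and other.ports[1] <= self.ports[1]


def _net(ip: str, mask: str) -> ipaddress.IPv4Network:
    # PIX writes "address netmask"; ip_network accepts "address/netmask".
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def parse_config(text: str) -> Tuple[Dict[str, List[Ace]], Optional[str], Optional[str]]:
    """Return (ACLs by name, crypto ACL name, NAT-exemption ACL name)."""
    acls: Dict[str, List[Ace]] = {}
    crypto_acl = nonat_acl = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := ACE_RE.match(line)):
            ports = (int(m["lo"]), int(m["hi"])) if m["lo"] else None
            acls.setdefault(m["name"], []).append(
                Ace(m["proto"], _net(m["src"], m["smask"]), _net(m["dst"], m["dmask"]), ports))
        elif (m := MATCH_RE.match(line)):
            crypto_acl = m["acl"]
        elif (m := NONAT_RE.match(line)):
            nonat_acl = m["acl"]
    return acls, crypto_acl, nonat_acl


def lint(text: str) -> List[str]:
    """Return one human-readable finding per problem; an empty list means clean."""
    acls, crypto_name, nonat_name = parse_config(text)
    crypto = acls.get(crypto_name, []) if crypto_name else []
    nonat = acls.get(nonat_name, []) if nonat_name else []
    findings: List[str] = []
    if not crypto:
        findings.append("no crypto ACL referenced by 'crypto map ... match address'")
    for ace in crypto:
        flow = f"{ace.proto} {ace.src} -> {ace.dst}"
        if ace.ports is not None:
            findings.append(f"port-range proxy ID in {crypto_name}: {flow} ports "
                            f"{ace.ports[0]}-{ace.ports[1]}; the ASA hub will not build an SA for it")
        if not any(n.covers(ace) for n in nonat):
            findings.append(f"not NAT-exempted: {flow} is in {crypto_name} but no "
                            f"{nonat_name} entry covers it, so it is PATed before encryption")
    return findings


# Constructed sample, trimmed from the PIX config posted in the thread; the
# 10.4.5.0/24 line is deliberately left out of 'nonat' so the second check fires.
SPOKE_BEFORE = """
access-list nonat permit udp 10.200.218.0 255.255.255.0 10.0.0.0 255.0.0.0 range 16384 32767
access-list nonat permit ip 10.200.218.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 10.200.218.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list 101 permit udp 10.200.218.0 255.255.255.0 10.0.0.0 255.0.0.0 range 16384 32767
access-list 101 permit ip 10.200.218.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 101 permit ip 10.200.218.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list 101 permit ip 10.200.218.0 255.255.255.0 10.4.5.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map tangomap 10 match address 101
"""

# Assumed spoke side of the fix described in the reply: encrypt all of
# 10.0.0.0/8 and leave per-flow restriction to the hub's vpn-filter.
SPOKE_AFTER = """
access-list nonat permit ip 10.200.218.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list 101 permit ip 10.200.218.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list nonat
crypto map tangomap 10 match address 101
"""

if __name__ == "__main__":
    for label, cfg in (("before", SPOKE_BEFORE), ("after", SPOKE_AFTER)):
        print(f"{label}: {lint(cfg) or ['clean']}")
```

Run against the "before" config it reports the port-range entry in ACL 101 and the un-exempted 10.4.5.0/24 flow; the "after" config comes back clean, which is the property the hub-side `vpn-filter` then relies on: the spoke encrypts everything to 10.0.0.0/8, and the narrowing to CallManager subnets and the RTP port range happens in the filter ACL on the ASA rather than in the proxy IDs.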
