VPN termination on Pix behind IOS Router with Private Subnet

Answered Question
Apr 8th, 2008

Ok, basically I am wondering if it is possible to terminate a VPN connection on a Pix 506 Firewall that is located behind an IOS router. The public interface of the Pix 506 has a private IP address on a /29 going to the IOS inside interface. The network is set up as follows:



Internet as 10Base T
   | (5 Public X.X.X.34-.38)
   | (Into WIC-1ENET)
   | (.34 assigned to interface)
Cisco 1760
   | (FastE)                    | (WIC-4PORTSWITCH)
   |                            | (10.0.0.1 /29 on 1760)
Private Net                  Pix 506
(192.168.1.0)                (10.0.0.2 /29 on Pix)


Now, both internal interfaces of the 1760 are configured for PAT out the interface IP of the 1760 and all internet traffic passes perfectly. No access-lists are currently applied anywhere on the 1760, and a static translation on the 1760 is set up for .35 to 10.0.0.2 (the Pix "public" IP). RDP and other services allowed in the Pix access-list work perfectly fine from the outside world when accessing .35; however, if I try to terminate a VPN from a Pix 501 offsite to the Pix 506 using the .35 IP, it doesn't work.


Is there any way to make this type of setup work?


I realize that I could put a switch external to the 1760 and run the public subnet directly and individually into the 1760 and Pix 506; however, I'd really prefer not to need to do that if it is possible to avoid it.

Correct Answer by kaachary about 9 years 3 months ago

Remove the crypto map from the interface on the PIX and reapply it.

caplinktech Wed, 04/09/2008 - 08:41

Hi Yaser,


I believe I have already gotten this when I set aside a static translation on the IOS router.


I.e., my gateway IP on the IOS is .34, but I have:


ip nat inside source static 10.0.0.2 X.X.X.35


The problem comes in on the termination on the Pix. Crypto debug on the pix gives the following:


crypto_isakmp_process_block:src:X.X.X.158, dest:10.0.0.2 spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:X.X.X.158, dest:10.0.0.2 spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:X.X.X.158, dest:10.0.0.2 spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
pix506e# debug cry ips
pix506e#
crypto_isakmp_process_block:src:X.X.X.158, dest:10.0.0.2 spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
pix506e#
crypto_isakmp_process_block:src:X.X.X.158, dest:10.0.0.2 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2980242619
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5IPSEC(validate_proposal): invalid local address 10.0.0.2
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
pix506e#
crypto_isakmp_process_block:src:X.X.X.158, dest:10.0.0.2 spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:X.X.X.158, dest:10.0.0.2 spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:X.X.X.158, dest:10.0.0.2 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 4232657284
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5IPSEC(validate_proposal): invalid local address 10.0.0.2
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
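A small triage script, added here and not part of the thread, that reads the kind of `debug crypto isakmp` output quoted above and names the conditions a responder-side engineer looks for. The sample lines are constructed from the post with a documentation-range address standing in for the elided peer IP, and the reading of `invalid local address` follows the fix accepted later in the thread (reapplying the crypto map).

```python
import re
from collections import Counter

# Constructed sample modelled on the debug lines quoted above; 198.51.100.158
# is a documentation-range placeholder for the remote Pix 501's public address.
SAMPLE_DEBUG = """\
crypto_isakmp_process_block:src:198.51.100.158, dest:10.0.0.2 spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:198.51.100.158, dest:10.0.0.2 spt:500 dpt:500
OAK_QM exchange
ISAKMP (0): processing SA payload. message ID = 2980242619
ISAKMP: transform 1, ESP_DES
ISAKMP: authenticator is HMAC-MD5IPSEC(validate_proposal): invalid local address 10.0.0.2
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
"""

# Each signature: (name, pattern, what the responder-side engineer reads into it).
SIGNATURES = [
    ("invalid_local_address", re.compile(r"invalid local address (\S+)"),
     "IPsec proposal rejected for local address {0}: the crypto map bound to the "
     "interface no longer matches it; remove and reapply the crypto map"),
    ("malformed_payload", re.compile(r"reserved not zero on payload|malformed payload"),
     "responder could not parse a payload from the peer"),
    ("no_proposal_chosen", re.compile(r"sending NOTIFY message 14 protocol 0"),
     "responder answered NOTIFY 14 (NO-PROPOSAL-CHOSEN); the initiator will keep retrying"),
]
PEER_RE = re.compile(r"src:(\S+), dest:(\S+) spt:(\d+) dpt:(\d+)")

def triage(debug_text):
    """Return (peer, counts, findings): the src/dest/port of the last
    crypto_isakmp_process_block line, how often each signature fired, and one
    human-readable finding per signature in first-seen order."""
    peer, counts, findings = None, Counter(), []
    for line in debug_text.splitlines():
        m = PEER_RE.search(line)
        if m:
            peer = {"src": m.group(1), "dest": m.group(2), "port": int(m.group(4))}
            continue
        for name, pattern, meaning in SIGNATURES:
            m = pattern.search(line)
            if m:
                counts[name] += 1
                if counts[name] == 1:          # report each condition once
                    findings.append(meaning.format(*m.groups()))
    return peer, counts, findings
```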



kaachary Wed, 04/09/2008 - 09:24
User Badges:
  • Cisco Employee,

Try enabling isakmp nat-traversal on the PIX and on the remote vpn endpoint.

caplinktech Wed, 04/09/2008 - 11:29

Still nothing; a little more debugging came up on the termination Pix related to NAT-T.


Debug on Term Pix:


ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match MINE hash
hash received: c2 e 4 86 19 d3 3b f1 43 1f a0 a1 76 51 4d ea
my nat hash : 6 87 79 46 58 a8 60 31 76 19 b4 1 44 73 30 f2
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match HIS hash
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:X.X.X.158, dest:10.0.0.2 spt:4500 dpt:4500
ISAKMP (0): processing DELETE payload. message ID = 1159754487, spi size = 16
ISAKMP (0): deleting SA: src X.X.X.158, dst 10.0.0.2
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:X.X.X.158, dest:10.0.0.2 spt:4500 dpt:4500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP: Locking UDP_ENC struct 0xeede04 from crypto_ikmp_udp_enc_ike_init, count 2
ISAKMP (0): ID payload
next-payload : 8
type : 2
protocol : 17
port : 0
length : 29
ISAKMP (0): Total payload length: 33
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Peer ip:X.X.X.158/4500 Ref cnt incremented to:2 Total VPN Peers:1
crypto_isakmp_process_block:src:X.X.X.158, dest:10.0.0.2 spt:4500 dpt:4500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 972594028
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 61443
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5IPSEC(validate_proposal): invalid local address 10.0.0.2
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
ISADB: reaper checking SA 0xf830dc, conn_id = 0
ISADB: reaper checking SA 0xf87bc4, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:X.X.X.158/4500 Ref cnt decremented to:1 Total VPN Peers:1IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with X.X.X.158
ISAKMP: Unlocking UDP ENC struct 0xeede04 from isadb_free_isakmp_sa, count 1
ISADB: reaper checking SA 0xf830dc, conn_id = 0
crypto_isakmp_process_block:src:X.X.X.158, dest:10.0.0.2 spt:4500 dpt:4500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:X.X.X.158, dest:10.0.0.2 spt:4500 dpt:4500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:X.X.X.158, dest:10.0.0.2 spt:4500 dpt:4500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1134345080
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 61443
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5IPSEC(validate_proposal): invalid local address 10.0.0.2

caplinktech Wed, 04/09/2008 - 11:30

Debug on Endpoint Pix:


ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:X.X.X.35, dest:X.X.X.158 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISADB: reaper checking SA 0xb14674, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:X.X.X.35/4500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:X.X.X.35/4500 Total VPN peers:0IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with X.X.X.35
ISADB: reaper checking SA 0xb15a64, conn_id = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match MINE hash
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match HIS hash
hash received: 6 87 79 46 58 a8 60 31 76 19 b4 1 44 73 30 f2
his nat hash : c2 e 4 86 19 d3 3b f1 43 1f a0 a1 76 51 4d ea
ISAKMP (0): ID payload
next-payload : 8
type : 2
protocol : 17
port : 0
length : 32
ISAKMP (0): Total payload length: 36
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:X.X.X.35, dest:X.X.X.158 spt:4500 dpt:4500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of 972594028:39f89b6cIPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xa5a57166(2779083110) for SA
from X.X.X.35 to X.X.X.158 for prot 3
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:X.X.X.35, dest:X.X.X.158 spt:4500 dpt:4500
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 3212261154
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with X.X.X.35
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:X.X.X.35, dest:X.X.X.158 spt:4500 dpt:4500
ISAKMP (0): processing NOTIFY payload 24576 protocol 1
spi 0, message ID = 1695733518
ISAKMP (0): processing responder lifetime
ISAKMP (0): phase 1 responder lifetime of 1000s
return status is IKMP_NO_ERR_NO_TRANS
VPN Peer: ISAKMP: Added new peer: ip:X.X.X.35/4500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:X.X.X.35/4500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:X.X.X.35, dest:X.X.X.158 spt:4500 dpt:4500
ISAKMP (0): processing NOTIFY payload 14 protocol 0
spi 0, message ID = 2020318343IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with X.X.X.35
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0x39f89b6cIPSEC(key_engine): request timer fired: count = 2,
(identity) local= X.X.X.158, remote= X.X.X.35,
local_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4)



caplinktech Wed, 04/09/2008 - 11:30

Endpoint Pix Debug Cont'd:


ISAKMP (0): retransmitting phase 2 (1/0)... mess_id 0x39f89b6c
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1134345080:439cbb78IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x28fd75c2(687699394) for SA
from X.X.X.35 to X.X.X.158 for prot 3
crypto_isakmp_process_block:src:X.X.X.35, dest:X.X.X.158 spt:4500 dpt:4500
ISAKMP (0): processing NOTIFY payload 14 protocol 0
spi 0, message ID = 1501316443IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with X.X.X.35
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0x39f89b6c
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0x439cbb78
ISAKMP (0): retransmitting phase 2 (3/0)... mess_id 0x39f89b6cIPSEC(key_engine): request timer fired: count = 1,
(identity) local= X.X.X.158, remote= X.X.X.35,
local_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4)
ISAKMP (0): retransmitting phase 2 (1/0)... mess_id 0x439cbb78
ISAKMP (0): beginning Quick Mode exchange, M-ID of 91092403:56df5b3IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x51f52705(1375020805) for SA
from X.X.X.35 to X.X.X.158 for prot 3
crypto_isakmp_process_block:src:X.X.X.35, dest:X.X.X.158 spt:4500 dpt:4500
ISAKMP (0): processing NOTIFY payload 14 protocol 0
spi 0, message ID = 1126062686IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with X.X.X.35
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (4/0)... mess_id 0x39f89b6c
ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0x439cbb78
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0x56df5b3
ISAKMP (0): retransmitting phase 2 (5/0)... mess_id 0x39f89b6cIPSEC(key_engine): request timer fired: count = 2,
(identity) local= X.X.X.158, remote= X.X.X.35,
local_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4)
ISAKMP (0): retransmitting phase 2 (3/1)... mess_id 0x439cbb78
ISAKMP (0): retransmitting phase 2 (1/1)... mess_id 0x56df5b3
ISAKMP (0): retransmitting phase 2 (4/1)... mess_id 0x439cbb78
ISAKMP (0): retransmitting phase 2 (2/1)... mess_id 0x56df5b3
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1555030973:5cafe3bdIPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xb2411ad4(2990611156) for SA
from X.X.X.35 to X.X.X.158 for prot 3
crypto_isakmp_process_block:src:X.X.X.35, dest:X.X.X.158 spt:4500 dpt:4500
ISAKMP (0): processing NOTIFY payload 14 protocol 0
spi 0, message ID = 574268319IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with X.X.X.35
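The NAT-D mismatch seen in the two debugs above (MINE fails on the termination Pix, HIS fails on the endpoint Pix) can be reproduced from the RFC 3947 definition of the payload: each side hashes the addresses as it believes them to be, and the 1760's static translation of 10.0.0.2 to .35 makes the two computations disagree for exactly one peer. This is an added illustration, not code from the thread; the cookies and the two public addresses are constructed placeholders, and MD5 is assumed as the phase 1 hash, which is consistent with the 16-byte digests printed in the debugs.

```python
import hashlib
import ipaddress
import struct

def nat_d_hash(cky_i, cky_r, ip, port, algo="md5"):
    """RFC 3947 NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), with IP
    packed and Port as a 2-byte big-endian value. A NAT in the path rewrites
    what the other side sees, so its copy of the hash no longer matches."""
    h = hashlib.new(algo)
    h.update(cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port))
    return h.digest()

def nat_detect(my_received, my_local, his_received, his_seen):
    """Mirror the 'NAT match / does not match MINE|HIS hash' debug lines.
    my_received  - NAT-D the peer computed for our address as it saw it on the wire
    my_local     - NAT-D we compute for our own configured address
    his_received - NAT-D the peer computed for its own address
    his_seen     - NAT-D we compute for the peer's address as we see it
    Any mismatch means a NAT is in the path and IKE floats to UDP 4500."""
    mine_match = my_received == my_local
    his_match = his_received == his_seen
    return {"mine": mine_match, "his": his_match, "float_to_4500": not (mine_match and his_match)}

# Constructed 8-byte ISAKMP cookies and placeholder addresses. 10.0.0.2 is the
# Pix 506 outside address from the thread; the 1760's static NAT presents it as a
# public address (documentation range here) and the remote Pix 501 is untranslated.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")
PIX_OUTSIDE = "10.0.0.2"
PIX_AS_SEEN_BY_PEER = "203.0.113.35"
REMOTE_PEER = "198.51.100.158"

def termination_pix_view():
    """What the Pix 506 behind the static NAT computes and receives."""
    my_local = nat_d_hash(CKY_I, CKY_R, PIX_OUTSIDE, 500)
    my_received = nat_d_hash(CKY_I, CKY_R, PIX_AS_SEEN_BY_PEER, 500)  # peer hashed .35
    his_received = nat_d_hash(CKY_I, CKY_R, REMOTE_PEER, 500)
    his_seen = nat_d_hash(CKY_I, CKY_R, REMOTE_PEER, 500)
    return nat_detect(my_received, my_local, his_received, his_seen)

def endpoint_pix_view():
    """What the untranslated Pix 501 computes and receives: the mirror image."""
    my_local = nat_d_hash(CKY_I, CKY_R, REMOTE_PEER, 500)
    my_received = nat_d_hash(CKY_I, CKY_R, REMOTE_PEER, 500)
    his_received = nat_d_hash(CKY_I, CKY_R, PIX_OUTSIDE, 500)      # Pix 506 hashed 10.0.0.2
    his_seen = nat_d_hash(CKY_I, CKY_R, PIX_AS_SEEN_BY_PEER, 500)  # but we see .35
    return nat_detect(my_received, my_local, his_received, his_seen)
```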

Correct Answer
kaachary Wed, 04/09/2008 - 12:04
User Badges:
  • Cisco Employee,

Remove the crypto map from the interface on the PIX and reapply it.

caplinktech Wed, 04/09/2008 - 12:32

Such a classic...


All this trouble and headache because when I updated the IP address yesterday, I simply disabled and enabled the isakmp engine and never reapplied the map.


Since I was using a complete static translation, NAT traversal was not necessary and in fact I had everything correct except remembering to reapply the map.


Thanks Kaachary for hitting me in the head.


P.S. Added that NAT-T was necessary for this setup for any potential future searches on the topic.
