04-08-2008 04:49 PM
Ok, basically I am wondering if it is possible to terminate a VPN connection on a Pix 506 Firewall that is located behind an IOS router. The public interface of the Pix 506 has a private IP address on a /29 going to the IOS inside interface. The network is set up as follows:
Internet as 10Base-T
| (5 public IPs X.X.X.34-.38)
| (into WIC-1ENET)
| (.34 assigned to interface)
Cisco 1760
| (FastE)                       | (WIC-4PORTSWITCH)
|                               | (10.0.0.1 /29 on 1760)
Private Net                     Pix 506
(192.168.1.0)                   (10.0.0.2 /29 on Pix)
Now, both internal interfaces of the 1760 are configured for PAT out the interface IP of the 1760 and all internet traffic passes perfectly. No access-lists are currently applied anywhere on the 1760 and a static translation on the 1760 is setup for .35 to 10.0.0.2 (the pix "public" ip). RDP and other services allowed in the pix access-list work perfectly fine from the outside world when accessing .35, however if I try to terminate a VPN from a pix 501 offsite to the pix 506 using the .35 IP, it doesn't work.
Is there any way to make this type of setup work?
I realize that I could put a switch external to the 1760 and run the public subnet directly and individually into the 1760 and Pix 506; however, I'd really prefer not to do that if it is possible to avoid it.
04-08-2008 04:59 PM
04-09-2008 06:29 AM
Hi,
I hope this will give you an opinion:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094ecd.shtml
Good luck.
04-09-2008 08:41 AM
Hi Yaser,
I believe I have already gotten this when I set aside a static translation on the IOS router.
I.e. my gateway IP on the IOS is .34, but I have:
ip nat inside source static 10.0.0.2 X.X.X.35
The problem comes in on the termination on the Pix. Crypto debug on the pix gives the following:
crypto_isakmp_process_block:src:X.X.X.158, dest:10.0.0.2 spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:X.X.X.158, dest:10.0.0.2 spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:X.X.X.158, dest:10.0.0.2 spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
pix506e# debug cry ips
pix506e#
crypto_isakmp_process_block:src:X.X.X.158, dest:10.0.0.2 spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
pix506e#
crypto_isakmp_process_block:src:X.X.X.158, dest:10.0.0.2 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2980242619
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5IPSEC(validate_proposal): invalid local address 10.0.0.2
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
pix506e#
crypto_isakmp_process_block:src:X.X.X.158, dest:10.0.0.2 spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:X.X.X.158, dest:10.0.0.2 spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:X.X.X.158, dest:10.0.0.2 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 4232657284
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5IPSEC(validate_proposal): invalid local address 10.0.0.2
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
04-09-2008 09:24 AM
Try enabling isakmp nat-traversal on the PIX and on the remote vpn endpoint.
04-09-2008 11:29 AM
Still nothing; a little more debugging came up on the termination PIX related to NAT-T.
Debug on Term Pix:
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match MINE hash
hash received: c2 e 4 86 19 d3 3b f1 43 1f a0 a1 76 51 4d ea
my nat hash : 6 87 79 46 58 a8 60 31 76 19 b4 1 44 73 30 f2
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match HIS hash
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:X.X.X.158, dest:10.0.0.2 spt:4500 dpt:4500
ISAKMP (0): processing DELETE payload. message ID = 1159754487, spi size = 16
ISAKMP (0): deleting SA: src X.X.X.158, dst 10.0.0.2
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:X.X.X.158, dest:10.0.0.2 spt:4500 dpt:4500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP: Locking UDP_ENC struct 0xeede04 from crypto_ikmp_udp_enc_ike_init, count 2
ISAKMP (0): ID payload
next-payload : 8
type : 2
protocol : 17
port : 0
length : 29
ISAKMP (0): Total payload length: 33
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Peer ip:X.X.X.158/4500 Ref cnt incremented to:2 Total VPN Peers:1
crypto_isakmp_process_block:src:X.X.X.158, dest:10.0.0.2 spt:4500 dpt:4500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 972594028
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 61443
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5IPSEC(validate_proposal): invalid local address 10.0.0.2
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
ISADB: reaper checking SA 0xf830dc, conn_id = 0
ISADB: reaper checking SA 0xf87bc4, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:X.X.X.158/4500 Ref cnt decremented to:1 Total VPN Peers:1IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with X.X.X.158
ISAKMP: Unlocking UDP ENC struct 0xeede04 from isadb_free_isakmp_sa, count 1
ISADB: reaper checking SA 0xf830dc, conn_id = 0
crypto_isakmp_process_block:src:X.X.X.158, dest:10.0.0.2 spt:4500 dpt:4500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:X.X.X.158, dest:10.0.0.2 spt:4500 dpt:4500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:X.X.X.158, dest:10.0.0.2 spt:4500 dpt:4500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1134345080
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 61443
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5IPSEC(validate_proposal): invalid local address 10.0.0.2
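The "NAT does not match MINE hash" / "NAT match HIS hash" pair in the debug above is what RFC 3947 NAT Discovery looks like from the terminating PIX's side. The following added example (not code from the thread or from Cisco) recomputes the NAT-D payloads with constructed cookies and RFC 5737 documentation addresses standing in for X.X.X.35, X.X.X.158 and the PIX 506's real outside address, to show why the responder flags a NAT in front of itself but not in front of the peer.

```python
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "md5") -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).

    HASH is the Phase 1 hash algorithm; MD5 matches the 16-byte hashes in the debug.
    """
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()


def nat_detected(received: list, expected_mine: bytes, expected_his: bytes) -> dict:
    """Mirror the PIX logic: the first NAT-D is the sender's view of the receiver
    (checked against MINE); the remaining ones are the sender's own addresses (HIS)."""
    return {
        "nat_in_front_of_me": received[0] != expected_mine,
        "nat_in_front_of_peer": expected_his not in received[1:],
    }


# Constructed sample values (not from the thread)
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")
INITIATOR_IP = "203.0.113.158"   # stands in for X.X.X.158, the offsite PIX 501
STATIC_NAT_IP = "198.51.100.35"  # stands in for X.X.X.35, the 1760's static translation
PIX506_OUTSIDE = "10.0.0.2"      # the PIX 506's actual outside address behind the 1760


def responder_view() -> dict:
    # The initiator can only hash what it sees: the peer as X.X.X.35, itself as X.X.X.158.
    received = [
        nat_d_hash(CKY_I, CKY_R, STATIC_NAT_IP, 500),
        nat_d_hash(CKY_I, CKY_R, INITIATOR_IP, 500),
    ]
    # The PIX 506 recomputes MINE with its own local address 10.0.0.2, which the
    # 1760's static translation has hidden from the peer, and HIS from the packet source.
    mine = nat_d_hash(CKY_I, CKY_R, PIX506_OUTSIDE, 500)
    his = nat_d_hash(CKY_I, CKY_R, INITIATOR_IP, 500)
    return nat_detected(received, mine, his)


if __name__ == "__main__":
    print(responder_view())  # {'nat_in_front_of_me': True, 'nat_in_front_of_peer': False}
```

The MINE mismatch is exactly the condition that makes both peers float to UDP/4500, which is why the later debug lines show spt:4500 dpt:4500 and encaps 61443 instead of 1.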
04-09-2008 11:30 AM
Debug on Endpoint Pix:
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:X.X.X.35, dest:X.X.X.158 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISADB: reaper checking SA 0xb14674, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:X.X.X.35/4500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:X.X.X.35/4500 Total VPN peers:0IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with X.X.X.35
ISADB: reaper checking SA 0xb15a64, conn_id = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match MINE hash
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match HIS hash
hash received: 6 87 79 46 58 a8 60 31 76 19 b4 1 44 73 30 f2
his nat hash : c2 e 4 86 19 d3 3b f1 43 1f a0 a1 76 51 4d ea
ISAKMP (0): ID payload
next-payload : 8
type : 2
protocol : 17
port : 0
length : 32
ISAKMP (0): Total payload length: 36
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:X.X.X.35, dest:X.X.X.158 spt:4500 dpt:4500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of 972594028:39f89b6cIPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xa5a57166(2779083110) for SA
from X.X.X.35 to X.X.X.158 for prot 3
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:X.X.X.35, dest:X.X.X.158 spt:4500 dpt:4500
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 3212261154
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with X.X.X.35
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:X.X.X.35, dest:X.X.X.158 spt:4500 dpt:4500
ISAKMP (0): processing NOTIFY payload 24576 protocol 1
spi 0, message ID = 1695733518
ISAKMP (0): processing responder lifetime
ISAKMP (0): phase 1 responder lifetime of 1000s
return status is IKMP_NO_ERR_NO_TRANS
VPN Peer: ISAKMP: Added new peer: ip:X.X.X.35/4500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:X.X.X.35/4500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:X.X.X.35, dest:X.X.X.158 spt:4500 dpt:4500
ISAKMP (0): processing NOTIFY payload 14 protocol 0
spi 0, message ID = 2020318343IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with X.X.X.35
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0x39f89b6cIPSEC(key_engine): request timer fired: count = 2,
(identity) local= X.X.X.158, remote= X.X.X.35,
local_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4)
04-09-2008 11:30 AM
Endpoint Pix Debug (cont'd):
ISAKMP (0): retransmitting phase 2 (1/0)... mess_id 0x39f89b6c
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1134345080:439cbb78IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x28fd75c2(687699394) for SA
from X.X.X.35 to X.X.X.158 for prot 3
crypto_isakmp_process_block:src:X.X.X.35, dest:X.X.X.158 spt:4500 dpt:4500
ISAKMP (0): processing NOTIFY payload 14 protocol 0
spi 0, message ID = 1501316443IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with X.X.X.35
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0x39f89b6c
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0x439cbb78
ISAKMP (0): retransmitting phase 2 (3/0)... mess_id 0x39f89b6cIPSEC(key_engine): request timer fired: count = 1,
(identity) local= X.X.X.158, remote= X.X.X.35,
local_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4)
ISAKMP (0): retransmitting phase 2 (1/0)... mess_id 0x439cbb78
ISAKMP (0): beginning Quick Mode exchange, M-ID of 91092403:56df5b3IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x51f52705(1375020805) for SA
from X.X.X.35 to X.X.X.158 for prot 3
crypto_isakmp_process_block:src:X.X.X.35, dest:X.X.X.158 spt:4500 dpt:4500
ISAKMP (0): processing NOTIFY payload 14 protocol 0
spi 0, message ID = 1126062686IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with X.X.X.35
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (4/0)... mess_id 0x39f89b6c
ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0x439cbb78
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0x56df5b3
ISAKMP (0): retransmitting phase 2 (5/0)... mess_id 0x39f89b6cIPSEC(key_engine): request timer fired: count = 2,
(identity) local= X.X.X.158, remote= X.X.X.35,
local_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4)
ISAKMP (0): retransmitting phase 2 (3/1)... mess_id 0x439cbb78
ISAKMP (0): retransmitting phase 2 (1/1)... mess_id 0x56df5b3
ISAKMP (0): retransmitting phase 2 (4/1)... mess_id 0x439cbb78
ISAKMP (0): retransmitting phase 2 (2/1)... mess_id 0x56df5b3
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1555030973:5cafe3bdIPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xb2411ad4(2990611156) for SA
from X.X.X.35 to X.X.X.158 for prot 3
crypto_isakmp_process_block:src:X.X.X.35, dest:X.X.X.158 spt:4500 dpt:4500
ISAKMP (0): processing NOTIFY payload 14 protocol 0
spi 0, message ID = 574268319IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with X.X.X.35
04-09-2008 12:04 PM
Remove the crypto map from the interface on the PIX and reapply it.
04-09-2008 12:32 PM
Such a classic...
All this trouble and headache because when I updated the IP address yesterday, I simply disabled and enabled the isakmp engine and never reapplied the map.
Since I was using a complete static translation, NAT traversal was not necessary and in fact I had everything correct except remembering to reapply the map.
Thanks Kaachary for hitting me in the head.
PS. Added that NAT-T was necessary for this setup for any potential future searches on the topic.