06-09-2008 01:42 AM - edited 02-21-2020 02:02 AM
Hi, my problem is getting the attached config running between a Cisco PIX 501 and a Cisco 836, both over ADSL with static IPs from the ISP.
Please help.
06-09-2008 06:05 AM
Can you be more specific as to exactly what is not working?
If possible provide the following from both:
show crypto isakmp sa
show crypto ipsec sa
Also the debug outputs:
debug crypto isakmp
debug crypto ipsec
Regards
Farrukh
06-09-2008 07:40 AM
Hi Farrukh,
Here are the outputs:
router#sh crypto isa sa
dst src state conn-id slot status
router#sh crypto ipsec sa
interface: Dialer0
Crypto map tag: vpnmap, local addr 9.23.111.155
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.8.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.7.10/255.255.255.255/0/0)
current_peer 8.24.131.96 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 9.23.111.155, remote crypto endpt.: 8.24.131.96
path mtu 1452, ip mtu 1452
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
interface: Virtual-Access1
Crypto map tag: vpnmap, local addr 9.23.111.155
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.8.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.7.10/255.255.255.255/0/0)
current_peer 8.24.131.96 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 9.23.111.155, remote crypto endpt.: 8.24.131.96
path mtu 1452, ip mtu 1452
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
____________________________________________
Firewall# sh crypto ipsec trans
Transform set myset: { esp-3des esp-md5-hmac }
will negotiate = { Tunnel, },
Firewall# sh crypto isakmp
isakmp enable outside
isakmp key ******** address 9.23.111.155 netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
Firewall# sh crypto isakmp sa
Total : 0
Embryonic : 0
dst src state pending created
Firewall#
Carsten
06-09-2008 06:40 AM
In the router config, as follows:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
lifetime 1000
what is the group value? It should be 1 to match the PIX isakmp policy.
06-09-2008 06:59 AM
The group is 1:
836 router#sh crypto isakmp pol
Global IKE policy
Protection suite of priority 10
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 1000 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
06-09-2008 08:48 AM
Hello
Thank you for providing the show output. But assuming you captured these commands after generating interesting traffic, it seems nothing is happening. Please check your crypto ACLs and then generate some interesting traffic for VPN. Then attach the debug output requested earlier.
Debug outputs:
debug crypto isakmp
debug crypto ipsec
debug crypto engine
Thanks
Farrukh
06-09-2008 09:41 AM
Here is an output from the PIX:
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
Carsten
06-09-2008 11:01 AM
Firstly, on the router, you have this ACL:
access-list 102 deny ip 192.168.8.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 102 permit ip 192.168.8.0 0.0.0.255 any
access-list 102 deny ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
change this to:
access-list 102 deny ip 192.168.8.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 102 deny ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 102 permit ip 192.168.8.0 0.0.0.255 any
Otherwise the VPN traffic will never match line three (it will always match the second line) and therefore will not be exempted from NAT.
Secondly, what are you using to 'generate' interesting traffic for the VPN? From your ACL applied to the inside interface on the firewall, it seems only UDP and TCP traffic is allowed. I hope you are not testing using ICMP?
Regards
Farrukh
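As an added illustration (not part of the thread), this Python script replays Cisco first-match ACL evaluation with wildcard masks over the two orderings of access-list 102 quoted above, showing why the LAN-to-LAN traffic is translated in the original order and only becomes NAT-exempt after the deny line is moved ahead of the permit-any line. The test flows are constructed sample addresses.

```python
import ipaddress

# ACL lines quoted from the thread: the original order and the reordered version.
ORIGINAL_ACL = [
    "access-list 102 deny ip 192.168.8.0 0.0.0.255 10.10.10.0 0.0.0.255",
    "access-list 102 permit ip 192.168.8.0 0.0.0.255 any",
    "access-list 102 deny ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255",
]
FIXED_ACL = [ORIGINAL_ACL[0], ORIGINAL_ACL[2], ORIGINAL_ACL[1]]

def _addr(dotted):
    return int(ipaddress.IPv4Address(dotted))

def _take_addr(tokens):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD'); return (net, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return _addr(tokens.pop(0)), 0
    return _addr(tok), _addr(tokens.pop(0))

def parse_acl(lines):
    """Parse 'access-list N {permit|deny} ip SRC DST' lines into (action, src, dst) tuples."""
    entries = []
    for line in lines:
        tokens = line.split()
        action, rest = tokens[2], tokens[4:]   # tokens[3] is the 'ip' protocol keyword
        src = _take_addr(rest)
        dst = _take_addr(rest)
        entries.append((action, src, dst))
    return entries

def _match(addr, net, wildcard):
    """Cisco wildcard semantics: 0 bits must match, 1 bits are don't-care."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (net & care)

def nat_decision(acl_lines, src_ip, dst_ip):
    """First matching entry wins. For a NAT ACL, permit means the flow is translated and
    deny means it is exempt; the implicit deny at the end also leaves it untranslated."""
    src, dst = _addr(src_ip), _addr(dst_ip)
    for action, (snet, swild), (dnet, dwild) in parse_acl(acl_lines):
        if _match(src, snet, swild) and _match(dst, dnet, dwild):
            return "translated" if action == "permit" else "exempt"
    return "exempt"

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("reordered", FIXED_ACL)):
        print(name, "192.168.8.5 -> 192.168.7.10:", nat_decision(acl, "192.168.8.5", "192.168.7.10"))
```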
06-10-2008 11:55 AM
Hello, did you manage to get this working?