07-22-2008 03:51 AM
Hi, we are setting up a VPN from a PIX router to a Cisco 2800 router. I am following this configuration guide: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008064a06f.shtml
But I'm not sure if I have to do this step:
!--- Defines the IP addresses that should not be NATed.
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list outside extended permit icmp any any
Do I have to no-nat the local net? They are already being NATed outside to reach the internet.
Thanks.
07-22-2008 05:59 AM
Xavier,
Use this link as example for your scenario.
The no nat access-list simply tells the PIX that there should be no NATing performed between the two LANs through that tunnel.
Do I have to no-nat the local net? They are already being NATed outside to reach the internet.
This only pertains to the IPsec tunnel; it has nothing to do with inside hosts being NATed to outside for other traffic. The PIX recognizes which source is meant to be nonat'ed when you bring up the IPsec tunnel, through the nat (inside) 0 access-list nonat statement and the nonat access-list.
There are instances where you have to NAT in LAN-to-LAN VPNs using public IPs, or do policy NATing for overlapping nets, but the simple L2L is straightforward when none of these conditions applies.
Rgds
Jorge
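A small check for the point Jorge makes above: the nonat access-list has to cover the same source/destination pairs that the crypto access-list selects for the tunnel, otherwise that traffic is handled by the general outbound NAT and never reaches the tunnel untranslated. The script below is an added example, not code from the thread or from Cisco. It parses PIX-style extended ACL lines (subnet masks, not wildcards), reports every crypto ACL entry that no nonat entry covers, and answers the "is this flow NAT-exempt?" question for a given source and destination. The ACL name vpn-l2l and the second 10.10.10.0/24 entry are constructed for the example; the first two access-list lines are the ones quoted in the question.

```python
import ipaddress

# Constructed sample config: the two access-list lines from the question plus a
# hypothetical crypto ACL named "vpn-l2l". Its second entry (10.10.10.0/24) is
# deliberately NOT mirrored in the nonat ACL so the gap check has something to find.
SAMPLE_CONFIG = """\
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list outside extended permit icmp any any
access-list vpn-l2l extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list vpn-l2l extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
"""


def _net(tokens, i):
    """Consume one address spec starting at tokens[i]: either 'any' or 'addr mask'.

    Returns the network and the index of the next unconsumed token.
    """
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # PIX ACLs use ordinary subnet masks; ipaddress accepts "addr/mask" notation.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config):
    """Return {acl_name: [(protocol, src_network, dst_network), ...]} for permit lines."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended" or t[3] != "permit":
            continue
        name, proto = t[1], t[4]
        src, i = _net(t, 5)
        dst, _ = _net(t, i)
        acls.setdefault(name, []).append((proto, src, dst))
    return acls


def uncovered_crypto_entries(config, crypto_acl, nonat_acl):
    """List crypto ACL entries whose src/dst pair is not fully inside some nonat 'ip' entry.

    Traffic matching such an entry would be translated by the regular outbound NAT
    before the crypto map is consulted, so the tunnel would never see it.
    """
    acls = parse_acls(config)
    nonat = [(s, d) for p, s, d in acls.get(nonat_acl, []) if p == "ip"]
    gaps = []
    for _proto, src, dst in acls.get(crypto_acl, []):
        covered = any(src.subnet_of(ns) and dst.subnet_of(nd) for ns, nd in nonat)
        if not covered:
            gaps.append((str(src), str(dst)))
    return gaps


def is_nat_exempt(config, nonat_acl, src_ip, dst_ip):
    """True if a packet src_ip -> dst_ip matches an 'ip' entry of the nonat ACL."""
    acls = parse_acls(config)
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(p == "ip" and s in ns and d in nd for p, ns, nd in acls.get(nonat_acl, []))


if __name__ == "__main__":
    for src, dst in uncovered_crypto_entries(SAMPLE_CONFIG, "vpn-l2l", "nonat"):
        print(f"crypto entry {src} -> {dst} is not exempted from NAT")
    # A host on the local LAN talking to the remote LAN is exempt, but the same
    # host talking to the internet is still translated as before.
    print(is_nat_exempt(SAMPLE_CONFIG, "nonat", "192.168.1.5", "172.16.4.9"))
    print(is_nat_exempt(SAMPLE_CONFIG, "nonat", "192.168.1.5", "8.8.8.8"))
```

Running it against the constructed config reports the 10.10.10.0/24 entry as unexempted, shows the LAN-to-LAN flow as exempt and the LAN-to-internet flow as still subject to the normal NAT, which is the behaviour Jorge describes.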
07-22-2008 06:44 AM
Hi, I get the following output on the PIX when doing a ping from the VPN concentrator:
pixfirewall#
crypto_isakmp_process_block:src:213.192.208.242, dest:213.27.252.202 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 65535 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): no offers accepted!
ISAKMP (0): SA not acceptable!
return status is IKMP_ERR_TRANS
pixfirewall#
ISAKMP (0): deleting SA: src 213.192.208.242, dst 213.27.252.202
ISADB: reaper checking SA 0xf0ccf4, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 213.192.208.242/500 not found - peers:0
Any comments ? Thanks !
07-22-2008 07:14 AM
Have you tried bringing up the tunnel from a source inside the LAN (not from the firewall or concentrator)? Run the same debug when you do that and post the output.
07-22-2008 07:40 AM
Hi, this is what happens when I ping from a LAN server: the ping does not time out because the PIX is trying to connect, and the debug shows this message repeatedly:
pixfirewall# IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 213.27.252.202, remote= 213.192.208.242,
local_proxy= 192.169.7.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4)
ISAKMP: No cert, and no keys (public or pre-shared) with remote peer 213.192.208.242
VPN Peer:ISAKMP: Peer Info for 213.192.208.242/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 213.27.252.202, remote= 213.192.208.242,
local_proxy= 192.169.7.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4)
ISAKMP: No cert, and no keys (public or pre-shared) with remote peer 213.192.208.242
VPN Peer:ISAKMP: Peer Info for 213.192.208.242/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 213.27.252.202, remote= 213.192.208.242,
local_proxy= 192.169.7.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4)
ISAKMP: No cert, and no keys (public or pre-shared) with remote peer 213.192.208.242
VPN Peer:ISAKMP: Peer Info for 213.192.208.242/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 213.27.252.202, remote= 213.192.208.242,
local_proxy= 192.169.7.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4)
ISAKMP: No cert, and no keys (public or pre-shared) with remote peer 213.192.208.242
VPN Peer:ISAKMP: Peer Info for 213.192.208.242/500 not found - peers:0
We are not using pre-shared keys . . .
Any comments on that ?
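The two debug captures above carry two separate findings: the first shows the peer's phase 1 proposal (DES-CBC, SHA, group 1, RSA signatures, 86400 s lifetime) being rejected by policy 10 and then by the catch-all policy 65535, and the second shows the PIX giving up because it has no certificate and no pre-shared key for the peer. The script below is an added example, not code from the thread or from Cisco, that parses PIX "debug crypto isakmp" output of this shape, decodes the lifetime bytes, and reports both conditions. The sample input is the debug text copied from the two posts above; the parser, field names and message wording of the findings are this example's own.

```python
import re
from dataclasses import dataclass, field

# Sample input: lines copied from the two debug captures quoted in this thread.
SAMPLE_DEBUG = """\
crypto_isakmp_process_block:src:213.192.208.242, dest:213.27.252.202 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 65535 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): no offers accepted!
ISAKMP (0): SA not acceptable!
return status is IKMP_ERR_TRANS
ISAKMP: No cert, and no keys (public or pre-shared) with remote peer 213.192.208.242
"""

PEER_RE = re.compile(r"crypto_isakmp_process_block:src:([\d.]+), dest:([\d.]+)")
CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"^ISAKMP: (encryption|hash|default group|auth|life type|life duration) (.*)$")
NOKEY_RE = re.compile(r"No cert, and no keys .* with remote peer ([\d.]+)")


@dataclass
class Proposal:
    transform: int          # transform number offered by the peer
    policy: int             # local isakmp policy priority it was compared against
    attrs: dict = field(default_factory=dict)
    accepted: bool = False


def decode_lifetime(vpi):
    """Decode 'life duration (VPI)' bytes: '0x0 0x1 0x51 0x80' is big-endian 0x15180 = 86400 s."""
    value = 0
    for token in vpi.split():
        value = (value << 8) | int(token, 16)
    return value


def parse_debug(text):
    """Extract peer addresses, every transform/policy comparison and the missing-key message."""
    result = {"peer": None, "local": None, "proposals": [], "missing_auth_for": None}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = PEER_RE.search(line)
        if m:
            result["peer"], result["local"] = m.group(1), m.group(2)
            continue
        m = CHECK_RE.search(line)
        if m:
            current = Proposal(int(m.group(1)), int(m.group(2)))
            result["proposals"].append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            key, value = m.group(1), m.group(2)
            if key == "life duration":
                value = decode_lifetime(value.split(" of ", 1)[1])
            current.attrs[key] = value
            continue
        if current is not None and "atts are not acceptable" in line:
            current = None                      # this policy rejected the offer
        elif current is not None and "atts are acceptable" in line:
            current.accepted = True
            current = None
        m = NOKEY_RE.search(line)
        if m:
            result["missing_auth_for"] = m.group(1)
    return result


def triage(text):
    """Turn the parsed debug into human-readable findings (one string per problem)."""
    parsed = parse_debug(text)
    findings = []
    props = parsed["proposals"]
    if props and not any(p.accepted for p in props):
        offered = props[0].attrs
        summary = "/".join(str(offered.get(k, "?")) for k in ("encryption", "hash", "default group", "auth"))
        policies = sorted({p.policy for p in props})
        findings.append(f"phase 1 mismatch: peer {parsed['peer']} offered {summary}, "
                        f"lifetime {offered.get('life duration', '?')} s; no local isakmp policy "
                        f"matched (checked priorities {policies})")
    if parsed["missing_auth_for"]:
        findings.append(f"no authentication material for peer {parsed['missing_auth_for']}: "
                        "neither a certificate nor a pre-shared key is configured on the PIX")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DEBUG):
        print(finding)
```

The first finding tells you which attribute set the peer proposed so it can be compared line by line with the local isakmp policy; the second is the one that explains the repeating request-timer loop in the second capture, since without a key or certificate for that peer the PIX cannot complete phase 1 at all.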
07-22-2008 08:04 AM
As far as I know you need to use a pre-shared key at each end in order to authenticate the tunnel.
07-22-2008 08:21 AM
Yes, sure you can. You can do tunnels limited only by their IP. This is the case. You can do it with pre-shared keys or you can do it by IP.
07-22-2008 08:25 AM
You would need to use pre-shared keys or certificates. I do not know if you have a CA server set up for certificates, but to bring the tunnel up you can test with pre-shared keys.
Gilbert
07-22-2008 08:27 AM
It's an on-production VPN concentrator and we are already using 4 tunnels without pre-shared keys. Thanks anyways.