09-09-2008 11:38 AM - edited 02-21-2020 03:56 PM
Need some help, please.
PIX 501 firewall getting dynamic WAN IP behind an ADSL modem.
1841 router with static WAN IP. I have attached config for both devices. What do I need to do to make the VPN tunnel come up & stay up?
Trying to create a VPN from the PIX site to the HQ router site, I have followed Cisco doc #66173, but I cannot get the VPN tunnel to come up. I feel that I am missing something small, but I have stared at it too long to be objective any more.
09-09-2008 12:36 PM
You are missing the NAT bypass ACL on the PIX.
access-list 120 permit ip 10.5.5.0 255.255.255.0 10.2.1.0 255.255.255.0
nat (inside) 0 access-list 120
Also, since this is dynamic-to-static IPsec, only the PIX side can initiate the tunnel.
HTH
Saju
Pls rate if it helps
09-09-2008 12:59 PM
I added the line you specified, then I started to see the following activity from the debug I turned on:
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 192.168.0.3, remote= 216.203.117.82,
local_proxy= 10.5.5.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.2.1.0/255.255.255.0/0/0 (type=4)
That's more than I had before, but still no connection when I ping a device on the other side.
Maybe something else is missing?
Yes, I understand the PIX must be the initiating end of the tunnel. Once I get it to work, then I would like to set up something, script or otherwise, that will open the tunnel at a specified time in the AM and keep the tunnel alive until a specified time in the PM. But that's for later.
So close......
09-09-2008 01:19 PM
What is the IP address the PIX gets on the outside interface?
09-09-2008 01:29 PM
As per the debug, you are getting a private IP address as the outside interface IP.
(identity) local= 192.168.0.3, remote= 216.203.117.82
So your ISP is doing dynamic NAT/PAT in between, and because of this pure IPsec will not work.
You can try enabling NAT traversal on the PIX and then see if it connects IPsec on UDP 4500.
enable on PIX: isakmp nat-t
09-09-2008 01:38 PM
The PIX is getting a private IP, 192.168.0.3, because the only public IP is on the outside interface of the DSL modem.
How does my config change on the PIX and router if I get a block of static IPs from the DSL ISP?
THANKS!
09-09-2008 01:50 PM
Here is debug output after adding isakmp nat-tra:
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
ISAKMP (0): retransmitting phase 1 (3)...
ISAKMP (0): retransmitting phase 1 (4)...
ISAKMP (0): deleting SA: src 192.168.0.3, dst 216.203.117.82
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 192.168.0.3, remote= 216.203.117.82,
local_proxy= 10.5.5.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.2.1.0/255.255.255.0/0/0 (type=4)
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
ISADB: reaper checking SA 0xb642ec, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 216.203.117.82/500 not found - peers:0
ISADB: reaper checking SA 0xb64ef4, conn_id = 0
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
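Added example (not from the thread or any Cisco tool): a small Python triage helper that reads the PIX debug output posted above and flags the two symptoms this thread turns on, a private (RFC 1918) outside address and phase 1 retransmits that never get a reply. The sample text is constructed from the posted lines; the retransmit threshold and hint wording are my assumptions.

```python
import ipaddress
import re

# Constructed sample, abridged from the PIX debug lines posted in this thread.
SAMPLE_DEBUG = """\
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
ISAKMP (0): deleting SA: src 192.168.0.3, dst 216.203.117.82
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 192.168.0.3, remote= 216.203.117.82,
local_proxy= 10.5.5.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.2.1.0/255.255.255.0/0/0 (type=4)
"""

IDENTITY_RE = re.compile(r"local=\s*([\d.]+),\s*remote=\s*([\d.]+)")
RETRANS_RE = re.compile(r"retransmitting phase 1 \(\d+\)")

def analyze_isakmp_debug(text, max_retransmits=3):
    """Summarise a PIX isakmp/ipsec debug capture and return triage hints.
    Threshold and hint wording are assumptions, not Cisco documentation."""
    r = {"local": None, "remote": None, "local_is_private": False,
         "nat_t_offered": False, "phase1_retransmits": 0,
         "sa_deleted": False, "phase1_timed_out": False, "hints": []}
    for line in text.splitlines():
        m = IDENTITY_RE.search(line)
        if m:
            r["local"], r["remote"] = m.group(1), m.group(2)
        if RETRANS_RE.search(line):
            r["phase1_retransmits"] += 1
        if "NAT-T vendor ID" in line:
            r["nat_t_offered"] = True
        if "deleting SA" in line:
            r["sa_deleted"] = True
    if r["local"]:
        r["local_is_private"] = ipaddress.ip_address(r["local"]).is_private
    # Phase 1 never got a reply: the PIX kept resending its first main-mode
    # message until it gave up and tore the SA down.
    r["phase1_timed_out"] = r["sa_deleted"] and r["phase1_retransmits"] >= max_retransmits
    if r["local_is_private"]:
        r["hints"].append("Outside address %s is RFC 1918: an upstream device is NATing, "
                          "so plain ESP will not survive; NAT-T (UDP 4500) is needed "
                          "on both peers." % r["local"])
    if r["phase1_timed_out"]:
        r["hints"].append("No ISAKMP reply from %s: check that UDP 500 (and 4500 with "
                          "NAT-T) reaches the static peer and that a matching isakmp "
                          "policy exists there; only the dynamic side can initiate." % r["remote"])
    return r

if __name__ == "__main__":
    for hint in analyze_isakmp_debug(SAMPLE_DEBUG)["hints"]:
        print("-", hint)
```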
09-09-2008 03:15 PM
Can you remove the access-list under the dynamic map on the 1841 router and then check?
crypto dynamic-map SSP 10
no match address 111
09-09-2008 08:55 PM
Still not working. Same feedback as the previous debug posting. I am thinking this private IP behind the DSL modem is the big issue and I need to get a static IP to make it work?
09-10-2008 04:55 AM
I also suspect that the private IP could be the cause. Your config looks OK.
HTH
Saju
Pls rate if it helps
09-10-2008 10:38 AM
Ordered a static IP for the PIX side of the connection. I should be able to configure it tomorrow when I get back to the remote office. How will the config on the router change for the static IP (A.B.C.D) at the remote location?