Multiple VPN issue, can't get second VPN up.

Jan 21st, 2003

I have 3 firewalls in 3 locations. The 515e is the main one that all the other locations need to connect to via VPN. I have one VPN working between a 501 and the 515e, and need to get the next one running as well.


So here's my current VPN config; the complication is that this is my first multiple-VPN setup.

515e:

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security10

names

name x.x.71.8 ConstOffice

access-list acl_outbound permit ip host 192.168.50.10 any

access-list acl_outbound permit ip host 192.168.50.75 any

access-list acl_outbound permit ip host 192.168.50.201 any


access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq smtp

access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq pop3

access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0

access-list inside_nat0_outbound permit ip host x.x.71.7 192.168.51.0 255.255.255.0

access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host ConstOffice

access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0

access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0

access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host 65.40.81.11

access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list inside_nat0_outbound permit ip host x.x.71.7 192.168.52.0 255.255.255.0

access-list inside_nat0_outbound permit ip host x.x.81.11 192.168.50.0 255.255.255.0

access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0

pager lines 24

interface ethernet0 auto

interface ethernet1 auto

icmp permit any outside

icmp permit any inside


ip address outside pppoe setroute

ip address inside 192.168.50.1 255.255.255.0

ip address intf2 127.0.0.1 255.255.255.255


global (outside) 2 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 2 192.168.50.0 255.255.255.0 0 0

access-group acl_inbound in interface outside

access-group acl_outbound in interface inside


sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-sha-hmac

crypto map vpn1 10 ipsec-isakmp

crypto map vpn1 10 match address inside_nat0_outbound

crypto map vpn1 10 set pfs group2

crypto map vpn1 10 set peer ConstOffice

crypto map vpn1 10 set transform-set myset

crypto map vpn1 20 ipsec-isakmp

crypto map vpn1 20 match address 101

crypto map vpn1 20 set pfs group2

crypto map vpn1 20 set peer x.x.81.11

crypto map vpn1 20 set transform-set myset

crypto map vpn1 interface outside

isakmp enable outside

isakmp key ******** address ConstOffice netmask 255.255.255.255

isakmp key ******** address x.x.81.11 netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

telnet ConstOffice 255.255.255.255 outside

telnet 192.168.51.0 255.255.255.0 outside

telnet 192.168.52.0 255.255.255.0 outside

telnet x.x.81.11 255.255.255.255 outside

telnet 192.168.50.201 255.255.255.255 inside

telnet 192.168.50.202 255.255.255.255 inside

telnet timeout 5

ssh timeout 5


terminal width 80


501e:

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 host x.x.71.7

access-list inside_nat0_outbound permit ip host x.x.81.11 192.168.50.0 255.255.255.0

access-list acl_outbound permit ip 192.168.52.0 255.255.255.0 any

access-list acl_inbound permit ip host x.x.71.7 any

interface ethernet0 10baset

interface ethernet1 10full


ip address outside x.x.81.11 255.0.0.0

ip address inside 192.168.52.1 255.255.255.0


global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 192.168.52.0 255.255.255.0 0 0

access-group acl_inbound in interface outside

access-group acl_outbound in interface inside


sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-sha-hmac

crypto map vpn1 9 ipsec-isakmp

crypto map vpn1 9 match address inside_nat0_outbound

crypto map vpn1 9 set pfs group2

crypto map vpn1 9 set peer x.x.71.7

crypto map vpn1 9 set transform-set myset

crypto map vpn1 interface outside

isakmp enable outside

isakmp key ******** address x.x.81.11 netmask 255.255.255.255

isakmp policy 9 authentication pre-share

isakmp policy 9 encryption des

isakmp policy 9 hash sha

isakmp policy 9 group 1

isakmp policy 9 lifetime 86400

telnet 192.168.50.0 255.255.255.0 outside

telnet x.x.71.7 255.255.255.255 outside

telnet 192.168.50.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:f4e78a76793783478f6e56f567e1f9cd

: end


So I must be missing something to get multiple VPNs up.


My debug info from the 515 is as follows:

ISAKMP (0): beginning Quick Mode exchange, M-ID of 299217336:11d5b1b8

crypto_isakmp_process_block: src x.x.81.11, dest x.x.71.7

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 299217336


ISAKMP : Checking IPSec proposal 1


ISAKMP: transform 1, ESP_DES

ISAKMP: attributes in transform:

ISAKMP: encaps is 1

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (basic) of 28800

ISAKMP: SA life type in kilobytes

ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

ISAKMP: authenticator is HMAC-SHA

ISAKMP: group is 2

ISAKMP (0): atts are acceptable.

ISAKMP: IPSec policy invalidated proposal

ISAKMP (0): SA not acceptable!

ISAKMP (0): sending NOTIFY message 14 protocol 3

return status is IKMP_ERR_NO_RETRANS

crypto_isakmp_process_block: src x.x.81.11, dest x.x.71.7

ISAKMP (0): processing DELETE payload. message ID = 2059037963

ISAKMP (0): deleting SA: src x.x.71.7, dst x.x.81.11

return status is IKMP_NO_ERR_NO_TRANS

ISADB: reaper checking SA 0x813d3688, conn_id = 0

ISADB: reaper checking SA 0x813d65c8, conn_id = 0 DELETE IT!


VPN Peer: ISAKMP: Peer ip:x.x.81.11 Ref cnt decremented to:0 Total VPN Peers:2

VPN Peer: ISAKMP: Deleted peer: ip:x.x.81.11 Total VPN peers:1

ISADB: reaper checking SA 0x813d3688, conn_id = 0


Thx,

Dave

mike-greene Tue, 01/21/2003 - 12:46

Dave,

The most obvious thing I see is this in your 501 config...


crypto map vpn1 9 set peer x.x.71.7

isakmp key ******** address x.x.81.11 netmask 255.255.255.255



Either the crypto map peer address is wrong, or the isakmp key address is wrong.


Also, if you use SSH instead of telnetting through the VPN tunnel, you can cut down on some of the access-list statements you have in your configs. (Just a helpful hint.)


Hope that helps...





dsingleterry Tue, 01/21/2003 - 18:56

Oh my goodness... thank you. I had overlooked that line I don't know how many times now and didn't even notice that.


SSH: this is my first time setting up PIXes; how do I set up SSH on them?

thanks,

Dave

dsingleterry Wed, 01/22/2003 - 06:49

Ahh, durn it, that didn't fix the problem.

I'm still getting

ISAKMP (0): beginning Quick Mode exchange, M-ID of 801661563:2fc8627b

crypto_isakmp_process_block: src BftOffice, dest MainOffice

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 801661563

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES

ISAKMP: attributes in transform:

ISAKMP: encaps is 1

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (basic) of 28800

ISAKMP: SA life type in kilobytes

ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

ISAKMP: authenticator is HMAC-SHA

ISAKMP: group is 2

ISAKMP (0): atts are acceptable.

ISAKMP: IPSec policy invalidated proposal

ISAKMP (0): SA not acceptable!

Is it possible it's checking against the isakmp key for the first VPN that's still running? Or the line that says "IPSec policy invalidated proposal", what does that mean? I have the same IPSec line for both VPNs.


Also, for some reason I can't seem to ping the x.x.81.11 firewall from this location, but I can ping everything else. I can also ping the x.x.81.11 firewall from other locations, so I know it's up, and I know they are hitting the web from that location as well.

mike-greene Wed, 01/22/2003 - 10:38

Dave,

Try changing the DH group from 1 to 2 on the 501. Looks like the PFS on your 515 wants to use group 2....

isakmp policy 9 group 2

The reason you probably cannot ping is because you're not NATing the traffic from behind the 515 to the outside interface of the 501. If you remove the line "access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host 65.40.81.11" you probably will be able to ping. The tunnel is not up, so I think that line is causing problems. It's hard to believe you can ping that from other locations, seeing as though you have no access list permitting ICMP or ICMP echo replies....

Also make sure your access lists on both sides mirror each other...


kagodfrey Wed, 01/22/2003 - 15:31

Hi Dave


You may want to try rebooting your PIX if you haven't already. I can't count the number of times I have sat in front of a perfectly useful config that just won't work after I have tweaked it by, say, changing a target IP address. Before you change these things you have to turn off stuff like the sysopt permit-ipsec, isakmp enable outside, and crypto map enable outside statements, or it just won't happen. I'd be sat there staring at it and getting cross, then after a reboot it would be like hey-presto (TM), instant vpnage! Anyway, worth a mention :)


Regards


Kev


PS Nice one on the x-over cable!

b-pelphrey Wed, 01/22/2003 - 17:01

Dave-


I was concentrating on the question you asked: "or the line that says IPSec policy invalidated proposal, what does that mean?". I searched on that, and that is when I came up with the troubleshooting URL I posted earlier. I believe that your SAs are not matching up. It seems that a possibility for this error could be that the ACLs you are using are not 100% matching from both ends, and it did seem that there were some differences.


The next thing I might suggest, if rebooting and looking at the ACLs don't work, is to delete everything to do with this tunnel and start afresh. Since you have been making a bunch of changes over and over, you might want to start clean... just a thought :)


Good luck.

kagodfrey Wed, 01/22/2003 - 19:15

Hello again

Just to throw something else in the mix (as if you didn't need anything else!), whilst you are taking the fine adjustment spanner/lump hammer to your config it may be a good idea to separate your ACLs on the hub PIX a bit more, to allow more granular control, i.e.

- acl1 for connections to site a (for site a crypto map)

- acl2 for connections to site b (for site b crypto map)

- acl3 for no NAT

- acl4 for outbound connections

acl3 would at least have to include all statements in acl1 and acl2

acl4 would at least have to include all statements in acl3

More typing I know, but it makes it a hell of a lot easier to drive it.


Rgdzzz [time 4 bed:-)]


Kev


dsingleterry Fri, 01/24/2003 - 05:58

Wow, thanks guys, that was some serious response...

I was sick for a couple days and came back to see all of them just now.


I will be banging on this problem and let y'all know what happens. I greatly appreciate all the suggestions, it helps a lot.


Dave

dsingleterry Wed, 01/29/2003 - 05:42

Well, I tried some things and still have no luck, but I do have some more info.

1. I re-entered the VPN info for the second VPN store on both firewalls.

2. My ACLs are matched now, no differences between the existing VPN remote store's and the new one's ACLs.

3. I played with the isakmp policy, changed group numbers, changed policy numbers, and even took down the existing VPN to see if pointing the 'match address' to the same ACL would even work.

4. I ran debug on both PIXes, and on the 515e that has an existing VPN already I was getting the same output, "SA not acceptable!", along with a bunch of other stuff. And on the 515e when running 'sho crypto ipsec sa' I get the following:

interface: outside

Crypto map tag: vpn1, local addr. MainOffice


local ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.51.0/255.255.255.0/0/0)

current_peer: ConstOffice

PERMIT, flags={origin_is_acl,}

#pkts encaps: 55367, #pkts encrypt: 55367, #pkts digest 55367

#pkts decaps: 59927, #pkts decrypt: 59927, #pkts verify 59927

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0


local crypto endpt.: MainOffice, remote crypto endpt.: ConstOffice

path mtu 1492, ipsec overhead 56, media mtu 1492

current outbound spi: 34e2c28d


inbound esp sas:

spi: 0x9686469a(2525382298)

transform: esp-des esp-sha-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 2, crypto map: vpn1

outbound pcp sas:

local ident (addr/mask/prot/port): (192.168.52.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)

current_peer: ConstOffice

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0


local crypto endpt.: MainOffice, remote crypto endpt.: ConstOffice

path mtu 1492, ipsec overhead 0, media mtu 1492

current outbound spi: 0

outbound pcp sas:

local crypto endpt.: MainOffice, remote crypto endpt.: BftOffice (x.x.81.11)

path mtu 1492, ipsec overhead 0, media mtu 1492

current outbound spi: 0


Office 50.0 is the 515e, 51.0 is the existing VPN, 52.0 is the new one that won't work.


On the new one running a 501e (52.0) I get this:

interface: outside

Crypto map tag: vpn1, local addr. x.x.81.11


local ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.52.0/255.255.255.0/0/0)

current_peer: 64.53.71.7

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0


local crypto endpt.: x.x.81.11, remote crypto endpt.: x.x.71.7 (MainOffice)

path mtu 1500, ipsec overhead 0, media mtu 1500

current outbound spi: 0


On this remote site's 501e, when running debug crypto isakmp I get (I may not spell this right, it's from memory) ISAK_NO_ERR_NO_TRANS


When checking hitcnts on the ACLs, the remote 501e shows that it's sending data to the 515e via the VPN tunnel that it's trying to establish. The 515e doesn't seem to want to accept that data.


So it seems that the 501 is set up right, but that here on the 515e, it doesn't want to allow more than one VPN; it won't accept the 52.0 network. At the bottom here I will attach my current 515e config. Thanks for all your help guys, sorry to keep beating this horse, but I can't seem to get this problem resolved.


names

name x.x.71.8 ConstOffice

name x.x.81.11 BftOffice

name x.x.71.7 MainOffice


access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any

access-list acl_inbound permit tcp any host MainOffice eq 3389

access-list acl_inbound permit icmp any any

access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0

access-list inside_nat0_outbound permit ip host MainOffice 192.168.51.0 255.255.255.0

access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host ConstOffice

access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0

access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0

access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host BftOffice

access-list inside_nat0_outbound permit ip host MainOffice 192.168.52.0 255.255.255.0

access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0

access-list 101 permit ip 192.168.52.0 255.255.255.0 192.168.50.0 255.255.255.0



global (outside) 2 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 2 192.168.50.0 255.255.255.0 0 0


sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-sha-hmac

crypto map vpn1 10 ipsec-isakmp

crypto map vpn1 10 match address inside_nat0_outbound

crypto map vpn1 10 set pfs group2

crypto map vpn1 10 set peer ConstOffice

crypto map vpn1 10 set transform-set myset

crypto map vpn1 20 ipsec-isakmp

crypto map vpn1 20 match address 101

crypto map vpn1 20 set pfs group2

crypto map vpn1 20 set peer BftOffice

crypto map vpn1 20 set transform-set myset

crypto map vpn1 interface outside

isakmp enable outside

isakmp key ******** address ConstOffice netmask 255.255.255.255

isakmp key ******** address BftOffice netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400


Thanks,

Dave


b-pelphrey Wed, 01/29/2003 - 07:02

Alright, let's see if this helps out a little more... don't worry, we will get this working!!!

Also, regarding your statement "2. My acl's are matched now, no differences between the existing vpn remote store and the new one's acl's.": make sure that they ARE NOT truly the same, just the concept of them. You will need to change IPs and such.

*************************************************************************************

names

name x.x.71.8 ConstOffice

name x.x.81.11 BftOffice

name x.x.71.7 MainOffice

access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any

access-list acl_inbound permit tcp any host MainOffice eq 3389

access-list acl_inbound permit icmp any any


****Seems that you just want all IP to access both remote locations....therefore, just put IP****


****BftOffice ACL should be different than ConstOffice ACL****

****These Crypto ACLs are your "interesting traffic" that defines when to engage the use of the IPSec tunnel****


****BftOffice ACL****

access-list permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0


****ConstOffice ACL****

access-list permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0


****The ACL needed for NO NATing to both BftOffice and ConstOffice****

access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0

access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0


global (outside) 2 interface

nat (inside) 0 access-list 101

nat (inside) 2 192.168.50.0 255.255.255.0 0 0


sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-sha-hmac


****ConstOffice IPSec Phase 2 SA****

crypto map vpn1 10 ipsec-isakmp

crypto map vpn1 10 match address

crypto map vpn1 10 set pfs group2

crypto map vpn1 10 set peer ConstOffice

crypto map vpn1 10 set transform-set myset


****BftOffice IPSec Phase 2 SA****

crypto map vpn1 20 ipsec-isakmp

crypto map vpn1 20 match address

crypto map vpn1 20 set pfs group2

crypto map vpn1 20 set peer BftOffice

crypto map vpn1 20 set transform-set myset


crypto map vpn1 interface outside

isakmp enable outside

isakmp key ******** address ConstOffice netmask 255.255.255.255

isakmp key ******** address BftOffice netmask 255.255.255.255

isakmp identity address


isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

*************************************************************************************

I tried to separate each piece so you can see it a little easier. I believe I got all your addressing and everything correct???...Hopefully. That url I posted a couple back is truly a very good helper.

Hope this helps! I will keep checking back. Good luck...

dsingleterry Thu, 01/30/2003 - 06:12

your statement "2. My acl's are matched now, no differences between the existing vpn remote store and the new one's acl's. " make sure that there ARE NOT truly the same, however, just the concept of them. You will need to change IPs and such.

*************************************************************************************


>>>Um, I know, I'm not that dense. :)




names

name x.x.71.8 ConstOffice

name x.x.81.11 BftOffice

name x.x.71.7 MainOffice

access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any

access-list acl_inbound permit tcp any host MainOffice eq 3389

access-list acl_inbound permit icmp any any


****Seems that you just want all IP to access both remote locations....therefore, just put IP****


>>> Just put IP what? I'm sorry, I don't get what you are saying.


****BftOffice ACL should be different than ConstOffice ACL****

****These Crypto ACLs are your "interesting traffic" that defines when to engage the use of the IPSec tunnel****


>>> I have a separate ACL for Bft and Const as it is. Now, what I do have that may be a problem (I am not sure) is that my Const ACL is also the one that is pointed directly to NAT 0. My Bft ACL is the ACL named 101; my Const ACL is named inside_nat0_outbound, and it also includes the same entries that the Bft ACL has. Is this gonna cause problems? I could set up a 101 ACL for Const, and make, say, a 100 ACL as the one that includes all the VPN ACL commands and is connected to NAT 0.



****ConstOffice IPSec Phase 2 SA****

crypto map vpn1 10 ipsec-isakmp

crypto map vpn1 10 match address

crypto map vpn1 10 set pfs group2

crypto map vpn1 10 set peer ConstOffice

crypto map vpn1 10 set transform-set myset


****BftOffice IPSec Phase 2 SA****

crypto map vpn1 20 ipsec-isakmp

crypto map vpn1 20 match address

crypto map vpn1 20 set pfs group2

crypto map vpn1 20 set peer BftOffice

crypto map vpn1 20 set transform-set myset


crypto map vpn1 interface outside

isakmp enable outside

isakmp key ******** address ConstOffice netmask 255.255.255.255

isakmp key ******** address BftOffice netmask 255.255.255.255

isakmp identity address


isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400


>>> So the only thing I see different here from my existing config is possibly the match address ACL list names, which at the moment are pointing:



crypto map vpn1 10 match address inside_nat0_outbound (const and bft access lines included)

crypto map vpn1 20 match address 101 (bft access lines only)


so instead you're saying I should have:



crypto map vpn1 10 match address 101 (const access lines only)

crypto map vpn1 20 match address 102 (bft access lines only)


and further up have:


nat (inside) 0 access-list 100 (ACL including both const and bft access entries)


Is this correct or am I missing what you're saying I need to try?


Thanks,

Dave

b-pelphrey Thu, 01/30/2003 - 07:46

Yep, from what you said in your last post, these would be your entries. And by the IP thing I just meant you are OK with allowing all IP ports and services, so just put "ip" instead of specific ports or services.


****BftOffice ACL****

access-list 102 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0


****ConstOffice ACL****

access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0


****The ACL needed for NO NATing to both BftOffice and ConstOffice****

access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0

access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0


global (outside) 2 interface


****The NAT statement saying you don't want to NAT from the main office to both the Bftoffice and ConstOffice****

nat (inside) 0 access-list 100



nat (inside) 2 192.168.50.0 255.255.255.0 0 0


sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-sha-hmac


****ConstOffice IPSec Phase 2 SA****

crypto map vpn1 10 ipsec-isakmp

crypto map vpn1 10 match address 101

crypto map vpn1 10 set pfs group2

crypto map vpn1 10 set peer ConstOffice

crypto map vpn1 10 set transform-set myset


****BftOffice IPSec Phase 2 SA****

crypto map vpn1 20 ipsec-isakmp

crypto map vpn1 20 match address 102

crypto map vpn1 20 set pfs group2

crypto map vpn1 20 set peer BftOffice

crypto map vpn1 20 set transform-set myset


crypto map vpn1 interface outside

isakmp enable outside

isakmp key ******** address ConstOffice netmask 255.255.255.255

isakmp key ******** address BftOffice netmask 255.255.255.255

isakmp identity address


isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400



I truly hope I am helping and not hurting here! But I truly believe that URL I posted several back will aid a lot in this type of configuration. It not only shows you the main site, but also gives the configs for both remote offices.



kagodfrey Thu, 01/30/2003 - 14:08

Aye - that's what I meant by separating your ACLs out. That should work a treat.

b-pelphrey Thu, 01/30/2003 - 14:45

Yes Kev!


I believe you were absolutely right... I just did a little extra work for him.

dsingleterry Thu, 01/30/2003 - 14:47

Haha, well, here in a few minutes we'll find out; I'll be taking everyone offline to try these changes :) I'll let ya know.

kagodfrey Thu, 01/30/2003 - 14:56

Rofl


I was too tired and it was a lot of typing, plus every time I try to go into detail it fails to post - just unlucky I guess :-)



dsingleterry Thu, 01/30/2003 - 15:12

Hmm, welp, it didn't work. I've posted my current 515e config down here. But I did separate out the ACLs, and the same VPN that was working is still working on the new ACL setup, so... heh, at least it didn't get worse :)


Secondary question (I posted another topic about it as well): my SSH isn't quite right either. I can see it get to auth, but I can't get authenticated using my enable password.


I do appreciate y'all continuing to try to help me solve this. I feel bad, because I feel like I must be missing some tidbit of info we all need to know exactly what to do to get it running, I dunno.


Here's the config, and thanks again.

Dave


PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security10

enable password *********** encrypted

passwd ********* encrypted

hostname YRPCI

domain-name yearroundpool.com

...

names

name x.x.71.8 ConstOffice

name x.x.81.11 BftOffice

name x.x.71.7 MainOffice

object-group network Bluff_Inside

network-object 192.168.50.0 255.255.255.0

access-list acl_outbound permit ip host 192.168.50.10 any

...

access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq smtp

access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq pop3

access-list acl_inbound permit tcp any host MainOffice eq 3389

access-list acl_inbound permit icmp any any

access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0

access-list 101 permit ip host MainOffice 192.168.52.0 255.255.255.0

access-list 101 permit ip 192.168.50.0 255.255.255.0 host BftOffice

access-list 102 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0

access-list 102 permit ip host MainOffice 192.168.51.0 255.255.255.0

access-list 102 permit ip 192.168.50.0 255.255.255.0 host ConstOffice

access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0

access-list 100 permit ip host MainOffice 192.168.51.0 255.255.255.0

access-list 100 permit ip host MainOffice 192.168.52.0 255.255.255.0

access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0

access-list 100 permit ip 192.168.0.0 255.255.255.0 host ConstOffice

access-list 100 permit ip 192.168.0.0 255.255.255.0 host BftOffice

logging console debugging

logging trap debugging

...

icmp permit any outside

icmp permit any inside

mtu outside 1500

mtu inside 1500

mtu intf2 1500

ip address outside pppoe setroute

ip address inside 192.168.50.1 255.255.255.0

ip address intf2 127.0.0.1 255.255.255.255

ip audit info action alarm

ip audit attack action alarm

no pdm history enable

arp timeout 14400

global (outside) 2 interface

nat (inside) 0 access-list 100

nat (inside) 2 192.168.50.0 255.255.255.0 0 0

access-group acl_inbound in interface outside

access-group acl_outbound in interface inside

timeout xlate 8:00:00

timeout conn 7:00:00 half-closed 6:00:00 udp 7:00:00 rpc 7:00:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 7:30:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa-server AuthOutbound protocol radius

http server enable

http 192.168.50.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-sha-hmac

crypto map vpn1 10 ipsec-isakmp

crypto map vpn1 10 match address 102

crypto map vpn1 10 set pfs group2

crypto map vpn1 10 set peer ConstOffice

crypto map vpn1 10 set transform-set myset

crypto map vpn1 20 ipsec-isakmp

crypto map vpn1 20 match address 101

crypto map vpn1 20 set pfs group2

crypto map vpn1 20 set peer BftOffice

crypto map vpn1 20 set transform-set myset

crypto map vpn1 interface outside

isakmp enable outside

isakmp key ******** address ConstOffice netmask 255.255.255.255

isakmp key ******** address BftOffice netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400


telnet timeout 10

ssh 0.0.0.0 0.0.0.0 outside

ssh x.x.203.51 255.255.255.255 outside

ssh timeout 10

...

: end

kagodfrey Thu, 01/30/2003 - 16:52

Hello

I don't know if there is a reason you have these lines in your config, which have to do with some of the bits that aren't posted, but what happens if you take them out? I don't think you need them for the purposes of the VPNs...

access-list 101 permit ip host MainOffice 192.168.52.0 255.255.255.0

access-list 101 permit ip 192.168.50.0 255.255.255.0 host BftOffice

access-list 102 permit ip host MainOffice 192.168.51.0 255.255.255.0

access-list 102 permit ip 192.168.50.0 255.255.255.0 host ConstOffice

access-list 100 permit ip host MainOffice 192.168.51.0 255.255.255.0

access-list 100 permit ip host MainOffice 192.168.52.0 255.255.255.0


b-pelphrey Thu, 01/30/2003 - 17:05

No worries! I feel bad as well. I want you to get this resolved as well!!

Let me ask you this: are your 2 remote sites' configs pretty much the same? If these are little remote sites, I would imagine they should be almost identical except for IP addresses.

Second thing, I am kind of confused by your ACLs.

access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0

access-list 101 permit ip host MainOffice 192.168.52.0 255.255.255.0

access-list 101 permit ip 192.168.50.0 255.255.255.0 host BftOffice

****Since the external IP address of the peer you are trying to build the tunnel with is in the set peer section of your phase 2 stuff, you don't need them here. So the ACL lines about host MainOffice and host BftOffice are not needed, since they are external addresses of your VPN peers****

access-list 102 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0

access-list 102 permit ip host MainOffice 192.168.51.0 255.255.255.0

access-list 102 permit ip 192.168.50.0 255.255.255.0 host ConstOffice

****Again, some of these I don't believe are necessary****

access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0

access-list 100 permit ip host MainOffice 192.168.51.0 255.255.255.0

access-list 100 permit ip host MainOffice 192.168.52.0 255.255.255.0

access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0

access-list 100 permit ip 192.168.0.0 255.255.255.0 host ConstOffice

access-list 100 permit ip 192.168.0.0 255.255.255.0 host BftOffice

****Again, I don't believe some of these are necessary****

However, that doesn't solve your problem. I hate to do this, but is it possible to get your other configs? The site that is working and the site that is not? I know you entered the site that isn't working before, but if you could post it again along with the site that is working, we all should be able to figure this out. I know this is a pain in the ass, but we need to get your issue resolved...this has gone on long enough !!!! :)

dsingleterry Fri, 01/31/2003 - 06:14

Ok, here we go :)

I removed these lines:


access-list 101 permit ip host MainOffice 192.168.52.0 255.255.255.0

access-list 101 permit ip 192.168.50.0 255.255.255.0 host BftOffice

access-list 102 permit ip host MainOffice 192.168.51.0 255.255.255.0

access-list 102 permit ip 192.168.50.0 255.255.255.0 host ConstOffice

access-list 100 permit ip host MainOffice 192.168.51.0 255.255.255.0

access-list 100 permit ip host MainOffice 192.168.52.0 255.255.255.0

access-list 100 permit ip 192.168.0.0 255.255.255.0 host ConstOffice

access-list 100 permit ip 192.168.0.0 255.255.255.0 host BftOffice


When first setting up this stuff, when something didn't work right off I resorted to the shotgun approach to try to find where the problem was. :) Thanks for helping me clean that up.


BftOffice: (unabridged)


PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 7RD3DIuHCed/Bft9 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname bft

domain-name yearroundpool.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

name x.x.81.11 BftOffice

name x.x.71.7 MainOffice

access-list acl_outbound permit ip 192.168.52.0 255.255.255.0 any

access-list acl_inbound permit icmp any any

access-list acl_inbound permit ip host MainOffice any

access-list 102 permit ip 192.168.52.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list 102 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0

access-list 102 permit ip 192.168.52.0 255.255.255.0 host MainOffice

access-list 102 permit ip host BftOffice 192.168.50.0 255.255.255.0

pager lines 24

interface ethernet0 10baset

interface ethernet1 10full

icmp permit any outside

icmp permit any inside

mtu outside 1500

mtu inside 1500

ip address outside BftOffice 255.255.255.128

ip address inside 192.168.52.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

no pdm history enable

arp timeout 14400

global (outside) 2 interface

nat (inside) 0 access-list 102

nat (inside) 2 192.168.52.0 255.255.255.0 0 0

access-group acl_inbound in interface outside

access-group acl_outbound in interface inside

route outside 0.0.0.0 0.0.0.0 x.x.81.1 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-sha-hmac

crypto map vpn1 20 ipsec-isakmp

crypto map vpn1 20 set pfs group2

crypto map vpn1 20 set peer MainOffice

crypto map vpn1 20 set transform-set myset

crypto map vpn1 interface outside

isakmp enable outside

isakmp key ******** address MainOffice netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

telnet MainOffice 255.255.255.255 outside

telnet 192.168.50.0 255.255.255.0 outside

telnet 192.168.52.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:425d8eb50cd76e12434093ae6d7db027

: end



ConstOffice: (unabridged)


PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 7RD3DIuHCed/Bft9 encrypted

passwd 7RD3DIuHCed/Bft9 encrypted

hostname Const

domain-name yearroundpool.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

fixup protocol http 8080

fixup protocol ftp 22

names

name x.x.71.8 ConstOffice

name x.x.71.7 MainOffice

access-list acl_outbound permit ip 192.168.51.0 255.255.255.0 any

access-list inside_nat0_outbound permit ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0

access-list inside_nat0_outbound permit ip 192.168.51.0 255.255.255.0 host MainOffice

access-list inside_nat0_outbound permit ip host ConstOffice 192.168.50.0 255.255.255.0

access-list acl_inbound permit icmp any any

access-list acl_inbound permit ip host ConstOffice any

pager lines 24

interface ethernet0 10baset

interface ethernet1 10full

icmp permit any outside

icmp permit any inside

mtu outside 1500

mtu inside 1500

ip address outside pppoe setroute

ip address inside 192.168.51.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.50.0 255.255.255.0 outside

pdm location 192.168.51.0 255.255.255.0 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 2 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 2 192.168.51.0 255.255.255.0 0 0

access-group acl_inbound in interface outside

access-group acl_outbound in interface inside

timeout xlate 8:00:00

timeout conn 7:00:00 half-closed 6:00:00 udp 7:00:00 rpc 7:00:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 7:30:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.51.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-sha-hmac

crypto map vpn1 10 ipsec-isakmp

crypto map vpn1 10 match address inside_nat0_outbound

crypto map vpn1 10 set pfs group2

crypto map vpn1 10 set peer MainOffice

crypto map vpn1 10 set transform-set myset

crypto map vpn1 interface outside

isakmp enable outside

isakmp key ******** address MainOffice netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

telnet MainOffice 255.255.255.255 outside

telnet 192.168.50.0 255.255.255.0 outside

telnet 192.168.51.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

vpdn group pppoex request dialout pppoe

vpdn group pppoex localname yearround2

vpdn group pppoex ppp authentication pap

vpdn username yearround2 password *********

terminal width 80

Cryptochecksum:33de0e57a606c12b8148a4b6e267dc17

: end


(I will clean up the ACLs for this one as well; I just somehow killed telnet capability to this office, I gotta figure out what I did)


Thanks again guys,

Dave

dsingleterry Fri, 01/31/2003 - 13:18

Its fixed!

The key we were missing had to do with the acl_outbound access-list bound to the inside interface.


I added :

access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.51.0

access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.52.0


I called an outside source and just went over stuff with him on the phone; once we unassigned an access-list from the inside interface, suddenly the second VPN popped up. So from there we knew where the problem was.


Thanks for all your help and patience guys.

b-pelphrey Fri, 01/31/2003 - 14:45

Excellent! It looks very similar to a part of a post I made a while back. What is different from the below?


b-pelphrey

Jan 30, 2003, 7:46am PST

Yep, from what you said in your last post, these would be your entries. And the IP thing I just meant you are OK with allowing all IP ports and services, so just put IP instead of specific ports or services.


****BftOffice ACL****

access-list 102 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0


****ConstOffice ACL****

access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0


****The ACL needed for NO NATing to both BftOffice and ConstOffice****

access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0

access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0




I would like to know for my own knowledge, but it looks identical to what I had said.


Congrats!


dsingleterry Fri, 01/31/2003 - 14:52

What's different is that the access-list that needed those lines was the one tied to the inside interface.

(I'm sorry if that's what you meant by the post, but it didn't seem that was the ACL you were referring to)


The ACL's involved are:

1. ACL 100 - tied to "nat (inside) 0"

2. ACL's 101-102 - tied to the crypto VPN lines with match address

3. ACL acl_inbound - tied to the outside interface

4. ACL acl_outbound - tied to the inside interface


acl_outbound was the one that needed those lines added. For some reason I never considered the VPN being dependent on that as well as the one tied to nat 0.


But now I know.


Thanks again.

Dave

kagodfrey Fri, 01/31/2003 - 14:59

Or, to put it another way...


- acl1 for connections to site a (for site a crypto map)

- acl2 for connections to site b (for site b crypto map)

- acl3 for no NAT

- acl4 for outbound connections

acl3 would at least have to include all statements in acl1 and acl2

acl4 would at least have to include all statements in acl3


Glad it's all finally sorted !!


Rgds


Kev
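
Kev's ordering above (every crypto "match address" entry must also appear in the nat 0 ACL, and everything in the nat 0 ACL must be permitted by the ACL on the inside interface) and Dave's list of the four ACL roles can be checked mechanically. The following is an added example written for this thread; it is not Cisco code and not anything the participants posted. It parses the `name`, `access-list`, `nat (inside) 0`, `access-group` and `crypto map` lines of a PIX 6.x config and reports every crypto ACL entry that the nat 0 ACL does not exempt from translation or that the inside-interface ACL does not permit, plus any crypto map entry that lacks `match address`, `set peer` or `set transform-set` (which is how the BftOffice map `vpn1 20` reads as posted). The sample configs are constructed, with 192.0.2.x documentation addresses standing in for the masked peer addresses. Two caveats the output makes visible: only `permit ip` entries count, because a tcp-only line such as the `eq smtp` permits cannot carry a tunnel's traffic; and `host 192.168.51.0` is a single /32 address on the PIX, so written that way the fix in Dave's post permits one address rather than the 192.168.51.0/24 subnet the crypto ACL describes. The reason the inside ACL matters at all is that `sysopt connection permit-ipsec` only bypasses the ACL on the interface where the IPsec traffic arrives (outside); it does nothing for the ACL applied to the inside interface.

```python
import ipaddress
import re
from collections import defaultdict

# Only 'permit ip' entries count as coverage: a crypto ACL entry is 'permit ip', so a
# tcp-only permit such as '... any eq smtp' cannot carry a tunnel's traffic.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(.+)$")
CRYPTO_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+(.+)$")
NAT0_RE = re.compile(r"^nat\s+\(inside\)\s+0\s+access-list\s+(\S+)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")
NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)$")

def parse_endpoints(spec, names):
    """'SRC MASK DST MASK' with 'host X', 'any' and 'name' aliases -> (src_net, dst_net).
    'host 192.168.51.0' becomes a /32 on purpose: that is what the PIX does with it."""
    toks, nets, i = spec.split(), [], 0
    while i < len(toks):
        if toks[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            i += 1
        elif toks[i] == "host":
            nets.append(ipaddress.ip_network(names.get(toks[i + 1], toks[i + 1]) + "/32"))
            i += 2
        else:
            addr = names.get(toks[i], toks[i])
            nets.append(ipaddress.ip_network(f"{addr}/{toks[i + 1]}", strict=False))
            i += 2
    if len(nets) != 2:
        raise ValueError(f"cannot parse endpoints: {spec!r}")
    return nets[0], nets[1]

def covers(entries, src, dst):
    """True if one entry of an ACL permits the whole src->dst pair."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)

def check_vpn_acls(config_text):
    """Return a list of findings; an empty list means the ACL roles agree."""
    names, acls, crypto = {}, defaultdict(list), defaultdict(dict)
    nat0_acl = inside_acl = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := NAME_RE.match(line):            # name IP ALIAS
            names[m.group(2)] = m.group(1)
        elif m := ACL_RE.match(line):
            acls[m.group(1)].append(parse_endpoints(m.group(2), names))
        elif m := CRYPTO_RE.match(line):
            key, rest = (m.group(1), int(m.group(2))), m.group(3).split()
            if rest[0] == "match":              # match address ACL
                crypto[key]["acl"] = rest[2]
            elif rest[0] == "set":              # set peer|pfs|transform-set X
                crypto[key][rest[1]] = rest[2] if len(rest) > 2 else ""
            else:
                crypto[key]["type"] = rest[0]   # ipsec-isakmp
        elif m := NAT0_RE.match(line):
            nat0_acl = m.group(1)
        elif (m := GROUP_RE.match(line)) and m.group(2) == "inside":
            inside_acl = m.group(1)

    findings = []
    for (map_name, seq), entry in sorted(crypto.items()):
        for needed in ("acl", "peer", "transform-set"):
            if needed not in entry:
                findings.append(f"crypto map {map_name} {seq}: no {needed}")
        for src, dst in acls.get(entry.get("acl"), []):
            pair = f"{src} -> {dst} (crypto ACL {entry['acl']})"
            if nat0_acl is None or not covers(acls[nat0_acl], src, dst):
                findings.append(f"nat 0 ACL does not exempt {pair}")
            if inside_acl is not None and not covers(acls[inside_acl], src, dst):
                findings.append(f"inside ACL {inside_acl} does not permit {pair}")
    return findings

# Constructed sample: the main-office PIX as the thread describes it before the fix,
# with documentation addresses (192.0.2.x) in place of the masked peer addresses.
MAIN_BEFORE = """
name 192.0.2.8 ConstOffice
name 192.0.2.11 BftOffice
access-list acl_outbound permit ip host 192.168.50.10 any
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq smtp
access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list 102 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
nat (inside) 0 access-list 100
access-group acl_outbound in interface inside
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address 102
crypto map vpn1 10 set peer ConstOffice
crypto map vpn1 10 set transform-set myset
crypto map vpn1 20 ipsec-isakmp
crypto map vpn1 20 match address 101
crypto map vpn1 20 set peer BftOffice
crypto map vpn1 20 set transform-set myset
"""
# The fix as typed in the thread ('host 192.168.51.0' is one address, not a /24) ...
FIX_AS_POSTED = ("access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.51.0\n"
                 "access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.52.0\n")
# ... and the subnet form that actually covers the crypto ACL entries.
FIX_SUBNET = ("access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0\n"
              "access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0\n")
```

Calling `check_vpn_acls(MAIN_BEFORE)` reports both tunnels as blocked by `acl_outbound`; `check_vpn_acls(MAIN_BEFORE + FIX_AS_POSTED)` still reports both, because the `host` form only covers the .0 address; `check_vpn_acls(MAIN_BEFORE + FIX_SUBNET)` returns an empty list. Run it against each site's config separately; the same function flags a ConstOffice-style config where the nat 0 ACL doubles as the crypto ACL just as well, since it only cares about the role each ACL is bound to.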

dsingleterry Fri, 01/31/2003 - 15:03

OK, well if someone put it that way and I didn't interpret it properly, I apologize. I'm used to switches and some routing; this is my first set of PIXes. Again, I greatly appreciate all of your help, guys.

Dave

b-pelphrey Fri, 01/31/2003 - 17:03

At any rate...CONGRATS and I am glad it is over for you!!!


Until next time...
