04-04-2003 10:03 AM - edited 02-20-2020 10:40 PM
I have, in one site, a PIX 515 connected to a C827H (an ADSL router doing PPPoE). This router gives access to the Net. In another site I have another PIX (a 506) and another C827H router that gives access to the Net. Both sites have access to the Net without problems. But when I want to establish a VPN tunnel (with IPsec) between these two sites, through the Net, I can't establish the connection. The ADSL router has its public IP negotiated with the ISP. In my lab I simulated these two connections by putting two PIXs (a 520 and a 506) back-to-back with a crossover cable. I used the same configuration. That worked. But in my two sites it is not working. Why?
04-04-2003 11:04 AM
Can you post your configuration?
04-08-2003 03:32 AM
--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --
OK.
The configuration of my two PIXs is like this:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10
enable password xxxxx encrypted
passwd yyyy encrypted
hostname --moderator edit-- firewall
domain-name teste.pt
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
!
access-list 101 permit ip 10.10.10.0 255.255.255.0 --moderator edit-- mm.mmm.mmm.0 255.255.255.0
!
access-list outside-in permit icmp any any echo
access-list outside-in permit icmp any any echo-reply
access-list outside-in permit icmp any any unreachable
access-list outside-in permit icmp any any time-exceeded
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1452
mtu inside 1452
mtu DMZ 1500
!
ip address outside --moderator edit-- xx.xx.xx.1 255.255.255.252
ip address inside 10.10.10.254 255.255.255.0
ip address DMZ 172.16.1.254 255.255.255.0
!
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
!
nat (inside) 0 access-list 101
!
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside-in in interface outside
!
route outside 0.0.0.0 0.0.0.0 --moderator edit-- xx.xx.xx.2 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
!
sysopt connection permit-ipsec
no sysopt route dnat
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set peer 60.60.60.1
crypto map mymap 10 set transform-set myset
!
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 10.100.100.1 netmask 255.255.255.255 no-xauth no-config-mode
!
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 43200
!
telnet timeout 5
!
ssh timeout 5
terminal width 80
: end
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx encrypted
passwd yyyy encrypted
hostname --moderator edit-- firewall
domain-name teste.pt
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list out-in permit icmp any any echo
access-list out-in permit icmp any any echo-reply
access-list out-in permit tcp host 62.48.154.238 any eq 22
access-list out-in permit tcp --moderator edit-- nnn.nnn.nn.0 255.255.252.0 any eq 22
access-list out-in permit tcp 194.65.19.0 255.255.255.0 any eq 22
!
access-list 101 permit ip --moderator edit-- mm.mmm.mmm.0 255.255.255.0 10.10.10.0 255.255.255.0
!
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
!
ip address outside 60.60.60.1 255.255.255.252
ip address inside --moderator edit-- mm.mmm.mmm.254 255.255.255.0
!
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
!
nat (inside) 0 access-list 101
!
nat (inside) 1 --moderator edit-- mm.mmm.mmm.0 255.255.255.0 0 0
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0 60.60.60.2 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
!
sysopt connection permit-ipsec
!
no sysopt route dnat
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set peer --moderator edit-- xx.xx.xx.1
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address --moderator edit-- xx.xx.xx.1 netmask 255.255.255.255
!
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 43200
!
telnet timeout 5
ssh timeout 5
terminal width 80
: end
The configuration of my two C827H routers is like this:
hostname RouterA-ADSL
enable secret WWWW
!
username ADSLPRIME password SRTFRD
ip subnet-zero
no ip domain-lookup
!
ip dhcp excluded-address 10.10.10.1
!
vpdn enable
vpdn-group pppoe
request-dialin
protocol pppoe
!
interface Ethernet0
ip address --moderator edit-- xx.xx.xx.2 255.255.255.252
ip tcp adjust-mss 1452
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
load-interval 30
no atm ilmi-keepalive
pvc 0/35
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface Dialer1
mtu 1492
ip address negotiated
encapsulation ppp
ip tcp adjust-mss 1452
load-interval 30
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username ADSL000@teste.pt password --moderator edit--
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
access-list 2 permit xxx.xxx.xxx.xxx
access-list 2 permit xxx.xxx.xxx.xxx
access-list 2 deny any log
dialer-list 1 protocol ip permit
!
line con 0
exec-timeout 120 0
password --moderator edit--
login
stopbits 1
line vty 0 4
access-class 2 in
exec-timeout 120 0
password --moderator edit--
login
!
scheduler max-task-time 5000
end
Today I saw that the ISAKMP protocol is passing through the routers but the ESP protocol is not. I put an access-list on the ADSL routers to see what kind of traffic was passing, and that is what I saw. The IOS version on the two ADSL routers is c820-y6-mz.122-8.YJ.bin.
On the PIXs I can see that the ISAKMP (phase 1) negotiation is happening, but the next negotiation (ISAKMP phase 2) is not. It is at this point that this thing fails. Can someone tell me why?
04-08-2003 07:16 AM
Hi,
I don't think the configuration will work in the given scenario. Your internal network should have no problem getting to the Internet, because your PIX has a default route pointed to the ADSL router and your ADSL router forwards everything to the Internet.
I can see that you are trying to establish an IPsec tunnel between two private networks through the PIX outside interfaces (70.70.70.1 and 60.60.60.1), but neither of your PIXs has any way of reaching the remote address, not even through the ADSL router.
You can either change your PIX's outside interface to a globally routable address, if that is possible, or NAT them through the ADSL routers.
Hope that helps,
-Jimmy
04-08-2003 07:42 AM
Those networks (60.60.60.0/32 and 70.70.70.0/32) are not the real networks. I gave those two as an example. The two networks that I have in reality are routable (they are not private networks); that is, they are networks given to me by one of the local ISPs, and from the routers and the PIXs I can reach them.
04-08-2003 07:55 AM
Sorry.
The two networks that I gave as an example are 60.60.60.0/30 and 70.70.70.0/30.
04-08-2003 08:39 AM
I see. In that case, I suggest you change the ACL name defined in the crypto map; try not to use the same ACL that you used for nat 0, it causes problems sometimes.
Try that and see if it works for you.
-Jimmy
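The check Jimmy suggests can be automated. The script below is an added example, not code from the thread or from Cisco: it parses the handful of PIX 6.x lines that matter here, reports a crypto map whose `match address` ACL is also the `nat (x) 0` ACL, and emits a config fragment that clones that ACL under a new name for the crypto map while leaving the nat 0 ACL alone. As a second sanity check it also reports a crypto-map `set peer` address with no matching `isakmp key ... address` entry; in the first posted PIX config the peer is 60.60.60.1 while the key is for 10.100.100.1, which may simply be a moderator edit. The names `SAMPLE_PIX`, `lint` and `fix_shared_acl` are mine, the sample config is a constructed, cut-down version of the first PIX config with 192.0.2.0/24 standing in for the redacted remote network, and the `-vpn` suffix is an arbitrary choice.

```python
"""Added example: lint a PIX 6.x config for the pitfall raised in the thread.

Not code from the thread or from Cisco. It reports:
  * a crypto map whose `match address` ACL is also the `nat (x) 0` ACL
    (the condition Jimmy asked the poster to remove);
  * a crypto map `set peer` address with no `isakmp key ... address` entry.
It can also print a config fragment that clones the shared ACL under a new
name for the crypto map, leaving the nat 0 ACL untouched.
"""
import re

# Constructed, cut-down version of the first PIX config in the thread.
# 192.0.2.0/24 stands in for the network the moderator redacted.
SAMPLE_PIX = """\
access-list 101 permit ip 10.10.10.0 255.255.255.0 192.0.2.0 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set peer 60.60.60.1
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
isakmp key ******** address 10.100.100.1 netmask 255.255.255.255 no-xauth no-config-mode
"""

ACL_RE = re.compile(r"access-list (\S+) (.+)")
NAT0_RE = re.compile(r"nat \((\S+)\) 0 access-list (\S+)")
MATCH_RE = re.compile(r"crypto map (\S+) (\d+) match address (\S+)")
PEER_RE = re.compile(r"crypto map (\S+) (\d+) set peer (\S+)")
KEY_RE = re.compile(r"isakmp key \S+ address (\S+)")


def parse(config):
    """Return (acls, nat0_acls, crypto_maps, isakmp_key_peers)."""
    acls = {}      # ACL name -> list of ACE text following the name
    nat0 = set()   # ACL names referenced by `nat (ifname) 0 access-list`
    cmaps = {}     # (map name, seq) -> {"acl": name or None, "peers": [...]}
    keys = set()   # peer addresses that have a pre-shared key configured
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append(m[2])
        elif m := NAT0_RE.match(line):
            nat0.add(m[2])
        elif m := MATCH_RE.match(line):
            entry = cmaps.setdefault((m[1], int(m[2])), {"acl": None, "peers": []})
            entry["acl"] = m[3]  # a later match line replaces an earlier one, as on the PIX
        elif m := PEER_RE.match(line):
            entry = cmaps.setdefault((m[1], int(m[2])), {"acl": None, "peers": []})
            entry["peers"].append(m[3])
        elif m := KEY_RE.match(line):
            keys.add(m[1])
    return acls, nat0, cmaps, keys


def lint(config):
    """Return a list of human-readable findings (an empty list means clean)."""
    _, nat0, cmaps, keys = parse(config)
    findings = []
    for (name, seq), entry in sorted(cmaps.items()):
        if entry["acl"] in nat0:
            findings.append(f"crypto map {name} {seq} and nat 0 share ACL {entry['acl']}")
        for peer in entry["peers"]:
            if peer not in keys:
                findings.append(f"crypto map {name} {seq} peer {peer} has no isakmp key entry")
    return findings


def fix_shared_acl(config, suffix="-vpn"):
    """Build a PIX fragment giving each affected crypto map its own copy of the ACL.

    The ACEs are cloned verbatim under <old name><suffix> (suffix is an
    assumption); re-issuing the `match address` line replaces the old reference.
    """
    acls, nat0, cmaps, _ = parse(config)
    lines = []
    for (name, seq), entry in sorted(cmaps.items()):
        acl = entry["acl"]
        if acl is None or acl not in nat0:
            continue
        new_acl = f"{acl}{suffix}"
        for ace in acls.get(acl, []):
            lines.append(f"access-list {new_acl} {ace}")
        lines.append(f"crypto map {name} {seq} match address {new_acl}")
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in lint(SAMPLE_PIX):
        print("FINDING:", finding)
    print("--- suggested fragment ---")
    print(fix_shared_acl(SAMPLE_PIX))
```

Run it against a `show run` capture of each PIX; both ends must be changed the same way, and the mirrored ACL on the second PIX (source and destination swapped) gets the same treatment.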
04-09-2003 07:45 AM
OK.
The problem is solved.
Thanks, Jimmy, for your help and advice.
Rui