Solved: PIX and ADSL router.

rcapao · ‎04-04-2003

I have, in one site, a PIX 515 connected to a C827H (an ADSL router “doing” PPPoE). This router gives access to the Net. In another site I have another PIX (a 506) and another C827H router that gave access to Net. Both sites have access to net without problems. But when I what to establish a VPN tunnel (with Ipsec) between this two sites, through the Net, I can’t establish the connection. The ADSL router has their public IP negotiated with the ISP. In my lab I simulate this two connections putting two PIXs (a 520 and a 506) back-to-back with a crossover cable. I used the same configuration. The thing worked. But in my two sites that is not working. Why?

xiaoj · ‎04-08-2003

I see, in that case. I suggest you change the ACL name defined in crypto map, try not to use the same ACL that you used for nat0, it causes problem sometimes.

Try that and see if it works for you.

-Jimmy

View solution in original post

xiaoj · ‎04-04-2003

Can you post your configuration?

rcapao · ‎04-08-2003

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

OK.

The configuration of my two PIXs is like this:

PIX Version 6.1(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 DMZ security10

enable password xxxxx encrypted

passwd yyyy encrypted

hostname --moderator edit-- firewall

domain-name teste.pt

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

!

access-list 101 permit ip 10.10.10.0 255.255.255.0 --moderator edit-- mm.mmm.mmm.0 255.255.255.0

!

access-list outside-in permit icmp any any echo

access-list outside-in permit icmp any any echo-reply

access-list outside-in permit icmp any any unreachable

access-list outside-in permit icmp any any time-exceeded

pager lines 24

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

mtu outside 1452

mtu inside 1452

mtu DMZ 1500

!

ip address outside --moderator edit-- xx.xx.xx.1 255.255.255.252

ip address inside 10.10.10.254 255.255.255.0

ip address DMZ 172.16.1.254 255.255.255.0

!

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

!

nat (inside) 0 access-list 101

!

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group outside-in in interface outside

!

route outside 0.0.0.0 0.0.0.0 --moderator edit-- xx.xx.xx.2 1

!

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

!

sysopt connection permit-ipsec

no sysopt route dnat

!

crypto ipsec transform-set myset esp-des esp-md5-hmac

!

crypto map mymap 10 ipsec-isakmp

crypto map mymap 10 match address 101

crypto map mymap 10 set peer 60.60.60.1

crypto map mymap 10 set transform-set myset

!

crypto map mymap interface outside

isakmp enable outside

isakmp key ******** address 10.100.100.1 netmask 255.255.255.255 no-xauth no-co

nfig-mode

!

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 43200

!

telnet timeout 5

!

ssh timeout 5

terminal width 80

: end

PIX Version 6.1(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx encrypted

passwd yyyy encrypted

hostname --moderator edit-- firewall

domain-name teste.pt

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list out-in permit icmp any any echo

access-list out-in permit icmp any any echo-reply

access-list out-in permit tcp host 62.48.154.238 any eq 22

access-list out-in permit tcp --moderator edit-- nnn.nnn.nn.0 255.255.252.0 any eq 22

access-list out-in permit tcp 194.65.19.0 255.255.255.0 any eq 22

!

access-list 101 permit ip --moderator edit-- mm.mmm.mmm.0 255.255.255.0 10.10.10.0 255.255.255.0

!

pager lines 24

interface ethernet0 auto

interface ethernet1 auto

mtu outside 1500

mtu inside 1500

!

ip address outside 60.60.60.1 255.255.255.252

ip address inside --moderator edit-- mm.mmm.mmm.254 255.255.255.0

!

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

!

nat (inside) 0 access-list 101

!

nat (inside) 1 --moderator edit-- mm.mmm.mmm.0 255.255.255.0 0 0

access-group out-in in interface outside

route outside 0.0.0.0 0.0.0.0 60.60.60.2 1

!

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

!

sysopt connection permit-ipsec

!

no sysopt route dnat

!

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto map mymap 10 ipsec-isakmp

crypto map mymap 10 match address 101

crypto map mymap 10 set peer --moderator edit-- xx.xx.xx.1

crypto map mymap 10 set transform-set myset

crypto map mymap interface outside

isakmp enable outside

isakmp key ******** address --moderator edit-- xx.xx.xx.1 netmask 255.255.255.255

!

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 43200

!

telnet timeout 5

ssh timeout 5

terminal width 80

: end

The configuration of my two C807H is like this:

hostname RouterA-ADSL

enable secret WWWW

!

username ADSLPRIME password SRTFRD

ip subnet-zero

no ip domain-lookup

!

ip dhcp excluded-address 10.10.10.1

!

vpdn enable

vpdn-group pppoe

request-dialin

protocol pppoe

!

interface Ethernet0

ip address --moderator edit-- xx.xx.xx.2 255.255.255.252

ip tcp adjust-mss 1452

no cdp enable

hold-queue 100 out

!

interface ATM0

no ip address

load-interval 30

no atm ilmi-keepalive

pvc 0/35

pppoe-client dial-pool-number 1

!

dsl operating-mode auto

!

interface Dialer1

mtu 1492

ip address negotiated

encapsulation ppp

ip tcp adjust-mss 1452

load-interval 30

dialer pool 1

dialer-group 1

ppp authentication pap callin

ppp pap sent-username ADSL000@teste.pt password --moderator edit--

!

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

no ip http server

!

access-list 2 permit xxx.xxx.xxx.xxx

access-list 2 deny any log

dialer-list 1 protocol ip permit

!

line con 0

exec-timeout 120 0

password --moderator edit--

login

stopbits 1

line vty 0 4

access-class 2 in

exec-timeout 120 0

password --moderator edit--

login

!

scheduler max-task-time 5000

end

Today I saw that the isakmp protocol is passing in the routers but the esp protocol is not. I had put an access-list to see what kind of traffic was passing in the adsl routers and I saw that. The version of the two adsl router is: c820-y6-mz.122-8.YJ.bin.

With the PIXs I can see that the isakmp (phase 1) negotiation is happening but the next negotiation (isakmp phase 2) is not. Is at this point that this thing fails. Some one can tell me why?

xiaoj · ‎04-08-2003

Hi,

I don't think the configuration will work according to the given scenario. your internal network should have no problem get to the internet, that's because your pix has a default route pointed to ADSL router and your ADSl router forwards everything to the internet.

I can see that you are trying to establish IPSec tunnel between two private networks through PIX's outside interface(70.70.70.1 and 60.60.60.1), but both of your PIX has no way of reaching to the remote address nor through ADSL router.

You can either change your pix's outside interface to a global routable address if it's possible or NAT them through ADSL routers.

Hope that helps,

-Jimmy

rcapao · ‎04-08-2003

That networks (60.60.60.0/32 and 70.70.70.0/32) are not the real networks. I gave this two as an example. The two networks that I have in reality are routable (they are not privet networks), that is, are networks given to me by one of the locals ISPs and in the routers and in the PIXs I can reach to them.

rcapao · ‎04-08-2003

Sorry.

The two networks that a gave as a example are 60.60.60.0/30 and 70.70.70.0/30.

xiaoj · ‎04-08-2003

I see, in that case. I suggest you change the ACL name defined in crypto map, try not to use the same ACL that you used for nat0, it causes problem sometimes.

Try that and see if it works for you.

-Jimmy

rcapao · ‎04-09-2003

Ok.

The problem is solved.

Thank Jimmy for your help and advise.

Rui