Re: ipsec tunnel on pix 501

mikentosh · ‎07-13-2010

I am trying to create a site-to-site ipsec tunnel. My first attempt failed and I was given some information from someone using an ASA (8.0?) for my second attempt. They were not sure of the compatibility of some of the commands and I ran into an error with the first line they provided. Can somebody help me figure out why I am getting this error:

"ERROR: Source address,mask <255.255.255.252,170.x.x.0> doesn't pair"

when I try to add the following line:

access-list HCA permit ip host 10.x.x.0 255.255.255.252 170.x.x.0 255.255.255.128

Additionally, the ASA command I was provided included the word "extended" before the "permit", however the PIX did not recognize that command so I omitted it. Should still work right?

Here is my existing config:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password *************** encrypted
passwd **************** encrypted
hostname JMSBCFW
domain-name JMS
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit tcp any interface outside eq 3389
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any source-quench
access-list outside_in permit tcp any interface outside eq 1000
access-list outside_in permit tcp any interface outside eq 1001
access-list outside_in permit tcp any interface outside eq 1002
access-list outside_in permit tcp any interface outside eq 1003
access-list outside_in permit tcp any interface outside eq 1004
access-list outside_in permit tcp any interface outside eq 1005
access-list outside_in permit tcp any interface outside eq 1006
access-list outside_in permit tcp any interface outside eq 1007
access-list outside_in permit tcp any interface outside eq 1008
access-list outside_in permit tcp any interface outside eq 1009
access-list outside_in permit tcp any interface outside eq 1010
access-list outside_in permit tcp any interface outside eq 1011
access-list outside_in permit tcp any interface outside eq 1012
access-list outbound permit tcp any any
access-list outbound permit ip any any
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 216.x.x.x 255.255.255.252
ip address inside 192.168.1.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.55 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 192.168.1.4 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1001 192.168.1.67 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1002 192.168.1.85 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1003 192.168.1.29 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1004 192.168.1.12 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1005 192.168.1.64 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1006 192.168.1.62 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1007 192.168.1.18 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1008 192.168.1.70 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1009 192.168.1.68 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1010 192.168.1.44 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1011 192.168.1.37 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1012 192.168.1.73 3389 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 216.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 192.168.1.4 source inside
http server enable
http 192.168.1.3 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
isakmp enable outside
isakmp key ******** address 199.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
username admin password **************** encrypted privilege 2
terminal width 90
Cryptochecksum:5f1148abb28fc6b2ad0035733b20b393
: end

Please bear with me as I am a beginner to the Cisco firewall programming and unfortunately I cannot get the PDM to work for me (but that is another story), so I am doing everything in console. I am upgrading this customer to an ASA 5510, which I am told will be a whole lot easier to manage/configure. Not soon enough though.

Regards,

MIKET

Marcin Latosiewicz · ‎07-13-2010

Miket,

access-list HCA permit ip host 10.x.x.0 255.255.255.252 170.x.x.0 255.255.255.128

Notice the "host" ... host mean that the IP address give after will be treated with mask 255.255.255.255. Remove the host.

Check this out to see what more you might be missing:

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/sit2site.html

HTH,

Marcin

mikentosh · ‎07-14-2010

Thanks! I removed "host" from the line and was able to finish adding all of the commands that I was instructed to add. However, I was not able to achieve the desired end result of being able to ping the 170.x.x.x address. I have ordered an ASA5510 that should be arriving in a few days (been putting it off too long). Can you or any members here tell me whether it will be simple to transfer/migrate the PIX configuration into the new appliance?

Kind Regards,

MikeT

Marcin Latosiewicz · ‎07-15-2010

Mike,

ASA and PIX (6.3) use different syntax of commands. Good news is that there is a built in translator (into ASA/PIX 7.x/8.x versions).

Please note that some information will not be migrated by copy/paste (passwords if obfuscated for example).

I'll have a look at the config again and post an update to see if anything confg-wise is missing, but it would help if you put int current config.

Marcin

mikentosh · ‎07-15-2010

Thanks Marcin,

Here is the latest config:

:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password ******************** encrypted

passwd ******************** encrypted

hostname JMSBCFW

domain-name JMS

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list outside_in permit icmp any any time-exceeded

access-list outside_in permit tcp any interface outside eq 3389

access-list outside_in permit icmp any any echo-reply

access-list outside_in permit icmp any any unreachable

access-list outside_in permit icmp any any source-quench

access-list outside_in permit tcp any interface outside eq 1000

access-list outside_in permit tcp any interface outside eq 1001

access-list outside_in permit tcp any interface outside eq 1002

access-list outside_in permit tcp any interface outside eq 1003

access-list outside_in permit tcp any interface outside eq 1004

access-list outside_in permit tcp any interface outside eq 1005

access-list outside_in permit tcp any interface outside eq 1006

access-list outside_in permit tcp any interface outside eq 1007

access-list outside_in permit tcp any interface outside eq 1008

access-list outside_in permit tcp any interface outside eq 1009

access-list outside_in permit tcp any interface outside eq 1010

access-list outside_in permit tcp any interface outside eq 1011

access-list outside_in permit tcp any interface outside eq 1012

access-list outbound permit tcp any any

access-list outbound permit ip any any

access-list HCA_cryptomap permit ip 10.129.64.0 255.255.255.252 170.x.x.0 255.255.255.128

access-list HCA permit ip 192.168.1.0 255.255.255.0 170.x.x.0 255.255.255.128

pager lines 24

icmp permit any inside

mtu outside 1500

mtu inside 1500

ip address outside 216.x.x.x 255.255.255.252

ip address inside 192.168.1.2 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

global (outside) 2 10.129.64.1

nat (inside) 2 10.129.64.0 255.255.255.252 0 0

nat (inside) 1 192.168.1.0 255.255.255.0 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface 3389 192.168.1.55 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 1000 192.168.1.4 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 1001 192.168.1.67 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 1002 192.168.1.85 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 1003 192.168.1.29 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 1004 192.168.1.12 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 1005 192.168.1.64 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 1006 192.168.1.62 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 1007 192.168.1.18 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 1008 192.168.1.70 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 1009 192.168.1.68 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 1010 192.168.1.44 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 1011 192.168.1.37 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 1012 192.168.1.73 3389 netmask 255.255.255.255 0 0

access-group outside_in in interface outside

access-group outbound in interface inside

route outside 0.0.0.0 0.0.0.0 216.x.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

ntp server 192.168.1.4 source inside

http server enable

http 192.168.1.3 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto map hca 10 ipsec-isakmp

crypto map hca 10 match address HCA_cryptomap

crypto map hca 10 set peer 199.x.x.x

crypto map hca 10 set transform-set myset

crypto map hca interface outside

isakmp enable outside

isakmp key ******** address 199.x.x.x netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

console timeout 0

username admin password ******************************* encrypted privilege 2

terminal width 90

Cryptochecksum:5f1148abb28fc6b2ad0035733b20b393

: end

Marcin Latosiewicz · ‎07-16-2010

Mike,

Configuration from IPsec's point of view looks OK.

The thing to know ... if otherside side perepared to accept connections from here and were you supposed to NAT traffic?

show crypto isakmp

and

show crypto ipsec sa

will tell you if the negotiation finished correctly.

I will be off as of today, sorry I will not be able to provide further help

Marcin