Configuring PIX to PIX Dynamic-to-Static IPSec in aggressive mode

bhatti.imran
Level 1

Dear All,

I have been given a task to connect the Head Office (HO) with the branch office through an internet VPN using PIX. The branch office has a 515E with PIX OS 7.0 and HO has a PIX 501 with OS 6.3. The HO ISP is giving me a DHCP IP on the outside interface.

Now I am preparing the configuration for the above task.

I have created a test environment with two PIX 501s.

As I am not so familiar with PIX VPN, I followed the Cisco URL below for this test.

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml

Unfortunately I am unable to create the VPN (by the way, how can I check that the VPN has been created? I tried using ping only).

Below are the running configs for both PIXes.

Config for the HO (outside interface is DHCP) is below:

access-list 101 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
ip address outside 172.18.124.167 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 172.18.124.166 1
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 101
crypto map newmap 10 set peer 172.18.124.166
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 172.18.124.166 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000

Now the configuration for the PIX which has the static IP (Branch office):

access-list 100 permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
ip address outside 172.18.124.166 255.255.255.0
ip address inside 10.2.2.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000

Now when I tried to ping the remote PIX I failed (I can ping the outside interface of both PIXes).

Could anybody tell me what is wrong and why I cannot ping the inside interface from the remote side?

Waiting for a reply.

At the end, sorry for my long post.

6 Replies

martin_lx1980
Level 1

Hello,

You should add the command

route outside 0.0.0.0 0.0.0.0 172.18.124.167

on the Branch Office PIX.

I think the two PIXes have correct configuration after adding that command.

You can connect computers to both PIXes' inside interfaces. You can do a ping test from the computer connected to the Branch Office PIX's inside interface to the computer connected to the HO PIX's inside interface. When you want to set up a static-dynamic VPN using PIX, only interesting traffic from static to dynamic can activate the process of SA negotiation.

When the VPN tunnel is created successfully, besides the ping test you can also see the information below:

HO(config)# sh crypto isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
172.18.124.166 172.18.124.167 QM_IDLE 0 1

HO(config)# sh crypto ipsec sa
..............
inbound esp sas:
spi: 0x9b48c914(2605238548)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: newmap
sa timing: remaining key lifetime (k/sec): (4607996/26794)
IV size: 8 bytes
replay detection support: Y
..................
outbound esp sas:
spi: 0xa2bc66f2(2730256114)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: newmap
sa timing: remaining key lifetime (k/sec): (4607998/26767)
IV size: 8 bytes
replay detection support: Y

Thank you very much Martin for your reply and guidance.

The test lab scenario is working fine and now the real stuff.

In the test lab I used two PIX 501s with OS 6.3, but in the real scenario I am going to use a PIX 501 (OS 6.3) with a PIX 515 (OS 7.0).

Below is my configuration for the PIX 515E (branch office with static IP; this is also the central PIX).

Branch office PIX config:

interface Ethernet0
nameif outside
security-level 0
ip address 10.1.1.162 255.255.255.240
!
interface Ethernet1
nameif inside
security-level 100
ip address 172.16.73.3 255.255.255.0
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 10.1.1.161
nat (inside) 0 access-list nat
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *

**** below part is for VPN client software ****

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400

**** end part for VPN client software ****

And the HO PIX with PPPoE and dynamic IP; the configuration is:

ip address outside pppoe setroute
ip address inside 172.16.1.30 255.255.255.0
access-list nat permit ip 192.168.40.0 255.255.255.0 172.16.73.0 255.255.255.0
nat (inside) 0 access-list nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address nat
crypto map newmap 10 set peer 83.136.10.162
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 10.1.1.162 netmask 255.255.255.255
isakmp log 2000
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
vpdn group xxx request dialout pppoe
vpdn group xxx localname xxx
vpdn group xxx ppp authentication pap
vpdn username xxx password *********

Now again my question is: is there any trouble with this config, and does this config really work?

Thanks

bhatti.imran:

On the Branch PIX I think you should add and modify the commands below.

access-list nat permit ip 172.16.73.0 255.255.255.0 192.168.40.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
sysopt connection permit-ipsec
tunnel-group DefaultRAGroup type ipsec-l2l

On the HO PIX I think you should add and modify the commands below.

global (outside) 1 interface
crypto map newmap 10 set peer 10.1.1.162 (in the real scenario this should be the public address of the Branch PIX)

You also should confirm that both ISAKMP policies are identical.

Branch PIX:
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400

HO PIX:
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000

Hope this helps,

Martin

Dear Martin, thanks for the help.

But I am in trouble now.

I have applied the configuration and I am getting the error below.

pixfirewall# sh crypto isakmp sa
Total : 1
Embryonic : 1
dst src state pending created
10.1.1.162 172.16.88.3 MM_NO_STATE 0 0

ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:10.1.1.1622, dest 172.16.88.3 spt:500 dpt:500
return status is IKMP_NO_ERR_NO_TRANS
pixfirewall#
ISAKMP (0): deleting SA: src 172.16.88.3 , dst 10.1.1.162
ISADB: reaper checking SA 0xa2e9a4, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 10.1.1.162/500 not found - peers:0
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:10.1.1.162, dest: 172.16.88.3 spt:500 dpt:500
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): deleting SA: src 172.16.88.3 , dst 10.1.1.162
ISADB: reaper checking SA 0xa2e9a4, conn_id = 0 DELETE IT!

Below is the configuration now on both Branch and HO.

HO:

sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address nat
crypto map newmap 10 set peer 83.136.10.162
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 10.1.1.162 netmask 255.255.255.255
isakmp log 2000
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000

Branch office:

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000

It looks like a phase 1 error; could you please help me?

Thanks
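The "sh crypto isakmp sa" tables in this thread (the QM_IDLE one from the working lab and the MM_NO_STATE one above) are the quickest tunnel-health check the poster asked for. The following is an added example, not code from the thread or from Cisco: it parses that table format and maps each SA state to where phase 1 stands. The two sample outputs are constructed from the text posted above; the state descriptions follow Cisco's documented IKE main-mode and quick-mode state names, and the hint text is my own summary.

```python
"""Interpret PIX/ASA 'show crypto isakmp sa' output.

Added example. The two samples below are constructed from the
outputs pasted in this thread; they are not captured from a live box.
"""
import re
from dataclasses import dataclass

FAILING = """Total : 1
Embryonic : 1
dst src state pending created
10.1.1.162 172.16.88.3 MM_NO_STATE 0 0
"""

HEALTHY = """Total : 1
Embryonic : 0
dst src state pending created
172.18.124.166 172.18.124.167 QM_IDLE 0 1
"""


@dataclass
class IsakmpSA:
    dst: str
    src: str
    state: str
    pending: int
    created: int

    @property
    def phase1_complete(self) -> bool:
        # MM_* (main mode) and AG_* (aggressive mode) states mean phase 1
        # is still negotiating; QM_* (quick mode) means phase 1 finished.
        return self.state.startswith("QM_")


# Cisco's documented IKE state names; the wording of each hint is mine.
STATE_HINTS = {
    "MM_NO_STATE": "ISAKMP SA created but nothing agreed yet: check that the peer "
                   "address, reachability and ISAKMP policy "
                   "(authentication/encryption/hash/group) match on both sides",
    "MM_SA_SETUP": "peers agreed on the ISAKMP SA parameters",
    "MM_KEY_EXCH": "Diffie-Hellman done, SA not yet authenticated",
    "MM_KEY_AUTH": "ISAKMP SA authenticated, moving to quick mode",
    "QM_IDLE": "phase 1 complete; IPsec (phase 2) SAs can be negotiated",
}

COUNT_RE = re.compile(r"^(Total|Embryonic)\s*:\s*(\d+)$")
# dst  src  STATE  pending  created   (the header row does not match)
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s+(\d+)$")


def parse_isakmp_sa(text):
    """Return ({'total': n, 'embryonic': m}, [IsakmpSA, ...])."""
    counts, sas = {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := COUNT_RE.match(line):
            counts[m.group(1).lower()] = int(m.group(2))
        elif m := ROW_RE.match(line):
            dst, src, state, pending, created = m.groups()
            sas.append(IsakmpSA(dst, src, state, int(pending), int(created)))
    return counts, sas


def diagnose(text):
    """One report line per SA plus an overall verdict on phase 1."""
    counts, sas = parse_isakmp_sa(text)
    if not sas:
        return ["no ISAKMP SA present: nothing has triggered negotiation yet "
                "(no interesting traffic, or crypto map not applied)"]
    report = []
    for sa in sas:
        status = "UP" if sa.phase1_complete else "NEGOTIATING"
        hint = STATE_HINTS.get(sa.state, "unrecognised state")
        report.append(f"{sa.src} -> {sa.dst}: {sa.state} [{status}] {hint}")
    # Every SA still embryonic means phase 1 has never completed once.
    if counts.get("embryonic", 0) and counts["embryonic"] == counts.get("total"):
        report.append("all SAs are embryonic: phase 1 never completed")
    return report


if __name__ == "__main__":
    for name, sample in (("failing", FAILING), ("healthy", HEALTHY)):
        print(f"== {name} ==")
        print("\n".join(diagnose(sample)))
```

Run it against a pasted "show crypto isakmp sa" and the [NEGOTIATING] tag plus the embryonic verdict tells you the problem is in phase 1 (policy or peer mismatch) before you start looking at access lists or "show crypto ipsec sa".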

Hello, bhatti.imran:

Pleasure to help you.

crypto map newmap 10 set peer 83.136.10.162
isakmp key ******** address 10.1.1.162 netmask 255.255.255.255

The information above shows you specified different peer addresses. So you should modify the config.

If you do it in a real environment, first of all you should check whether, through the ADSL line, the HO PIX can get a public IP address from the ISP. The command "show int e0" can help you check it. After that you should check the connection between the two PIXes. I think a ping test is enough.
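Both of Martin's corrections (the ISAKMP policies must agree, and the "set peer" address must be the same address the pre-shared key is bound to) are mechanical checks that can be run on the two configs before touching the boxes. The following is an added example, not code from the thread or from Cisco: it parses the relevant "crypto map", "isakmp key" and "isakmp policy" lines from the two configs posted above (trimmed and embedded here as constructed input) and reports exactly the two mismatches this thread ran into. It treats a lifetime difference as a non-fatal warning rather than an error, which is my assumption; authentication, encryption, hash and group must match for phase 1 to succeed.

```python
"""Static/dynamic PIX IPsec pair: pre-flight consistency checks.

Added example. The two configs below are trimmed from the HO (dynamic
IP, initiator) and Branch (static IP, responder) configs posted in the
thread, embedded as constructed input.
"""
import re
from collections import defaultdict

HO_CONFIG = """
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address nat
crypto map newmap 10 set peer 83.136.10.162
crypto map newmap 10 set transform-set myset
isakmp key ******** address 10.1.1.162 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
"""

BRANCH_CONFIG = """
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
"""

PEER_RE = re.compile(r"^crypto map \S+ \d+ set peer (\S+)$")
KEY_RE = re.compile(r"^isakmp key \S+ address (\S+) netmask (\S+)$")
POLICY_RE = re.compile(
    r"^isakmp policy (\d+) (authentication|encryption|hash|group|lifetime) (\S+)$")

# Attributes that must agree between the peers for IKE phase 1.
NEGOTIATED = ("authentication", "encryption", "hash", "group")


def parse(config):
    """Pull static peers, pre-shared-key bindings and ISAKMP policies."""
    peers, keys, policies = [], [], defaultdict(dict)
    for line in config.splitlines():
        line = line.strip()
        if m := PEER_RE.match(line):
            peers.append(m.group(1))
        elif m := KEY_RE.match(line):
            keys.append((m.group(1), m.group(2)))          # (address, netmask)
        elif m := POLICY_RE.match(line):
            policies[int(m.group(1))][m.group(2)] = m.group(3)
    return {"peers": peers, "keys": keys, "policies": dict(policies)}


def key_covers(key, peer):
    """A wildcard key (0.0.0.0/0.0.0.0) or an exact address match covers the peer."""
    addr, mask = key
    return mask == "0.0.0.0" or addr == peer


def check_peer_keys(cfg):
    """Every 'set peer' address needs an 'isakmp key ... address' that covers it."""
    return [f"peer {p} has no matching 'isakmp key ... address' entry"
            for p in cfg["peers"]
            if not any(key_covers(k, p) for k in cfg["keys"])]


def check_policies(a, b):
    """Return the (policy_a, policy_b) pairs that agree on all NEGOTIATED attributes."""
    return [(na, nb)
            for na, pa in a["policies"].items()
            for nb, pb in b["policies"].items()
            if all(pa.get(k) == pb.get(k) for k in NEGOTIATED)]


def lifetime_warnings(a, b):
    """Lifetime differences are reported but not treated as fatal (assumption)."""
    return [f"lifetime differs: policy {na}={pa.get('lifetime')} vs policy {nb}={pb.get('lifetime')}"
            for na, pa in a["policies"].items()
            for nb, pb in b["policies"].items()
            if pa.get("lifetime") != pb.get("lifetime")]


def audit(ho_text, branch_text):
    """Return the list of fatal mismatches between the two configs ([] means clean)."""
    ho, br = parse(ho_text), parse(branch_text)
    errors = check_peer_keys(ho) + check_peer_keys(br)
    if not check_policies(ho, br):
        errors.append("no ISAKMP policy pair agrees on authentication/encryption/hash/group")
    return errors


if __name__ == "__main__":
    for msg in audit(HO_CONFIG, BRANCH_CONFIG):
        print("ERROR:", msg)
    for msg in lifetime_warnings(parse(HO_CONFIG), parse(BRANCH_CONFIG)):
        print("WARN:", msg)
```

On the configs as posted the audit returns two errors, the peer/key address mismatch on HO and the policy mismatch, which is exactly the pair of fixes Martin gave; aligning the Branch policy to des/md5/group 1 and binding the HO key to 83.136.10.162 brings it to an empty list.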

Dear Martin,

Thanks for the correction.

Now I have successfully managed to establish the VPN tunnel.

I have added the lines below in the branch office PIX and the VPN tunnel was established, but now I cannot ping through the VPN tunnel to the inside interface of either PIX firewall.

tunnel-group DefaultRAGroup general-attributes
authentication-server-group none

Below is the post for this trouble also:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Virtual%20Private%20Networks&topic=General&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddc867a

Can you please help me?

Waiting for your help.
