10-15-2006 11:46 PM - edited 02-21-2020 02:40 PM
Dear All,
I have been given a task for connecting the Head Office (HO) with the branch office through an internet VPN using PIX. The branch office has a 515E with PIX OS 7.0 and HO has a PIX 501 with OS 6.3. The HO ISP is giving me a DHCP IP at the outside interface.
Now I am preparing the configuration for the above task.
I have created a test environment with two PIX 501.
As I am not so familiar with PIX VPN, I followed the Cisco URL below for this test purpose.
Unfortunately I am unable to create the VPN (by the way, how can I check that the VPN has been created? I tried using ping only).
Below are the running configs for both PIX.
Config for the HO (outside interface is DHCP) is below
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
ip address outside 172.18.124.167 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 172.18.124.166 1
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 101
crypto map newmap 10 set peer 172.18.124.166
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 172.18.124.166 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
Now the configuration for the PIX which has a static IP (Branch office)
access-list 100 permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
ip address outside 172.18.124.166 255.255.255.0
ip address inside 10.2.2.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
Now when I tried to ping the remote PIX I failed. (I can ping the outside interface of both PIX.)
Could anybody tell me what is wrong and why I cannot ping the inside interface from the remote side?
Waiting for reply.
At the end, sorry for my long post.
10-16-2006 02:39 AM
Hello
You should add the command
route outside 0.0.0.0 0.0.0.0 172.18.124.167 on Branch Office PIX.
I think the two PIXs have the correct configuration after adding that command.
You can connect computers to both PIXs' inside interfaces. You can do a ping test from the computer connected to the Branch Office PIX's inside interface to the computer connected to the HO PIX's inside interface. When you want to set up a static-dynamic VPN using PIX, only interesting traffic from static to dynamic can activate the process of SA negotiation.
When the VPN tunnel is created successfully, besides the ping test you can also see the information below:
HO(config)# sh crypto isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
172.18.124.166 172.18.124.167 QM_IDLE 0 1
HO(config)# sh crypto ipsec sa
..............
inbound esp sas:
spi: 0x9b48c914(2605238548)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: newmap
sa timing: remaining key lifetime (k/sec): (4607996/26794)
IV size: 8 bytes
replay detection support: Y
..................
outbound esp sas:
spi: 0xa2bc66f2(2730256114)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: newmap
sa timing: remaining key lifetime (k/sec): (4607998/26767)
IV size: 8 bytes
replay detection support: Y
10-17-2006 05:10 PM
Thank you very much Martin for your reply and guidance.
The test lab scenario is working fine, and now the real stuff.
In the test lab I used two PIX 501 with OS 6.3, but in the real scenario I am going to use a PIX 501 (OS 6.3) with a PIX 515 (OS 7.0).
Below is my configuration for the PIX 515E (branch office with static IP; this is also the central PIX).
Branch office PIX config
interface Ethernet0
nameif outside
security-level 0
ip address 10.1.1.162 255.255.255.240
!
interface Ethernet1
nameif inside
security-level 100
ip address 172.16.73.3 255.255.255.0
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 10.1.1.161
nat (inside) 0 access-list nat
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
**** below part is for VPN client software ****
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
**** end part for VPN client software ****
And for the HO PIX with PPPoE and dynamic IP, the configuration is
ip address outside pppoe setroute
ip address inside 172.16.1.30 255.255.255.0
access-list nat permit ip 192.168.40.0 255.255.255.0 172.16.73.0 255.255.255.0
nat (inside) 0 access-list nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address nat
crypto map newmap 10 set peer 83.136.10.162
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 10.1.1.162 netmask 255.255.255.255
isakmp log 2000
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
vpdn group xxx request dialout pppoe
vpdn group xxx localname xxx
vpdn group xxx ppp authentication pap
vpdn username xxx password *********
Now again my question is: is there any trouble with this config, and does this config really work?
Thanks
10-17-2006 09:34 PM
bhatti.imran:
On the Branch PIX I think you should add and modify the commands below.
access-list nat permit ip 172.16.73.0 255.255.255.0 192.168.40.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
sysopt connection permit-ipsec
tunnel-group DefaultRAGroup type ipsec-l2l
On the HO PIX I think you should add and modify the commands below.
global (outside) 1 interface
crypto map newmap 10 set peer 10.1.1.162 (in the real scenario this should be the public address of the Branch PIX)
You should also confirm that both ISAKMP policies are identical.
Branch PIX:
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
HO PIX:
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
Hope this helps.
Martin
10-18-2006 01:25 AM
Dear Martin, thanks for the help.
But I am in trouble now.
I have applied the configuration and I am getting the error below.
pixfirewall# sh crypto isakmp sa
Total : 1
Embryonic : 1
dst src state pending created
10.1.1.162 172.16.88.3 MM_NO_STATE 0 0
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:10.1.1.1622, dest 172.16.88.3 spt:500 dpt:500
return status is IKMP_NO_ERR_NO_TRANS
pixfirewall#
ISAKMP (0): deleting SA: src 172.16.88.3 , dst 10.1.1.162
ISADB: reaper checking SA 0xa2e9a4, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 10.1.1.162/500 not found - peers:0
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:10.1.1.162, dest: 172.16.88.3 spt:500 dpt:500
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): deleting SA: src 172.16.88.3 , dst 10.1.1.162
ISADB: reaper checking SA 0xa2e9a4, conn_id = 0 DELETE IT!
Below is the configuration now on both Branch and HO
HO
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address nat
crypto map newmap 10 set peer 83.136.10.162
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 10.1.1.162 netmask 255.255.255.255
isakmp log 2000
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
Branch office
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
It looks like a phase 1 error; could you please help me.
Thanks
10-20-2006 02:18 AM
Hello, bhatti.imran:
Pleasure to help you.
crypto map newmap 10 set peer 83.136.10.162
isakmp key ******** address 10.1.1.162 netmask 255.255.255.255
The information above shows you have specified different peer addresses, so you should modify the config.
If you do it in the real environment, first of all you should check whether through the ADSL line the HO PIX can get a public IP address from the ISP. The command "show int e0" can help you check it. After that you should check the connection between the two PIX. I think a ping test is enough.
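Martin's two checks, that both ISAKMP policies match (his 10-17 reply) and that the crypto map peer agrees with the isakmp key address (his 10-20 reply), as a small Python lint over the posted snippets. This is an added example, not code from the thread or from Cisco; the config strings are constructed excerpts of the HO and branch configs posted above, and the peer check only understands the PIX 6.3 style `isakmp key ... address ... netmask` form, not the 7.0 tunnel-group pre-shared-key.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpts of the HO (PIX 501, 6.3) and branch (PIX 515E, 7.0) configs posted above.
HO_CONFIG = """
crypto map newmap 10 set peer 83.136.10.162
isakmp key ******** address 10.1.1.162 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
"""
BRANCH_CONFIG = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
"""
POLICY_RE = re.compile(r"^\s*isakmp policy (\d+) (\S+) (\S+)")
PEER_RE = re.compile(r"^\s*crypto map \S+ \d+ set peer (\S+)")
KEY_RE = re.compile(r"^\s*isakmp key \S+ address (\S+) netmask (\S+)")

def isakmp_policies(config):
    """Map policy priority -> {attribute: value} for every 'isakmp policy' line."""
    policies = {}
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return policies

def policy_mismatches(config_a, config_b):
    """Attributes differing in the closest policy pair; [] means a matching pair exists."""
    closest = None
    for pa in isakmp_policies(config_a).values():
        for pb in isakmp_policies(config_b).values():
            diff = sorted(k for k in pa if pa[k] != pb.get(k))
            if closest is None or len(diff) < len(closest):
                closest = diff
    return closest or []

def unkeyed_peers(config):
    """'set peer' addresses not covered by any 'isakmp key ... address/netmask' entry."""
    lines = config.splitlines()
    keyed = [ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
             for m in map(KEY_RE.match, lines) if m]
    peers = [m.group(1) for m in map(PEER_RE.match, lines) if m]
    return [p for p in peers if not any(ip_address(p) in net for net in keyed)]
```

Run against the posted configs it reports encryption, group, hash and lifetime as mismatched and 83.136.10.162 as a peer with no matching key entry, which is exactly the MM_NO_STATE situation in the thread.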
10-22-2006 09:39 PM
Dear Martin,
Thanks for the correction.
Now I have successfully managed to establish the VPN tunnel.
I have added the lines below in the branch office PIX and the VPN tunnel was established, but now I cannot ping through the VPN tunnel to the inside interface of either PIX firewall.
tunnel-group DefaultRAGroup general-attributes
authentication-server-group none
The post for this trouble is also below.
Can you please help me?
Waiting for your help