Community Member

Help please for multiple IPSec termination on the PIX515

I have a question regarding multiple IPSec termination on the PIX-515 firewall. "outside" is configured for VPN clients from ISP#1 and "vpn-chicago" for PIX-to-PIX from ISP#2.

The IPSec SA for "vpn-chicago" cannot encapsulate the interesting traffic, even when I increase the traffic matching ACL 101. Any idea why it cannot encapsulate?

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
nameif ethernet3 intf3 security20
nameif ethernet4 intf4 security20
nameif ethernet5 vpn-chicago security40
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip address outside 66.163.23.33 255.255.255.240
ip address inside 192.168.100.32 255.255.255.0
ip address vpn-chicago 204.50.151.81 255.255.255.248
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto ipsec transform-set cpi esp-3des esp-md5-hmac
crypto dynamic-map cpi-dyna 5 set transform-set cpi
crypto map cpi-map-chi 10 ipsec-isakmp
crypto map cpi-map-chi 10 match address 101
crypto map cpi-map-chi 10 set peer 66.166.107.82
crypto map cpi-map-chi 10 set transform-set cpi
crypto map cpi-map-chi interface vpn-chicago
crypto map cpi-map-dyn 20 ipsec-isakmp dynamic cpi-dyna
crypto map cpi-map-dyn client configuration address respond
crypto map cpi-map-dyn client authentication cpi-auth
crypto map cpi-map-dyn interface outside
isakmp enable outside
isakmp enable vpn-chicago
isakmp key ******** address 66.166.107.82 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup cpivpn address-pool vpn-pool
vpngroup cpivpn dns-server 192.168.100.5
vpngroup cpivpn wins-server 192.168.100.2
vpngroup cpivpn default-domain cpiplastics.com
vpngroup cpivpn idle-time 1800
vpngroup cpivpn password ********

pixfirewall# sh ipsec sa

interface: vpn-chicago
    Crypto map tag: cpi-map-chi, local addr. 204.50.151.81

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 66.166.107.82
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 708, #pkts decrypt: 708, #pkts verify 708
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 204.50.151.81, remote crypto endpt.: 66.166.107.82
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 438deb5e

     inbound esp sas:
      spi: 0x975c70ef(2539417839)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: cpi-map-chi
        sa timing: remaining key lifetime (k/sec): (4607919/25521)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x438deb5e(1133374302)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: cpi-map-chi
        sa timing: remaining key lifetime (k/sec): (4608000/25514)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

interface: outside
    Crypto map tag: cpi-map-dyn, local addr. 66.163.23.33

2 REPLIES
Community Member

Re: Help please for multiple IPSec termination on the PIX515

Have you seen this?

http://www.cisco.com/warp/public/110/ipsec_tun_pass_data.html

It goes into the problems you can encounter when using the same access-list for no nat statements and PIX-to-PIX VPN tunnels.

Hope that helps

Kev

Community Member

Re: Help please for multiple IPSec termination on the PIX515

It was a routing issue. The interesting packets couldn't be encrypted because there was no routing path for 192.168.2.0. It is working fine after adding the following routing entry.

route vpn-chicago 192.168.2.0 255.255.255.0 206.186.248.49 1

Thanks,
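The two halves of this thread line up neatly: the `show ipsec sa` output in the question shows an SA that decrypts (708 decaps) but never encrypts (0 encaps), and the fix in the second reply is a route that sends 192.168.2.0/24 out the interface the crypto map is bound to. The Python script below is an added example, not code from the thread or from Cisco, that turns both observations into checks a practitioner could run over pasted PIX text: it flags one-way SA counters, and it parses the crypto ACL, the crypto map's bound interface and the static routes, then does a longest-prefix lookup to confirm the interesting traffic would actually leave via that interface. The sample config is an excerpt of the one in the question plus a default route whose gateway (66.163.23.46) is an assumption; the thread does not show it.

```python
"""Diagnose a PIX site-to-site IPsec SA that decrypts but never encrypts.

Check 1 parses `show crypto ipsec sa` and flags SAs whose counters are
one-way (packets decapsulated, none encapsulated), the symptom in the question.
Check 2 parses the config and verifies that every destination network in a
crypto map's match ACL is routed out the interface the crypto map is bound to.
If the longest-prefix route points elsewhere, the PIX sends the interesting
traffic through that other interface and the SA never encapsulates, which is
the root cause given in the answer.
"""
import ipaddress
import re

# Constructed sample: relevant lines of the config from the question, plus a
# default route. The gateway 66.163.23.46 is an assumption (not in the thread).
PIX_CONFIG = """\
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map cpi-map-chi 10 ipsec-isakmp
crypto map cpi-map-chi 10 match address 101
crypto map cpi-map-chi 10 set peer 66.166.107.82
crypto map cpi-map-chi interface vpn-chicago
route outside 0.0.0.0 0.0.0.0 66.163.23.46 1
"""

# The route from the second reply, i.e. the fix.
FIX_ROUTE = "route vpn-chicago 192.168.2.0 255.255.255.0 206.186.248.49 1\n"

# Constructed sample: an excerpt of the `show ipsec sa` output in the question.
SHOW_SA = """\
interface: vpn-chicago
    Crypto map tag: cpi-map-chi, local addr. 204.50.151.81
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 66.166.107.82
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 708, #pkts decrypt: 708, #pkts verify 708
"""


def one_way_sas(show_output):
    """Return (crypto map, peer, encaps, decaps) for each SA that only decrypts."""
    findings, tag, peer, encaps = [], None, None, None
    for line in show_output.splitlines():
        line = line.strip()
        m = re.match(r"Crypto map tag: (\S+),", line)
        if m:
            tag = m.group(1)
        m = re.match(r"current_peer: (\S+)", line)
        if m:
            peer = m.group(1)
        m = re.match(r"#pkts encaps: (\d+)", line)
        if m:
            encaps = int(m.group(1))
        m = re.match(r"#pkts decaps: (\d+)", line)
        if m:  # the encaps line precedes the decaps line of the same SA pair
            decaps = int(m.group(1))
            if encaps == 0 and decaps > 0:
                findings.append((tag, peer, encaps, decaps))
    return findings


def parse_config(config):
    """Pull out crypto ACLs, crypto maps with their bound interface, and routes."""
    acls, maps, routes = {}, {}, []
    for line in config.splitlines():
        p = line.split()
        if len(p) >= 8 and p[0] == "access-list" and p[2] == "permit":
            # access-list <id> permit <proto> <src> <mask> <dst> <mask>
            acls.setdefault(p[1], []).append(
                (ipaddress.ip_network(f"{p[4]}/{p[5]}"),
                 ipaddress.ip_network(f"{p[6]}/{p[7]}")))
        elif p[:2] == ["crypto", "map"]:
            cm = maps.setdefault(p[2], {"interface": None, "entries": {}})
            if p[3] == "interface":
                cm["interface"] = p[4]
            elif p[4:6] == ["match", "address"]:
                cm["entries"][int(p[3])] = p[6]
        elif p and p[0] == "route":
            # route <interface> <network> <mask> <gateway> [metric]
            routes.append((p[1], ipaddress.ip_network(f"{p[2]}/{p[3]}"), p[4]))
    return acls, maps, routes


def egress_interface(routes, dst):
    """Longest-prefix match over the static routes; returns (interface, gateway)."""
    best = None
    for iface, net, gw in routes:
        if dst.subnet_of(net) and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net, gw)
    return None if best is None else (best[0], best[2])


def check_crypto_routing(config):
    """List of problems; empty means every crypto ACL destination is routed
    out the interface its crypto map is applied to."""
    acls, maps, routes = parse_config(config)
    problems = []
    for name, cm in maps.items():
        for seq, acl_id in sorted(cm["entries"].items()):
            for _src, dst in acls.get(acl_id, []):
                hop = egress_interface(routes, dst)
                if hop is None:
                    problems.append(f"{name} {seq}: no route to {dst}")
                elif hop[0] != cm["interface"]:
                    problems.append(
                        f"{name} {seq}: {dst} is routed out '{hop[0]}' via {hop[1]}, "
                        f"but the crypto map is bound to '{cm['interface']}'")
    return problems


if __name__ == "__main__":
    for tag, peer, enc, dec in one_way_sas(SHOW_SA):
        print(f"one-way SA on {tag} to {peer}: encaps={enc}, decaps={dec}")
    print("before fix:", check_crypto_routing(PIX_CONFIG) or "ok")
    print("after fix: ", check_crypto_routing(PIX_CONFIG + FIX_ROUTE) or "ok")
```

Run as-is, the script reports the one-way SA on cpi-map-chi, then shows that with only the default route the 192.168.2.0/24 destination would leave via "outside" while the crypto map sits on "vpn-chicago", and that appending the route from the reply clears the finding. The decaps-without-encaps pattern is worth alerting on in general: the peer is sending traffic and the keys are fine, so the fault is in what the local box does with its own traffic before it reaches the crypto map (routing or NAT), not in IKE or the transform set.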
