Multiple VPNs on a PIX

phusion2k
Level 1

The PIX now has three VPNs on it. The third (current) VPN doesn't seem to work. I've included some of the config from the PIX 501 on our end. On the other end of the VPN is a PIX 515. The VPN that doesn't work should allow 192.168.2.0 and 192.168.4.2 to connect in.

name 192.168.2.0 THREE
name 192.168.4.2 THREEWEB1
object-group service BRANCHOFFICETCP tcp
  description Service Group for Branch Office VPN Policies
  port-object range 137 netbios-ssn
  port-object eq lpd
  port-object eq ftp-data
  port-object eq ftp
  port-object eq lotusnotes
  port-object eq www
  port-object eq login
  port-object eq cmd
  port-object eq 449
  port-object eq pcanywhere-data
  port-object eq 446
  port-object eq https
  port-object range 8470 8476
  port-object eq telnet
  port-object eq 135
  port-object eq smtp
  port-object eq 1433
  port-object eq 8080
access-list NAT4ONE permit ip 192.168.40.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 150 permit ip 10.150.176.232 255.255.255.248 172.16.1.0 255.255.255.0
access-list inside_access_out remark Incoming from THREE
access-list inside_access_out permit tcp 192.168.2.0 255.255.255.0 object-group BRANCHOFFICETCP host 192.168.40.10 object-group BRANCHOFFICETCP
access-list inside_access_out remark Incoming from THREEWEBSERVER
access-list inside_outbound_nat0_acl permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_cryptomap_140 permit ip host 192.168.40.10 192.168.2.0 255.255.255.0
access-list outside_cryptomap_140 permit ip host 192.168.40.10 host 192.168.4.2
access-list 101 permit ip 192.168.40.0 255.255.255.0 192.168.10.0 255.255.255.0
ip address outside wanip 255.255.255.248
ip address inside 192.168.40.1 255.255.255.0
global (outside) 1 10.150.176.233
global (outside) 2 interface
nat (inside) 0 access-list 101
nat (inside) 1 access-list NAT4ONE 0 0
nat (inside) 3 access-list outside_cryptomap_140 0 0
nat (inside) 4 access-list inside_outbound_nat0_acl 0 0
nat (inside) 2 192.168.40.0 255.255.255.0 0 0
static (inside,outside) 10.150.176.234 192.168.40.17 netmask 255.255.255.255 0 0
access-group INTERNET_TO_INSIDE in interface outside
sysopt connection permit-ipsec
crypto ipsec transform-set one esp-aes-256 esp-sha-hmac
crypto ipsec transform-set two esp-aes-256 esp-sha-hmac
crypto ipsec transform-set three esp-3des esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address 150
crypto map VPN 10 set peer oneip
crypto map VPN 10 set transform-set one
crypto map VPN 20 ipsec-isakmp
crypto map VPN 20 match address 101
crypto map VPN 20 set peer twoip
crypto map VPN 20 set transform-set two
crypto map VPN 30 ipsec-isakmp
crypto map VPN 30 match address outside_cryptomap_140
crypto map VPN 30 set peer threeip
crypto map VPN 30 set transform-set three
crypto map VPN interface outside
isakmp enable outside
isakmp key ******** address oneip netmask 255.255.255.255
isakmp key ******** address twoip netmask 255.255.255.255
isakmp key ******** address threeip netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 1000
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption des
isakmp policy 50 hash sha
isakmp policy 50 group 1
isakmp policy 50 lifetime 86400

Phusion

4 Replies

phusion2k
Level 1

Here is what I see from logging.

crypto_isakmp_process_block:src:threeip, dest:wanip spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 1000
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 30 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 1000
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:threeip, dest:wanip spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:threeip, dest:wanip spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
VPN Peer: ISAKMP: Peer ip:threeip/500 Ref cnt incremented to:4 Total VPN Peers:3
ISAKMP (0): deleting SA: src threeip, dst wanip
ISADB: reaper checking SA 0xa187d4, conn_id = 0
ISADB: reaper checking SA 0xa17fbc, conn_id = 0
ISADB: reaper checking SA 0xa1b0b4, conn_id = 0 DELETE IT!

Let me know what you think.

Phusion
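The debug output above can be read mechanically rather than by eye. The Python below is an added example, not code from the thread or from Cisco: it parses the "Checking ISAKMP transform N against priority P policy" blocks from a constructed excerpt of the posted log, decodes both lifetime encodings the PIX prints (the plain "(basic)" number and the "(VPI)" byte list, where 0x0 0x1 0x51 0x80 is 86400 seconds), reports which proposal the PIX accepted and which of its attributes (DES, MD5, group 1) fall below current practice, and checks whether phase 1 authenticated and a quick mode exchange followed. The "OAK_QM exchange" string used as the quick mode marker is an assumption by analogy with the OAK_MM lines in the log.

```python
import re

# Constructed excerpt of the 'debug crypto isakmp' output posted in the thread:
# two of the four transform checks, then the phase 1 outcome.
SAMPLE_DEBUG = """\
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 1 against priority 30 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 1000
ISAKMP (0): atts are acceptable. Next payload is 3
OAK_MM exchange
ISAKMP (0): SA has been authenticated
ISAKMP (0): deleting SA: src threeip, dst wanip
"""

HEADER = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"^ISAKMP: (encryption|hash|default group|auth|life type|life duration) (.+)$")
RESULT = re.compile(r"atts are (not )?acceptable")

# Phase 1 attributes current guidance treats as too weak; they are flagged, not rejected.
WEAK = {"encryption": {"DES-CBC"}, "hash": {"MD5"}, "default group": {"1"}}


def _lifetime_seconds(value):
    """Decode '(basic) of 1000' or the big-endian byte list '(VPI) of 0x0 0x1 0x51 0x80'."""
    kind, _, rest = value.partition(" of ")
    if kind == "(VPI)":
        return int.from_bytes(bytes(int(b, 16) for b in rest.split()), "big")
    return int(rest)


def parse_isakmp_debug(text):
    """Group the output into proposals: peer transform, local policy it was
    checked against, the attributes offered, and the PIX's verdict."""
    proposals, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.search(line)
        if m:
            current = {"transform": int(m.group(1)), "policy": int(m.group(2)),
                       "attrs": {}, "accepted": None}
            proposals.append(current)
            continue
        if current is None:
            continue
        m = ATTR.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            current["attrs"][key] = _lifetime_seconds(value) if key == "life duration" else value
            continue
        m = RESULT.search(line)
        if m:
            current["accepted"] = m.group(1) is None
            current = None
    return proposals


def accepted_proposal(text):
    """First proposal the PIX accepted, or None if phase 1 never agreed."""
    return next((p for p in parse_isakmp_debug(text) if p["accepted"]), None)


def weak_attributes(proposal):
    """Attributes of a proposal that fall below current practice."""
    return [f"{k} {proposal['attrs'][k]}" for k in ("encryption", "hash", "default group")
            if proposal["attrs"].get(k) in WEAK[k]]


def phase1_summary(text):
    """Did phase 1 authenticate, did a quick mode (phase 2) exchange follow, and
    was the SA torn down? 'OAK_QM exchange' is assumed by analogy with OAK_MM."""
    return {"authenticated": "SA has been authenticated" in text,
            "quick_mode_seen": "OAK_QM exchange" in text,
            "sa_deleted": "deleting SA" in text}


if __name__ == "__main__":
    acc = accepted_proposal(SAMPLE_DEBUG)
    print("accepted: transform", acc["transform"], "against policy", acc["policy"], acc["attrs"])
    print("weak attributes:", weak_attributes(acc))
    print(phase1_summary(SAMPLE_DEBUG))
```

On the excerpt the accepted proposal is transform 1 against policy 30 (DES-CBC, MD5, group 2, 1000 seconds), phase 1 authenticates, and no quick mode block appears before the SA is deleted. That pattern says the ISAKMP policies are not the problem and moves the search to phase 2: the crypto ACLs and the NAT rules that decide which traffic reaches the crypto map.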

amohabir1
Level 1

Try adding these lines

access-list 101 permit ip host 192.168.40.10 192.168.2.0 255.255.255.0

and

access-list 101 permit ip host 192.168.40.10 host 192.168.4.2

Because you are passing private IP addresses you have to exempt them from the public NAT translation. You should have a similar access-list on the other end to get it to work.
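The check amohabir1 describes can be automated against the running config. The Python below is an added example, not code from the thread or from Cisco: it parses a constructed excerpt of the posted config, finds every crypto map "match address" ACL, and reports entries that are not wholly covered by the nat 0 exemption ACL; it also lists ACLs that serve both as the nat 0 list and as a crypto map match address, as access-list 101 does in the posted config. The first VPN (crypto map VPN 10) is left out of the excerpt because its crypto ACL 150 matches the PIX's outside-side addresses, so it is not expected in the nat 0 list.

```python
import ipaddress

# Constructed excerpt of the PIX 501 config posted in the thread (crypto map
# VPN 10 omitted, see the lead-in). The 'nat (inside) 3' and '4' lines are kept
# to show that only the nat 0 list counts as exemption.
PIX_CONFIG_BEFORE = """\
access-list inside_outbound_nat0_acl permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_cryptomap_140 permit ip host 192.168.40.10 192.168.2.0 255.255.255.0
access-list outside_cryptomap_140 permit ip host 192.168.40.10 host 192.168.4.2
access-list 101 permit ip 192.168.40.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 3 access-list outside_cryptomap_140 0 0
nat (inside) 4 access-list inside_outbound_nat0_acl 0 0
crypto map VPN 20 ipsec-isakmp
crypto map VPN 20 match address 101
crypto map VPN 30 ipsec-isakmp
crypto map VPN 30 match address outside_cryptomap_140
"""

# The same excerpt with the two lines amohabir1 suggested appended.
PIX_CONFIG_AFTER = PIX_CONFIG_BEFORE + """\
access-list 101 permit ip host 192.168.40.10 192.168.2.0 255.255.255.0
access-list 101 permit ip host 192.168.40.10 host 192.168.4.2
"""


def _endpoint(tokens, i):
    """Consume one ACL address spec ('any', 'host A', or 'A MASK') at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network((tokens[i], tokens[i + 1]), strict=False), i + 2


def parse_config(text):
    """Collect 'permit ip' ACL entries, the nat 0 (exemption) ACL per interface,
    and each crypto map entry's 'match address' ACL."""
    acls, nat0, crypto = {}, {}, {}
    for raw in text.splitlines():
        t = raw.split()
        if len(t) >= 6 and t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = _endpoint(t, 4)
            dst, _ = _endpoint(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif len(t) >= 5 and t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            nat0[t[1].strip("()")] = t[4]
        elif len(t) >= 7 and t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            crypto[(t[2], int(t[3]))] = t[6]
    return acls, nat0, crypto


def uncovered_crypto_entries(text):
    """Crypto ACL entries whose source/destination pair is not wholly inside some
    nat 0 entry: that traffic is translated before it reaches the crypto map."""
    acls, nat0, crypto = parse_config(text)
    exempt = [pair for name in nat0.values() for pair in acls.get(name, [])]
    findings = []
    for (map_name, seq), acl_name in sorted(crypto.items()):
        for src, dst in acls.get(acl_name, []):
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                findings.append((map_name, seq, acl_name, str(src), str(dst)))
    return findings


def shared_acls(text):
    """ACL names used both as a nat 0 list and as a crypto map match address;
    adding entries to such a list widens both at once."""
    _, nat0, crypto = parse_config(text)
    return set(nat0.values()) & set(crypto.values())


if __name__ == "__main__":
    for label, cfg in (("before", PIX_CONFIG_BEFORE), ("after", PIX_CONFIG_AFTER)):
        print(label, "uncovered:", uncovered_crypto_entries(cfg))
        print(label, "shared nat0/crypto ACLs:", shared_acls(cfg))
```

Run as a script, the "before" excerpt reports both outside_cryptomap_140 entries of crypto map VPN 30 as uncovered and the "after" excerpt reports none. Note the coupling the second function exposes: access-list 101 is also crypto map VPN 20's match address, so the two added lines also make host 192.168.40.10 to 192.168.2.0/24 and to 192.168.4.2 interesting traffic for the peer twoip. A nat 0 ACL that is not reused by any crypto map keeps the exemption and the tunnel selectors independent.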

I entered these commands, then did a write mem. After entering these commands it worked. For a test, I restarted. After restarting, I checked the config file and these two commands were still in there, but the VPN didn't work anymore.

Phusion

I figured out what the problem was. Thanks for your help.

Phusion