Cisco Support Community
New Member

Need help, VPN between 1841 router & PIX 501

Trying to set up a VPN between an 1841 router at HQ with a static IP connecting to a remote office with a PIX 501 and a persistent IP (not static, but Mediacom has mapped the PIX MAC to this IP so I always get the same public IP even on equipment reboot). I have configured both sides but the tunnel will not come up; must be missing something.

See attached configs.

THANK YOU!

38 REPLIES
Silver

Re: Need help, VPN between 1841 router & PIX 501

You can safely remove the following statement from the router config:

no ip nat inside source list 1 interface FastEthernet0/1 overload

Enable debugs on the router and PIX, "debug cry isa" and "debug cry ipsec", and initiate traffic from the PIX side; capture the debugs and post them.

HTH

Saju

New Member

Re: Need help, VPN between 1841 router & PIX 501

Removed line as instructed.

Turned on debug on both sides.

Debug output from PIX:

ISAKMP (0): beginning Main Mode exchange

ISAKMP (0): retransmitting phase 1 (0)...

ISAKMP (0): retransmitting phase 1 (1)...

ISAKMP (0): retransmitting phase 1 (2)...

ISAKMP (0): retransmitting phase 1 (3)...

ISAKMP (0): retransmitting phase 1 (4)...IPSEC(key_engine): request timer fired:

count = 1,

(identity) local= 12.206.137.5, remote= 216.203.117.82,

local_proxy= 10.5.5.0/255.255.255.0/0/0 (type=4),

remote_proxy= 10.2.1.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): deleting SA: src 12.206.137.5, dst 216.203.117.82

ISADB: reaper checking SA 0xb91cac, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for 216.203.117.82/500 not found - peers:0

IPSEC(key_engine): request timer fired: count = 2,

(identity) local= 12.206.137.5, remote= 216.203.117.82,

local_proxy= 10.5.5.0/255.255.255.0/0/0 (type=4),

remote_proxy= 10.2.1.0/255.255.255.0/0/0 (type=4)

No debug feedback appearing on the router when I initiate a ping from the router to a device on the PIX side (10.5.5.241).

THANKS!

Silver

Re: Need help, VPN between 1841 router & PIX 501

What is the output of "show crypto isakmp sa" on the PIX and router?

Also post the result of "show crypto isakmp policy" on the router.

New Member

Re: Need help, VPN between 1841 router & PIX 501

PIX

secondstory# sho crypt isakmp sa

Total : 0

Embryonic : 0

dst src state pending created

ROUTER

RainingRose#sho crypto isakmp policy

Global IKE policy

Protection suite of priority 10

encryption algorithm: DES - Data Encryption Standard (56 bit keys).

hash algorithm: Message Digest 5

authentication method: Pre-Shared Key

Diffie-Hellman group: #1 (768 bit)

lifetime: 86400 seconds, no volume limit

Default protection suite

encryption algorithm: DES - Data Encryption Standard (56 bit keys).

hash algorithm: Secure Hash Standard

authentication method: Rivest-Shamir-Adleman Signature

Diffie-Hellman group: #1 (768 bit)

lifetime: 86400 seconds, no volume limit

Silver

Re: Need help, VPN between 1841 router & PIX 501

Also change the following on the router. Use a route-map instead of a source list for bypassing NAT. When you make changes to the router you may or may not lose connectivity if you are logged on remotely.

route-map nonat permit 10

match ip address 112

no ip nat inside source list 112 interface FastEthernet0/1 overload

ip nat inside source route-map interface FastEthernet0/1 overload

Then initiate traffic from the private network of the router and try to capture debugs.

Follow the link below to verify your configs:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml

HTH

New Member

Re: Need help, VPN between 1841 router & PIX 501

The router does not like the following cmd:

ip nat inside source route-map interface fa0/1 overload

Silver

Re: Need help, VPN between 1841 router & PIX 501

What do you see if you try the following, putting a "?" after "ip nat inside source"?

(config)#ip nat inside source ?

list Specify access list describing local addresses

route-map Specify route-map

static Specify static local->global mapping

New Member

Re: Need help, VPN between 1841 router & PIX 501

I tried to ping from the router side to a device on the remote side and got the following. Appears as if it is sending out to the public Internet instead of opening the VPN.

C:\Documents and Settings\Administrator.RAININGROSE>ping 10.5.5.242

Pinging 10.5.5.242 with 32 bytes of data:

Request timed out.

Request timed out.

Request timed out.

Reply from 157.130.212.1: Destination host unreachable.

Ping statistics for 10.5.5.242:

Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Documents and Settings\Administrator.RAININGROSE>tracert 10.5.5.242

Tracing route to 10.5.5.242 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 10.2.1.254

2 2 ms 1 ms 1 ms wuw-nbwxpkze.dybb.com [216.203.117.81]

3 3 ms 3 ms 3 ms 172.16.61.1

4 4 ms 3 ms 4 ms 10.10.19.1

5 6 ms 7 ms 5 ms 10.2.0.5

6 5 ms 4 ms 5 ms 63-254-144-42.ip.mcleodusa.net [63.254.144.42]

7 7 ms 8 ms 5 ms 63-254-144-97.ip.mcleodusa.net [63.254.144.97]

8 POS1-3.GW4.CHI2.ALTER.NET [157.130.212.1] reports: Destination host unreachable.

Trace complete.

Silver

Re: Need help, VPN between 1841 router & PIX 501

Can you clear the NAT translations, "clear ip nat translation *", and then check again?

New Member

Re: Need help, VPN between 1841 router & PIX 501

Incomplete cmd?

RainingRose#clear ip nat trans ?

* Delete all dynamic translations

esp Encapsulating Security Payload

forced Delete all dynamic translations (forcefully)

inside Inside addresses (and ports)

outside Outside addresses (and ports)

tcp Transmission Control Protocol

udp User Datagram Protocol

vrf Clear entries of VRF instance

Silver

Re: Need help, VPN between 1841 router & PIX 501

clear ip nat trans *

New Member

Re: Need help, VPN between 1841 router & PIX 501

Executed cmd, ping from router still not working. Attached updated router config.

Silver

Re: Need help, VPN between 1841 router & PIX 501

You have access-list 100 and access-list 101 bound to the inside interface and outside interface on the router.

Can you remove those access-lists and check?

interface FastEthernet0/0

no ip access-group 100 in

interface FastEthernet0/1

no ip access-group 101 in

If the VPN works after removing these access-lists we will modify them to allow VPN traffic.

New Member

Re: Need help, VPN between 1841 router & PIX 501

I am outside the router now; if I remove ACL 101, I will lose connectivity to the remote desktop behind the router from which I am telnetting to the router.

Can be on-site where the router is located in about 45 min and then remove the ACL.

Will you be around to see my post in 1hr or so?

Silver

Re: Need help, VPN between 1841 router & PIX 501

OK, but removing the access-lists should not affect your connection in or out, as we will be making the interfaces open for any traffic.

New Member

Re: Need help, VPN between 1841 router & PIX 501

Removed ACL 100 and 101, tried to ping from the router side device, no reply.

RainingRose#sho crypt isakmp sa

dst src state conn-id slot status

Silver

Re: Need help, VPN between 1841 router & PIX 501

Enable debugs on the router and try to capture:

debug cry isa

debug cry ipsec

New Member

Re: Need help, VPN between 1841 router & PIX 501

router shows:

RainingRose#sho crypt isakmp sa

dst src state conn-id slot status

216.203.117.82 12.206.137.5 QM_IDLE 1 0 ACTIVE

PIX shows:

secondstory# sho crypt isakmp sa

Total : 1

Embryonic : 0

dst src state pending created

216.203.117.82 12.206.137.5 QM_IDLE 0 1

But no response to ping traffic from either direction.

Silver

Re: Need help, VPN between 1841 router & PIX 501

Your tunnel is UP! Check on the PIX also for

"show crypto isakmp sa" if the tunnel state is QM_IDLE.

Now, not being able to ping could be a routing issue and not VPN.

Can you also paste "show crypto ipsec sa" outputs?

New Member

Re: Need help, VPN between 1841 router & PIX 501

Ok, I am on router side and now I can ping remote device on PIX side.

interface: FastEthernet0/1

Crypto map tag: IPSEC, local addr 216.203.117.82

protected vrf: (none)

local ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)

current_peer 12.206.137.5 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12

#pkts decaps: 30, #pkts decrypt: 30, #pkts verify: 30

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 216.203.117.82, remote crypto endpt.: 12.206.137.5

path mtu 1500, ip mtu 1500

current outbound spi: 0xE669710B(3865669899)

inbound esp sas:

spi: 0x57AAE66C(1470817900)

transform: esp-des esp-md5-hmac ,

in use settings ={Tunnel, }

conn id: 3001, flow_id: FPGA:1, crypto map: IPSEC

sa timing: remaining key lifetime (k/sec): (4433298/1228)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xE669710B(3865669899)

transform: esp-des esp-md5-hmac ,

in use settings ={Tunnel, }

conn id: 3002, flow_id: FPGA:2, crypto map: IPSEC

sa timing: remaining key lifetime (k/sec): (4433301/1183)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

outbound ah sas:

How do I fix the ACL on the router, because 100 & 101 are still removed?

Silver

Re: Need help, VPN between 1841 router & PIX 501

Cool you got it working.

You can plug access-list 100 back onto the private interface of the router; it does not need any modification. For 101, I have added lines to allow ESP and UDP 500 (ISAKMP).

interface FastEthernet0/0

ip access-group 100 in

no access-list 101

no access-list 101

access-list 101 remark auto generated by Cisco SDM Express firewall configuration

access-list 101 remark SDM_ACL Category=1

access-list 101 permit udp host 216.203.122.200 eq domain host 216.203.117.82

access-list 101 permit udp host 216.203.115.234 eq domain host 216.203.117.82

access-list 101 permit tcp any host 216.203.117.83 eq 1494

access-list 101 permit tcp host 66.211.4.130 host 216.203.117.84 eq 1433

access-list 101 permit tcp host 66.211.4.130 host 216.203.117.83 eq 1433

access-list 101 permit tcp host 147.202.24.152 host 216.203.117.84 eq 1433

access-list 101 permit tcp host 147.202.24.152 host 216.203.117.83 eq 1433

access-list 101 permit tcp any host 216.203.117.83 eq ftp

access-list 101 permit tcp any host 216.203.117.83 eq 5360

access-list 101 permit tcp any host 216.203.117.83 eq 5366

access-list 101 permit tcp any host 216.203.117.83 eq 3389

access-list 101 permit tcp any host 216.203.117.83 eq 5365

access-list 101 permit tcp any host 216.203.117.83 eq 5364

access-list 101 permit tcp any host 216.203.117.83 eq 5361

access-list 101 permit tcp any host 216.203.117.85 eq smtp

access-list 101 permit tcp any host 216.203.117.85 eq 389

access-list 101 permit esp any host 216.203.117.82

access-list 101 permit udp any host 216.203.117.82 eq 500

access-list 101 permit tcp any host 216.203.117.85 eq www

access-list 101 permit tcp any host 216.203.117.85 eq 5362

access-list 101 permit tcp any host 216.203.117.85 eq 443

access-list 101 permit ip 10.5.5.0 0.0.0.255 10.2.1.0 0.0.0.255

access-list 101 deny ip 10.2.1.0 0.0.0.255 any

access-list 101 permit icmp any host 216.203.117.82 echo-reply

access-list 101 permit icmp any host 216.203.117.82 time-exceeded

access-list 101 permit icmp any host 216.203.117.82 unreachable

access-list 101 deny ip 10.0.0.0 0.255.255.255 any

access-list 101 deny ip 172.16.0.0 0.15.255.255 any

access-list 101 deny ip 192.168.0.0 0.0.255.255 any

access-list 101 deny ip host 0.0.0.0 any

access-list 101 deny ip any any

interface FastEthernet0/1

ip access-group 101 in

Check and post results.

HTH

Saju

Pls rate helpful posts

New Member

Re: Need help, VPN between 1841 router & PIX 501

OK, I can ping in both directions. Routing issue: 10.2.1.6 (router side) has a static NAT; I cannot ping this device from the remote side nor access the Exchange stuff on that box. I am guessing the static NAT is related to the issue.

Ideas?

Silver

Re: Need help, VPN between 1841 router & PIX 501

Brian,

First of all do not forget to rate me :)

As far as static NAT is concerned, you can create another access-list entry in the crypto ACL for it on both sides, since it is being NAT'ed to 216.203.117.85.

Add acl entry

access-list 111 permit ip host 216.203.117.85 10.2.1.0 0.0.0.255 10.5.5.0 0.0.0.255

and the mirror image of this on the PIX.

New Member

Re: Need help, VPN between 1841 router & PIX 501

Does not like the ACL cmd, marker at the 10.5.5.0 character.

Silver

Re: Need help, VPN between 1841 router & PIX 501

Corrected! Try now.

On Router

access-list 111 permit ip host 216.203.117.85 10.5.5.0 0.0.0.255

On Pix

access-list 111 permit ip 10.5.5.0 255.255.255.0 host 216.203.117.85
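The two fixes in this thread, the route-map NAT exemption earlier on and the extra crypto ACL line for the statically NAT'ed host just above, both follow from one ordering rule: on the router, inside-to-outside NAT runs before the crypto map is consulted, so the crypto ACL only ever sees the post-NAT source address. The following Python model is an added illustration, not part of the thread and not Cisco code; it reuses the thread's addresses, ACL numbers and the route-map/ACL 112 names, while the packet walk, the `forward` function and the `pix_mirror` helper (which turns an IOS wildcard-mask entry into the swapped, subnet-mask form PIX 6.x expects) are the example's own simplification.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of an IOS router's inside->outside packet walk (added
# example). Addresses and ACL numbers are the ones used in the thread.
OUTSIDE_IP = "216.203.117.82"   # router FastEthernet0/1, the overload address


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def ios_net(addr: str, wildcard: str = "0.0.0.0") -> ipaddress.IPv4Network:
    """IOS address + wildcard mask -> network (wildcard is the inverted mask)."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def acl_lookup(acl, src: str, dst: str) -> str:
    """First-match evaluation with the implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for entry in acl:
        if s in entry.src and d in entry.dst:
            return entry.action
    return "deny"


def forward(src: str, dst: str, static_nat, nat_acl, crypto_acl):
    """Return (source address on the wire, 'encrypted' | 'cleartext').

    Step 1 is NAT: a static entry always applies; otherwise the overload PAT
    applies only to packets the route-map's ACL *permits*. Step 2 is the
    crypto map, matched against whatever source address survived step 1.
    (Assumption of this model: unconditional static NAT, as in the thread.)
    """
    if src in static_nat:
        wire_src = static_nat[src]
    elif acl_lookup(nat_acl, src, dst) == "permit":
        wire_src = OUTSIDE_IP
    else:
        wire_src = src                       # denied by the NAT ACL -> exempt
    if acl_lookup(crypto_acl, wire_src, dst) == "permit":
        return wire_src, "encrypted"
    return wire_src, "cleartext"             # routed to the Internet untouched


def pix_mirror(entry: AclEntry, name: str = "111") -> str:
    """PIX-side mirror of an IOS crypto ACL entry: src/dst swapped, real masks."""
    def fmt(net):
        if net.prefixlen == 32:
            return f"host {net.network_address}"
        return f"{net.network_address} {net.netmask}"
    return f"access-list {name} {entry.action} ip {fmt(entry.dst)} {fmt(entry.src)}"


LAN = ios_net("10.2.1.0", "0.0.0.255")          # behind the 1841
REMOTE = ios_net("10.5.5.0", "0.0.0.255")       # behind the PIX
ANY = ios_net("0.0.0.0", "255.255.255.255")
EXCHANGE_PUBLIC = ios_net("216.203.117.85")     # static NAT of 10.2.1.6

STATIC_NAT = {"10.2.1.6": "216.203.117.85"}
NAT_ACL_112 = [AclEntry("deny", LAN, REMOTE), AclEntry("permit", LAN, ANY)]
NAT_ACL_NO_EXEMPT = [AclEntry("permit", LAN, ANY)]
CRYPTO_ACL = [AclEntry("permit", LAN, REMOTE)]
CRYPTO_ACL_111 = CRYPTO_ACL + [AclEntry("permit", EXCHANGE_PUBLIC, REMOTE)]


def scenarios():
    """The four situations the thread walks through, as (wire source, fate)."""
    return {
        "lan_host_with_exemption": forward("10.2.1.10", "10.5.5.242", STATIC_NAT, NAT_ACL_112, CRYPTO_ACL),
        "lan_host_without_exemption": forward("10.2.1.10", "10.5.5.242", STATIC_NAT, NAT_ACL_NO_EXEMPT, CRYPTO_ACL),
        "static_host_without_acl_111": forward("10.2.1.6", "10.5.5.242", STATIC_NAT, NAT_ACL_112, CRYPTO_ACL),
        "static_host_with_acl_111": forward("10.2.1.6", "10.5.5.242", STATIC_NAT, NAT_ACL_112, CRYPTO_ACL_111),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:32s} -> {result}")
    print(pix_mirror(CRYPTO_ACL_111[1]))
```

The second scenario reproduces the earlier traceroute symptom: without the deny line in ACL 112 the ping is PAT'ed to 216.203.117.82, the crypto ACL no longer matches, and the packet is routed to the Internet in the clear. The last two reproduce the static NAT problem and its fix, and explain why the PIX side sees replies from 216.203.117.85 rather than 10.2.1.6.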

New Member

Re: Need help, VPN between 1841 router & PIX 501

OK, I can ping from the PIX side to 10.2.1.6, though it says the reply is from 216.203.117.85.

I can ping from the 10.2.1.6 device to remote devices on PIX side.

10.2.1.6 (216.203.117.85) is my Exchange server and does DNS for my domain. I should be able to go to https://shampoo/exchange & bring up OWA, or use https://10.2.1.6/exchange, but neither works. As you can see from the config, the PIX is giving out DHCP addresses to client workstations & handing out 10.2.1.6 as the Pri DNS server, but I don't think that is working?

Little more help.....

Silver

Re: Need help, VPN between 1841 router & PIX 501

How about

https://216.203.117.85/exchange

Does this work?

New Member

Re: Need help, VPN between 1841 router & PIX 501

Yes, that works. But how do we know that went across the VPN versus across the regular Internet?

Are you suggesting I change the DNS server given out by PIX DHCP to be that .85 address?

I just want to make sure that address is being reached across the VPN.....

Silver

Re: Need help, VPN between 1841 router & PIX 501

To check that, can you post "show crypto ipsec sa" from the PIX please?
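The way to settle "did it go across the VPN or the Internet?" is the one Saju points at: take "show crypto ipsec sa" before and after the test traffic and see whether the encaps/decaps counters on the SA for that proxy pair move, with "show crypto isakmp sa" showing QM_IDLE for the peer. The following Python parser is an added example, not part of the thread; the sample text is taken from the router output posted earlier (trimmed), the "after" snapshot is constructed so the counters visibly change, and the regexes are the example's own, written for the IOS and PIX 6.x output formats shown in this thread.

```python
import re

# Sample "show" output. ISAKMP_SA_ROUTER and IPSEC_SA_BEFORE are trimmed from the
# router output posted in the thread; IPSEC_SA_AFTER is constructed to show the
# counters after a few pings across the tunnel (added example).
ISAKMP_SA_ROUTER = """\
dst src state conn-id slot status
216.203.117.82 12.206.137.5 QM_IDLE 1 0 ACTIVE
"""

IPSEC_SA_BEFORE = """\
interface: FastEthernet0/1
Crypto map tag: IPSEC, local addr 216.203.117.82
local ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)
current_peer 12.206.137.5 port 500
#pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
#pkts decaps: 30, #pkts decrypt: 30, #pkts verify: 30
#send errors 0, #recv errors 0
inbound esp sas:
spi: 0x57AAE66C(1470817900)
Status: ACTIVE
outbound esp sas:
spi: 0xE669710B(3865669899)
Status: ACTIVE
"""

# Constructed: four more packets each way than the snapshot above.
IPSEC_SA_AFTER = IPSEC_SA_BEFORE.replace("encaps: 12", "encaps: 16").replace("decaps: 30", "decaps: 34")

# One row of "show crypto isakmp sa": dst, src, state (works for both the IOS
# "dst src state conn-id slot status" and the PIX "dst src state pending created" layouts).
ISAKMP_ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)", re.M)


def phase1_sas(text):
    """All (dst, src, state) rows in a 'show crypto isakmp sa' listing."""
    return ISAKMP_ROW.findall(text)


def phase1_up(text, peer):
    """True when an ISAKMP SA with the given peer has completed (state QM_IDLE)."""
    return any(state == "QM_IDLE" and peer in (dst, src) for dst, src, state in phase1_sas(text))


def ipsec_summary(text):
    """Pick the fields that matter for verification out of 'show crypto ipsec sa'."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text)
        return cast(m.group(1)) if m else None
    return {
        "local_ident": grab(r"local ident[^:]*:\s*\((\S+)\)"),
        "remote_ident": grab(r"remote ident[^:]*:\s*\((\S+)\)"),
        "peer": grab(r"current_peer\s+(\S+)"),
        "encaps": grab(r"#pkts encaps:\s*(\d+)", int),
        "decaps": grab(r"#pkts decaps:\s*(\d+)", int),
        "send_errors": grab(r"#send errors\s*(\d+)", int),
        "recv_errors": grab(r"#recv errors\s*(\d+)", int),
        "active_sas": len(re.findall(r"Status: ACTIVE", text)),
    }


def tunnel_delta(before, after):
    """(packets encapsulated, packets decapsulated) between two snapshots.

    Both numbers growing means the test traffic was encrypted and answered
    through the tunnel; encaps growing alone points at a return-path problem;
    neither growing means the traffic never matched the crypto ACL.
    """
    b, a = ipsec_summary(before), ipsec_summary(after)
    return a["encaps"] - b["encaps"], a["decaps"] - b["decaps"]


def verdict(isakmp_text, before, after, peer):
    """Human-readable result of the phase 1 and counter checks."""
    if not phase1_up(isakmp_text, peer):
        return "phase 1 not established with " + peer
    sent, received = tunnel_delta(before, after)
    if sent and received:
        return f"traffic used the tunnel (+{sent} encaps, +{received} decaps)"
    if sent:
        return f"sent through the tunnel but nothing came back (+{sent} encaps)"
    return "no counter change: traffic did not match the crypto ACL"


if __name__ == "__main__":
    print(ipsec_summary(IPSEC_SA_BEFORE))
    print(verdict(ISAKMP_SA_ROUTER, IPSEC_SA_BEFORE, IPSEC_SA_AFTER, "12.206.137.5"))
```

For the thread's last question the same check works for the 216.203.117.85 host: after the ACL 111 line is added, a second SA appears with local ident 216.203.117.85/255.255.255.255, and only its counters should move when https://216.203.117.85/exchange is opened from the PIX side; if the counters stay flat, the request went out over the plain Internet.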
