PIX and VPN with Linksys... weird problem!

People:

I am having the weirdest of problems... I have a PIX515E with several Linksys BEFX41 routers with VPNs... Suddenly, the VPNs cannot be established. I have Linksys routers distributed in different places, and all of them are unable to connect. I even tried connecting with a Linksys right next to the outside interface, with an IP contiguous to the one assigned to the PIX's outside interface (you'll see that below: the .34 and .44 addresses). No luck either.

So far I have ruled out my ISP and the Linksys routers (if it were only one I would suspect that, but with 3 or 4 failing...), and I don't remember making any change to the firewall in the last weeks; in fact I compared it against the last known good configuration and it's fine.

Whenever I hit the connect button on the Linksys router, I get the following response on the PIX

(and then the Linksys routers hang and I have to reboot them!)

-----------------------------------------------------
crypto_isakmp_process_block: src X.X.X.44, dest X.X.X.34
VPN Peer: ISAKMP: Peer ip:X.X.X.44 Ref cnt incremented to:1 Total VPN Peers:1
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src X.X.X.44, dest X.X.X.34
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src X.X.X.44, dest X.X.X.34
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
next-payload : 8
type : 2
protocol : 17
port : 500
length : 10
ISAKMP (0): Total payload length: 14
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
-----------------------------------------------------

As you can see, it looks like the connection starts to be established, but it stops right after sending that NOTIFY message.

Any idea? Or has anyone had a similar problem in the past? I tried rebooting the firewall, rewriting the configuration, etc., and no luck.

I attach my PIX configuration below. Thanks a lot for any help with this!

-----------------------------------------------------
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
hostname PIX01
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
no fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol skinny 2000
names
access-list 100 permit tcp any host X.X.X.37 eq smtp
access-list 100 permit tcp any host X.X.X.37 eq pop3
access-list 100 permit tcp any host X.X.X.37 eq domain
access-list 100 permit udp any host X.X.X.37 eq domain
access-list 100 permit tcp any host X.X.X.35 eq www
access-list 100 permit tcp any host X.X.X.35 eq 443
access-list 100 permit tcp any host X.X.X.36 eq www
access-list 100 permit tcp any host X.X.X.36 eq 443
access-list 100 permit tcp any host X.X.X.36 eq domain
access-list 100 permit udp any host X.X.X.36 eq domain
access-list 100 permit tcp any host X.X.X.38 eq www
access-list 100 permit tcp any host X.X.X.38 eq 443
access-list 100 permit tcp any host X.X.X.37 eq www
access-list 100 deny icmp any any
access-list 100 permit tcp any host X.X.X.42 eq www
access-list 100 permit tcp any host X.X.X.42 eq 443
access-list 100 permit tcp any host X.X.X.43 eq www
access-list 100 permit tcp any host X.X.X.43 eq 443
access-list 100 permit tcp any host X.X.X.39 eq www
access-list 100 permit tcp any host X.X.X.39 eq 443
access-list 100 permit tcp any host X.X.X.41 eq www
access-list 100 permit tcp any host X.X.X.41 eq 443
access-list 100 permit tcp any host X.X.X.46 eq www
access-list 100 permit tcp any host X.X.X.46 eq 443
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 permit ip any any
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list nonat2 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat2 permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list nonat2 permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat2 permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list nonat2 permit ip 192.168.2.0 255.255.255.0 192.168.6.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside X.X.X.34 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
ip audit name attack1 attack action alarm drop reset
ip audit interface outside attack1
ip audit info action alarm
ip audit attack action alarm drop reset
pdm history enable
arp timeout 14400
global (outside) 1 X.X.X.50-X.X.X.61 netmask 255.255.255.224
global (outside) 1 X.X.X.62 netmask 255.255.255.224
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (dmz) 0 access-list nonat2
alias (inside) 192.168.1.2 X.X.X.38 255.255.255.255
alias (inside) X.X.X.36 192.168.2.11 255.255.255.255
alias (inside) X.X.X.35 192.168.2.10 255.255.255.255
alias (inside) X.X.X.37 192.168.2.12 255.255.255.255
alias (inside) X.X.X.40 192.168.2.14 255.255.255.255
alias (inside) X.X.X.42 192.168.2.16 255.255.255.255
alias (inside) X.X.X.43 192.168.2.17 255.255.255.255
alias (inside) X.X.X.39 192.168.2.19 255.255.255.255
alias (inside) X.X.X.45 192.168.2.18 255.255.255.255
alias (inside) X.X.X.41 192.168.2.15 255.255.255.255
alias (inside) 192.168.1.14 X.X.X.46 255.255.255.255
alias (dmz) 192.168.2.16 X.X.X.42 255.255.255.255
alias (dmz) 192.168.2.17 X.X.X.43 255.255.255.255
alias (dmz) 192.168.2.19 X.X.X.39 255.255.255.255
alias (dmz) 192.168.2.18 X.X.X.45 255.255.255.255
alias (dmz) 192.168.2.15 X.X.X.41 255.255.255.255
static (dmz,outside) X.X.X.36 192.168.2.11 netmask 255.255.255.255 0
static (dmz,outside) X.X.X.35 192.168.2.10 netmask 255.255.255.255 0
static (inside,outside) X.X.X.38 192.168.1.2 netmask 255.255.255.255
static (dmz,outside) X.X.X.37 192.168.2.12 netmask 255.255.255.255 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
static (dmz,outside) X.X.X.40 192.168.2.14 netmask 255.255.255.255 0
static (dmz,outside) X.X.X.42 192.168.2.16 netmask 255.255.255.255 0
static (dmz,outside) X.X.X.43 192.168.2.17 netmask 255.255.255.255 0
static (dmz,outside) X.X.X.39 192.168.2.19 netmask 255.255.255.255 0
static (dmz,outside) X.X.X.45 192.168.2.18 netmask 255.255.255.255 0
static (dmz,outside) X.X.X.41 192.168.2.15 netmask 255.255.255.255 0
static (inside,outside) X.X.X.46 192.168.1.14 netmask 255.255.255.255
access-group 100 in interface outside
access-group 101 in interface dmz
route outside 0.0.0.0 0.0.0.0 X.X.X.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set router-set esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set router-set
crypto map dyn-map 10 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
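The debug output in the post tells a fairly precise story when read against the configuration: the peer offers two Phase 1 (Main Mode) proposals, DES/SHA is rejected against policy 10, DES/MD5 is accepted, the lifetime bytes 0x0 0x1 0x51 0x80 decode to 86400 seconds (the same as the configured lifetime), the SA authenticates with the pre-shared key, and then the negotiation stops after INITIAL_CONTACT with no Quick Mode (Phase 2) exchange at all. The following Python triage helper is an added example, not code from the post or from Cisco: it parses that debug output and the `isakmp policy` lines, decodes the lifetime, reports which proposal matched on which attributes and where the negotiation stopped. The sample inputs are the post's own lines; the ordered milestone list and the use of `OAK_QM exchange` as the Phase 2 marker are assumptions about PIX debug output.

```python
"""Triage helper for PIX 'debug crypto isakmp' output (added example, not code from the
post or from Cisco). Parses the Main Mode (OAK_MM, IKE Phase 1) proposals the peer
offered, decodes the lifetime bytes, checks each proposal against the configured
'isakmp policy' lines and reports how far the negotiation got."""
import re
# Constructed sample: the decisive debug lines quoted in the post above.
SAMPLE_DEBUG = """\
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA has been authenticated
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
"""
# Constructed sample: the isakmp policy lines from the PIX configuration in the post.
SAMPLE_CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
"""
# Markers in the order a successful negotiation prints them (assumed); "OAK_QM exchange"
# is what Quick Mode (Phase 2) would print and is absent from the post's output.
MILESTONES = ["processing SA payload", "atts are acceptable", "SA has been authenticated",
              "sending INITIAL_CONTACT notify", "OAK_QM exchange"]
TRANSFORM_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"^ISAKMP: (encryption|hash|auth|default group|life duration) (?:\(VPI\) of )?(.+)$")
POLICY_RE = re.compile(r"^isakmp policy (\d+) (\S+) (\S+)", re.M)

def decode_lifetime(raw):
    """'0x0 0x1 0x51 0x80' is a big-endian byte string: 0x00015180 = 86400 seconds."""
    value = 0
    for tok in re.findall(r"0x[0-9a-fA-F]+", raw or ""):
        value = (value << 8) | int(tok, 16)
    return value if raw else None

def parse_transforms(debug):
    """One dict per Phase 1 proposal: number, local policy checked, attributes, accepted."""
    transforms, cur = [], None
    for line in debug.splitlines():
        m = TRANSFORM_RE.search(line)
        if m:
            cur = {"number": int(m.group(1)), "policy": int(m.group(2)), "attrs": {}, "accepted": None}
            transforms.append(cur)
        elif cur is not None and "atts are not acceptable" in line:
            cur["accepted"], cur = False, None
        elif cur is not None and "atts are acceptable" in line:
            cur["accepted"], cur = True, None
        elif cur is not None and (m := ATTR_RE.match(line)):
            cur["attrs"][m.group(1)] = m.group(2).strip()
    return transforms

def parse_policies(config):
    """'isakmp policy 10 hash md5' -> {10: {'hash': 'md5', ...}}."""
    policies = {}
    for prio, keyword, value in POLICY_RE.findall(config):
        policies.setdefault(int(prio), {})["auth" if keyword == "authentication" else keyword] = value
    return policies

def mismatches(transform, policy):
    """Attributes on which a proposal differs from the local policy. Lifetime is reported
    but not compared: unequal Phase 1 lifetimes negotiate down to the shorter value."""
    a = transform["attrs"]
    offered = {"encryption": a.get("encryption", "").lower().replace("-cbc", ""),
               "hash": a.get("hash", "").lower(), "auth": a.get("auth", "").lower(),
               "group": a.get("default group", "")}
    return [k for k, v in offered.items() if policy.get(k) != v]

def triage(debug, config):
    """Which proposal matched which policy, and the last milestone the negotiation reached."""
    policies = parse_policies(config)
    report = {"transforms": {}, "last_milestone": None}
    for t in parse_transforms(debug):
        report["transforms"][t["number"]] = {
            "accepted": t["accepted"],
            "lifetime": decode_lifetime(t["attrs"].get("life duration")),
            "mismatch_vs_policy": mismatches(t, policies.get(t["policy"], {}))}
    # MILESTONES is ordered, so the furthest marker present in the output wins.
    report["last_milestone"] = max((m for m in MILESTONES if m in debug), key=MILESTONES.index, default=None)
    if not any(v["accepted"] for v in report["transforms"].values()):
        report["verdict"] = "Phase 1 policy mismatch: no proposal matched an isakmp policy"
    elif report["last_milestone"] != "OAK_QM exchange":
        report["verdict"] = "Phase 1 completed but Quick Mode (Phase 2) never started"
    else:
        report["verdict"] = "Phase 2 negotiation started"
    return report

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_DEBUG, SAMPLE_CONFIG), indent=2))
```

Run against the post's output the verdict is "Phase 1 completed but Quick Mode (Phase 2) never started", with transform 1 failing only on `hash` and transform 2 matching policy 10 on every compared attribute. That separates this case from the more common Phase 1 mismatch: the `isakmp policy` is fine, so the next place to look is the Phase 2 side (peer behaviour, the IPsec transform set and the dynamic crypto map) rather than the Phase 1 policy.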

1 REPLY

Re: PIX and VPN with Linksys... weird problem!

Hi -

Seems like you are having similar problems to Rod Cagila's (on the VPN Security forum). Please read the following doc:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/ipsec/

And also, Rod has a solution to this; you can contact him at:

rod.caglia@electricmotorshop.com

Let me know how you get on... Jay
