New Member

pix site-to-site vpn problems

Please can someone help with a number of issues I am having with my pix515, when trying to configure a vpn to a checkpoint firewall. My pix has 16MB flash, 64MB RAM, 6.2.2 code and is running LAN-based failover. I have 6 interfaces, 5 of which are in use. I tried configuring a vpn to a checkpoint firewall to permit a single host on the Pix inside to access a single host on the cp inside network. I want to use NAT so did this using a static mapping. As soon as I applied the crypto map to the outside interface, the pix stopped passing all traffic out of the outside interface, including direct internet traffic.

I backed out and tried implementing the vpn with no nat using the nat 0 command. This had no impact on the operation of the pix; however, I could not get the vpn to kick into life (i.e. no isakmp or ipsec debug whatsoever). I then removed the nat 0 command and replaced it with "sysopt ipsec pl-compatible", and now my vpn is working to some extent. The pix inside host can ping the cp inside host. However, the cp inside host can't ping the pix inside host. I think this is a config issue because I am seeing "proxy identities not supported" in the ipsec debug. I am continuing to work on this with the cp guys.

Ultimately however, I need to re-introduce nat but I am a bit wary after the previous problem. I am also seeing some other causes for concern. Firstly, the pix appears to failover for no apparent reason (I plan to implement logging to a syslog server to try to determine the cause of this). Also, when I was telnetted into the pix, it would not display back ipsec debugging (I had issued term mon). I checked using debug icmp and issuing pings and could see this fine.

Any help would be greatly appreciated.

Tracey

6 REPLIES
New Member

Re: pix site-to-site vpn problems

There is so much going on here that it would be hard to determine exactly what is happening without a config.

Is the CP side doing nat and IPSEC as well? I am guessing that there is some mismatch in the CP objects and the NAT/Interesting traffic of the Pix.

Also, don't use sysopt pl-compatible :) Figure out what the problem is that causes it not to work, using either nat 0 and sysopt connection permit-ipsec, or ACLs on the outside interface.

Regards,

New Member

Re: pix site-to-site vpn problems

Thanks for your reply. I appreciate there is a lot going on. I have included the current config (with public addresses replaced) to help clarify:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 WAN_Access security10
nameif ethernet3 Support security15
nameif ethernet4 DMZ security20
nameif ethernet5 Failover security25
enable password zDU4/BGnunLgHqiX encrypted
passwd zDU4/BGnunLgHqiX encrypted
hostname Primary-PIX
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list support_acl permit icmp host 192.168.1.1 any
access-list support_acl permit tcp host 192.168.1.1 host 192.168.1.254 eq telnet
access-list support_acl permit tcp host 192.168.1.1 host 192.168.1.254 eq https
access-list support_acl permit tcp host 192.168.1.1 16.0.0.0 255.255.255.0 eq lpd
access-list support_acl permit tcp host 192.168.1.1 17.0.0.0 255.255.255.0 eq lpd
access-list support_acl permit tcp host 192.168.1.1 18.0.0.0 255.255.255.0 eq lpd
access-list support_acl permit tcp host 192.168.1.1 19.0.0.0 255.255.255.0 eq lpd
access-list support_acl permit tcp host 192.168.1.1 132.147.161.0 255.255.255.0 eq lpd
access-list support_acl permit tcp host 192.168.1.1 192.168.98.0 255.255.255.0 eq telnet
access-list support_acl permit tcp host 192.168.1.1 host 192.168.2.253 eq telnet
access-list support_acl permit tcp host 192.168.1.1 host 192.168.2.254 eq telnet
access-list support_acl deny ip any any
access-list WAN_Access_acl permit tcp 16.0.0.0 255.255.255.0 host 192.168.2.2 eq telnet
access-list WAN_Access_acl permit tcp 17.0.0.0 255.255.255.0 host 192.168.2.2 eq telnet
access-list WAN_Access_acl permit tcp 18.0.0.0 255.255.255.0 host 192.168.2.2 eq telnet
access-list WAN_Access_acl permit tcp 19.0.0.0 255.255.255.0 host 192.168.2.2 eq telnet
access-list WAN_Access_acl permit tcp 132.147.161.0 255.255.255.0 host 192.168.2.2 eq telnet
access-list WAN_Access_acl permit icmp any any echo-reply
access-list WAN_Access_acl permit icmp any any time-exceeded
access-list WAN_Access_acl permit icmp 192.168.98.0 255.255.255.0 host 192.168.2.2
access-list WAN_Access_acl permit tcp 192.168.98.0 255.255.255.0 host 192.168.2.2 eq ftp
access-list WAN_Access_acl permit tcp 192.168.2.8 255.255.255.248 host 192.168.2.2 eq telnet
access-list WAN_Access_acl deny ip any any
access-list To_Internet permit tcp 10.1.254.0 255.255.255.240 any eq www
access-list To_Internet permit tcp 10.1.254.0 255.255.255.240 any eq 8080
access-list To_Internet permit tcp 10.1.254.0 255.255.255.240 any eq telnet
access-list To_Internet permit tcp 10.1.254.0 255.255.255.240 any eq domain
access-list To_Internet permit tcp 10.1.254.0 255.255.255.240 any eq 9002
access-list To_Internet permit udp 10.1.254.0 255.255.255.240 any eq domain
access-list To_Internet permit icmp any any
access-list To_Internet permit tcp 10.1.254.0 255.255.255.240 any eq https
access-list To_Internet permit tcp 10.1.254.0 255.255.255.240 any eq smtp
access-list To_Internet permit tcp 10.1.254.0 255.255.255.240 any eq 3101
access-list To_Internet permit tcp 10.1.254.0 255.255.255.240 any eq ftp
access-list To_Internet deny ip any any
access-list From_Internet permit tcp any host mailserver eq smtp
access-list From_Internet permit icmp any any echo-reply
access-list From_Internet permit tcp host external host sftpserver eq ssh
access-list From_Internet deny ip any any
access-list 101 permit ip host 10.1.254.8 host A.B.C.D
pager lines 200
logging console debugging
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto shutdown
interface ethernet5 auto
mtu outside 1500
mtu inside 1500
mtu WAN_Access 1500
mtu Support 1500
mtu DMZ 1500
mtu Failover 1500
ip address outside W.X.Y.Z 255.255.255.240
ip address inside 10.1.254.9 255.255.255.240
ip address WAN_Access 192.168.2.250 255.255.255.0
ip address Support 192.168.1.254 255.255.255.0
ip address DMZ 172.16.254.121 255.255.255.248
ip address Failover 172.16.254.33 255.255.255.248
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface WAN_Access
ip verify reverse-path interface Support
ip verify reverse-path interface DMZ
ip verify reverse-path interface Failover
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside S.T.U.V
failover ip address inside 10.1.254.10
failover ip address WAN_Access 192.168.2.251
failover ip address Support 192.168.1.253
failover ip address DMZ 172.16.254.122
failover ip address Failover 172.16.254.34
failover link Failover
failover lan unit primary
failover lan interface Failover
failover lan key ********
failover lan enable
pdm location 192.168.1.1 255.255.255.255 Support
pdm history enable
arp timeout 14400
global (outside) 1 E.F.G.H I.J.K.L netmask 255.255.255.240
global (outside) 1 M.N.O.P netmask 255.255.255.240
nat (inside) 1 10.1.254.0 255.255.255.240 0 0
static (Support,WAN_Access) 192.168.2.2 192.168.1.1 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.1 10.1.254.11 netmask 255.255.255.255 0 0
static (inside,outside) 2.2.2.2 10.1.254.8 netmask 255.255.255.255 0 0
access-group From_Internet in interface outside
access-group To_Internet in interface inside
access-group WAN_Access_acl in interface WAN_Access
access-group support_acl in interface Support
route outside 0.0.0.0 0.0.0.0 3.3.3.3 1
route WAN_Access 16.0.0.0 255.255.255.0 192.168.2.254 1
route WAN_Access 17.0.0.0 255.255.255.0 192.168.2.254 1
route WAN_Access 18.0.0.0 255.255.255.0 192.168.2.254 1
route WAN_Access 19.0.0.0 255.255.255.0 192.168.2.254 1
route WAN_Access 132.147.161.0 255.255.255.0 192.168.2.254 1
route WAN_Access 192.168.98.0 255.255.255.0 192.168.2.253 1
timeout xlate 3:00:00
timeout conn 2:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authorization command LOCAL
http server enable
http 192.168.1.1 255.255.255.255 Support
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map BPB 10 ipsec-isakmp
crypto map BPB 10 match address 101
crypto map BPB 10 set peer 4.4.4.4
crypto map BPB 10 set transform-set myset
crypto map BPB 10 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map BPB interface outside
isakmp enable outside
isakmp key ******** address 4.4.4.4 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 192.168.1.1 255.255.255.255 Support
telnet timeout 5
ssh timeout 5
username admin password x5UicjfqZ4wWFwMV encrypted privilege 15
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
terminal width 80
Cryptochecksum:9de58c286a56bb9de9787cf9443db8de

As mentioned, I think I still have a config mismatch between the Pix and CP which I am working on. However, I am more concerned about how to get the vpn working with nat (and also why this previously caused the pix to stop passing traffic over the outside interface). With the nat config, I did not have the "no sysopt ipsec pl-compatible". The pix inside device is 10.1.254.8, which is statically mapped to a registered address. ACL 101 defines the traffic permitted down the tunnel. The CP is not doing nat.

Thanks,

Tracey

New Member

Re: pix site-to-site vpn problems

Tracey,

You have an interesting problem here and I would not be surprised if it came up in the CCIE lab.

Now I can not help you much with the CP, but take a look at the following:

1. I will use the static statement.

2. Since for outbound traffic, NAT occurs before IPSEC, you will have to change your Crypto ACL to trigger IPSEC.

access-list 101 permit ip 2.2.2.2 X.X.X.X

Keep in mind that the only traffic that will be encrypted will be controlled by the ACL applied to the inside interface.
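A small model of the order of operations that reply describes (inside-interface ACL, then static NAT, then crypto-map match on the translated source), added here as an illustration and not taken from the thread. It uses the thread's own placeholders 10.1.254.8 and 2.2.2.2, a constructed 203.0.113.5 standing in for the CP host written as A.B.C.D, and a reduced To_Internet ACL containing only the icmp entry and the final deny.

```python
import ipaddress

# Added example, not from the thread: a model of the PIX 6.x outbound pipeline
# the reply describes (inside ACL -> static NAT -> crypto-map match).
# 10.1.254.8 and 2.2.2.2 are the thread's placeholders; 203.0.113.5 is a
# constructed stand-in for the CP-side host written as A.B.C.D in the thread.

def _net(spec):
    """Parse 'any', 'host X' or 'NETWORK MASK' into an ip_network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    parts = spec.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)

def ace(action, proto, src, dst):
    """One access-list entry; proto 'ip' matches every protocol."""
    return (action, proto, _net(src), _net(dst))

def acl_permits(acl, proto, src, dst):
    """First-match semantics with the PIX's implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, dn in acl:
        if p in ("ip", proto) and s in sn and d in dn:
            return action == "permit"
    return False

def outbound(inside_acl, statics, crypto_acl, proto, src, dst):
    """Return (disposition, translated_src) for a packet going inside->outside."""
    if not acl_permits(inside_acl, proto, src, dst):
        return ("denied", src)            # never reaches NAT or the crypto map
    xlated = statics.get(src, src)        # static (inside,outside) translation
    if acl_permits(crypto_acl, proto, xlated, dst):
        return ("encrypted", xlated)      # crypto ACL is matched against post-NAT source
    return ("clear", xlated)              # sent out the outside interface unencrypted

INSIDE_ACL = [ace("permit", "icmp", "any", "any"),
              ace("deny", "ip", "any", "any")]
STATICS = {"10.1.254.8": "2.2.2.2"}       # static (inside,outside) 2.2.2.2 10.1.254.8
ORIGINAL_101 = [ace("permit", "ip", "host 10.1.254.8", "host 203.0.113.5")]
CORRECTED_101 = [ace("permit", "ip", "host 2.2.2.2", "host 203.0.113.5")]

if __name__ == "__main__":
    for name, acl in (("original 101", ORIGINAL_101), ("corrected 101", CORRECTED_101)):
        print(name, outbound(INSIDE_ACL, STATICS, acl, "icmp", "10.1.254.8", "203.0.113.5"))
```

With the original ACL 101 the translated source 2.2.2.2 never matches, so the packet leaves in the clear; with the corrected entry it is encrypted, and a protocol the inside ACL does not permit is dropped before either step.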

New Member

Re: pix site-to-site vpn problems

I didn't see anything "wrong" per se in your pix configuration. Usually what causes the Pix to stop passing all traffic when you apply a crypto map is if you have an incomplete crypto map or make changes with a crypto map applied.

What version of CP are you using? 4.1 or NG? If NG, are you using the Community Traffic Security Policy "Accept all encrypted traffic"? I have seen this cause many problems when not going to another CP.

Regards,

New Member

Re: pix site-to-site vpn problems

Thanks for the info. I believe my crypto map was complete; however, I was making a lot of changes and it could be that I made some while the crypto map was applied. The CP is NG. I will check with the person responsible for configuring the CP whether the Community Traffic Security Policy "Accept All Encrypted Traffic" is set. The problem I have is that the CP is already supporting a number of operational vpns, so we are unable to change some of the global settings.

Thanks again,

Tracey

New Member

Re: pix site-to-site vpn problems

Thanks for the info. I will bear that in mind when doing further work on this. I hope to get downtime soon to have another go.

Regards,

Tracey
